[pve-devel] [PATCH container] document bind/device mp permissions better

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Dec 13 12:14:28 CET 2016


Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
note: no functional change, just better error message and a note
in the api documentation / viewer

 src/PVE/API2/LXC/Config.pm | 1 +
 src/PVE/LXC.pm             | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
index fd6178b..e3909a3 100644
--- a/src/PVE/API2/LXC/Config.pm
+++ b/src/PVE/API2/LXC/Config.pm
@@ -72,6 +72,7 @@ __PACKAGE__->register_method({
     description => "Set container options.",
     permissions => {
 	check => ['perm', '/vms/{vmid}', $vm_config_perm_list, any => 1],
+	description => 'non-volume mount points in rootfs and mp[n] are restricted to root at pam',
     },
     parameters => {
     	additionalProperties => 0,
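Review bot: The added `description` documents only the root@pam restriction, while the `check` above it uses `any => 1`, so a reader of the API viewer could conclude that holding any one privilege from `$vm_config_perm_list` is enough for every other option. The second file in this patch shows a per-option check (`VM.Config.Memory` for memory/swap), so the text would be more accurate as something like `description => 'Options are checked individually against their VM.Config.* privilege; non-volume mount points in rootfs and mp[n] are restricted to root@pam',`. Whether the viewer shows this string in addition to the generated check text or instead of it is not visible here and should be confirmed.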
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 810fae5..8fa03f1 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -897,7 +897,8 @@ sub check_ct_modify_config_perm {
 	    return if $delete;
 	    my $data = $opt eq 'rootfs' ? PVE::LXC::Config->parse_ct_rootfs($newconf->{$opt})
 					: PVE::LXC::Config->parse_ct_mountpoint($newconf->{$opt});
-	    raise_perm_exc("mount point type $data->{type}") if $data->{type} ne 'volume';
+	    raise_perm_exc("mount point type $data->{type} is only allowed for root\@pam")
+		if $data->{type} ne 'volume';
 	} elsif ($opt eq 'memory' || $opt eq 'swap') {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
 	} elsif ($opt =~ m/^net\d+$/ || $opt eq 'nameserver' ||
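Review bot: The new message in the `raise_perm_exc` call names the rejected mount point type but not the option that carried it, so a request that sets several `mp[n]` entries gives no way to tell which one was refused, either for the caller or for someone reading the error in a log. Including the key would fix that: `raise_perm_exc("mount point type $data->{type} in '$opt' is only allowed for root\@pam")`. The root@pam exemption the message refers to is not in the visible lines, and `check_ct_modify_config_perm` begins and ends outside the hunk. A short comment at this check pointing to where that exemption is applied would help keep the message, the API description and the enforcement from drifting apart.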
-- 
2.1.4




