[pve-devel] [PATCH qemu-server] fix #1811: allow VM.Config.HWType to add serial socket
David Limbeck
2018-11-30 10:07:16 UTC
allow serial sockets to be added if VM.Config.HWType permission is
satisfied but deny serial devices for anyone other than root
(raise_perm_exc). this allows PVEVMAdmins to add serial consoles.

Signed-off-by: David Limbeck <***@proxmox.com>
---
PVE/API2/Qemu.pm | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index c82e2fa..8ae4da2 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -310,6 +310,7 @@ my $check_vm_modify_config_perm = sub {
next if PVE::QemuServer::is_valid_drivename($opt);
next if $opt eq 'cdrom';
next if $opt =~ m/^unused\d+$/;
+ next if $opt =~ m/^serial[0-3]$/;

if ($cpuoptions->{$opt} || $opt =~ m/^numa\d+$/) {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.CPU']);
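Review bot: The added `next if $opt =~ m/^serial[0-3]$/;` exempts serialN from this helper for every value and every operation, because the helper is handed option names only (the call in the second hunk passes `[keys %$param]`). If update_vm_api also routes its list of options to delete through this helper (that call is not visible in these hunks), removing a root-configured host serial device would pass with no permission check at all, since the loop added in the second hunk walks only `keys %$param`. The delete path should look up the currently configured value and apply the same split: VM.Config.HWType for `socket`, root-only otherwise. A comment on this line such as `# serialN: permission depends on the value (socket vs. host device), checked separately` would record why the option is skipped. The body of check_vm_modify_config_perm starts and ends outside the hunk.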
@@ -1108,6 +1109,16 @@ my $update_vm_api = sub {

&$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys %$param]);

+ foreach my $opt (keys %$param) {
+ if ($opt =~ m/serial[0-3]/) {
+ if ($param->{$opt} eq 'socket') {
+ $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
+ } else {
+ raise_perm_exc('user ***@pam required for serial devices') if ($authuser ne '***@pam');
+ }
+ }
+ }
+
&$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);

my $updatefn = sub {
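Review bot: The match `m/serial[0-3]/` in the added loop is unanchored, while the exemption added to check_vm_modify_config_perm uses `m/^serial[0-3]$/`. The two patterns should be identical so that the options skipped by the generic check are exactly the ones checked here: `if ($opt =~ m/^serial[0-3]$/) {`. As written the loop is only over-inclusive, but keeping the pair in sync by hand is fragile for a permission gate. The decision is also based on the requested value alone, so a user holding VM.Config.HWType can overwrite an existing host-device entry with `socket`. If that is intended, a comment above the loop should say so, e.g. `# serialN: 'socket' needs VM.Config.HWType, host devices are root-only (new value decides)`. The body of update_vm_api starts and ends outside the hunk.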
--
2.11.0
Dominik Csapak
2018-11-30 10:15:04 UTC
Post by David Limbeck
allow serial sockets to be added if VM.Config.HWType permission is
satisfied but deny serial devices for anyone other than root
(raise_perm_exc). this allows PVEVMAdmins to add serial consoles.
---
PVE/API2/Qemu.pm | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index c82e2fa..8ae4da2 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -310,6 +310,7 @@ my $check_vm_modify_config_perm = sub {
next if PVE::QemuServer::is_valid_drivename($opt);
next if $opt eq 'cdrom';
next if $opt =~ m/^unused\d+$/;
+ next if $opt =~ m/^serial[0-3]$/;
if ($cpuoptions->{$opt} || $opt =~ m/^numa\d+$/) {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.CPU']);
@@ -1108,6 +1109,16 @@ my $update_vm_api = sub {
&$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys %$param]);
+ foreach my $opt (keys %$param) {
+ if ($opt =~ m/serial[0-3]/) {
+ if ($param->{$opt} eq 'socket') {
+ $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
+ } else {
+ }
+ }
+ }
+
&$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
my $updatefn = sub {
It seems the check is not executed when creating a VM.
I think it would make more sense to extend check_vm_modify_config_perm
so that it also receives the values of the params and does the check inside.
