Version in base suite: 6.0.4-2 Base version: incus_6.0.4-2 Target version: incus_6.0.4-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/incus/incus_6.0.4-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/incus/incus_6.0.4-2+deb13u1.dsc changelog | 13 + gbp.conf | 2 patches/100-CVE-2025-54293.patch | 29 ++++ patches/101-CVE-2025-54287.patch | 120 +++++++++++++++++ patches/102-CVE-2025-54288.patch | 47 ++++++ patches/103-CVE-2025-54286.patch | 64 +++++++++ patches/104-CVE-2025-54290_CVE-2025-54291.patch | 123 ++++++++++++++++++ patches/105-CVE-2025-54289.patch | 162 ++++++++++++++++++++++++ patches/series | 6 9 files changed, 565 insertions(+), 1 deletion(-) diff -Nru incus-6.0.4/debian/changelog incus-6.0.4/debian/changelog --- incus-6.0.4/debian/changelog 2025-04-27 14:45:33.000000000 +0000 +++ incus-6.0.4/debian/changelog 2025-10-02 15:51:07.000000000 +0000 @@ -1,3 +1,16 @@ +incus (6.0.4-2+deb13u1) trixie-security; urgency=high + + * Backport fixes for the following security issues: + - CVE-2025-54293 / GHSA-472f-vmf2-pr3h + - CVE-2025-54287 / GHSA-w2hg-2v4p-vmh6 + - CVE-2025-54288 / GHSA-7232-97c6-j525 + - CVE-2025-54286 / GHSA-p8hw-rfjg-689h + - CVE-2025-54290 / GHSA-p3x5-mvmp-5f35 + - CVE-2025-54291 / GHSA-xch9-h8qw-85c7 + - CVE-2025-54289 / GHSA-3g72-chj4-2228 + + -- Mathias Gibbens Thu, 02 Oct 2025 15:51:07 +0000 + incus (6.0.4-2) unstable; urgency=medium * Fix inadvertent policy violation where build created files in HOME diff -Nru incus-6.0.4/debian/gbp.conf incus-6.0.4/debian/gbp.conf --- incus-6.0.4/debian/gbp.conf 2025-04-06 13:48:35.000000000 +0000 +++ incus-6.0.4/debian/gbp.conf 2025-09-29 13:46:57.000000000 +0000 
@@ -1,3 +1,3 @@ [DEFAULT] -debian-branch = debian/sid +debian-branch = debian/trixie dist = DEP14 diff -Nru incus-6.0.4/debian/patches/100-CVE-2025-54293.patch incus-6.0.4/debian/patches/100-CVE-2025-54293.patch --- incus-6.0.4/debian/patches/100-CVE-2025-54293.patch 1970-01-01 00:00:00.000000000 +0000 +++ incus-6.0.4/debian/patches/100-CVE-2025-54293.patch 2025-08-14 12:21:05.000000000 +0000 @@ -0,0 +1,29 @@ +From dacee765384635eac3742351de64cdae23d25194 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 17 Jul 2025 01:07:58 +0200 +Subject: [PATCH] incusd/instance_logs: Perform stricter path validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + cmd/incusd/instance_logs.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/cmd/incusd/instance_logs.go b/cmd/incusd/instance_logs.go +index 52439de5428..b49e8005b2b 100644 +--- a/cmd/incusd/instance_logs.go ++++ b/cmd/incusd/instance_logs.go +@@ -637,6 +637,11 @@ func instanceExecOutputDelete(d *Daemon, r *http.Request) response.Response { + } + + func validLogFileName(fname string) bool { ++ // Make sure that there's nothing fishy about the provided file name. ++ if filepath.Base(fname) != fname { ++ return false ++ } ++ + /* Let's just require that the paths be relative, so that we don't have + * to deal with any escaping or whatever. + */ diff -Nru incus-6.0.4/debian/patches/101-CVE-2025-54287.patch incus-6.0.4/debian/patches/101-CVE-2025-54287.patch --- incus-6.0.4/debian/patches/101-CVE-2025-54287.patch 1970-01-01 00:00:00.000000000 +0000 +++ incus-6.0.4/debian/patches/101-CVE-2025-54287.patch 2025-08-14 12:21:05.000000000 +0000 
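Review bot: `filepath.Base` returns `.` and `..` unchanged, so the new guard at the top of validLogFileName does not reject those two names by itself; the rest of the function is outside the hunk, so whether a later allowlist catches them cannot be confirmed from here. If the remaining checks are not a strict allowlist, reject them explicitly before the Base comparison: `if fname == "." || fname == ".." { return false }`. The comment `Make sure that there's nothing fishy about the provided file name` would be more useful as `Reject any name with a directory component: Base differs from the input for anything containing a separator`.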
@@ -0,0 +1,120 @@ +From 7e1186ab368257c0bdeb0465c9c693596f04e12f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 18 Jul 2025 02:27:25 +0200 +Subject: [PATCH 1/2] internal/util: Add recursion limit to RenderTemplate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + internal/util/template.go | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +diff --git a/internal/util/template.go b/internal/util/template.go +index e790133e710..4a963746c6b 100644 +--- a/internal/util/template.go ++++ b/internal/util/template.go +@@ -1,29 +1,37 @@ + package util + + import ( ++ "errors" + "strings" + + "github.com/flosch/pongo2" + ) + +-// RenderTemplate renders a pongo2 template. ++// RenderTemplate renders a pongo2 template with nesting support. ++// This supports up to 3 levels of nesting (to avoid loops). + func RenderTemplate(template string, ctx pongo2.Context) (string, error) { +- // Load template from string +- tpl, err := pongo2.FromString("{% autoescape off %}" + template + "{% endautoescape %}") +- if err != nil { +- return "", err +- } ++ // Limit recursion to 3 levels. ++ for range 3 { ++ // Load template from string ++ tpl, err := pongo2.FromString("{% autoescape off %}" + template + "{% endautoescape %}") ++ if err != nil { ++ return "", err ++ } + +- // Get rendered template +- ret, err := tpl.Execute(ctx) +- if err != nil { +- return ret, err +- } ++ // Get rendered template ++ ret, err := tpl.Execute(ctx) ++ if err != nil { ++ return ret, err ++ } ++ ++ // Check if another pass is needed. ++ if !strings.Contains(ret, "{{") && !strings.Contains(ret, "{%") { ++ return ret, nil ++ } + +- // Looks like we're nesting templates so run pongo again +- if strings.Contains(ret, "{{") || strings.Contains(ret, "{%") { +- return RenderTemplate(ret, ctx) ++ // Prepare for another run. 
++ template = ret + } + +- return ret, err ++ return "", errors.New("Maximum template recursion limit reached") + } + +From 630d850d40bf25428b36860cd87728f34191bca9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 18 Jul 2025 02:30:50 +0200 +Subject: [PATCH 2/2] internal/util: Tweak common pongo2 parser to block + dangerous functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + internal/util/template.go | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/internal/util/template.go b/internal/util/template.go +index 4a963746c6b..29eaa66756e 100644 +--- a/internal/util/template.go ++++ b/internal/util/template.go +@@ -2,6 +2,7 @@ package util + + import ( + "errors" ++ "fmt" + "strings" + + "github.com/flosch/pongo2" +@@ -10,10 +11,21 @@ import ( + // RenderTemplate renders a pongo2 template with nesting support. + // This supports up to 3 levels of nesting (to avoid loops). + func RenderTemplate(template string, ctx pongo2.Context) (string, error) { ++ // Prepare a custom set. ++ custom := pongo2.NewSet("render-template", pongo2.DefaultLoader) ++ ++ // Block the use of some tags. ++ for _, tag := range []string{"extends", "import", "include", "ssi"} { ++ err := custom.BanTag(tag) ++ if err != nil { ++ return "", fmt.Errorf("Failed to configure custom pongo2 parser: Failed to block tag tag %q: %w", tag, err) ++ } ++ } ++ + // Limit recursion to 3 levels. 
+ for range 3 { + // Load template from string +- tpl, err := pongo2.FromString("{% autoescape off %}" + template + "{% endautoescape %}") ++ tpl, err := custom.FromString("{% autoescape off %}" + template + "{% endautoescape %}") + if err != nil { + return "", err + } diff -Nru incus-6.0.4/debian/patches/102-CVE-2025-54288.patch incus-6.0.4/debian/patches/102-CVE-2025-54288.patch --- incus-6.0.4/debian/patches/102-CVE-2025-54288.patch 1970-01-01 00:00:00.000000000 +0000 +++ incus-6.0.4/debian/patches/102-CVE-2025-54288.patch 2025-08-14 12:21:05.000000000 +0000 
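Review bot: The error string in the new BanTag loop repeats a word, `Failed to block tag tag %q`; it should be `return "", fmt.Errorf("Failed to configure custom pongo2 parser: Failed to block tag %q: %w", tag, err)`. The custom set is also rebuilt and its four tags re-banned on every RenderTemplate call, so it could be constructed once at package scope (a package-level `var` or a `sync.Once`) with the same behaviour. Banning `extends`/`import`/`include`/`ssi` removes the tags that read files, but the set is still created with `pongo2.DefaultLoader`, which resolves local paths; a loader that rejects every path would keep the sandbox intact even if a future pongo2 version adds another file-reading tag. A short doc comment stating that the template text is treated as untrusted (which the CVE fix implies, though the callers are not visible here) and that the set is intentionally given no file access would help the next maintainer.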
@@ -0,0 +1,47 @@ +From 25cc63ece8f74ef2c7f9a445d544338b91340af7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 17 Jul 2025 01:58:06 +0200 +Subject: [PATCH] incusd/dev_incus: Add extra validation for monitor +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We shouldn't just rely on the process name but also make sure that it's +running outside of the container as this is a unique characteristic of +the real monitor process. + +Signed-off-by: Stéphane Graber +--- + cmd/incusd/dev_incus.go | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/cmd/incusd/dev_incus.go b/cmd/incusd/dev_incus.go +index e72ade71c26..dbc3b25217a 100644 +--- a/cmd/incusd/dev_incus.go ++++ b/cmd/incusd/dev_incus.go +@@ -418,7 +418,12 @@ func findContainerForPid(pid int32, s *state.State) (instance.Container, error) + return nil, err + } + +- if strings.HasPrefix(string(cmdline), "[lxc monitor]") { ++ status, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid)) ++ if err != nil { ++ return nil, err ++ } ++ ++ if strings.HasPrefix(string(cmdline), "[lxc monitor]") && strings.Contains(string(status), fmt.Sprintf("NSpid: %d\n", pid)) { + // container names can't have spaces + parts := strings.Split(string(cmdline), " ") + name := strings.TrimSuffix(parts[len(parts)-1], "\x00") +@@ -442,11 +447,6 @@ func findContainerForPid(pid int32, s *state.State) (instance.Container, error) + return inst.(instance.Container), nil + } + +- status, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid)) +- if err != nil { +- return nil, err +- } +- + re, err := regexp.Compile(`^PPid:\s+([0-9]+)$`) + if err != nil { + return nil, err diff -Nru incus-6.0.4/debian/patches/103-CVE-2025-54286.patch incus-6.0.4/debian/patches/103-CVE-2025-54286.patch --- incus-6.0.4/debian/patches/103-CVE-2025-54286.patch 1970-01-01 00:00:00.000000000 +0000 +++ incus-6.0.4/debian/patches/103-CVE-2025-54286.patch 2025-08-14 
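Review bot: The `NSpid:` match in findContainerForPid depends on the exact whitespace the kernel emits, and this page's whitespace is collapsed so I cannot tell whether the format literal puts a tab or a space before `%d`; the kernel separates the values on that line with tabs, so a space there would never match and every monitor lookup would fall through to the PPid walk. A small test feeding a captured `/proc/<pid>/status` through the same comparison would pin this. The `cmdline` and `status` reads are two separate snapshots of a pid that could be reused between them, which the existing PPid walk already accepted, but a comment such as `// A single NSpid entry means the process lives in the same pid namespace as incusd, which only the real monitor does` would make the intent of the new condition explicit. findContainerForPid starts before the hunk.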
12:21:05.000000000 +0000 
@@ -0,0 +1,64 @@ +From 60a3670af35e45d6c7b62872b300d914eba05478 Mon Sep 17 00:00:00 2001 +From: Thomas Parrott +Date: Mon, 30 Jun 2025 15:23:50 +0100 +Subject: [PATCH 1/2] [lxd-import] lxd/daemon: Validate browser fetch metadata + if supplied to reject non-same-origin requests + +Imported from stable-5.0 (Apache 2.0 licensed) + +Signed-off-by: Thomas Parrott +(cherry picked from commit 35ac3922d60763c24b1474459c4401f7c8ed619b) +(cherry picked from commit 569b7d472b4fc1622579e0aed32dd445ba6f53d0) +--- + cmd/incusd/daemon.go | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/cmd/incusd/daemon.go b/cmd/incusd/daemon.go +index 29eb2155dcc..b310c67be1f 100644 +--- a/cmd/incusd/daemon.go ++++ b/cmd/incusd/daemon.go +@@ -766,6 +766,12 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c APIEndpoint) { + return response.Forbidden(errors.New("You must be authenticated")) + } + ++ // Protect against CSRF when using UI with browser that supports Fetch metadata. ++ // Deny Sec-Fetch-Site when set to cross-origin or same-site. ++ if slices.Contains([]string{"cross-site", "same-site"}, r.Header.Get("Sec-Fetch-Site")) { ++ return response.ErrorResponse(http.StatusForbidden, "Forbidden Sec-Fetch-Site header value") ++ } ++ + // Call the access handler if there is one. 
+ if action.AccessHandler != nil { + resp := action.AccessHandler(d, r) + +From 033789e9f1f108e03313f375c39e349c2b300c44 Mon Sep 17 00:00:00 2001 +From: Thomas Parrott +Date: Mon, 30 Jun 2025 16:11:58 +0100 +Subject: [PATCH 2/2] [lxd-import] test/suites/serverconfig: Check fetch + metadata header is validated + +Imported from stable-5.0 (Apache 2.0 licensed) + +Signed-off-by: Thomas Parrott +(cherry picked from commit ab548b1cadd14c0699721fa8c0ef3f66916915e8) +(cherry picked from commit 7adcc8e8ed354e60663113c99e18a60d5fe58b81) +--- + test/suites/serverconfig.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/suites/serverconfig.sh b/test/suites/serverconfig.sh +index bef4aa3e654..074ffc96b86 100644 +--- a/test/suites/serverconfig.sh ++++ b/test/suites/serverconfig.sh +@@ -15,6 +15,11 @@ test_server_config_access() { + + # test authentication type + curl --unix-socket "$INCUS_DIR/unix.socket" "incus/1.0" | jq .metadata.auth_methods | grep tls ++ ++ # test fetch metadata validation. ++ [ "$(curl --silent --unix-socket "$INCUS_DIR/unix.socket" -w "%{http_code}" -o /dev/null -H 'Sec-Fetch-Site: same-origin' "incus/1.0")" = "200" ] ++ [ "$(curl --silent --unix-socket "$INCUS_DIR/unix.socket" -w "%{http_code}" -o /dev/null -H 'Sec-Fetch-Site: cross-site' "incus/1.0")" = "403" ] ++ [ "$(curl --silent --unix-socket "$INCUS_DIR/unix.socket" -w "%{http_code}" -o /dev/null -H 'Sec-Fetch-Site: same-site' "incus/1.0")" = "403" ] + } + + test_server_config_storage() { diff -Nru incus-6.0.4/debian/patches/104-CVE-2025-54290_CVE-2025-54291.patch incus-6.0.4/debian/patches/104-CVE-2025-54290_CVE-2025-54291.patch --- incus-6.0.4/debian/patches/104-CVE-2025-54290_CVE-2025-54291.patch 1970-01-01 00:00:00.000000000 +0000 +++ incus-6.0.4/debian/patches/104-CVE-2025-54290_CVE-2025-54291.patch 2025-08-14 12:21:05.000000000 +0000 
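Review bot: The new Sec-Fetch-Site check builds a fresh two-element slice on every request; `switch r.Header.Get("Sec-Fetch-Site") { case "cross-site", "same-site": return response.ErrorResponse(http.StatusForbidden, "Forbidden Sec-Fetch-Site header value") }` says the same thing without the allocation. An absent header, `none` and `same-origin` pass by design because only browsers send fetch metadata, so the check hardens the UI path and is not a substitute for the authentication above it, which the comment could say outright. The accompanying serverconfig.sh test exercises the unix socket only; the browser-facing path is the HTTPS listener, and a curl against it with the same headers would confirm the check runs there too, though how createCmd's wrapper is attached per listener is outside the hunk.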
@@ -0,0 +1,123 @@ +From 5cb0fb9e7463e9d7fd31e4c435e068de3d3dadc6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 18 Jul 2025 01:58:49 +0200 +Subject: [PATCH 1/2] incusd/images: Restrict public image listing to default + project +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + cmd/incusd/images.go | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/cmd/incusd/images.go b/cmd/incusd/images.go +index fef7a6aae32..ef55baf62b7 100644 +--- a/cmd/incusd/images.go ++++ b/cmd/incusd/images.go +@@ -1786,17 +1786,19 @@ func doImagesGet(ctx context.Context, tx *db.ClusterTx, recursion bool, projectN + // "500": + // $ref: "#/responses/InternalServerError" + func imagesGet(d *Daemon, r *http.Request) response.Response { ++ s := d.State() ++ ++ // Get the parameters. + projectName := request.ProjectParam(r) + allProjects := util.IsTrue(r.FormValue("all-projects")) + filterStr := r.FormValue("filter") + +- // ProjectParam returns default if not set ++ // Make sure that we're not dealing with conflicting parameters. + if allProjects && projectName != api.ProjectDefaultName { + return response.BadRequest(fmt.Errorf("Cannot specify a project when requesting all projects")) + } + +- s := d.State() +- ++ // Check if the user is authenticated and what kind of access they may have. + hasPermission, authorizationErr := s.Authorizer.GetPermissionChecker(r.Context(), r, auth.EntitlementCanView, auth.ObjectTypeImage) + if authorizationErr != nil && !api.StatusErrorCheck(authorizationErr, http.StatusForbidden) { + return response.SmartError(authorizationErr) +@@ -1804,11 +1806,18 @@ func imagesGet(d *Daemon, r *http.Request) response.Response { + + public := d.checkTrustedClient(r) != nil || authorizationErr != nil + ++ // For unauthenticated/public requests, only the default profile may be queried. 
++ if public && (projectName != api.ProjectDefaultName || allProjects) { ++ return response.BadRequest(errors.New("Unauthenticated image queries are only possible against the default project")) ++ } ++ ++ // Process the filters. + clauses, err := filter.Parse(filterStr, filter.QueryOperatorSet()) + if err != nil { + return response.SmartError(fmt.Errorf("Invalid filter: %w", err)) + } + ++ // Get the image list. + var result any + err = s.DB.Cluster.Transaction(r.Context(), func(ctx context.Context, tx *db.ClusterTx) error { + result, err = doImagesGet(ctx, tx, localUtil.IsRecursionRequest(r), projectName, public, clauses, hasPermission, allProjects) + +From 8d817f1a4ceea0599301f3240ade070b0fd5d86c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 18 Jul 2025 01:59:17 +0200 +Subject: [PATCH 2/2] incusd/images: Use identical errors for all not-found + cases on public endpoints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + cmd/incusd/images.go | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/cmd/incusd/images.go b/cmd/incusd/images.go +index ef55baf62b7..b7af0d1854f 100644 +--- a/cmd/incusd/images.go ++++ b/cmd/incusd/images.go +@@ -3170,6 +3170,12 @@ func imageGet(d *Daemon, r *http.Request) response.Response { + return nil + }) + if err != nil { ++ // As this is a publicly available function, override any 404 to a standard reply. ++ // This avoids leaking information about the image or project existence. 
++ if response.IsNotFoundError(err) { ++ return response.NotFound(fmt.Errorf("Image %q not found", fingerprint)) ++ } ++ + return response.SmartError(err) + } + +@@ -3190,7 +3196,7 @@ func imageGet(d *Daemon, r *http.Request) response.Response { + } + + if !info.Public && public && op == nil { +- return response.NotFound(fmt.Errorf("Image %q not found", info.Fingerprint)) ++ return response.NotFound(fmt.Errorf("Image %q not found", fingerprint)) + } + + etag := []any{info.Public, info.AutoUpdate, info.Properties} +@@ -4186,6 +4192,12 @@ func imageExport(d *Daemon, r *http.Request) response.Response { + return err + }) + if err != nil { ++ // As this is a publicly available function, override any 404 to a standard reply. ++ // This avoids leaking information about the image or project existence. ++ if response.IsNotFoundError(err) { ++ return response.NotFound(fmt.Errorf("Image %q not found", fingerprint)) ++ } ++ + return response.SmartError(err) + } + +@@ -4217,7 +4229,7 @@ func imageExport(d *Daemon, r *http.Request) response.Response { + } + + if !imgInfo.Public && public && op == nil { +- return response.NotFound(fmt.Errorf("Image %q not found", imgInfo.Fingerprint)) ++ return response.NotFound(fmt.Errorf("Image %q not found", fingerprint)) + } + } + diff -Nru incus-6.0.4/debian/patches/105-CVE-2025-54289.patch incus-6.0.4/debian/patches/105-CVE-2025-54289.patch --- incus-6.0.4/debian/patches/105-CVE-2025-54289.patch 1970-01-01 00:00:00.000000000 +0000 +++ incus-6.0.4/debian/patches/105-CVE-2025-54289.patch 2025-09-29 14:51:55.000000000 +0000 
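Review bot: The comment above the new public check in imagesGet says `only the default profile may be queried`, but the condition and the error message are about projects; it should read `// For unauthenticated/public requests, only the default project may be queried.`. The imageGet and imageExport hunks then add the same six-line 404 override with an identical comment; a small helper returning the standardised not-found response for a fingerprint would keep the two in sync if the wording changes again. All three functions start before their hunks.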
@@ -0,0 +1,162 @@ +From 3cbda604ce91c9adf21006340d210510ae7e3f24 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 25 Jul 2025 17:36:03 -0400 +Subject: [PATCH 1/5] incusd/operations: Add IsSameRequestor +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + internal/server/operations/operations.go | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/internal/server/operations/operations.go b/internal/server/operations/operations.go +index af977a89c05..67084c9796c 100644 +--- a/internal/server/operations/operations.go ++++ b/internal/server/operations/operations.go +@@ -216,6 +216,22 @@ func (op *Operation) SetRequestor(r *http.Request) { + op.requestor = request.CreateRequestor(r) + } + ++// IsSameRequestor compares the current request requestor to that stored (if any). ++func (op *Operation) IsSameRequestor(r *http.Request) bool { ++ // If no requestor was previously recorded, it's not the same requestor. ++ if op.requestor == nil { ++ return false ++ } ++ ++ // Compare with the recorded requestor. ++ curRequestor := request.CreateRequestor(r) ++ if op.requestor.Username != curRequestor.Username || op.requestor.Protocol != curRequestor.Protocol { ++ return false ++ } ++ ++ return true ++} ++ + // CopyRequestor sets a requestor to match that of another operation. 
+ func (op *Operation) CopyRequestor(otherOp *Operation) { + op.requestor = otherOp.requestor + +From de7e28a3dc3801286022f2fed0c76b36a5c6e2f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 25 Jul 2025 17:41:07 -0400 +Subject: [PATCH 2/5] incusd/instance_console: Ensure requestor match +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + cmd/incusd/instance_console.go | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/cmd/incusd/instance_console.go b/cmd/incusd/instance_console.go +index 02e07e78ec3..1631c6146eb 100644 +--- a/cmd/incusd/instance_console.go ++++ b/cmd/incusd/instance_console.go +@@ -83,7 +83,12 @@ func (s *consoleWs) metadata() any { + return jmap.Map{"fds": fds} + } + +-func (s *consoleWs) Connect(op *operations.Operation, r *http.Request, w http.ResponseWriter) error { ++func (s *consoleWs) Connect(op *operations.Operation, r *http.Request, w http.ResponseWriter) error { ++ // Check that the user connecting is the same who started the session. 
++ if !op.IsSameRequestor(r) { ++ return api.StatusErrorf(http.StatusForbidden, "Requestor mismatch") ++ } ++ + switch s.protocol { + case instance.ConsoleTypeConsole: + return s.connectConsole(op, r, w) + +From 9fd73b55422e55404acb3698874ec4377b810330 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 25 Jul 2025 17:41:17 -0400 +Subject: [PATCH 3/5] incusd/instance_exec: Ensure requestor match +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + cmd/incusd/instance_exec.go | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/cmd/incusd/instance_exec.go b/cmd/incusd/instance_exec.go +index ab070b3cce9..4f119feed9c 100644 +--- a/cmd/incusd/instance_exec.go ++++ b/cmd/incusd/instance_exec.go +@@ -79,7 +79,12 @@ func (s *execWs) metadata() any { + } + } + +-func (s *execWs) Connect(op *operations.Operation, r *http.Request, w http.ResponseWriter) error { ++func (s *execWs) Connect(op *operations.Operation, r *http.Request, w http.ResponseWriter) error { ++ // Check that the user connecting is the same who started the session. ++ if !op.IsSameRequestor(r) { ++ return api.StatusErrorf(http.StatusForbidden, "Requestor mismatch") ++ } ++ + secret := r.FormValue("secret") + if secret == "" { + return fmt.Errorf("missing secret") + +From 5dab18f5741ef8e57e11aa819c5180666333849f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 25 Jul 2025 17:43:50 -0400 +Subject: [PATCH 4/5] incusd/auth/openfga: Restrict operations and events + access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Read-only users don't need to interact with operations or access the +events API as they can't perform any action that would require access to +either. 
+ +Signed-off-by: Stéphane Graber +--- + internal/server/auth/driver_openfga_model.openfga | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/internal/server/auth/driver_openfga_model.openfga b/internal/server/auth/driver_openfga_model.openfga +index c63d052edf5..e6da2b9d2c0 100644 +--- a/internal/server/auth/driver_openfga_model.openfga ++++ b/internal/server/auth/driver_openfga_model.openfga +@@ -95,8 +95,8 @@ type project + define can_create_storage_buckets: [user, group#member] or operator + define can_create_storage_volumes: [user, group#member] or operator + define can_edit: admin +- define can_view_events: [user, group#member] or viewer +- define can_view_operations: [user, group#member] or viewer ++ define can_view_events: [user, group#member] or user ++ define can_view_operations: [user, group#member] or user + define can_view: viewer + + type server + +From 1480a3a8568ef6293cf1b16b4df42758773c15fa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Fri, 25 Jul 2025 17:45:45 -0400 +Subject: [PATCH] incusd/auth/openfga: Rebuild model +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + internal/server/auth/driver_openfga_model.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/internal/server/auth/driver_openfga_model.go b/internal/server/auth/driver_openfga_model.go +index 00a45d84d21..a65ab2d2263 100644 +--- a/internal/server/auth/driver_openfga_model.go ++++ b/internal/server/auth/driver_openfga_model.go +@@ -2,4 +2,4 @@ package auth + + // Code generated by Makefile; DO NOT EDIT. 
+ +-var authModel = `{"schema_version":"1.1","type_definitions":[{"type":"user"},{"metadata":{"relations":{"member":{"directly_related_user_types":[{"type":"user"}]}}},"relations":{"member":{"this":{}}},"type":"group"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"server":{"directly_related_user_types":[{"type":"server"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_view":{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"server"}}},"server":{"this":{}}},"type":"certificate"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"image"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"proj
ect"}}}]}},"project":{"this":{}}},"type":"image_alias"},{"metadata":{"relations":{"admin":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_access_console":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_access_files":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_connect_sftp":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_edit":{},"can_exec":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_backups":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_snapshots":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_update_state":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"operator":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]},"user":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"viewer":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]}}},"relations":{"admin":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"project"}}}]}},"can_access_console":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_access_files":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_connect_sftp":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_edit":{"computedUserset":{"relation":"operator"}},"can_exec":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_manage_backups":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_manage_snapshots":{"union"
:{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_update_state":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_view":{"computedUserset":{"relation":"viewer"}},"operator":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}},"user":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}},{"tupleToUserset":{"computedUserset":{"relation":"user"},"tupleset":{"relation":"project"}}}]}},"viewer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}}},"type":"instance"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"network"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tu
pleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"network_acl"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"server":{"directly_related_user_types":[{"type":"server"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_view":{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"server"}}},"server":{"this":{}}},"type":"network_integration"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"network_zone"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"profile"},{"metadata":{
"relations":{"admin":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_image_aliases":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_images":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_instances":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_network_acls":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_network_zones":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_networks":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_profiles":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_storage_buckets":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_storage_volumes":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_edit":{},"can_view":{},"can_view_events":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view_operations":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"operator":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"server":{"directly_related_user_types":[{"type":"server"}]},"user":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"viewer":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]}}},"relations":{"admin":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_create_image_aliases":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_images":{"union":{"child":
[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_instances":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_network_acls":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_network_zones":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_networks":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_profiles":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_storage_buckets":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_storage_volumes":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_edit":{"computedUserset":{"relation":"admin"}},"can_view":{"computedUserset":{"relation":"viewer"}},"can_view_events":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"viewer"}}]}},"can_view_operations":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"viewer"}}]}},"operator":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"server"}}}]}},"server":{"this":{}},"user":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}},{"tupleToUserset":{"computedUserset":{"relation":"user"},"tupleset":{"relation":"server"}}}]}},"viewer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"server"}}}]}}},"type":"project"},{"metadata":{"relations":{"admin":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"authenticated":{"directly_related_user_types":[{"type":"user","wildcard":{}}]},"can_create_certificates":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_network_integrati
ons":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_projects":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_storage_pools":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_edit":{},"can_override_cluster_target_restriction":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"can_view_metrics":{},"can_view_privileged_events":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view_resources":{},"can_view_sensitive":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"operator":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"user":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"viewer":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]}}},"relations":{"admin":{"this":{}},"authenticated":{"this":{}},"can_create_certificates":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_create_network_integrations":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_create_projects":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_create_storage_pools":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_edit":{"computedUserset":{"relation":"admin"}},"can_override_cluster_target_restriction":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_view":{"computedUserset":{"relation":"authenticated"}},"can_view_metrics":{"computedUserset":{"relation":"authenticated"}},"can_view_privileged_events":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_view_resources":{"computedUserset":{"relation":"authenticated"}},"can_view_sensitive":{"unio
n":{"child":[{"this":{}},{"computedUserset":{"relation":"viewer"}}]}},"operator":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"user":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"viewer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}}},"type":"server"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"storage_bucket"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"server":{"directly_related_user_types":[{"type":"server"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_view":{"tupleToUserset":{"computedUserset":{"relation":"authenticated"},"tupleset":{"relation":"server"}}},"server":{"this":{}}},"type":"storage_pool"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_backups":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_snapshots":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_t
ypes":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_manage_backups":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}}]}},"can_manage_snapshots":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"storage_volume"}]}`
++var authModel = `{"schema_version":"1.1","type_definitions":[{"type":"user"},{"metadata":{"relations":{"member":{"directly_related_user_types":[{"type":"user"}]}}},"relations":{"member":{"this":{}}},"type":"group"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"server":{"directly_related_user_types":[{"type":"server"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_view":{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"server"}}},"server":{"this":{}}},"type":"certificate"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"image
"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"image_alias"},{"metadata":{"relations":{"admin":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_access_console":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_access_files":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_connect_sftp":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_edit":{},"can_exec":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_backups":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_snapshots":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_update_state":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"operator":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]},"user":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"viewer":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]}}},"relations":{"admin":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUs
erset":{"relation":"admin"},"tupleset":{"relation":"project"}}}]}},"can_access_console":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_access_files":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_connect_sftp":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_edit":{"computedUserset":{"relation":"operator"}},"can_exec":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_manage_backups":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_manage_snapshots":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_update_state":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_view":{"computedUserset":{"relation":"viewer"}},"operator":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}},"user":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}},{"tupleToUserset":{"computedUserset":{"relation":"user"},"tupleset":{"relation":"project"}}}]}},"viewer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}}},"type":"instance"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"vie
wer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"network"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"network_acl"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"server":{"directly_related_user_types":[{"type":"server"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_view":{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"server"}}},"server":{"this":{}}},"type":"network_integration"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"network_zone"},{"metadata":{"relations":{"can_edit":{"directly_related_user_t
ypes":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"profile"},{"metadata":{"relations":{"admin":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_image_aliases":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_images":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_instances":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_network_acls":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_network_zones":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_networks":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_profiles":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_storage_buckets":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_storage_volumes":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_edit":{},"can_view":{},"can_view_events":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view_operations":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"operator":{"directly_re
lated_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"server":{"directly_related_user_types":[{"type":"server"}]},"user":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"viewer":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]}}},"relations":{"admin":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_create_image_aliases":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_images":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_instances":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_network_acls":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_network_zones":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_networks":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_profiles":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_storage_buckets":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_create_storage_volumes":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"can_edit":{"computedUserset":{"relation":"admin"}},"can_view":{"computedUserset":{"relation":"viewer"}},"can_view_events":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"can_view_operations":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}},"operator":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"server"}}}]}},"server":{"this":{}},"user":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}},{"tupleToUserset":{"
computedUserset":{"relation":"user"},"tupleset":{"relation":"server"}}}]}},"viewer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"server"}}}]}}},"type":"project"},{"metadata":{"relations":{"admin":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"authenticated":{"directly_related_user_types":[{"type":"user","wildcard":{}}]},"can_create_certificates":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_network_integrations":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_projects":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_create_storage_pools":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_edit":{},"can_override_cluster_target_restriction":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"can_view_metrics":{},"can_view_privileged_events":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view_resources":{},"can_view_sensitive":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"operator":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"user":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"viewer":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]}}},"relations":{"admin":{"this":{}},"authenticated":{"this":{}},"can_create_certificates":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_create_network_integrations":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_create_projects":{"union":{"child":[{"this":{}},{"computedUserset":{"relation"
:"admin"}}]}},"can_create_storage_pools":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_edit":{"computedUserset":{"relation":"admin"}},"can_override_cluster_target_restriction":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_view":{"computedUserset":{"relation":"authenticated"}},"can_view_metrics":{"computedUserset":{"relation":"authenticated"}},"can_view_privileged_events":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"can_view_resources":{"computedUserset":{"relation":"authenticated"}},"can_view_sensitive":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"viewer"}}]}},"operator":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"admin"}}]}},"user":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"operator"}}]}},"viewer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"user"}}]}}},"type":"server"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"storage_bucket"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{},"server":{"directly_related_user_types":[{"type":"server"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"admin"},"tupleset":{"relation":"server"}}}]}},"can_view":{"tuple
ToUserset":{"computedUserset":{"relation":"authenticated"},"tupleset":{"relation":"server"}}},"server":{"this":{}}},"type":"storage_pool"},{"metadata":{"relations":{"can_edit":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_backups":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_manage_snapshots":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"can_view":{"directly_related_user_types":[{"type":"user"},{"relation":"member","type":"group"}]},"project":{"directly_related_user_types":[{"type":"project"}]}}},"relations":{"can_edit":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"operator"},"tupleset":{"relation":"project"}}}]}},"can_manage_backups":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}}]}},"can_manage_snapshots":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}}]}},"can_view":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"can_edit"}},{"tupleToUserset":{"computedUserset":{"relation":"viewer"},"tupleset":{"relation":"project"}}}]}},"project":{"this":{}}},"type":"storage_volume"}]}`
diff -Nru incus-6.0.4/debian/patches/series incus-6.0.4/debian/patches/series
--- incus-6.0.4/debian/patches/series 2025-04-19 18:45:49.000000000 +0000
+++ incus-6.0.4/debian/patches/series 2025-10-02 14:47:22.000000000 +0000
@@ -5,3 +5,9 @@
 005-cherry-pick-qemu-socket-cleanup.patch
 006-cherry-pick-agent-mount-retry.patch
 007-cherry-pick-usb-hotplug-fix.patch
+100-CVE-2025-54293.patch
+101-CVE-2025-54287.patch
+102-CVE-2025-54288.patch
+103-CVE-2025-54286.patch
+104-CVE-2025-54290_CVE-2025-54291.patch
+105-CVE-2025-54289.patch