[libvirt] [PATCHv2 3/8] audit: also audit cgroup controller path

Tuesday, 8 March 2011

Although the cgroup device ACL controller path can be worked out
by researching the code, it is more efficient to include that
information directly in the audit message.

* src/util/cgroup.h (virCgroupPathOfController): New prototype.
* src/util/cgroup.c (virCgroupPathOfController): Export.
* src/libvirt_private.syms: Likewise.
* src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.
---

v2: rebase onto other changes

 src/libvirt_private.syms |    1 +
 src/qemu/qemu_audit.c    |   19 ++++++++++++++++---
 src/util/cgroup.c        |    8 ++++----
 src/util/cgroup.h        |    5 +++++
 4 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index efcf3c5..c0da78e 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -79,6 +79,7 @@ virCgroupKill;
 virCgroupKillRecursive;
 virCgroupKillPainfully;
 virCgroupMounted;
+virCgroupPathOfController;
 virCgroupRemove;
 virCgroupSetBlkioWeight;
 virCgroupSetCpuShares;
diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
index 56b0b74..08eb431 100644
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -216,11 +216,13 @@ cleanup:
  * Log an audit message about an attempted cgroup device ACL change.
  */
 void
-qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
+qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
                 const char *reason, const char *extra, bool success)
 {
     char uuidstr[VIR_UUID_STRING_BUFLEN];
     char *vmname;
+    char *controller = NULL;
+    char *detail;

     virUUIDFormat(vm->def->uuid, uuidstr);
     if (!(vmname = virAuditEncode("vm", vm->def->name))) {
@@ -228,11 +230,22 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup
ATTRIBUTE_UNUSED,
         return;
     }

+    virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
+                              NULL, &controller);
+
+    if (!(detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller)))) {
+        VIR_WARN0("OOM while encoding audit message");
+        goto cleanup;
+    }
+
     VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
-              "resrc=cgroup reason=%s %s uuid=%s class=%s",
-              reason, vmname, uuidstr, extra);
+              "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
+              reason, vmname, uuidstr, detail, extra);

+cleanup:
     VIR_FREE(vmname);
+    VIR_FREE(controller);
+    VIR_FREE(detail);
 }

 /**
diff --git a/src/util/cgroup.c b/src/util/cgroup.c
index 8551acd..46358ab 100644
--- a/src/util/cgroup.c
+++ b/src/util/cgroup.c
@@ -254,10 +254,10 @@ static int virCgroupDetect(virCgroupPtr group)
 #endif


-static int virCgroupPathOfController(virCgroupPtr group,
-                                     int controller,
-                                     const char *key,
-                                     char **path)
+int virCgroupPathOfController(virCgroupPtr group,
+                              int controller,
+                              const char *key,
+                              char **path)
 {
     if (controller == -1) {
         int i;
diff --git a/src/util/cgroup.h b/src/util/cgroup.h
index d468cb3..b3c5f27 100644
--- a/src/util/cgroup.h
+++ b/src/util/cgroup.h
@@ -40,6 +40,11 @@ int virCgroupForDomain(virCgroupPtr driver,
                        virCgroupPtr *group,
                        int create);

+int virCgroupPathOfController(virCgroupPtr group,
+                              int controller,
+                              const char *key,
+                              char **path);
+
 int virCgroupAddTask(virCgroupPtr group, pid_t pid);

 int virCgroupSetBlkioWeight(virCgroupPtr group, unsigned int weight);
-- 
1.7.4


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCHv2 3/8] audit: also audit cgroup controller path