On Tue, Mar 08, 2011 at 10:13:46PM -0700, Eric Blake wrote:
Passing the vhost net device fd to qemu is worth an audit point, since it is a kernel-managed device.
This patch points out that qemu still can't hot-plug and hot-unplug vhost-net interfaces.
* src/qemu/qemu_audit.h (qemuAuditNetVhost): New prototype. * src/qemu/qemu_audit.c (qemuAuditNetVhost): New function. * src/qemu/qemu_command.c (qemuOpenVhostNet): Add audit point and new parameter. (qemuBuildCommandLine): Adjust caller. ---
v2: new patch; still missing an audit point for where /dev/net/tun is opened, and the name should probably be qemuAuditNetDevice (since it is feasible to open just /dev/net/tun and not /dev/vhost-net when the xml asks for that). Perhaps should be shuffled to live after patch 8/8.
There are several devices for networking - With type=bridge or type=network, /dev/net/tun is opened to get a FD for a tap device instance - With type=direct, /dev/tap%d is opened to get an FD for a macvtap device instance In both cases, /dev/vhost-net can *also* be opened. The tun/macvtap device provides the connectivity to the host NIC. The vhost-net device provides kernel acceleration for the QEMU NIC backend So I think we need to be auditing all of these devices, if we're going todo any of them
+void +qemuAuditNetVhost(virDomainDefPtr vmDef, + virDomainNetDefPtr netDef, const char *device, + const char *reason, bool success) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + char macstr[VIR_MAC_STRING_BUFLEN]; + char *vmname; + char *devname; + char *rdev; + + virUUIDFormat(vmDef->uuid, uuidstr); + virFormatMacAddr(netDef->mac, macstr); + if (!(vmname = virAuditEncode("vm", vmDef->name)) || + !(devname = virAuditEncode("path", device)) || + !(rdev = qemuAuditGetRdev(device))) { + VIR_WARN0("OOM while encoding audit message"); + goto cleanup; + } + + VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success, + "resrc=net reason=%s %s uuid=%s net='%s' %s %s", + reason, vmname, uuidstr, + macstr, devname, rdev);
A similar thought here about rdev as per the earlier patch in the series -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|