On Tue, Mar 12, 2013 at 12:25:14PM +0100, Peter Krempa wrote:
On 03/12/13 12:19, Daniel P. Berrange wrote:
>On Mon, Mar 11, 2013 at 05:19:36PM +0100, Peter Krempa wrote:
>>This patch adds auditing of resources used by the 'random' backend of
>>virtio RNG.
>>---
>>If there's desire to audit also use of the "egd" backend that uses
a
>>generic character device, a way how to audit this device will need to be
>>introduced. We don't audit useage of chardevs right now.
>>
>> src/conf/domain_audit.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 76 insertions(+)
>
>Can you update the commit message to give an example of the exact
>audit message that is generated from this. Also please Cc Steve
>Grubb when you re-post this, for sign-off from his position as
>audit tools maintainer.
Okay.
>
>>+static void
>>+virDomainAuditRNG(virDomainObjPtr vm,
>>+ virDomainRNGDefPtr newDef, virDomainRNGDefPtr oldDef,
>>+ const char *reason, bool success)
>>+{
>>+ char uuidstr[VIR_UUID_STRING_BUFLEN];
>>+ char *vmname;
>>+ char *oldsrc = NULL;
>>+ char *newsrc = NULL;
>>+ const char *virt;
>>+
>>+ virUUIDFormat(vm->def->uuid, uuidstr);
>>+ if (!(vmname = virAuditEncode("vm", vm->def->name)))
>>+ goto no_memory;
>>+
>>+ if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
>>+ VIR_WARN("Unexpected virt type %d while encoding audit
message", vm->def->virtType);
>>+ virt = "?";
>>+ }
>>+
>>+ if (newDef) {
>>+ switch (newDef->backend) {
>>+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
>>+ if (!(newsrc = virAuditEncode("new-rng",
VIR_AUDIT_STR(newDef->source.file))))
>
>Can't newDef->source.file be NULL ? In such a case we need to explicitly
>fill in the file that QEMU will default to in the audit record. We can't
>leave the filename blank
Ah, yeah.
>
>>+ goto no_memory;
>>+ break;
>>+
>>+ case VIR_DOMAIN_RNG_BACKEND_EGD:
>>+ case VIR_DOMAIN_RNG_BACKEND_LAST:
>>+ if (!(newsrc = virAuditEncode("new-rng", "?")))
>
>We need to specify the EGD unix socket path we use too, not merely '?'.
This can be set to multiple things as the backend is a chardev from
point of view of qemu:
The data can be transported using: TCP, UDP, unix sockets and a ton
of other stuff, and we don't have a precedent case for this. Is
there a need to represend TCP backends? Or auditing is meant just
for local stuff?
We don't have code for auditing serial/parallel/channel devices
since it was out of scope for the original security certification.
We need to fix that at some point, so yes, labelling chardevs is
relevant. We don't need to worry about network cases, only where
the chardev points to some resource that is visible in the host
filesystem, so a plain file, device node, UNIX socket, etc
Dnaiel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|