
On Tue, Mar 08, 2011 at 10:13:45PM -0700, Eric Blake wrote:
Although the cgroup device ACL controller path can be worked out by researching the code, it is more efficient to include that information directly in the audit message.
* src/util/cgroup.h (virCgroupPathOfController): New prototype. * src/util/cgroup.c (virCgroupPathOfController): Export. * src/libvirt_private.syms: Likewise. * src/qemu/qemu_audit.c (qemuAuditCgroup): Use it. ---
v2: rebase onto other changes
src/libvirt_private.syms | 1 + src/qemu/qemu_audit.c | 19 ++++++++++++++++--- src/util/cgroup.c | 8 ++++---- src/util/cgroup.h | 5 +++++ 4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index efcf3c5..c0da78e 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -79,6 +79,7 @@ virCgroupKill;
 virCgroupKillRecursive;
 virCgroupKillPainfully;
 virCgroupMounted;
+virCgroupPathOfController;
 virCgroupRemove;
 virCgroupSetBlkioWeight;
 virCgroupSetCpuShares;
diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
index 56b0b74..08eb431 100644
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -216,11 +216,13 @@ cleanup:
 * Log an audit message about an attempted cgroup device ACL change.
 */
 void
-qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
+qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
 const char *reason, const char *extra, bool success)
 {
 char uuidstr[VIR_UUID_STRING_BUFLEN];
 char *vmname;
+ char *controller = NULL;
+ char *detail;
virUUIDFormat(vm->def->uuid, uuidstr);
 if (!(vmname = virAuditEncode("vm", vm->def->name))) {
@@ -228,11 +230,22 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
 return;
 }
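Review bot: In the first qemu_audit.c hunk `char *detail;` is added without an initializer while its sibling `char *controller = NULL;` is; proposing `char *detail = NULL;` so the function's cleanup label, which lies outside this hunk, can release both pointers unconditionally without reading an indeterminate value on an early exit. The `&controller` out-parameter passed to virCgroupPathOfController in the following hunk presumably hands back heap memory, so the cleanup path should also VIR_FREE it; that part of the function is not quoted here, so confirm against the full patch. qemuAuditCgroup's body continues past this hunk.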
+ virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
+ NULL, &controller);
+
+ if (!(detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller)))) {
+ VIR_WARN0("OOM while encoding audit message");
+ goto cleanup;
+ }
+
 VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
- "resrc=cgroup reason=%s %s uuid=%s class=%s",
- reason, vmname, uuidstr, extra);
+ "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
+ reason, vmname, uuidstr, detail, extra);
I think perhaps we should make a better effort to output the audit event if creating 'detail' fails, e.g. remove the goto cleanup and do 'detail ? detail : "cgroup=?"' here. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|