Re: [libvirt] [PATCHv2 3/8] audit: also audit cgroup controller path

Wednesday, 9 March 2011

On Tue, Mar 08, 2011 at 10:13:45PM -0700, Eric Blake wrote:
...
 Although the cgroup device ACL controller path can be worked out
 by researching the code, it is more efficient to include that
 information directly in the audit message.

 * src/util/cgroup.h (virCgroupPathOfController): New prototype.
 * src/util/cgroup.c (virCgroupPathOfController): Export.
 * src/libvirt_private.syms: Likewise.
 * src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.
 ---

 v2: rebase onto other changes

  src/libvirt_private.syms |    1 +
  src/qemu/qemu_audit.c    |   19 ++++++++++++++++---
  src/util/cgroup.c        |    8 ++++----
  src/util/cgroup.h        |    5 +++++
  4 files changed, 26 insertions(+), 7 deletions(-)

 diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
 index efcf3c5..c0da78e 100644
 --- a/src/libvirt_private.syms
 +++ b/src/libvirt_private.syms
 @@ -79,6 +79,7 @@ virCgroupKill;
  virCgroupKillRecursive;
  virCgroupKillPainfully;
  virCgroupMounted;
 +virCgroupPathOfController;
  virCgroupRemove;
  virCgroupSetBlkioWeight;
  virCgroupSetCpuShares;
 diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
 index 56b0b74..08eb431 100644
 --- a/src/qemu/qemu_audit.c
 +++ b/src/qemu/qemu_audit.c
 @@ -216,11 +216,13 @@ cleanup:
   * Log an audit message about an attempted cgroup device ACL change.
   */
  void
 -qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
 +qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
                  const char *reason, const char *extra, bool success)
  {
      char uuidstr[VIR_UUID_STRING_BUFLEN];
      char *vmname;
 +    char *controller = NULL;
 +    char *detail;

      virUUIDFormat(vm->def->uuid, uuidstr);
      if (!(vmname = virAuditEncode("vm", vm->def->name))) {
 @@ -228,11 +230,22 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup
ATTRIBUTE_UNUSED,
          return;
      }

 +    virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
 +                              NULL, &controller);
 +
 +    if (!(detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller)))) {
 +        VIR_WARN0("OOM while encoding audit message");
 +        goto cleanup;
 +    }
 +
      VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
 -              "resrc=cgroup reason=%s %s uuid=%s class=%s",
 -              reason, vmname, uuidstr, extra);
 +              "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
 +              reason, vmname, uuidstr, detail, extra); 
I think perhaps we should make a better effort to output the
audit event if creating 'detail' fails. eg remove the goto cleanup
and do  'detail ? detail : "cgroup=?"' here

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [PATCHv2 3/8] audit: also audit cgroup controller path