Re: [PATCH] qemu: Add audit entries for suspend and resume

On Tue, Jan 07, 2025 at 12:06:59PM +0100, Michal Prívozník wrote: Actually, I'm not convinced it makese sense to call virDomainAuditStart / virDomainAuditStop for these cases. Start is used when a domain is created (eg QEMU spawned) and records all the host resources that are now used. Stop is used when a domain is destroyed (eg QEMU killed) and thus indicates that host resources are no longer in use. Resume / suspend are not creating/destroying a domain, they are merely changing the CPU running state. I'm not really convinced that these operations are compelling to audit, since they're not changing what host resources are in use. Even when guest CPUs stopped, you still have incidental host CPU usage by the emulator itself, and all the other host resources remain open by the emulator. If we really do need to audit this, I'd suggest completely distinct audit events from stop/start, but personally I'd push back against this auditors request first, as it doesn't fit with the rationale for auditing IMHO. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|