[libvirt] [PATCHv2 2/2] audit: Audit smartcard devices

--- docs/auditlog.html.in | 20 ++++++++++++++++++++ src/conf/domain_audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in index 8528b52..8a007ca 100644 --- a/docs/auditlog.html.in +++ b/docs/auditlog.html.in @@ -301,6 +301,26 @@ <dd>Updated path of the backing character device for given emulated device</dd> </dl> + <h4><a name="typeresourcesmartcard">smartcard</a></h4> + <p> + The <code>msg</code> field will include the following sub-fields + </p> + + <dl> + <dt>reason</dt> + <dd>The reason which caused the resource to be assigned to happen</dd> + <dt>resrc</dt> + <dd>The type of resource assigned. Set to <code>smartcard</code></dd> + <dt>old-smartcard</dt> + <dd>Original path of the backing character device, certificate store or + "nss-smartcard-device" for host smartcard passthrough. + </dd> + <dt>new-smartcard</dt> + <dd>Updated path of the backing character device, certificate store or + "nss-smartcard-device" for host smartcard passthrough. + </dd> + </dl> + <h4><a name="typeresourceredir">Redirected device</a></h4> <p> The <code>msg</code> field will include the following sub-fields diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c index 23bb4a7..a3d6c67 100644 --- a/src/conf/domain_audit.c +++ b/src/conf/domain_audit.c @@ -177,6 +177,51 @@ virDomainAuditChardev(virDomainObjPtr vm, } +static void +virDomainAuditSmartcard(virDomainObjPtr vm, + virDomainSmartcardDefPtr def, + const char *reason, + bool success) +{ + const char *database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; + size_t i; + + if (def) { + switch ((virDomainSmartcardType) def->type) { + case VIR_DOMAIN_SMARTCARD_TYPE_HOST: + virDomainAuditGenericDev(vm, "smartcard", + NULL, "nss-smartcard-device", + reason, success); + break; + + case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES: + for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) { + virDomainAuditGenericDev(vm, "smartcard", NULL, + def->data.cert.file[i], + reason, success); + } + + if (def->data.cert.database) + database = def->data.cert.database; + + virDomainAuditGenericDev(vm, "smartcard", + NULL, database, + reason, success); + break; + + case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: + virDomainAuditGenericDev(vm, "smartcard", NULL, + virDomainAuditChardevPath(&def->data.passthru), + reason, success); + break; + + case VIR_DOMAIN_SMARTCARD_TYPE_LAST: + break; + } + } +} + + void virDomainAuditDisk(virDomainObjPtr vm, virStorageSourcePtr oldDef, @@ -814,6 +859,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success) virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start", true); } + for (i = 0; i < vm->def->nsmartcards; i++) + virDomainAuditSmartcard(vm, vm->def->smartcards[i], "start", true); + if (vm->def->rng) virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true); -- 1.9.3