7:25 a.m.
V2 adds docs to docs/auditlog.html.in and doesn't log the shared serial/console
def twice. Sending for sanity review of language :)
Peter Krempa (2):
audit: Add auditing for serial/parallel/channel/console character devs
audit: Audit smartcard devices
docs/auditlog.html.in | 35 +++++++++++++++++++
src/conf/domain_audit.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_audit.h | 7 ++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_hotplug.c | 17 +++++----
5 files changed, 144 insertions(+), 6 deletions(-)
--
1.9.3
7:25 a.m.
New subject: [libvirt] [PATCHv2 1/2] audit: Add auditing for serial/parallel/channel/console character devs
Add startup auditing and also hotplug auditing for said devices.
---
docs/auditlog.html.in | 15 +++++++++++++++
src/conf/domain_audit.c | 42 ++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_audit.h | 7 +++++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_hotplug.c | 17 +++++++++++------
5 files changed, 76 insertions(+), 6 deletions(-)
diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in
index 24cd8e9..8528b52 100644
--- a/docs/auditlog.html.in
+++ b/docs/auditlog.html.in
@@ -285,6 +285,21 @@
<dd>Updated path of the host entropy source for the RNG</dd>
</dl>
+ <h4><a
name="typeresourcechardev">console/serial/parallel/channel</a></h4>
+ <p>
+ The <code>msg</code> field will include the following sub-fields
+ </p>
+
+ <dl>
+ <dt>reason</dt>
+ <dd>The reason which caused the resource to be assigned to happen</dd>
+ <dt>resrc</dt>
+ <dd>The type of resource assigned. Set to
<code>chardev</code></dd>
+ <dt>old-chardev</dt>
+ <dd>Original path of the backing character device for given emulated
device</dd>
+ <dt>new-chardev</dt>
+ <dd>Updated path of the backing character device for given emulated
device</dd>
+ </dl>
<h4><a name="typeresourceredir">Redirected
device</a></h4>
<p>
diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c
index 6e11f39..23bb4a7 100644
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@@ -155,6 +155,29 @@ virDomainAuditGenericDev(virDomainObjPtr vm,
void
+virDomainAuditChardev(virDomainObjPtr vm,
+ virDomainChrDefPtr oldDef,
+ virDomainChrDefPtr newDef,
+ const char *reason,
+ bool success)
+{
+ virDomainChrSourceDefPtr oldsrc = NULL;
+ virDomainChrSourceDefPtr newsrc = NULL;
+
+ if (oldDef)
+ oldsrc = &oldDef->source;
+
+ if (newDef)
+ newsrc = &newDef->source;
+
+ virDomainAuditGenericDev(vm, "chardev",
+ virDomainAuditChardevPath(oldsrc),
+ virDomainAuditChardevPath(newsrc),
+ reason, success);
+}
+
+
+void
virDomainAuditDisk(virDomainObjPtr vm,
virStorageSourcePtr oldDef,
virStorageSourcePtr newDef,
@@ -772,6 +795,25 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool
success)
virDomainAuditRedirdev(vm, redirdev, "start", true);
}
+ for (i = 0; i < vm->def->nserials; i++)
+ virDomainAuditChardev(vm, NULL, vm->def->serials[i], "start",
true);
+
+ for (i = 0; i < vm->def->nparallels; i++)
+ virDomainAuditChardev(vm, NULL, vm->def->parallels[i], "start",
true);
+
+ for (i = 0; i < vm->def->nchannels; i++)
+ virDomainAuditChardev(vm, NULL, vm->def->channels[i], "start",
true);
+
+ for (i = 0; i < vm->def->nconsoles; i++) {
+ if (i == 0 &&
+ (vm->def->consoles[i]->targetType ==
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL ||
+ vm->def->consoles[i]->targetType ==
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_NONE) &&
+ STREQ_NULLABLE(vm->def->os.type, "hvm"))
+ continue;
+
+ virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start",
true);
+ }
+
if (vm->def->rng)
virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);
diff --git a/src/conf/domain_audit.h b/src/conf/domain_audit.h
index 58d25a4..3434feb 100644
--- a/src/conf/domain_audit.h
+++ b/src/conf/domain_audit.h
@@ -111,4 +111,11 @@ void virDomainAuditRedirdev(virDomainObjPtr vm,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
+void virDomainAuditChardev(virDomainObjPtr vm,
+ virDomainChrDefPtr oldDef,
+ virDomainChrDefPtr newDef,
+ const char *reason,
+ bool success)
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
+
#endif /* __VIR_DOMAIN_AUDIT_H__ */
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 29e9db9..18d5f28 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -116,6 +116,7 @@ virDomainPCIAddressValidate;
virDomainAuditCgroup;
virDomainAuditCgroupMajor;
virDomainAuditCgroupPath;
+virDomainAuditChardev;
virDomainAuditDisk;
virDomainAuditFS;
virDomainAuditHostdev;
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index b6033df..1fc28b8 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1458,18 +1458,20 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) {
qemuDomainObjExitMonitor(driver, vm);
- goto cleanup;
+ goto audit;
}
if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) {
/* detach associated chardev on error */
qemuMonitorDetachCharDev(priv->mon, charAlias);
qemuDomainObjExitMonitor(driver, vm);
- goto cleanup;
+ goto audit;
}
qemuDomainObjExitMonitor(driver, vm);
ret = 0;
+ audit:
+ virDomainAuditChardev(vm, NULL, chr, "attach", ret == 0);
cleanup:
if (ret < 0 && need_remove)
qemuDomainChrRemove(vmdef, chr);
@@ -2749,6 +2751,7 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
char *charAlias = NULL;
qemuDomainObjPrivatePtr priv = vm->privateData;
int ret = -1;
+ int rc;
VIR_DEBUG("Removing character device %s from domain %p %s",
chr->info.alias, vm, vm->def->name);
@@ -2757,12 +2760,14 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
goto cleanup;
qemuDomainObjEnterMonitor(driver, vm);
- if (qemuMonitorDetachCharDev(priv->mon, charAlias) < 0) {
- qemuDomainObjExitMonitor(driver, vm);
- goto cleanup;
- }
+ rc = qemuMonitorDetachCharDev(priv->mon, charAlias);
qemuDomainObjExitMonitor(driver, vm);
+ virDomainAuditChardev(vm, chr, NULL, "detach", rc == 0);
+
+ if (rc < 0)
+ goto cleanup;
+
event = virDomainEventDeviceRemovedNewFromObj(vm, chr->info.alias);
if (event)
qemuDomainEventQueue(driver, event);
--
1.9.3
4:47 p.m.
New subject: [libvirt] [PATCHv2 1/2] audit: Add auditing for serial/parallel/channel/console character devs
On 07/04/2014 06:25 AM, Peter Krempa wrote:
Add startup auditing and also hotplug auditing for said devices.
---
docs/auditlog.html.in | 15 +++++++++++++++
src/conf/domain_audit.c | 42 ++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_audit.h | 7 +++++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_hotplug.c | 17 +++++++++++------
5 files changed, 76 insertions(+), 6 deletions(-)
diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in
index 24cd8e9..8528b52 100644
--- a/docs/auditlog.html.in
+++ b/docs/auditlog.html.in
@@ -285,6 +285,21 @@
<dd>Updated path of the host entropy source for the RNG</dd>
</dl>
+ <h4><a
name="typeresourcechardev">console/serial/parallel/channel</a></h4>
+ <p>
+ The <code>msg</code> field will include the following sub-fields
+ </p>
+
+ <dl>
+ <dt>reason</dt>
+ <dd>The reason which caused the resource to be assigned to happen</dd>
Already pushed, but this might read better as:
The reason which caused the change in resource assignment
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
7:25 a.m.
New subject: [libvirt] [PATCHv2 2/2] audit: Audit smartcard devices
---
docs/auditlog.html.in | 20 ++++++++++++++++++++
src/conf/domain_audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+)
diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in
index 8528b52..8a007ca 100644
--- a/docs/auditlog.html.in
+++ b/docs/auditlog.html.in
@@ -301,6 +301,26 @@
<dd>Updated path of the backing character device for given emulated
device</dd>
</dl>
+ <h4><a
name="typeresourcesmartcard">smartcard</a></h4>
+ <p>
+ The <code>msg</code> field will include the following sub-fields
+ </p>
+
+ <dl>
+ <dt>reason</dt>
+ <dd>The reason which caused the resource to be assigned to happen</dd>
+ <dt>resrc</dt>
+ <dd>The type of resource assigned. Set to
<code>smartcard</code></dd>
+ <dt>old-smartcard</dt>
+ <dd>Original path of the backing character device, certificate store or
+ "nss-smartcard-device" for host smartcard passthrough.
+ </dd>
+ <dt>new-smartcard</dt>
+ <dd>Updated path of the backing character device, certificate store or
+ "nss-smartcard-device" for host smartcard passthrough.
+ </dd>
+ </dl>
+
<h4><a name="typeresourceredir">Redirected
device</a></h4>
<p>
The <code>msg</code> field will include the following sub-fields
diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c
index 23bb4a7..a3d6c67 100644
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@@ -177,6 +177,51 @@ virDomainAuditChardev(virDomainObjPtr vm,
}
+static void
+virDomainAuditSmartcard(virDomainObjPtr vm,
+ virDomainSmartcardDefPtr def,
+ const char *reason,
+ bool success)
+{
+ const char *database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+ size_t i;
+
+ if (def) {
+ switch ((virDomainSmartcardType) def->type) {
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+ virDomainAuditGenericDev(vm, "smartcard",
+ NULL, "nss-smartcard-device",
+ reason, success);
+ break;
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+ for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) {
+ virDomainAuditGenericDev(vm, "smartcard", NULL,
+ def->data.cert.file[i],
+ reason, success);
+ }
+
+ if (def->data.cert.database)
+ database = def->data.cert.database;
+
+ virDomainAuditGenericDev(vm, "smartcard",
+ NULL, database,
+ reason, success);
+ break;
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+ virDomainAuditGenericDev(vm, "smartcard", NULL,
+
virDomainAuditChardevPath(&def->data.passthru),
+ reason, success);
+ break;
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_LAST:
+ break;
+ }
+ }
+}
+
+
void
virDomainAuditDisk(virDomainObjPtr vm,
virStorageSourcePtr oldDef,
@@ -814,6 +859,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool
success)
virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start",
true);
}
+ for (i = 0; i < vm->def->nsmartcards; i++)
+ virDomainAuditSmartcard(vm, vm->def->smartcards[i], "start",
true);
+
if (vm->def->rng)
virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);
--
1.9.3
4:48 p.m.
New subject: [libvirt] [PATCHv2 2/2] audit: Audit smartcard devices
On 07/04/2014 06:25 AM, Peter Krempa wrote:
---
docs/auditlog.html.in | 20 ++++++++++++++++++++
src/conf/domain_audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+)
diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in
index 8528b52..8a007ca 100644
--- a/docs/auditlog.html.in
+++ b/docs/auditlog.html.in
@@ -301,6 +301,26 @@
<dd>Updated path of the backing character device for given emulated
device</dd>
</dl>
+ <h4><a
name="typeresourcesmartcard">smartcard</a></h4>
+ <p>
+ The <code>msg</code> field will include the following sub-fields
+ </p>
+
+ <dl>
+ <dt>reason</dt>
+ <dd>The reason which caused the resource to be assigned to happen</dd>
Same wording suggestion as in 1/2
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
5:36 a.m.
On 07/04/2014 02:25 PM, Peter Krempa wrote:
V2 adds docs to docs/auditlog.html.in and doesn't log the shared
serial/console
def twice. Sending for sanity review of language :)
Peter Krempa (2):
audit: Add auditing for serial/parallel/channel/console character devs
audit: Audit smartcard devices
docs/auditlog.html.in | 35 +++++++++++++++++++
src/conf/domain_audit.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_audit.h | 7 ++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_hotplug.c | 17 +++++----
5 files changed, 144 insertions(+), 6 deletions(-)
ACK series, the language looks sane to me.
Jan
6:08 a.m.
On 07/07/14 12:36, Ján Tomko wrote:
On 07/04/2014 02:25 PM, Peter Krempa wrote:
> V2 adds docs to docs/auditlog.html.in and doesn't log the shared serial/console
> def twice. Sending for sanity review of language :)
>
> Peter Krempa (2):
> audit: Add auditing for serial/parallel/channel/console character devs
> audit: Audit smartcard devices
>
> docs/auditlog.html.in | 35 +++++++++++++++++++
> src/conf/domain_audit.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
> src/conf/domain_audit.h | 7 ++++
> src/libvirt_private.syms | 1 +
> src/qemu/qemu_hotplug.c | 17 +++++----
> 5 files changed, 144 insertions(+), 6 deletions(-)
>
ACK series, the language looks sane to me.
Thanks; Pushed.
Peter
3789
days inactive
3792
days old
6 comments
3 participants
participants (3)
-
Eric Blake -
Ján Tomko -
Peter Krempa