11:19 a.m.
This patch adds auditing of resources used by the 'random' backend of
virtio RNG.
---
If there's desire to audit also use of the "egd" backend that uses a
generic character device, a way how to audit this device will need to be
introduced. We don't audit useage of chardevs right now.
src/conf/domain_audit.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 76 insertions(+)
diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c
index 8cd522a..c80bdb4 100644
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@@ -100,6 +100,79 @@ cleanup:
}
+static void
+virDomainAuditRNG(virDomainObjPtr vm,
+ virDomainRNGDefPtr newDef, virDomainRNGDefPtr oldDef,
+ const char *reason, bool success)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ char *vmname;
+ char *oldsrc = NULL;
+ char *newsrc = NULL;
+ const char *virt;
+
+ virUUIDFormat(vm->def->uuid, uuidstr);
+ if (!(vmname = virAuditEncode("vm", vm->def->name)))
+ goto no_memory;
+
+ if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
+ VIR_WARN("Unexpected virt type %d while encoding audit message",
vm->def->virtType);
+ virt = "?";
+ }
+
+ if (newDef) {
+ switch (newDef->backend) {
+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
+ if (!(newsrc = virAuditEncode("new-rng",
VIR_AUDIT_STR(newDef->source.file))))
+ goto no_memory;
+ break;
+
+ case VIR_DOMAIN_RNG_BACKEND_EGD:
+ case VIR_DOMAIN_RNG_BACKEND_LAST:
+ if (!(newsrc = virAuditEncode("new-rng", "?")))
+ goto no_memory;
+ break;
+ }
+ } else {
+ if (!(newsrc = virAuditEncode("new-rng", "?")))
+ goto no_memory;
+ }
+
+ if (oldDef) {
+ switch (oldDef->backend) {
+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
+ if (!(oldsrc = virAuditEncode("old-rng",
VIR_AUDIT_STR(oldDef->source.file))))
+ goto no_memory;
+ break;
+
+ case VIR_DOMAIN_RNG_BACKEND_EGD:
+ case VIR_DOMAIN_RNG_BACKEND_LAST:
+ if (!(oldsrc = virAuditEncode("old-rng", "?")))
+ goto no_memory;
+ break;
+ }
+ } else {
+ if (!(oldsrc = virAuditEncode("old-rng", "?")))
+ goto no_memory;
+ }
+
+ VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+ "virt=%s resrc=rng reason=%s %s uuid=%s %s %s",
+ virt, reason, vmname, uuidstr,
+ oldsrc, newsrc);
+
+cleanup:
+ VIR_FREE(vmname);
+ VIR_FREE(oldsrc);
+ VIR_FREE(newsrc);
+ return;
+
+no_memory:
+ VIR_WARN("OOM while encoding audit message");
+ goto cleanup;
+}
+
+
void
virDomainAuditFS(virDomainObjPtr vm,
virDomainFSDefPtr oldDef, virDomainFSDefPtr newDef,
@@ -641,6 +714,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool
success)
virDomainAuditRedirdev(vm, redirdev, "start", true);
}
+ if (vm->def->rng)
+ virDomainAuditRNG(vm, vm->def->rng, NULL, "start", true);
+
virDomainAuditMemory(vm, 0, vm->def->mem.cur_balloon, "start",
true);
virDomainAuditVcpu(vm, 0, vm->def->vcpus, "start", true);
--
1.8.1.5
6:19 a.m.
On Mon, Mar 11, 2013 at 05:19:36PM +0100, Peter Krempa wrote:
This patch adds auditing of resources used by the 'random'
backend of
virtio RNG.
---
If there's desire to audit also use of the "egd" backend that uses a
generic character device, a way how to audit this device will need to be
introduced. We don't audit useage of chardevs right now.
src/conf/domain_audit.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 76 insertions(+)
Can you update the commit message to give an example of the exact
audit message that is generated from this. Also please Cc Steve
Grubb when you re-post this, for sign-off from his position as
audit tools maintainer.
+static void
+virDomainAuditRNG(virDomainObjPtr vm,
+ virDomainRNGDefPtr newDef, virDomainRNGDefPtr oldDef,
+ const char *reason, bool success)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ char *vmname;
+ char *oldsrc = NULL;
+ char *newsrc = NULL;
+ const char *virt;
+
+ virUUIDFormat(vm->def->uuid, uuidstr);
+ if (!(vmname = virAuditEncode("vm", vm->def->name)))
+ goto no_memory;
+
+ if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
+ VIR_WARN("Unexpected virt type %d while encoding audit message",
vm->def->virtType);
+ virt = "?";
+ }
+
+ if (newDef) {
+ switch (newDef->backend) {
+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
+ if (!(newsrc = virAuditEncode("new-rng",
VIR_AUDIT_STR(newDef->source.file))))
Can't newDef->source.file be NULL ? In such a case we need to explicitly
fill in the file that QEMU will default to in the audit record. We can't
leave the filename blank
+ goto no_memory;
+ break;
+
+ case VIR_DOMAIN_RNG_BACKEND_EGD:
+ case VIR_DOMAIN_RNG_BACKEND_LAST:
+ if (!(newsrc = virAuditEncode("new-rng", "?")))
We need to specify the EGD unix socket path we use too, not merely '?'.
+ goto no_memory;
+ break;
+ }
+ } else {
+ if (!(newsrc = virAuditEncode("new-rng", "?")))
+ goto no_memory;
+ }
+
+ if (oldDef) {
+ switch (oldDef->backend) {
+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
+ if (!(oldsrc = virAuditEncode("old-rng",
VIR_AUDIT_STR(oldDef->source.file))))
Same point here
+ goto no_memory;
+ break;
+
+ case VIR_DOMAIN_RNG_BACKEND_EGD:
+ case VIR_DOMAIN_RNG_BACKEND_LAST:
+ if (!(oldsrc = virAuditEncode("old-rng", "?")))
+ goto no_memory;
+ break;
+ }
+ } else {
+ if (!(oldsrc = virAuditEncode("old-rng", "?")))
+ goto no_memory;
+ }
+
+ VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+ "virt=%s resrc=rng reason=%s %s uuid=%s %s %s",
+ virt, reason, vmname, uuidstr,
+ oldsrc, newsrc);
+
+cleanup:
+ VIR_FREE(vmname);
+ VIR_FREE(oldsrc);
+ VIR_FREE(newsrc);
+ return;
+
+no_memory:
+ VIR_WARN("OOM while encoding audit message");
+ goto cleanup;
+}
+
+
void
virDomainAuditFS(virDomainObjPtr vm,
virDomainFSDefPtr oldDef, virDomainFSDefPtr newDef,
@@ -641,6 +714,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool
success)
virDomainAuditRedirdev(vm, redirdev, "start", true);
}
+ if (vm->def->rng)
+ virDomainAuditRNG(vm, vm->def->rng, NULL, "start", true);
+
virDomainAuditMemory(vm, 0, vm->def->mem.cur_balloon, "start",
true);
virDomainAuditVcpu(vm, 0, vm->def->vcpus, "start", true);
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
6:25 a.m.
On 03/12/13 12:19, Daniel P. Berrange wrote:
On Mon, Mar 11, 2013 at 05:19:36PM +0100, Peter Krempa wrote:
> This patch adds auditing of resources used by the 'random' backend of
> virtio RNG.
> ---
> If there's desire to audit also use of the "egd" backend that uses a
> generic character device, a way how to audit this device will need to be
> introduced. We don't audit useage of chardevs right now.
>
> src/conf/domain_audit.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 76 insertions(+)
Can you update the commit message to give an example of the exact
audit message that is generated from this. Also please Cc Steve
Grubb when you re-post this, for sign-off from his position as
audit tools maintainer.
Okay.
> +static void
> +virDomainAuditRNG(virDomainObjPtr vm,
> + virDomainRNGDefPtr newDef, virDomainRNGDefPtr oldDef,
> + const char *reason, bool success)
> +{
> + char uuidstr[VIR_UUID_STRING_BUFLEN];
> + char *vmname;
> + char *oldsrc = NULL;
> + char *newsrc = NULL;
> + const char *virt;
> +
> + virUUIDFormat(vm->def->uuid, uuidstr);
> + if (!(vmname = virAuditEncode("vm", vm->def->name)))
> + goto no_memory;
> +
> + if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
> + VIR_WARN("Unexpected virt type %d while encoding audit message",
vm->def->virtType);
> + virt = "?";
> + }
> +
> + if (newDef) {
> + switch (newDef->backend) {
> + case VIR_DOMAIN_RNG_BACKEND_RANDOM:
> + if (!(newsrc = virAuditEncode("new-rng",
VIR_AUDIT_STR(newDef->source.file))))
Can't newDef->source.file be NULL ? In such a case we need to explicitly
fill in the file that QEMU will default to in the audit record. We can't
leave the filename blank
Ah, yeah.
> + goto no_memory;
> + break;
> +
> + case VIR_DOMAIN_RNG_BACKEND_EGD:
> + case VIR_DOMAIN_RNG_BACKEND_LAST:
> + if (!(newsrc = virAuditEncode("new-rng", "?")))
We need to specify the EGD unix socket path we use too, not merely '?'.
This can be set to multiple things as the backend is a chardev from
point of view of qemu:
The data can be transported using: TCP, UDP, unix sockets and a ton of
other stuff, and we don't have a precedent case for this. Is there a
need to represend TCP backends? Or auditing is meant just for local stuff?
> + goto no_memory;
> + break;
> + }
> + } else {
> + if (!(newsrc = virAuditEncode("new-rng", "?")))
> + goto no_memory;
> + }
> +
Peter
7:35 a.m.
On Tue, Mar 12, 2013 at 12:25:14PM +0100, Peter Krempa wrote:
On 03/12/13 12:19, Daniel P. Berrange wrote:
>On Mon, Mar 11, 2013 at 05:19:36PM +0100, Peter Krempa wrote:
>>This patch adds auditing of resources used by the 'random' backend of
>>virtio RNG.
>>---
>>If there's desire to audit also use of the "egd" backend that uses
a
>>generic character device, a way how to audit this device will need to be
>>introduced. We don't audit useage of chardevs right now.
>>
>> src/conf/domain_audit.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 76 insertions(+)
>
>Can you update the commit message to give an example of the exact
>audit message that is generated from this. Also please Cc Steve
>Grubb when you re-post this, for sign-off from his position as
>audit tools maintainer.
Okay.
>
>>+static void
>>+virDomainAuditRNG(virDomainObjPtr vm,
>>+ virDomainRNGDefPtr newDef, virDomainRNGDefPtr oldDef,
>>+ const char *reason, bool success)
>>+{
>>+ char uuidstr[VIR_UUID_STRING_BUFLEN];
>>+ char *vmname;
>>+ char *oldsrc = NULL;
>>+ char *newsrc = NULL;
>>+ const char *virt;
>>+
>>+ virUUIDFormat(vm->def->uuid, uuidstr);
>>+ if (!(vmname = virAuditEncode("vm", vm->def->name)))
>>+ goto no_memory;
>>+
>>+ if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
>>+ VIR_WARN("Unexpected virt type %d while encoding audit
message", vm->def->virtType);
>>+ virt = "?";
>>+ }
>>+
>>+ if (newDef) {
>>+ switch (newDef->backend) {
>>+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
>>+ if (!(newsrc = virAuditEncode("new-rng",
VIR_AUDIT_STR(newDef->source.file))))
>
>Can't newDef->source.file be NULL ? In such a case we need to explicitly
>fill in the file that QEMU will default to in the audit record. We can't
>leave the filename blank
Ah, yeah.
>
>>+ goto no_memory;
>>+ break;
>>+
>>+ case VIR_DOMAIN_RNG_BACKEND_EGD:
>>+ case VIR_DOMAIN_RNG_BACKEND_LAST:
>>+ if (!(newsrc = virAuditEncode("new-rng", "?")))
>
>We need to specify the EGD unix socket path we use too, not merely '?'.
This can be set to multiple things as the backend is a chardev from
point of view of qemu:
The data can be transported using: TCP, UDP, unix sockets and a ton
of other stuff, and we don't have a precedent case for this. Is
there a need to represend TCP backends? Or auditing is meant just
for local stuff?
We don't have code for auditing serial/parallel/channel devices
since it was out of scope for the original security certification.
We need to fix that at some point, so yes, labelling chardevs is
relevant. We don't need to worry about network cases, only where
the chardev points to some resource that is visible in the host
filesystem, so a plain file, device node, UNIX socket, etc
Dnaiel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4274
days inactive
4275
days old
3 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Peter Krempa