[libvirt] [PATCH 6/7] Add auditing of security label in QEMU driver

Daniel P. Berrange berrange at redhat.com
Wed Oct 27 11:36:16 UTC 2010


Add auditing of the allocated security label in the QEMU driver
VM startup code

* src/qemu/qemu_driver.c: Audit security label
---
 src/qemu/qemu_driver.c |   32 ++++++++++++++++++++++++++++----
 1 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 980d9d4..8db5e7a 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3698,6 +3698,27 @@ static void qemuDomainStopAudit(virDomainObjPtr vm, const char *reason)
     qemuDomainLifecycleAudit(vm, "stop", reason, true);
 }
 
+static void qemuDomainSecurityLabelAudit(virDomainObjPtr vm, bool success)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    char *vmname;
+
+    virUUIDFormat(vm->def->uuid, uuidstr);
+    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+        VIR_WARN0("OOM while encoding audit message");
+        return;
+    }
+
+    VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_ID, success,
+              "%s uuid=%s vm-ctx=%s img-ctx=%s",
+              vmname, uuidstr,
+              VIR_AUDIT_STR(vm->def->seclabel.label),
+              VIR_AUDIT_STR(vm->def->seclabel.imagelabel));
+
+    VIR_FREE(vmname);
+}
+
+
 static int qemudStartVMDaemon(virConnectPtr conn,
                               struct qemud_driver *driver,
                               virDomainObjPtr vm,
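Review bot: In qemuDomainSecurityLabelAudit only the VM name goes through virAuditEncode(); `seclabel.label` and `seclabel.imagelabel` are written into the record raw via VIR_AUDIT_STR(). If either label can come from user-supplied domain configuration (not visible here, so worth confirming), a value containing spaces or `key=value` text could forge or split fields in the audit record. Encoding both labels the same way as the name keeps the record unambiguous; the sketch below does that and frees all three strings on one cleanup path. The function would also benefit from a short header comment stating that it records the outcome of label generation, with `?` standing for an absent label.

```c
    char *vmctx = NULL;
    char *imgctx = NULL;

    /* … unchanged: virUUIDFormat() and vmname encoding with early return … */

    if (!(vmctx = virAuditEncode("vm-ctx",
                                 VIR_AUDIT_STR(vm->def->seclabel.label))) ||
        !(imgctx = virAuditEncode("img-ctx",
                                  VIR_AUDIT_STR(vm->def->seclabel.imagelabel)))) {
        VIR_WARN0("OOM while encoding audit message");
        goto cleanup;
    }

    VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_ID, success,
              "%s uuid=%s %s %s",
              vmname, uuidstr, vmctx, imgctx);

cleanup:
    VIR_FREE(vmname);
    VIR_FREE(vmctx);
    VIR_FREE(imgctx);
```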
@@ -3752,10 +3773,13 @@ static int qemudStartVMDaemon(virConnectPtr conn,
        then generate a security label for isolation */
     DEBUG0("Generating domain security label (if required)");
     if (driver->securityDriver &&
-        driver->securityDriver->domainGenSecurityLabel &&
-        driver->securityDriver->domainGenSecurityLabel(driver->securityDriver,
-                                                       vm) < 0)
-        goto cleanup;
+        driver->securityDriver->domainGenSecurityLabel) {
+        ret = driver->securityDriver->domainGenSecurityLabel(driver->securityDriver,
+                                                             vm);
+        qemuDomainSecurityLabelAudit(vm, ret >= 0);
+        if (ret < 0)
+            goto cleanup;
+    }
 
     DEBUG0("Generating setting domain security labels (if required)");
     if (driver->securityDriver &&
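Review bot: The audit record is written only inside the `domainGenSecurityLabel` branch, so a start with no security driver configured, or with a driver lacking that callback, leaves no label record at all. An auditor then cannot tell an unlabelled guest from a lost record. If that case should be visible, an `else` arm calling `qemuDomainSecurityLabelAudit(vm, true);` would log the `?` placeholders explicitly; whether an unlabelled start counts as success is a policy call for the maintainers. The new code also stores the callback result in `ret`, which is declared outside the hunk, so it is worth confirming that no later path returns `ret` expecting its earlier value. qemudStartVMDaemon starts and ends outside the hunk.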
-- 
1.7.2.3



