[libvirt] [PATCH 6/7] Add auditing of security label in QEMU driver

Daniel Veillard veillard at redhat.com
Wed Oct 27 14:34:24 UTC 2010 

On Wed, Oct 27, 2010 at 12:36:16PM +0100, Daniel P. Berrange wrote:
> Add auditing of the allocated security label in the QEMU driver
> VM startup code
> 
> * src/qemu/qemu_driver.c: Audit security label
> ---
>  src/qemu/qemu_driver.c |   32 ++++++++++++++++++++++++++++----
>  1 files changed, 28 insertions(+), 4 deletions(-)
> 
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index 980d9d4..8db5e7a 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -3698,6 +3698,27 @@ static void qemuDomainStopAudit(virDomainObjPtr vm, const char *reason)
>      qemuDomainLifecycleAudit(vm, "stop", reason, true);
>  }
>  
> +static void qemuDomainSecurityLabelAudit(virDomainObjPtr vm, bool success)
> +{
> +    char uuidstr[VIR_UUID_STRING_BUFLEN];
> +    char *vmname;
> +
> +    virUUIDFormat(vm->def->uuid, uuidstr);
> +    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
> +        VIR_WARN0("OOM while encoding audit message");
> +        return;
> +    }
> +
> +    VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_ID, success,
> +              "%s uuid=%s vm-ctx=%s img-ctx=%s",
> +              vmname, uuidstr,
> +              VIR_AUDIT_STR(vm->def->seclabel.label),
> +              VIR_AUDIT_STR(vm->def->seclabel.imagelabel));
> +
> +    VIR_FREE(vmname);
> +}
> +
> +
>  static int qemudStartVMDaemon(virConnectPtr conn,
>                                struct qemud_driver *driver,
>                                virDomainObjPtr vm,
> @@ -3752,10 +3773,13 @@ static int qemudStartVMDaemon(virConnectPtr conn,
>         then generate a security label for isolation */
>      DEBUG0("Generating domain security label (if required)");
>      if (driver->securityDriver &&
> -        driver->securityDriver->domainGenSecurityLabel &&
> -        driver->securityDriver->domainGenSecurityLabel(driver->securityDriver,
> -                                                       vm) < 0)
> -        goto cleanup;
> +        driver->securityDriver->domainGenSecurityLabel) {
> +        ret = driver->securityDriver->domainGenSecurityLabel(driver->securityDriver,
> +                                                             vm);
> +        qemuDomainSecurityLabelAudit(vm, ret >= 0);
> +        if (ret < 0)
> +            goto cleanup;
> +    }
>  
>      DEBUG0("Generating setting domain security labels (if required)");
>      if (driver->securityDriver &&

ACK,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

More information about the libvir-list mailing list