[libvirt] [PATCHv2 7/8] audit: also audit cgroup ACL permissions
Eric Blake
eblake at redhat.com
Wed Mar 9 05:13:49 UTC 2011
* src/qemu/qemu_audit.h (qemuAuditCgroupMajor)
(qemuAuditCgroupPath): Add parameter.
* src/qemu/qemu_audit.c (qemuAuditCgroupMajor)
(qemuAuditCgroupPath): Add 'acl=rwm' to cgroup audit entries.
* src/qemu/qemu_cgroup.c: Update clients.
* src/qemu/qemu_driver.c (qemudDomainSaveFlag): Likewise.
---
v2: new patch; perhaps patch should be floated before patch 2, and
then this patch squashed into patch 2, so that I'm only touching
qemuAuditCgroupPath once?
src/qemu/qemu_audit.c | 12 ++++++++----
src/qemu/qemu_audit.h | 2 ++
src/qemu/qemu_cgroup.c | 15 ++++++++-------
src/qemu/qemu_driver.c | 6 +++---
4 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
index 705cab7..ea4f22b 100644
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -291,6 +291,7 @@ cleanup:
* @reason: either "allow" or "deny"
* @maj: the major number of the device category
* @name: a textual name for that device category, alphabetic only
+ * @perms: string containing "r", "w", and/or "m" as appropriate
* @success: true if the cgroup operation succeeded
*
* Log an audit message about an attempted cgroup device ACL change.
@@ -298,11 +299,12 @@ cleanup:
void
qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
const char *reason, int maj, const char *name,
- bool success)
+ const char *perms, bool success)
{
char *extra;
- if (virAsprintf(&extra, "major category=%s maj=%02X", name, maj) < 0) {
+ if (virAsprintf(&extra, "major category=%s maj=%02X acl=%s",
+ name, maj, perms) < 0) {
VIR_WARN0("OOM while encoding audit message");
return;
}
@@ -318,6 +320,7 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
* @cgroup: cgroup that manages the devices
* @reason: either "allow" or "deny"
* @path: the device being adjusted
+ * @perms: string containing "r", "w", and/or "m" as appropriate
* @rc: > 0 if not a device, 0 if success, < 0 if failure
*
* Log an audit message about an attempted cgroup device ACL change to
@@ -325,7 +328,8 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
*/
void
qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
- const char *reason, const char *path, int rc)
+ const char *reason, const char *path, const char *perms,
+ int rc)
{
char *detail;
char *rdev;
@@ -337,7 +341,7 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
if (!(detail = virAuditEncode("path", path)) ||
!(rdev = qemuAuditGetRdev(path)) ||
- virAsprintf(&extra, "path path=%s %s", path, rdev) < 0) {
+ virAsprintf(&extra, "path path=%s %s acl=%s", path, rdev, perms) < 0) {
VIR_WARN0("OOM while encoding audit message");
goto cleanup;
}
diff --git a/src/qemu/qemu_audit.h b/src/qemu/qemu_audit.h
index 84874a2..a9300d3 100644
--- a/src/qemu/qemu_audit.h
+++ b/src/qemu/qemu_audit.h
@@ -61,11 +61,13 @@ void qemuAuditCgroupMajor(virDomainObjPtr vm,
const char *reason,
int maj,
const char *name,
+ const char *perms,
bool success);
void qemuAuditCgroupPath(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
const char *path,
+ const char *perms,
int rc);
void qemuAuditMemory(virDomainObjPtr vm,
unsigned long long oldmem,
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 83063a9..f65445c 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -68,7 +68,8 @@ qemuSetupDiskPathAllow(virDomainDiskDefPtr disk,
rc = virCgroupAllowDevicePath(data->cgroup, path,
(disk->readonly ? VIR_CGROUP_DEVICE_READ
: VIR_CGROUP_DEVICE_RW));
- qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc);
+ qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path,
+ disk->readonly ? "r" : "rw", rc);
if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path);
@@ -109,7 +110,7 @@ qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path %s for disk", path);
rc = virCgroupDenyDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RWM);
- qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, rc);
+ qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc);
if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path);
@@ -154,7 +155,7 @@ qemuSetupChardevCgroup(virDomainDefPtr def,
rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path,
VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(data->vm, data->cgroup, "allow",
- dev->source.data.file.path, rc);
+ dev->source.data.file.path, "rw", rc);
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
@@ -176,7 +177,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path '%s' for USB device", path);
rc = virCgroupAllowDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RW);
- qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc);
+ qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc);
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s"),
@@ -232,7 +233,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR,
VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR,
- "pty", rc == 0);
+ "pty", "rwm", rc == 0);
if (rc != 0) {
virReportSystemError(-rc, "%s",
_("unable to allow /dev/pts/ devices"));
@@ -247,7 +248,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR,
VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR,
- "sound", rc == 0);
+ "sound", "rwm", rc == 0);
if (rc != 0) {
virReportSystemError(-rc, "%s",
_("unable to allow /dev/snd/ devices"));
@@ -258,7 +259,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
for (i = 0; deviceACL[i] != NULL ; i++) {
rc = virCgroupAllowDevicePath(cgroup, deviceACL[i],
VIR_CGROUP_DEVICE_RW);
- qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], rc);
+ qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc);
if (rc < 0 &&
rc != -ENOENT) {
virReportSystemError(-rc,
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 7b4edc5..ca2b61d 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1964,7 +1964,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom,
}
rc = virCgroupAllowDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RW);
- qemuAuditCgroupPath(vm, cgroup, "allow", path, rc);
+ qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
@@ -2015,7 +2015,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom,
if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RWM);
- qemuAuditCgroupPath(vm, cgroup, "deny", path, rc);
+ qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
if (rc < 0)
VIR_WARN("Unable to deny device %s for %s %d",
path, vm->def->name, rc);
@@ -2048,7 +2048,7 @@ endjob:
if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RWM);
- qemuAuditCgroupPath(vm, cgroup, "deny", path, rc);
+ qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
if (rc < 0)
VIR_WARN("Unable to deny device %s for %s: %d",
path, vm->def->name, rc);
--
1.7.4
More information about the libvir-list
mailing list