[libvirt] [PATCHv2 3/8] audit: also audit cgroup controller path

Daniel P. Berrange berrange at redhat.com
Wed Mar 9 15:10:55 UTC 2011


On Tue, Mar 08, 2011 at 10:13:45PM -0700, Eric Blake wrote:
> Although the cgroup device ACL controller path can be worked out
> by researching the code, it is more efficient to include that
> information directly in the audit message.
> 
> * src/util/cgroup.h (virCgroupPathOfController): New prototype.
> * src/util/cgroup.c (virCgroupPathOfController): Export.
> * src/libvirt_private.syms: Likewise.
> * src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.
> ---
> 
> v2: rebase onto other changes
> 
>  src/libvirt_private.syms |    1 +
>  src/qemu/qemu_audit.c    |   19 ++++++++++++++++---
>  src/util/cgroup.c        |    8 ++++----
>  src/util/cgroup.h        |    5 +++++
>  4 files changed, 26 insertions(+), 7 deletions(-)
> 
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index efcf3c5..c0da78e 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -79,6 +79,7 @@ virCgroupKill;
>  virCgroupKillRecursive;
>  virCgroupKillPainfully;
>  virCgroupMounted;
> +virCgroupPathOfController;
>  virCgroupRemove;
>  virCgroupSetBlkioWeight;
>  virCgroupSetCpuShares;
> diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
> index 56b0b74..08eb431 100644
> --- a/src/qemu/qemu_audit.c
> +++ b/src/qemu/qemu_audit.c
> @@ -216,11 +216,13 @@ cleanup:
>   * Log an audit message about an attempted cgroup device ACL change.
>   */
>  void
> -qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
> +qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
>                  const char *reason, const char *extra, bool success)
>  {
>      char uuidstr[VIR_UUID_STRING_BUFLEN];
>      char *vmname;
> +    char *controller = NULL;
> +    char *detail;
> 
>      virUUIDFormat(vm->def->uuid, uuidstr);
>      if (!(vmname = virAuditEncode("vm", vm->def->name))) {
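Review bot: `char *detail;` is declared without an initializer while the neighbouring `controller` gets `= NULL`; any path that reaches `cleanup` before `detail` is assigned would hand an indeterminate pointer to whatever frees it there. Declare it as `char *detail = NULL;` for symmetry and safety. Dropping `ATTRIBUTE_UNUSED` from the `cgroup` parameter is correct now that the body uses it.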
> @@ -228,11 +230,22 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
>          return;
>      }
> 
> +    virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
> +                              NULL, &controller);
> +
> +    if (!(detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller)))) {
> +        VIR_WARN0("OOM while encoding audit message");
> +        goto cleanup;
> +    }
> +
>      VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
> -              "resrc=cgroup reason=%s %s uuid=%s class=%s",
> -              reason, vmname, uuidstr, extra);
> +              "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
> +              reason, vmname, uuidstr, detail, extra);
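Review bot: the return value of `virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES, NULL, &controller)` is discarded, so on failure `controller` stays NULL and the record silently carries whatever `VIR_AUDIT_STR` substitutes for a NULL string; that is tolerable for an audit field, but a `VIR_WARN` on a non-zero return would make the missing path diagnosable. The hunk also does not show the `cleanup` label, and the string returned through `&controller` needs releasing along with `detail`, so make sure `VIR_FREE(controller)` and `VIR_FREE(detail)` are present there.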

I think perhaps we should make a better effort to output the
audit event if creating 'detail' fails, e.g. remove the goto cleanup
and do 'detail ? detail : "cgroup=?"' here

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|