[libvirt] [PATCH 5/6] audit: Add auditing for serial/parallel/channel/console characted devs

Peter Krempa pkrempa at redhat.com
Thu Jul 3 10:05:01 UTC 2014


Add startup auditing as well as hotplug (attach/detach) auditing for these devices
---
 src/conf/domain_audit.c  | 35 +++++++++++++++++++++++++++++++++++
 src/conf/domain_audit.h  |  7 +++++++
 src/libvirt_private.syms |  1 +
 src/qemu/qemu_hotplug.c  | 17 +++++++++++------
 4 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c
index c4dcfa5..b7f8123 100644
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@@ -155,6 +155,29 @@ virDomainAuditGenericDev(virDomainObjPtr vm,


 void
+virDomainAuditChardev(virDomainObjPtr vm,
+                      virDomainChrDefPtr oldDef,
+                      virDomainChrDefPtr newDef,
+                      const char *reason,
+                      bool success)
+{
+    virDomainChrSourceDefPtr oldsrc = NULL;
+    virDomainChrSourceDefPtr newsrc = NULL;
+
+    if (oldDef)
+        oldsrc = &oldDef->source;
+
+    if (newDef)
+        newsrc = &newDef->source;
+
+    virDomainAuditGenericDev(vm, "chardev",
+                             virDomainAuditChardevPath(oldsrc),
+                             virDomainAuditChardevPath(newsrc),
+                             reason, success);
+}
+
+
+void
 virDomainAuditDisk(virDomainObjPtr vm,
                    virStorageSourcePtr oldDef,
                    virStorageSourcePtr newDef,
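Review bot: virDomainAuditChardev passes a possibly-NULL oldsrc/newsrc straight into virDomainAuditChardevPath() on the two lines before the reason/success arguments, so the record's correctness rests on that helper returning NULL for a NULL source; I believe it does, but the function itself does not say so. If the helper also returns NULL for source types that have no path, the resulting audit record carries an empty old/new path and an analyst cannot tell "device with no path" from "device not recorded" — worth a sentence in a comment so the field is not misread. I'd add above the definition: `/* Audit a chardev change. oldDef/newDef may each be NULL (nothing removed / nothing added); only the source path is recorded, which may be absent for path-less source types. */`. The function is complete within the hunk.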
@@ -772,6 +795,18 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
         virDomainAuditRedirdev(vm, redirdev, "start", true);
     }

+    for (i = 0; i < vm->def->nserials; i++)
+        virDomainAuditChardev(vm, NULL, vm->def->serials[i], "start", true);
+
+    for (i = 0; i < vm->def->nparallels; i++)
+        virDomainAuditChardev(vm, NULL, vm->def->parallels[i], "start", true);
+
+    for (i = 0; i < vm->def->nchannels; i++)
+        virDomainAuditChardev(vm, NULL, vm->def->channels[i], "start", true);
+
+    for (i = 0; i < vm->def->nconsoles; i++)
+        virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start", true);
+
     if (vm->def->rng)
         virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);

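Review bot: The four start loops audit consoles[] independently of serials[], but in libvirt the first console can be an alias of the first serial device (the serial-target console), so that one device would presumably be audited twice at startup with two different "chardev" records — confirm against how the qemu driver skips consoles[0] in that case. If it is an alias, skipping consoles[0] when its target type is serial and nserials > 0 would keep one record per device; otherwise a comment stating that duplicates are intentional, e.g. `/* consoles[0] may duplicate serials[0]; both are audited deliberately */`, would stop the next reader from filing it as a bug. virDomainAuditStart begins and ends outside the hunk.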
diff --git a/src/conf/domain_audit.h b/src/conf/domain_audit.h
index 58d25a4..3434feb 100644
--- a/src/conf/domain_audit.h
+++ b/src/conf/domain_audit.h
@@ -111,4 +111,11 @@ void virDomainAuditRedirdev(virDomainObjPtr vm,
                             bool success)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);

+void virDomainAuditChardev(virDomainObjPtr vm,
+                           virDomainChrDefPtr oldDef,
+                           virDomainChrDefPtr newDef,
+                           const char *reason,
+                           bool success)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
+
 #endif /* __VIR_DOMAIN_AUDIT_H__ */
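Review bot: The new declaration only marks parameters 1 and 4 with ATTRIBUTE_NONNULL, which is correct for the callers in this series (oldDef or newDef is always NULL on start/attach/detach) but is the kind of asymmetry readers usually assume is an oversight, and the header says nothing about it. A short Doxygen-style comment above the prototype naming the contract — which pointer is NULL in the add case, which in the remove case, and that `reason` is the literal audit action string — would make the contract explicit. I'd write: `/* oldDef: device being removed, or NULL; newDef: device being added, or NULL; at most one is expected to be set per call. */`.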
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 067dcad..b04b099 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -116,6 +116,7 @@ virDomainPCIAddressValidate;
 virDomainAuditCgroup;
 virDomainAuditCgroupMajor;
 virDomainAuditCgroupPath;
+virDomainAuditChardev;
 virDomainAuditDisk;
 virDomainAuditFS;
 virDomainAuditHostdev;
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 8d37813..5451118 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1460,18 +1460,20 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
     qemuDomainObjEnterMonitor(driver, vm);
     if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) {
         qemuDomainObjExitMonitor(driver, vm);
-        goto cleanup;
+        goto audit;
     }

     if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) {
         /* detach associated chardev on error */
         qemuMonitorDetachCharDev(priv->mon, charAlias);
         qemuDomainObjExitMonitor(driver, vm);
-        goto cleanup;
+        goto audit;
     }
     qemuDomainObjExitMonitor(driver, vm);

     ret = 0;
+ audit:
+    virDomainAuditChardev(vm, NULL, chr, "attach", ret == 0);
  cleanup:
     if (ret < 0 && need_remove)
         qemuDomainChrRemove(vmdef, chr);
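Review bot: The `audit:` label records `ret == 0` as the success flag, which is only right if `ret` still holds its initial -1 at both `goto audit` sites; that initialisation is outside the hunk, so it is worth confirming no earlier statement assigns `ret` before the monitor section. Separately, every failure before qemuDomainObjEnterMonitor (the existing `goto cleanup` paths above the hunk) bypasses the audit entirely, so a rejected attach only shows up in the audit log when it fails inside the monitor; the same holds for the `goto cleanup` before the detach call in qemuDomainRemoveChrDevice (second hotplug hunk). If that is the intended scope — audit only guest-affecting operations — a one-line comment at the label, `/* audit only monitor-level outcomes; earlier failures never touched the guest */`, documents the choice; otherwise the pre-monitor paths should also jump to `audit`. qemuDomainAttachChrDevice begins and ends outside the hunk.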
@@ -2751,6 +2753,7 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
     char *charAlias = NULL;
     qemuDomainObjPrivatePtr priv = vm->privateData;
     int ret = -1;
+    int rc;

     VIR_DEBUG("Removing character device %s from domain %p %s",
               chr->info.alias, vm, vm->def->name);
@@ -2759,12 +2762,14 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
         goto cleanup;

     qemuDomainObjEnterMonitor(driver, vm);
-    if (qemuMonitorDetachCharDev(priv->mon, charAlias) < 0) {
-        qemuDomainObjExitMonitor(driver, vm);
-        goto cleanup;
-    }
+    rc = qemuMonitorDetachCharDev(priv->mon, charAlias);
     qemuDomainObjExitMonitor(driver, vm);

+    virDomainAuditChardev(vm, chr, NULL, "detach", rc == 0);
+
+    if (rc < 0)
+        goto cleanup;
+
     event = virDomainEventDeviceRemovedNewFromObj(vm, chr->info.alias);
     if (event)
         qemuDomainEventQueue(driver, event);
-- 
1.9.3



