[libvirt] [PATCH] audit: Audit information about shmem devices

Michal Privoznik mprivozn at redhat.com
Mon Sep 12 12:16:34 UTC 2016


On 07.09.2016 15:37, Martin Kletzander wrote:
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1218603
> 
> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
> ---
>  docs/auditlog.html.in    | 19 +++++++++++++++++++
>  src/conf/domain_audit.c  | 43 +++++++++++++++++++++++++++++++++++++++++++
>  src/conf/domain_audit.h  |  4 ++++
>  src/libvirt_private.syms |  1 +
>  4 files changed, 67 insertions(+)
> 
> diff --git a/docs/auditlog.html.in b/docs/auditlog.html.in
> index 012d0680a87b..7348948feb7a 100644
> --- a/docs/auditlog.html.in
> +++ b/docs/auditlog.html.in
> @@ -352,5 +352,24 @@
>        <dd>The name of the cgroup controller</dd>
>      </dl>
> 
> +
> +    <h4><a name="typeresourceshmem">console/serial/parallel/channel</a></h4>

Copy-paste error. I guess you want a different name here than
"console/..." ;-)

> +    <p>
> +      The <code>msg</code> field will include the following sub-fields
> +    </p>
> +
> +    <dl>
> +      <dt><code>resrc</code></dt>
> +      <dd>The type of resource assigned. Set to <code>shmem</code></dd>
> +      <dt><code>reason</code></dt>
> +      <dd>The reason which caused the resource to be assigned to happen</dd>
> +      <dt><code>size</code></dt>
> +      <dd>The size of the shared memory region</dd>
> +      <dt><code>shmem</code></dt>
> +      <dd>Name of the shared memory region</dd>
> +      <dt><code>source</code></dt>
> +      <dd>Path of the backing character device for given emulated device</dd>
> +    </dl>
> +
>    </body>
>  </html>
> diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c
> index 53a58ac4c88c..cf9c03dee749 100644
> --- a/src/conf/domain_audit.c
> +++ b/src/conf/domain_audit.c
> @@ -889,6 +889,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
>      if (vm->def->tpm)
>          virDomainAuditTPM(vm, vm->def->tpm, "start", true);
> 
> +    for (i = 0; i < vm->def->nshmems; i++)
> +        virDomainAuditShmem(vm, vm->def->shmems[i], "start", true);
> +
>      virDomainAuditMemory(vm, 0, virDomainDefGetMemoryTotal(vm->def),
>                           "start", true);
>      virDomainAuditVcpu(vm, 0, virDomainDefGetVcpus(vm->def), "start", true);
> @@ -963,3 +966,43 @@ virDomainAuditSecurityLabel(virDomainObjPtr vm, bool success)
> 
>      VIR_FREE(vmname);
>  }
> +
> +void
> +virDomainAuditShmem(virDomainObjPtr vm,
> +                    virDomainShmemDefPtr def,
> +                    const char *reason, bool success)
> +{
> +    char uuidstr[VIR_UUID_STRING_BUFLEN];
> +    char *vmname = virAuditEncode("vm", vm->def->name);
> +    const char *srcpath = virDomainAuditChardevPath(&def->server.chr);
> +    char *src = virAuditEncode("server", VIR_AUDIT_STR(srcpath));
> +    char *shmem = virAuditEncode("shmem", VIR_AUDIT_STR(def->name));
> +    const char *virt = virDomainVirtTypeToString(vm->def->virtType);
> +    char *size = NULL;
> +
> +    ignore_value(virAsprintfQuiet(&size, "%llu", def->size));
> +    virUUIDFormat(vm->def->uuid, uuidstr);
> +    if (!vmname || !src || !size || !shmem || !size)
> +        goto no_memory;

I prefer not to have labels that are used from just one place.
Therefore I'd move the VIR_WARN() here and jump straight to the cleanup label.
And if I wanted to be very picky, I'd say lose the ignore_value() and
check for virAsprintfQuiet() retval here too, but I am not, therefore I
won't mention it O:-)

> +
> +    if (!virt) {
> +        VIR_WARN("Unexpected virt type %d while encoding audit message",
> +                 vm->def->virtType);
> +        virt = "?";
> +    }
> +
> +    VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
> +              "virt=%s resrc=shmem reason=%s %s uuid=%s size=%s %s %s",
> +              virt, reason, vmname, uuidstr, size ?: "?", shmem, src);
> +
> + cleanup:
> +    VIR_FREE(vmname);
> +    VIR_FREE(src);
> +    VIR_FREE(size);
> +    VIR_FREE(shmem);
> +    return;
> +
> + no_memory:
> +    VIR_WARN("OOM while encoding audit message");
> +    goto cleanup;
> +}
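Review bot: The OOM guard `if (!vmname || !src || !size || !shmem || !size)` tests `size` twice, and because a NULL `size` already diverts to `no_memory`, the `size ?: "?"` fallback in the VIR_AUDIT call below can never be reached. Either drop the duplicate and the `?:` so the guard reads `if (!vmname || !src || !shmem || !size)`, or drop `!size` from the guard and keep the `"?"` fallback so a failed size formatting alone still produces an audit record rather than silently skipping it; the sibling audit functions in this file (not visible in the hunk) would show which convention is in use. The call `virDomainAuditChardevPath(&def->server.chr)` is made regardless of whether the device has a server configured, so it presumably tolerates an unset chardev source (the result is wrapped in VIR_AUDIT_STR) — worth confirming rather than relying on.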
> diff --git a/src/conf/domain_audit.h b/src/conf/domain_audit.h
> index 97dadca5aae7..8cb585dc7d96 100644
> --- a/src/conf/domain_audit.h
> +++ b/src/conf/domain_audit.h
> @@ -129,6 +129,10 @@ void virDomainAuditRNG(virDomainObjPtr vm,
>                         const char *reason,
>                         bool success)
>      ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
> +void virDomainAuditShmem(virDomainObjPtr vm,
> +                         virDomainShmemDefPtr def,
> +                         const char *reason, bool success)
> +    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
> 
> 
>  #endif /* __VIR_DOMAIN_AUDIT_H__ */
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index a5fa30562f0c..1555f60ffda4 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -146,6 +146,7 @@ virDomainAuditNetDevice;
>  virDomainAuditRedirdev;
>  virDomainAuditRNG;
>  virDomainAuditSecurityLabel;
> +virDomainAuditShmem;
>  virDomainAuditStart;
>  virDomainAuditStop;
>  virDomainAuditVcpu;
> 

ACK

Michal



