Add auditing of the allocated security label in the QEMU driver VM startup code
* src/qemu/qemu_driver.c: Audit security label
---
 src/qemu/qemu_driver.c | 32 ++++++++++++++++++++++++++++----
 1 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 980d9d4..8db5e7a 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3698,6 +3698,27 @@ static void qemuDomainStopAudit(virDomainObjPtr vm, const char *reason)
 qemuDomainLifecycleAudit(vm, "stop", reason, true);
 }
 
+static void qemuDomainSecurityLabelAudit(virDomainObjPtr vm, bool success)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ char *vmname;
+
+ virUUIDFormat(vm->def->uuid, uuidstr);
+ if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+ VIR_WARN0("OOM while encoding audit message");
+ return;
+ }
+
+ VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_ID, success,
+ "%s uuid=%s vm-ctx=%s img-ctx=%s",
+ vmname, uuidstr,
+ VIR_AUDIT_STR(vm->def->seclabel.label),
+ VIR_AUDIT_STR(vm->def->seclabel.imagelabel));
+
+ VIR_FREE(vmname);
+}
+
+
 static int qemudStartVMDaemon(virConnectPtr conn,
 struct qemud_driver *driver,
 virDomainObjPtr vm,
@@ -3752,10 +3773,13 @@ static int qemudStartVMDaemon(virConnectPtr conn,
 then generate a security label for isolation */
 DEBUG0("Generating domain security label (if required)");
 if (driver->securityDriver &&
- driver->securityDriver->domainGenSecurityLabel &&
- driver->securityDriver->domainGenSecurityLabel(driver->securityDriver,
- vm) < 0)
- goto cleanup;
+ driver->securityDriver->domainGenSecurityLabel) {
+ ret = driver->securityDriver->domainGenSecurityLabel(driver->securityDriver,
+ vm);
+ qemuDomainSecurityLabelAudit(vm, ret >= 0);
+ if (ret < 0)
+ goto cleanup;
+ }
 
 DEBUG0("Generating setting domain security labels (if required)");
 if (driver->securityDriver &&
-- 
1.7.2.3

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
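Review bot: In the second hunk the function-wide `ret` is now used as the temporary for domainGenSecurityLabel() and is left at 0 on success; if the `cleanup:` label at the end of qemudStartVMDaemon returns `ret` rather than a literal -1, any later `goto cleanup` that does not reset it would report a failed start as success — the rest of qemudStartVMDaemon is outside both hunks, so this needs checking, and a dedicated local (`int rc = driver->securityDriver->domainGenSecurityLabel(driver->securityDriver, vm); qemuDomainSecurityLabelAudit(vm, rc >= 0); if (rc < 0) goto cleanup;`) avoids the question entirely. In the first hunk the new helper has no header comment; I would add `/* Emit a MACHINE_ID audit record for the labels assigned to the domain; on OOM the record is dropped with only a warning, so a missing event does not by itself mean no label was generated. */` above qemuDomainSecurityLabelAudit. Both seclabel fields are read regardless of `success`, which presumably relies on VIR_AUDIT_STR tolerating NULL; worth confirming it also covers a label left unset when generation fails.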