I'm following up on danpb's patches to add initial audit support to qemu actions (see around commit 8dc136b in Oct 2010). This series adds the following additional audit points:

- All changes to the device ACL whitelist via the cgroup device controller
- All changes to memory balloon and vcpu sizes
- All changes to pci and usb device passthrough

Here's an example audit, using audit-2.0.6-1.el6.x86_64 from RHEL, where I hot-unplugged a PCI device from a guest:

type=VIRT_RESOURCE msg=audit(1298504227.432:914): user pid=13400 uid=0 auid=500 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=dev reason=detach vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 type=pci device="0000:0a:0a.0": exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

And one where I reduced memory via ballooning:

type=VIRT_RESOURCE msg=audit(1298505060.916:927): user pid=13400 uid=0 auid=500 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=mem reason=update vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 old-mem=786432 new-mem=524288: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

Changes since v1[1]:

- Rebased (assumes that Jirka's patch series[2] to clean up qemuCmdFlags will go in first, otherwise you will get minor conflicts when applying)
- Added some patches
- Reworked the cgroup ACL patches to avoid spamming the audit log when visiting a regular file instead of a device

[1] https://www.redhat.com/archives/libvir-list/2011-February/msg00565.html
[2] https://www.redhat.com/archives/libvir-list/2011-February/msg00985.html

Eric Blake (5):
  cgroup: determine when skipping non-devices
  audit: prepare qemu for listing vm in cgroup audits
  audit: add qemu hooks for auditing cgroup events
  audit: audit qemu memory and vcpu adjusments
  audit: audit qemu pci and usb device passthrough

 src/qemu/qemu_audit.c   |  178 ++++++++++++++++++++++++++++++++++++++++++++++-
 src/qemu/qemu_audit.h   |   23 ++++++-
 src/qemu/qemu_cgroup.c  |   95 +++++++++++++++----------
 src/qemu/qemu_cgroup.h  |   21 +++---
 src/qemu/qemu_driver.c  |   28 +++++--
 src/qemu/qemu_hotplug.c |   35 ++++-----
 src/util/cgroup.c       |    7 +-
 7 files changed, 305 insertions(+), 82 deletions(-)

--
1.7.4
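Added example, not part of the original message or of libvirt: a small Python parser for the two VIRT_RESOURCE records quoted above, with hypothetical function names. It keeps the inner msg='...' fields in their own dict, because the payload's type=pci would otherwise overwrite the record type, and it drops the colon that trails the last libvirt field.

```python
import re

# The two records from the message above, rebuilt from their shared head/tail text.
_HEAD = ("type=VIRT_RESOURCE msg=audit({}): user pid=13400 uid=0 auid=500 ses=3 "
         "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='{} ")
_TAIL = ('exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? '
         "terminal=pts/0 res=success'")
_VM = 'vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201'
SAMPLES = [
    _HEAD.format("1298504227.432:914", "resrc=dev reason=detach " + _VM
                 + ' type=pci device="0000:0a:0a.0":') + _TAIL,
    _HEAD.format("1298505060.916:927", "resrc=mem reason=update " + _VM
                 + " old-mem=786432 new-mem=524288:") + _TAIL,
]

HEADER = re.compile(r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
PAYLOAD = re.compile(r"msg='(?P<body>.*)'\s*$")
FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_record(line):
    """Return a dict for one audit line, or None if it is not in this format."""
    head, payload = HEADER.match(line), PAYLOAD.search(line)
    if not head or not payload:
        return None
    rec = {"type": head["type"], "time": float(head["ts"]), "serial": int(head["serial"])}
    # Kernel-side fields (pid, uid, auid, ses, subj) sit between header and payload.
    rec.update(FIELD.findall(line[head.end():payload.start()]))
    # Payload fields go in a nested dict: its "type=pci" must not replace the
    # record type. Values lose surrounding quotes and the trailing ':' separator.
    rec["msg"] = {k: v.rstrip(":").strip('"') for k, v in FIELD.findall(payload["body"])}
    return rec

def resource_changes(lines):
    """Summarise VIRT_RESOURCE records as (vm, resrc, reason, detail, res) tuples."""
    out = []
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] != "VIRT_RESOURCE":
            continue
        m = rec["msg"]
        if m.get("resrc") == "mem":
            old, new = int(m["old-mem"]), int(m["new-mem"])
            detail = f"{old} -> {new} ({new - old:+d})"
        else:  # device records carry type= and device=
            detail = " ".join(v for v in (m.get("type"), m.get("device")) if v)
        out.append((m.get("vm"), m.get("resrc"), m.get("reason"), detail, m.get("res")))
    return out

if __name__ == "__main__":
    for row in resource_changes(SAMPLES):
        print(row)
```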