Although the cgroup device ACL controller path can be worked out by researching the code, it is more efficient to include that information directly in the audit message. * src/util/cgroup.h (virCgroupPathOfController): New prototype. * src/util/cgroup.c (virCgroupPathOfController): Export. * src/libvirt_private.syms: Likewise. * src/qemu/qemu_audit.c (qemuAuditCgroup): Use it. --- v2: rebase onto other changes src/libvirt_private.syms | 1 + src/qemu/qemu_audit.c | 19 ++++++++++++++++--- src/util/cgroup.c | 8 ++++---- src/util/cgroup.h | 5 +++++ 4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index efcf3c5..c0da78e 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -79,6 +79,7 @@ virCgroupKill;
 virCgroupKillRecursive;
 virCgroupKillPainfully;
 virCgroupMounted;
+virCgroupPathOfController;
 virCgroupRemove;
 virCgroupSetBlkioWeight;
 virCgroupSetCpuShares;
diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
index 56b0b74..08eb431 100644
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -216,11 +216,13 @@ cleanup:
 * Log an audit message about an attempted cgroup device ACL change.
 */
 void
-qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
+qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
 const char *reason, const char *extra, bool success)
 {
 char uuidstr[VIR_UUID_STRING_BUFLEN];
 char *vmname;
+ char *controller = NULL;
+ char *detail;
 virUUIDFormat(vm->def->uuid, uuidstr);
 if (!(vmname = virAuditEncode("vm", vm->def->name))) {
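Review bot: `char *detail;` is declared without an initializer, yet the `cleanup:` label added in the next hunk passes it to `VIR_FREE`. The only `goto cleanup` in this patch comes after `detail` has been assigned, so nothing uninitialized is freed today, but a later jump placed before that assignment would free a garbage pointer. Declare it as `char *detail = NULL;`, matching `controller` on the line above. The body of qemuAuditCgroup continues past the end of this hunk.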
@@ -228,11 +230,22 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
 return;
 }
+ virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
+ NULL, &controller);
+
+ if (!(detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller)))) {
+ VIR_WARN0("OOM while encoding audit message");
+ goto cleanup;
+ }
+
 VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
- "resrc=cgroup reason=%s %s uuid=%s class=%s",
- reason, vmname, uuidstr, extra);
+ "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
+ reason, vmname, uuidstr, detail, extra);
+cleanup:
 VIR_FREE(vmname);
+ VIR_FREE(controller);
+ VIR_FREE(detail);
 }
 /**
diff --git a/src/util/cgroup.c b/src/util/cgroup.c
index 8551acd..46358ab 100644
--- a/src/util/cgroup.c
+++ b/src/util/cgroup.c
@@ -254,10 +254,10 @@ static int virCgroupDetect(virCgroupPtr group)
 #endif
-static int virCgroupPathOfController(virCgroupPtr group,
- int controller,
- const char *key,
- char **path)
+int virCgroupPathOfController(virCgroupPtr group,
+ int controller,
+ const char *key,
+ char **path)
 {
 if (controller == -1) {
 int i;
diff --git a/src/util/cgroup.h b/src/util/cgroup.h
index d468cb3..b3c5f27 100644
--- a/src/util/cgroup.h
+++ b/src/util/cgroup.h
@@ -40,6 +40,11 @@ int virCgroupForDomain(virCgroupPtr driver,
 virCgroupPtr *group,
 int create);
+int virCgroupPathOfController(virCgroupPtr group,
+ int controller,
+ const char *key,
+ char **path);
+
 int virCgroupAddTask(virCgroupPtr group, pid_t pid);
 int virCgroupSetBlkioWeight(virCgroupPtr group, unsigned int weight);
-- 1.7.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
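Review bot: The return value of `virCgroupPathOfController` is discarded, so when the lookup fails the audit record is still written with whatever `VIR_AUDIT_STR(controller)` substitutes for a NULL path. If that fallback is intended, say so at the call, e.g. `/* Best effort: on failure controller stays NULL and the record is still emitted */`. Separately, `cgroup` was `ATTRIBUTE_UNUSED` before this change and is now handed straight to the lookup; the callers are outside this patch, so it is worth confirming that none of them passes NULL. The OOM branch for `detail` jumps to `cleanup` without reaching `VIR_AUDIT`, so a device ACL change leaves only a `VIR_WARN0` and no audit record under memory pressure; that mirrors the existing `vmname` path but should be stated in the function comment.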
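Review bot: `virCgroupPathOfController` becomes callable from outside cgroup.c here and in the src/util/cgroup.h hunk, but neither place documents its contract. A comment above the prototype should state that `key` may be NULL (the new caller passes NULL), that `*path` is allocated for the caller and must be released with `VIR_FREE`, and what the return value means on failure. Only the `controller == -1` branch is visible in this hunk and the function body continues outside it, so how other out-of-range controller values are handled cannot be checked from here; with the function now reachable by other callers, that is worth verifying.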