* src/qemu/qemu_audit.h (qemuAuditCgroupMajor) (qemuAuditCgroupPath): Add parameter. * src/qemu/qemu_audit.c (qemuAuditCgroupMajor) (qemuAuditCgroupPath): Add 'acl=rwm' to cgroup audit entries. * src/qemu/qemu_cgroup.c: Update clients. * src/qemu/qemu_driver.c (qemudDomainSaveFlag): Likewise. --- v2: new patch; perhaps patch should be floated before patch 2, and then this patch squashed into patch 2, so that I'm only touching qemuAuditCgroupPath once? src/qemu/qemu_audit.c | 12 ++++++++---- src/qemu/qemu_audit.h | 2 ++ src/qemu/qemu_cgroup.c | 15 ++++++++------- src/qemu/qemu_driver.c | 6 +++--- 4 files changed, 21 insertions(+), 14 deletions(-) diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c index 705cab7..ea4f22b 100644 --- a/src/qemu/qemu_audit.c +++ b/src/qemu/qemu_audit.c @@ -291,6 +291,7 @@ cleanup: * @reason: either "allow" or "deny" * @maj: the major number of the device category * @name: a textual name for that device category, alphabetic only + * @perms: string containing "r", "w", and/or "m" as appropriate * @success: true if the cgroup operation succeeded * * Log an audit message about an attempted cgroup device ACL change. @@ -298,11 +299,12 @@ cleanup: void qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, const char *reason, int maj, const char *name, - bool success) + const char *perms, bool success) { char *extra; - if (virAsprintf(&extra, "major category=%s maj=%02X", name, maj) < 0) { + if (virAsprintf(&extra, "major category=%s maj=%02X acl=%s", + name, maj, perms) < 0) { VIR_WARN0("OOM while encoding audit message"); return; } @@ -318,6 +320,7 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, * @cgroup: cgroup that manages the devices * @reason: either "allow" or "deny" * @path: the device being adjusted + * @perms: string containing "r", "w", and/or "m" as appropriate * @rc: > 0 if not a device, 0 if success, < 0 if failure * * Log an audit message about an attempted cgroup device ACL change to @@ -325,7 +328,8 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, */ void qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup, - const char *reason, const char *path, int rc) + const char *reason, const char *path, const char *perms, + int rc) { char *detail; char *rdev; @@ -337,7 +341,7 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup, if (!(detail = virAuditEncode("path", path)) || !(rdev = qemuAuditGetRdev(path)) || - virAsprintf(&extra, "path path=%s %s", path, rdev) < 0) { + virAsprintf(&extra, "path path=%s %s acl=%s", path, rdev, perms) < 0) { VIR_WARN0("OOM while encoding audit message"); goto cleanup; } diff --git a/src/qemu/qemu_audit.h b/src/qemu/qemu_audit.h index 84874a2..a9300d3 100644 --- a/src/qemu/qemu_audit.h +++ b/src/qemu/qemu_audit.h @@ -61,11 +61,13 @@ void qemuAuditCgroupMajor(virDomainObjPtr vm, const char *reason, int maj, const char *name, + const char *perms, bool success); void qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr group, const char *reason, const char *path, + const char *perms, int rc); void qemuAuditMemory(virDomainObjPtr vm, unsigned long long oldmem, diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 83063a9..f65445c 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -68,7 +68,8 @@ qemuSetupDiskPathAllow(virDomainDiskDefPtr disk, rc = virCgroupAllowDevicePath(data->cgroup, path, (disk->readonly ? VIR_CGROUP_DEVICE_READ : VIR_CGROUP_DEVICE_RW)); - qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc); + qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, + disk->readonly ? "r" : "rw", rc); if (rc < 0) { if (rc == -EACCES) { /* Get this for root squash NFS */ VIR_DEBUG("Ignoring EACCES for %s", path); @@ -109,7 +110,7 @@ qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, VIR_DEBUG("Process path %s for disk", path); rc = virCgroupDenyDevicePath(data->cgroup, path, VIR_CGROUP_DEVICE_RWM); - qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, rc); + qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc); if (rc < 0) { if (rc == -EACCES) { /* Get this for root squash NFS */ VIR_DEBUG("Ignoring EACCES for %s", path); @@ -154,7 +155,7 @@ qemuSetupChardevCgroup(virDomainDefPtr def, rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path, VIR_CGROUP_DEVICE_RW); qemuAuditCgroupPath(data->vm, data->cgroup, "allow", - dev->source.data.file.path, rc); + dev->source.data.file.path, "rw", rc); if (rc < 0) { virReportSystemError(-rc, _("Unable to allow device %s for %s"), @@ -176,7 +177,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED, VIR_DEBUG("Process path '%s' for USB device", path); rc = virCgroupAllowDevicePath(data->cgroup, path, VIR_CGROUP_DEVICE_RW); - qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc); + qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc); if (rc < 0) { virReportSystemError(-rc, _("Unable to allow device %s"), @@ -232,7 +233,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR, VIR_CGROUP_DEVICE_RWM); qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR, - "pty", rc == 0); + "pty", "rwm", rc == 0); if (rc != 0) { virReportSystemError(-rc, "%s", _("unable to allow /dev/pts/ devices")); @@ -247,7 +248,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR, VIR_CGROUP_DEVICE_RWM); qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR, - "sound", rc == 0); + "sound", "rwm", rc == 0); if (rc != 0) { virReportSystemError(-rc, "%s", _("unable to allow /dev/snd/ devices")); @@ -258,7 +259,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, for (i = 0; deviceACL[i] != NULL ; i++) { rc = virCgroupAllowDevicePath(cgroup, deviceACL[i], VIR_CGROUP_DEVICE_RW); - qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], rc); + qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc); if (rc < 0 && rc != -ENOENT) { virReportSystemError(-rc, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 7b4edc5..ca2b61d 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -1964,7 +1964,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom, } rc = virCgroupAllowDevicePath(cgroup, path, VIR_CGROUP_DEVICE_RW); - qemuAuditCgroupPath(vm, cgroup, "allow", path, rc); + qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc); if (rc < 0) { virReportSystemError(-rc, _("Unable to allow device %s for %s"), @@ -2015,7 +2015,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom, if (cgroup != NULL) { rc = virCgroupDenyDevicePath(cgroup, path, VIR_CGROUP_DEVICE_RWM); - qemuAuditCgroupPath(vm, cgroup, "deny", path, rc); + qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc); if (rc < 0) VIR_WARN("Unable to deny device %s for %s %d", path, vm->def->name, rc); @@ -2048,7 +2048,7 @@ endjob: if (cgroup != NULL) { rc = virCgroupDenyDevicePath(cgroup, path, VIR_CGROUP_DEVICE_RWM); - qemuAuditCgroupPath(vm, cgroup, "deny", path, rc); + qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc); if (rc < 0) VIR_WARN("Unable to deny device %s for %s: %d", path, vm->def->name, rc); -- 1.7.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list