[PATCHv2 7/8] audit: also audit cgroup ACL permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* src/qemu/qemu_audit.h (qemuAuditCgroupMajor)
(qemuAuditCgroupPath): Add parameter.
* src/qemu/qemu_audit.c (qemuAuditCgroupMajor)
(qemuAuditCgroupPath): Add 'acl=rwm' to cgroup audit entries.
* src/qemu/qemu_cgroup.c: Update clients.
* src/qemu/qemu_driver.c (qemudDomainSaveFlag): Likewise.
---

v2: new patch; perhaps patch should be floated before patch 2, and
then this patch squashed into patch 2, so that I'm only touching
qemuAuditCgroupPath once?

 src/qemu/qemu_audit.c  |   12 ++++++++----
 src/qemu/qemu_audit.h  |    2 ++
 src/qemu/qemu_cgroup.c |   15 ++++++++-------
 src/qemu/qemu_driver.c |    6 +++---
 4 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
index 705cab7..ea4f22b 100644
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -291,6 +291,7 @@ cleanup:
  * @reason: either "allow" or "deny"
  * @maj: the major number of the device category
  * @name: a textual name for that device category, alphabetic only
+ * @perms: string containing "r", "w", and/or "m" as appropriate
  * @success: true if the cgroup operation succeeded
  *
  * Log an audit message about an attempted cgroup device ACL change.
@@ -298,11 +299,12 @@ cleanup:
 void
 qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
                      const char *reason, int maj, const char *name,
-                     bool success)
+                     const char *perms, bool success)
 {
     char *extra;

-    if (virAsprintf(&extra, "major category=%s maj=%02X", name, maj) < 0) {
+    if (virAsprintf(&extra, "major category=%s maj=%02X acl=%s",
+                    name, maj, perms) < 0) {
         VIR_WARN0("OOM while encoding audit message");
         return;
     }
@@ -318,6 +320,7 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
  * @cgroup: cgroup that manages the devices
  * @reason: either "allow" or "deny"
  * @path: the device being adjusted
+ * @perms: string containing "r", "w", and/or "m" as appropriate
  * @rc: > 0 if not a device, 0 if success, < 0 if failure
  *
  * Log an audit message about an attempted cgroup device ACL change to
@@ -325,7 +328,8 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
  */
 void
 qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
-                    const char *reason, const char *path, int rc)
+                    const char *reason, const char *path, const char *perms,
+                    int rc)
 {
     char *detail;
     char *rdev;
@@ -337,7 +341,7 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,

     if (!(detail = virAuditEncode("path", path)) ||
         !(rdev = qemuAuditGetRdev(path)) ||
-        virAsprintf(&extra, "path path=%s %s", path, rdev) < 0) {
+        virAsprintf(&extra, "path path=%s %s acl=%s", path, rdev, perms) < 0) {
         VIR_WARN0("OOM while encoding audit message");
         goto cleanup;
     }
diff --git a/src/qemu/qemu_audit.h b/src/qemu/qemu_audit.h
index 84874a2..a9300d3 100644
--- a/src/qemu/qemu_audit.h
+++ b/src/qemu/qemu_audit.h
@@ -61,11 +61,13 @@ void qemuAuditCgroupMajor(virDomainObjPtr vm,
                           const char *reason,
                           int maj,
                           const char *name,
+                          const char *perms,
                           bool success);
 void qemuAuditCgroupPath(virDomainObjPtr vm,
                          virCgroupPtr group,
                          const char *reason,
                          const char *path,
+                         const char *perms,
                          int rc);
 void qemuAuditMemory(virDomainObjPtr vm,
                      unsigned long long oldmem,
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 83063a9..f65445c 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -68,7 +68,8 @@ qemuSetupDiskPathAllow(virDomainDiskDefPtr disk,
     rc = virCgroupAllowDevicePath(data->cgroup, path,
                                   (disk->readonly ? VIR_CGROUP_DEVICE_READ
                                    : VIR_CGROUP_DEVICE_RW));
-    qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc);
+    qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path,
+                        disk->readonly ? "r" : "rw", rc);
     if (rc < 0) {
         if (rc == -EACCES) { /* Get this for root squash NFS */
             VIR_DEBUG("Ignoring EACCES for %s", path);
@@ -109,7 +110,7 @@ qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
     VIR_DEBUG("Process path %s for disk", path);
     rc = virCgroupDenyDevicePath(data->cgroup, path,
                                  VIR_CGROUP_DEVICE_RWM);
-    qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, rc);
+    qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc);
     if (rc < 0) {
         if (rc == -EACCES) { /* Get this for root squash NFS */
             VIR_DEBUG("Ignoring EACCES for %s", path);
@@ -154,7 +155,7 @@ qemuSetupChardevCgroup(virDomainDefPtr def,
     rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path,
                                   VIR_CGROUP_DEVICE_RW);
     qemuAuditCgroupPath(data->vm, data->cgroup, "allow",
-                        dev->source.data.file.path, rc);
+                        dev->source.data.file.path, "rw", rc);
     if (rc < 0) {
         virReportSystemError(-rc,
                              _("Unable to allow device %s for %s"),
@@ -176,7 +177,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED,
     VIR_DEBUG("Process path '%s' for USB device", path);
     rc = virCgroupAllowDevicePath(data->cgroup, path,
                                   VIR_CGROUP_DEVICE_RW);
-    qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc);
+    qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc);
     if (rc < 0) {
         virReportSystemError(-rc,
                              _("Unable to allow device %s"),
@@ -232,7 +233,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
         rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR,
                                        VIR_CGROUP_DEVICE_RWM);
         qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR,
-                             "pty", rc == 0);
+                             "pty", "rwm", rc == 0);
         if (rc != 0) {
             virReportSystemError(-rc, "%s",
                                  _("unable to allow /dev/pts/ devices"));
@@ -247,7 +248,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
             rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR,
                                            VIR_CGROUP_DEVICE_RWM);
             qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR,
-                                 "sound", rc == 0);
+                                 "sound", "rwm", rc == 0);
             if (rc != 0) {
                 virReportSystemError(-rc, "%s",
                                      _("unable to allow /dev/snd/ devices"));
@@ -258,7 +259,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
         for (i = 0; deviceACL[i] != NULL ; i++) {
             rc = virCgroupAllowDevicePath(cgroup, deviceACL[i],
                                           VIR_CGROUP_DEVICE_RW);
-            qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], rc);
+            qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc);
             if (rc < 0 &&
                 rc != -ENOENT) {
                 virReportSystemError(-rc,
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 7b4edc5..ca2b61d 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1964,7 +1964,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom,
         }
         rc = virCgroupAllowDevicePath(cgroup, path,
                                       VIR_CGROUP_DEVICE_RW);
-        qemuAuditCgroupPath(vm, cgroup, "allow", path, rc);
+        qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
         if (rc < 0) {
             virReportSystemError(-rc,
                                  _("Unable to allow device %s for %s"),
@@ -2015,7 +2015,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom,
     if (cgroup != NULL) {
         rc = virCgroupDenyDevicePath(cgroup, path,
                                      VIR_CGROUP_DEVICE_RWM);
-        qemuAuditCgroupPath(vm, cgroup, "deny", path, rc);
+        qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
         if (rc < 0)
             VIR_WARN("Unable to deny device %s for %s %d",
                      path, vm->def->name, rc);
@@ -2048,7 +2048,7 @@ endjob:
             if (cgroup != NULL) {
                 rc = virCgroupDenyDevicePath(cgroup, path,
                                              VIR_CGROUP_DEVICE_RWM);
-                qemuAuditCgroupPath(vm, cgroup, "deny", path, rc);
+                qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
                 if (rc < 0)
                     VIR_WARN("Unable to deny device %s for %s: %d",
                              path, vm->def->name, rc);
-- 
1.7.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]