On Tue, Mar 08, 2011 at 10:13:45PM -0700, Eric Blake wrote:
> Although the cgroup device ACL controller path can be worked out
> by researching the code, it is more efficient to include that
> information directly in the audit message.
>
> * src/util/cgroup.h (virCgroupPathOfController): New prototype.
> * src/util/cgroup.c (virCgroupPathOfController): Export.
> * src/libvirt_private.syms: Likewise.
> * src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.
> ---
>
> v2: rebase onto other changes
>
> src/libvirt_private.syms | 1 +
> src/qemu/qemu_audit.c | 19 ++++++++++++++++---
> src/util/cgroup.c | 8 ++++----
> src/util/cgroup.h | 5 +++++
> 4 files changed, 26 insertions(+), 7 deletions(-)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index efcf3c5..c0da78e 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -79,6 +79,7 @@ virCgroupKill;
> virCgroupKillRecursive;
> virCgroupKillPainfully;
> virCgroupMounted;
> +virCgroupPathOfController;
> virCgroupRemove;
> virCgroupSetBlkioWeight;
> virCgroupSetCpuShares;
> diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
> index 56b0b74..08eb431 100644
> --- a/src/qemu/qemu_audit.c
> +++ b/src/qemu/qemu_audit.c
> @@ -216,11 +216,13 @@ cleanup:
> * Log an audit message about an attempted cgroup device ACL change.
> */
> void
> -qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
> +qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
> const char *reason, const char *extra, bool success)
> {
> char uuidstr[VIR_UUID_STRING_BUFLEN];
> char *vmname;
> + char *controller = NULL;
> + char *detail;
>
> virUUIDFormat(vm->def->uuid, uuidstr);
> if (!(vmname = virAuditEncode("vm", vm->def->name))) {
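Review bot: `char *detail;` is declared without an initializer, while `controller` on the line above it gets `= NULL`. The following hunk jumps to `cleanup` when encoding fails, and the cleanup label for this function is not part of the quoted text; if that label frees `detail`, any `goto cleanup` later placed ahead of the `virAuditEncode("cgroup", ...)` assignment would free an indeterminate pointer on the audit path. Declaring it as `char *detail = NULL;` keeps the two new locals consistent and makes the cleanup safe regardless of statement order. The body of qemuAuditCgroup continues outside this hunk.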
> @@ -228,11 +230,22 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
> return;
> }
>
> + virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
> + NULL, &controller);
> +
> + if (!(detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller)))) {
> + VIR_WARN0("OOM while encoding audit message");
> + goto cleanup;
> + }
> +
> VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
> - "resrc=cgroup reason=%s %s uuid=%s class=%s",
> - reason, vmname, uuidstr, extra);
> + "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
> + reason, vmname, uuidstr, detail, extra);
I think perhaps we should make a better effort to output the audit event if creating 'detail' fails. eg remove the goto cleanup and do 'detail ? detail : "cgroup=?"' here Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list