[PATCH 2/3] Log taint warnings in QEMU driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Wire up logging of VM taintint to the QEMU driver

 - If running QEMU as root user/group or without capabilities
   being cleared
 - If passing custom QEMU command line args
 - If issuing custom QEMU monitor commands
 - If using a network interface config with an associated
   shell script
 - If using a disk config relying on format probing

The warnings, per-VM appear in the main libvirtd logs

  11:56:17.571: 10832: warning : qemuDomainObjTaint:712 : Domain id=1 name='l2' uuid=c7a3edbd-edaf-9455-926a-d65c16db1802 is tainted: high-privileges
  11:56:17.571: 10832: warning : qemuDomainObjTaint:712 : Domain id=1 name='l2' uuid=c7a3edbd-edaf-9455-926a-d65c16db1802 is tainted: disk-probing

And in the /var/log/libvirt/qemu/$VMNAME.log file

  Domain id=2 is tainted: high-privileges
  Domain id=2 is tainted: disk-probing

The taint flags are reset when the VM is stopped.

* src/qemu/qemu_domain.c, src/qemu/qemu_domain.h: Helper APIs
  for logging taint warnings
* src/qemu/qemu_driver.c: Log tainting with custom QEMU monitor
  commands and disk/net hotplug with unsupported configs
* src/qemu/qemu_process.c: Log tainting at startup based on
  unsupported configs
---
 src/qemu/qemu_domain.c  |   75 +++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_domain.h  |   16 +++++++++-
 src/qemu/qemu_driver.c  |    8 ++---
 src/qemu/qemu_process.c |    4 ++-
 4 files changed, 96 insertions(+), 7 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index a947b4e..78839cc 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -32,6 +32,7 @@
 #include "event.h"
 #include "cpu/cpu.h"
 #include "ignore-value.h"
+#include "uuid.h"
 
 #include <sys/time.h>
 
@@ -697,3 +698,77 @@ cleanup:
     virCPUDefFree(cpu);
     return ret;
 }
+
+void qemuDomainObjTaint(virDomainObjPtr obj,
+                        int taint,
+                        int logFD)
+{
+    if (virDomainObjTaint(obj, taint)) {
+        char uuidstr[VIR_UUID_STRING_BUFLEN];
+        virUUIDFormat(obj->def->uuid, uuidstr);
+
+        VIR_WARN("Domain id=%d name='%s' uuid=%s is tainted: %s",
+                 obj->def->id,
+                 obj->def->name,
+                 uuidstr,
+                 virDomainTaintTypeToString(taint));
+
+        if (logFD != -1) {
+            char *message;
+            if (virAsprintf(&message,
+                            "Domain id=%d is tainted: %s\n",
+                            obj->def->id,
+                            virDomainTaintTypeToString(taint)) < 0)
+                return;
+            ignore_value(safewrite(logFD, message, strlen(message)));
+        }
+    }
+}
+
+
+void qemuDomainObjCheckTaint(struct qemud_driver *driver,
+                             virDomainObjPtr obj,
+                             int logFD)
+{
+    int i;
+
+    if (!driver->clearEmulatorCapabilities ||
+        driver->user == 0 ||
+        driver->group == 0)
+        qemuDomainObjTaint(obj, VIR_DOMAIN_TAINT_HIGH_PRIVILEGES, logFD);
+
+    if (obj->def->namespaceData) {
+        qemuDomainCmdlineDefPtr qemucmd = obj->def->namespaceData;
+        if (qemucmd->num_args || qemucmd->num_env)
+            qemuDomainObjTaint(obj, VIR_DOMAIN_TAINT_CUSTOM_ARGV, logFD);
+    }
+
+    for (i = 0 ; i < obj->def->ndisks ; i++)
+        qemuDomainObjCheckDiskTaint(driver, obj, obj->def->disks[i], logFD);
+
+    for (i = 0 ; i < obj->def->nnets ; i++)
+        qemuDomainObjCheckNetTaint(obj, obj->def->nets[i], logFD);
+}
+
+
+void qemuDomainObjCheckDiskTaint(struct qemud_driver *driver,
+                                 virDomainObjPtr obj,
+                                 virDomainDiskDefPtr disk,
+                                 int logFD)
+{
+    if (!disk->driverType &&
+        driver->allowDiskFormatProbing)
+        qemuDomainObjTaint(obj, VIR_DOMAIN_TAINT_DISK_PROBING, logFD);
+}
+
+
+void qemuDomainObjCheckNetTaint(virDomainObjPtr obj,
+                                virDomainNetDefPtr net,
+                                int logFD)
+{
+    if ((net->type == VIR_DOMAIN_NET_TYPE_ETHERNET &&
+         net->data.ethernet.script != NULL) ||
+        (net->type == VIR_DOMAIN_NET_TYPE_BRIDGE &&
+         net->data.bridge.script != NULL))
+        qemuDomainObjTaint(obj, VIR_DOMAIN_TAINT_SHELL_SCRIPTS, logFD);
+}
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 8258900..dbef4e1 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -69,7 +69,6 @@ struct _qemuDomainObjPrivate {
     qemuMonitorPtr mon;
     virDomainChrSourceDefPtr monConfig;
     int monJSON;
-    int monitor_warned;
     bool gotShutdown;
 
     int nvcpupids;
@@ -113,4 +112,19 @@ char *qemuDomainFormatXML(struct qemud_driver *driver,
                           virDomainObjPtr vm,
                           int flags);
 
+void qemuDomainObjTaint(virDomainObjPtr obj,
+                        int taint,
+                        int logFD);
+
+void qemuDomainObjCheckTaint(struct qemud_driver *driver,
+                             virDomainObjPtr obj,
+                             int logFD);
+void qemuDomainObjCheckDiskTaint(struct qemud_driver *driver,
+                                 virDomainObjPtr obj,
+                                 virDomainDiskDefPtr disk,
+                                 int logFD);
+void qemuDomainObjCheckNetTaint(virDomainObjPtr obj,
+                                virDomainNetDefPtr net,
+                                int logFD);
+
 #endif /* __QEMU_DOMAIN_H__ */
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 0919503..13f9362 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3884,6 +3884,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm,
 
     switch (dev->type) {
     case VIR_DOMAIN_DEVICE_DISK:
+        qemuDomainObjCheckDiskTaint(driver, vm, dev->data.disk, -1);
         ret = qemuDomainAttachDeviceDiskLive(driver, vm, dev, qemuCaps);
         if (!ret)
             dev->data.disk = NULL;
@@ -3896,6 +3897,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm,
         break;
 
     case VIR_DOMAIN_DEVICE_NET:
+        qemuDomainObjCheckNetTaint(vm, dev->data.net, -1);
         ret = qemuDomainAttachNetDevice(dom->conn, driver, vm,
                                         dev->data.net, qemuCaps);
         if (!ret)
@@ -7001,11 +7003,7 @@ static int qemuDomainMonitorCommand(virDomainPtr domain, const char *cmd,
 
     priv = vm->privateData;
 
-    if (!priv->monitor_warned) {
-        VIR_INFO("Qemu monitor command '%s' executed; libvirt results may be unpredictable!",
-                 cmd);
-        priv->monitor_warned = 1;
-    }
+    qemuDomainObjTaint(vm, VIR_DOMAIN_TAINT_CUSTOM_MONITOR, -1);
 
     hmp = !!(flags & VIR_DOMAIN_QEMU_MONITOR_COMMAND_HMP);
 
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 7691cbe..c521dbf 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -2229,7 +2229,6 @@ int qemuProcessStart(virConnectPtr conn,
 #endif
         priv->monJSON = 0;
 
-    priv->monitor_warned = 0;
     priv->gotShutdown = false;
 
     if ((ret = virFileDeletePid(driver->stateDir, vm->def->name)) != 0) {
@@ -2316,6 +2315,8 @@ int qemuProcessStart(virConnectPtr conn,
 
     virCommandWriteArgLog(cmd, logfile);
 
+    qemuDomainObjCheckTaint(driver, vm, logfile);
+
     if ((pos = lseek(logfile, 0, SEEK_END)) < 0)
         VIR_WARN("Unable to seek to end of logfile: %s",
                  virStrerror(errno, ebuf, sizeof ebuf));
@@ -2597,6 +2598,7 @@ retry:
         qemuProcessReturnPort(driver, vm->def->graphics[0]->data.spice.tlsPort);
     }
 
+    vm->taint = 0;
     vm->pid = -1;
     vm->def->id = -1;
     vm->state = VIR_DOMAIN_SHUTOFF;
-- 
1.7.4.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]