audit: Audit smartcard devices

2024-10-05 05:45:46 +00:00 · 2014-07-03 12:03:41 +02:00 · 2014-07-03 12:03:41 +02:00 · 5bd3c73bdf
commit 5bd3c73bdf
parent 994cc31444
2 changed files with 68 additions and 0 deletions
--- a/docs/auditlog.html.in
+++ b/docs/auditlog.html.in
@ -301,6 +301,26 @@
      <dd>Updated path of the backing character device for given emulated device</dd>
    </dl>

+    <h4><a name="typeresourcesmartcard">smartcard</a></h4>
+    <p>
+      The <code>msg</code> field will include the following sub-fields
+    </p>
+
+    <dl>
+      <dt>reason</dt>
+      <dd>The reason which caused the resource to be assigned to happen</dd>
+      <dt>resrc</dt>
+      <dd>The type of resource assigned. Set to <code>smartcard</code></dd>
+      <dt>old-smartcard</dt>
+      <dd>Original path of the backing character device, certificate store or
+          "nss-smartcard-device" for host smartcard passthrough.
+      </dd>
+      <dt>new-smartcard</dt>
+      <dd>Updated path of the backing character device, certificate store or
+          "nss-smartcard-device" for host smartcard passthrough.
+      </dd>
+    </dl>
+
    <h4><a name="typeresourceredir">Redirected device</a></h4>
    <p>
      The <code>msg</code> field will include the following sub-fields
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@ -177,6 +177,51 @@ virDomainAuditChardev(virDomainObjPtr vm,
 }


+static void
+virDomainAuditSmartcard(virDomainObjPtr vm,
+                        virDomainSmartcardDefPtr def,
+                        const char *reason,
+                        bool success)
+{
+    const char *database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+    size_t i;
+
+    if (def) {
+        switch ((virDomainSmartcardType) def->type) {
+        case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+            virDomainAuditGenericDev(vm, "smartcard",
+                                     NULL, "nss-smartcard-device",
+                                     reason, success);
+            break;
+
+        case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+            for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) {
+                virDomainAuditGenericDev(vm, "smartcard", NULL,
+                                         def->data.cert.file[i],
+                                         reason, success);
+            }
+
+            if (def->data.cert.database)
+                database = def->data.cert.database;
+
+            virDomainAuditGenericDev(vm, "smartcard",
+                                     NULL, database,
+                                     reason, success);
+            break;
+
+        case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+            virDomainAuditGenericDev(vm, "smartcard", NULL,
+                                     virDomainAuditChardevPath(&def->data.passthru),
+                                     reason, success);
+            break;
+
+        case VIR_DOMAIN_SMARTCARD_TYPE_LAST:
+            break;
+        }
+    }
+}
+
+
 void
 virDomainAuditDisk(virDomainObjPtr vm,
                   virStorageSourcePtr oldDef,
@ -814,6 +859,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
        virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start", true);
    }

+    for (i = 0; i < vm->def->nsmartcards; i++)
+        virDomainAuditSmartcard(vm, vm->def->smartcards[i], "start", true);
+
    if (vm->def->rng)
        virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);