audit: Add auditing for serial/parallel/channel/console character devs
Add startup auditing and also hotplug auditing for said devices.
This commit is contained in:
parent
dba3432b88
commit
994cc31444
@ -285,6 +285,21 @@
|
|||||||
<dd>Updated path of the host entropy source for the RNG</dd>
|
<dd>Updated path of the host entropy source for the RNG</dd>
|
||||||
</dl>
|
</dl>
|
||||||
|
|
||||||
|
<h4><a name="typeresourcechardev">console/serial/parallel/channel</a></h4>
|
||||||
|
<p>
|
||||||
|
The <code>msg</code> field will include the following sub-fields
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<dl>
|
||||||
|
<dt>reason</dt>
|
||||||
|
<dd>The reason which caused the resource to be assigned to happen</dd>
|
||||||
|
<dt>resrc</dt>
|
||||||
|
<dd>The type of resource assigned. Set to <code>chardev</code></dd>
|
||||||
|
<dt>old-chardev</dt>
|
||||||
|
<dd>Original path of the backing character device for given emulated device</dd>
|
||||||
|
<dt>new-chardev</dt>
|
||||||
|
<dd>Updated path of the backing character device for given emulated device</dd>
|
||||||
|
</dl>
|
||||||
|
|
||||||
<h4><a name="typeresourceredir">Redirected device</a></h4>
|
<h4><a name="typeresourceredir">Redirected device</a></h4>
|
||||||
<p>
|
<p>
|
||||||
|
@ -154,6 +154,29 @@ virDomainAuditGenericDev(virDomainObjPtr vm,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void
|
||||||
|
virDomainAuditChardev(virDomainObjPtr vm,
|
||||||
|
virDomainChrDefPtr oldDef,
|
||||||
|
virDomainChrDefPtr newDef,
|
||||||
|
const char *reason,
|
||||||
|
bool success)
|
||||||
|
{
|
||||||
|
virDomainChrSourceDefPtr oldsrc = NULL;
|
||||||
|
virDomainChrSourceDefPtr newsrc = NULL;
|
||||||
|
|
||||||
|
if (oldDef)
|
||||||
|
oldsrc = &oldDef->source;
|
||||||
|
|
||||||
|
if (newDef)
|
||||||
|
newsrc = &newDef->source;
|
||||||
|
|
||||||
|
virDomainAuditGenericDev(vm, "chardev",
|
||||||
|
virDomainAuditChardevPath(oldsrc),
|
||||||
|
virDomainAuditChardevPath(newsrc),
|
||||||
|
reason, success);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
virDomainAuditDisk(virDomainObjPtr vm,
|
virDomainAuditDisk(virDomainObjPtr vm,
|
||||||
virStorageSourcePtr oldDef,
|
virStorageSourcePtr oldDef,
|
||||||
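Review bot: virDomainAuditChardev carries no comment stating that either oldDef or newDef may be NULL, which is the contract every caller in this commit relies on (NULL oldDef at start/attach, NULL newDef at detach) and which the header's `ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4)` implies for parameters 2 and 3 only. A short header comment above the definition would pin that down, e.g. `/* Audit a change of the backing chardev of an emulated character device; oldDef or newDef is NULL when the device is being added or removed respectively, in which case the matching path is logged as unset. */`. The exact rendering of a NULL source depends on virDomainAuditChardevPath, which is not in this hunk, so the wording of the last clause should be checked against that helper.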
@ -772,6 +795,25 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
|
|||||||
virDomainAuditRedirdev(vm, redirdev, "start", true);
|
virDomainAuditRedirdev(vm, redirdev, "start", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < vm->def->nserials; i++)
|
||||||
|
virDomainAuditChardev(vm, NULL, vm->def->serials[i], "start", true);
|
||||||
|
|
||||||
|
for (i = 0; i < vm->def->nparallels; i++)
|
||||||
|
virDomainAuditChardev(vm, NULL, vm->def->parallels[i], "start", true);
|
||||||
|
|
||||||
|
for (i = 0; i < vm->def->nchannels; i++)
|
||||||
|
virDomainAuditChardev(vm, NULL, vm->def->channels[i], "start", true);
|
||||||
|
|
||||||
|
for (i = 0; i < vm->def->nconsoles; i++) {
|
||||||
|
if (i == 0 &&
|
||||||
|
(vm->def->consoles[i]->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL ||
|
||||||
|
vm->def->consoles[i]->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_NONE) &&
|
||||||
|
STREQ_NULLABLE(vm->def->os.type, "hvm"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start", true);
|
||||||
|
}
|
||||||
|
|
||||||
if (vm->def->rng)
|
if (vm->def->rng)
|
||||||
virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);
|
virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);
|
||||||
|
|
||||||
|
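Review bot: The multi-line skip condition in the consoles loop of virDomainAuditStart (first console, target type serial or none, os type hvm) has no comment explaining why that console is not audited; a reader cannot tell whether a record is being deliberately de-duplicated or accidentally dropped. Presumably such a console is the same device as serials[0], which the serials loop above already audited, in which case a comment like `/* the first console of an hvm guest with a serial (or unspecified) target is an alias of serials[0], audited above */` makes the intent explicit. If the post-parse code does not guarantee a paired serial for every such console, one whose nserials is 0 would leave no audit record at all, so it is worth confirming that pairing rather than only the target type here. virDomainAuditStart begins and ends outside the hunk.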
@ -111,4 +111,11 @@ void virDomainAuditRedirdev(virDomainObjPtr vm,
|
|||||||
bool success)
|
bool success)
|
||||||
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
|
||||||
|
|
||||||
|
void virDomainAuditChardev(virDomainObjPtr vm,
|
||||||
|
virDomainChrDefPtr oldDef,
|
||||||
|
virDomainChrDefPtr newDef,
|
||||||
|
const char *reason,
|
||||||
|
bool success)
|
||||||
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
|
||||||
|
|
||||||
#endif /* __VIR_DOMAIN_AUDIT_H__ */
|
#endif /* __VIR_DOMAIN_AUDIT_H__ */
|
||||||
|
@ -116,6 +116,7 @@ virDomainPCIAddressValidate;
|
|||||||
virDomainAuditCgroup;
|
virDomainAuditCgroup;
|
||||||
virDomainAuditCgroupMajor;
|
virDomainAuditCgroupMajor;
|
||||||
virDomainAuditCgroupPath;
|
virDomainAuditCgroupPath;
|
||||||
|
virDomainAuditChardev;
|
||||||
virDomainAuditDisk;
|
virDomainAuditDisk;
|
||||||
virDomainAuditFS;
|
virDomainAuditFS;
|
||||||
virDomainAuditHostdev;
|
virDomainAuditHostdev;
|
||||||
|
@ -1458,18 +1458,20 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
|
|||||||
qemuDomainObjEnterMonitor(driver, vm);
|
qemuDomainObjEnterMonitor(driver, vm);
|
||||||
if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) {
|
if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) {
|
||||||
qemuDomainObjExitMonitor(driver, vm);
|
qemuDomainObjExitMonitor(driver, vm);
|
||||||
goto cleanup;
|
goto audit;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) {
|
if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) {
|
||||||
/* detach associated chardev on error */
|
/* detach associated chardev on error */
|
||||||
qemuMonitorDetachCharDev(priv->mon, charAlias);
|
qemuMonitorDetachCharDev(priv->mon, charAlias);
|
||||||
qemuDomainObjExitMonitor(driver, vm);
|
qemuDomainObjExitMonitor(driver, vm);
|
||||||
goto cleanup;
|
goto audit;
|
||||||
}
|
}
|
||||||
qemuDomainObjExitMonitor(driver, vm);
|
qemuDomainObjExitMonitor(driver, vm);
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
audit:
|
||||||
|
virDomainAuditChardev(vm, NULL, chr, "attach", ret == 0);
|
||||||
cleanup:
|
cleanup:
|
||||||
if (ret < 0 && need_remove)
|
if (ret < 0 && need_remove)
|
||||||
qemuDomainChrRemove(vmdef, chr);
|
qemuDomainChrRemove(vmdef, chr);
|
||||||
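Review bot: Redirecting the two monitor failure paths to the new `audit:` label means only errors reported by the hypervisor produce an audit record, while the earlier failure paths of qemuDomainAttachChrDevice (outside this hunk) still jump straight to `cleanup:` and leave nothing in the audit log. If that split is intended, a one-line comment at the label would prevent a later change from "fixing" it, e.g. `audit: /* only attempts that reached the hypervisor are audited; earlier failures never touch the host */`. Note also that `ret == 0` is evaluated after `ret = 0;` falls through into the label, so success and the two monitor failures are correctly distinguished as the code stands. The enclosing function starts and continues outside the hunk.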
@ -2749,6 +2751,7 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
|
|||||||
char *charAlias = NULL;
|
char *charAlias = NULL;
|
||||||
qemuDomainObjPrivatePtr priv = vm->privateData;
|
qemuDomainObjPrivatePtr priv = vm->privateData;
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
int rc;
|
||||||
|
|
||||||
VIR_DEBUG("Removing character device %s from domain %p %s",
|
VIR_DEBUG("Removing character device %s from domain %p %s",
|
||||||
chr->info.alias, vm, vm->def->name);
|
chr->info.alias, vm, vm->def->name);
|
||||||
@ -2757,11 +2760,13 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
qemuDomainObjEnterMonitor(driver, vm);
|
qemuDomainObjEnterMonitor(driver, vm);
|
||||||
if (qemuMonitorDetachCharDev(priv->mon, charAlias) < 0) {
|
rc = qemuMonitorDetachCharDev(priv->mon, charAlias);
|
||||||
qemuDomainObjExitMonitor(driver, vm);
|
qemuDomainObjExitMonitor(driver, vm);
|
||||||
|
|
||||||
|
virDomainAuditChardev(vm, chr, NULL, "detach", rc == 0);
|
||||||
|
|
||||||
|
if (rc < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
|
||||||
qemuDomainObjExitMonitor(driver, vm);
|
|
||||||
|
|
||||||
event = virDomainEventDeviceRemovedNewFromObj(vm, chr->info.alias);
|
event = virDomainEventDeviceRemovedNewFromObj(vm, chr->info.alias);
|
||||||
if (event)
|
if (event)
|
||||||
|
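Review bot: `int rc;` in qemuDomainRemoveChrDevice (earlier hunk of this function) is declared without an initializer even though the audit call now reports `rc == 0` as the outcome; the value is assigned on the only path shown, but the declaration-to-use distance spans a `goto cleanup` and a monitor enter/exit, and the usual style in this file is to initialise status variables at declaration (`int ret = -1;` two lines above). Declaring it as `int rc = -1;` keeps a future early jump to the audit from reading an indeterminate value and records such a case as a failure. The enclosing function starts and ends outside these hunks.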