audit: Add auditing for serial/parallel/channel/console character devs

Add auditing of these devices at domain startup and on hotplug.
This commit is contained in:
Peter Krempa 2014-07-03 10:59:58 +02:00
parent dba3432b88
commit 994cc31444
5 changed files with 76 additions and 6 deletions


@ -285,6 +285,21 @@
<dd>Updated path of the host entropy source for the RNG</dd> <dd>Updated path of the host entropy source for the RNG</dd>
</dl> </dl>
<h4><a name="typeresourcechardev">console/serial/parallel/channel</a></h4>
<p>
The <code>msg</code> field will include the following sub-fields
</p>
<dl>
<dt>reason</dt>
<dd>The reason which caused the resource to be assigned to happen</dd>
<dt>resrc</dt>
<dd>The type of resource assigned. Set to <code>chardev</code></dd>
<dt>old-chardev</dt>
<dd>Original path of the backing character device for given emulated device</dd>
<dt>new-chardev</dt>
<dd>Updated path of the backing character device for given emulated device</dd>
</dl>
<h4><a name="typeresourceredir">Redirected device</a></h4> <h4><a name="typeresourceredir">Redirected device</a></h4>
<p> <p>


@ -154,6 +154,29 @@ virDomainAuditGenericDev(virDomainObjPtr vm,
} }
void
virDomainAuditChardev(virDomainObjPtr vm,
virDomainChrDefPtr oldDef,
virDomainChrDefPtr newDef,
const char *reason,
bool success)
{
virDomainChrSourceDefPtr oldsrc = NULL;
virDomainChrSourceDefPtr newsrc = NULL;
if (oldDef)
oldsrc = &oldDef->source;
if (newDef)
newsrc = &newDef->source;
virDomainAuditGenericDev(vm, "chardev",
virDomainAuditChardevPath(oldsrc),
virDomainAuditChardevPath(newsrc),
reason, success);
}
void void
virDomainAuditDisk(virDomainObjPtr vm, virDomainAuditDisk(virDomainObjPtr vm,
virStorageSourcePtr oldDef, virStorageSourcePtr oldDef,
@ -772,6 +795,25 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
virDomainAuditRedirdev(vm, redirdev, "start", true); virDomainAuditRedirdev(vm, redirdev, "start", true);
} }
for (i = 0; i < vm->def->nserials; i++)
virDomainAuditChardev(vm, NULL, vm->def->serials[i], "start", true);
for (i = 0; i < vm->def->nparallels; i++)
virDomainAuditChardev(vm, NULL, vm->def->parallels[i], "start", true);
for (i = 0; i < vm->def->nchannels; i++)
virDomainAuditChardev(vm, NULL, vm->def->channels[i], "start", true);
for (i = 0; i < vm->def->nconsoles; i++) {
if (i == 0 &&
(vm->def->consoles[i]->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL ||
vm->def->consoles[i]->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_NONE) &&
STREQ_NULLABLE(vm->def->os.type, "hvm"))
continue;
virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start", true);
}
if (vm->def->rng) if (vm->def->rng)
virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true); virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);
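Review bot: The console loop in virDomainAuditStart skips consoles[0] when its target type is SERIAL or NONE on an "hvm" domain, but nothing says why, and a reader of the audit code will take the skip for a gap in coverage. Presumably that console is the compatibility alias of serials[0] (already audited in the serial loop just above) and auditing it again would produce a duplicate record; if that is the reason, state it at the `if (i == 0 &&` condition with a comment such as `/* consoles[0] of an hvm domain with a serial/none target aliases serials[0], which was audited above; skip it to avoid a duplicate record */`. The same condition exists elsewhere in libvirt for the alias, so a reference to that helper in the comment would let a maintainer keep the two in sync. virDomainAuditStart begins and ends outside this hunk.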


@ -111,4 +111,11 @@ void virDomainAuditRedirdev(virDomainObjPtr vm,
bool success) bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3); ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
void virDomainAuditChardev(virDomainObjPtr vm,
virDomainChrDefPtr oldDef,
virDomainChrDefPtr newDef,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
#endif /* __VIR_DOMAIN_AUDIT_H__ */ #endif /* __VIR_DOMAIN_AUDIT_H__ */
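Review bot: The new declaration marks only `vm` and `reason` as non-NULL, which differs from the neighbouring virDomainAuditRedirdev (non-NULL 1, 2, 3) without saying that the difference is intentional. Since the implementation handles a NULL `oldDef` (start, attach) and a NULL `newDef` (detach), document that contract on the prototype, e.g. `/* oldDef or newDef may be NULL: NULL oldDef for start/attach, NULL newDef for detach */`, so the weaker ATTRIBUTE_NONNULL set is not "fixed" later by someone aligning it with its neighbours.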


@ -116,6 +116,7 @@ virDomainPCIAddressValidate;
virDomainAuditCgroup; virDomainAuditCgroup;
virDomainAuditCgroupMajor; virDomainAuditCgroupMajor;
virDomainAuditCgroupPath; virDomainAuditCgroupPath;
virDomainAuditChardev;
virDomainAuditDisk; virDomainAuditDisk;
virDomainAuditFS; virDomainAuditFS;
virDomainAuditHostdev; virDomainAuditHostdev;


@ -1458,18 +1458,20 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
qemuDomainObjEnterMonitor(driver, vm); qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) { if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) {
qemuDomainObjExitMonitor(driver, vm); qemuDomainObjExitMonitor(driver, vm);
goto cleanup; goto audit;
} }
if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) { if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) {
/* detach associated chardev on error */ /* detach associated chardev on error */
qemuMonitorDetachCharDev(priv->mon, charAlias); qemuMonitorDetachCharDev(priv->mon, charAlias);
qemuDomainObjExitMonitor(driver, vm); qemuDomainObjExitMonitor(driver, vm);
goto cleanup; goto audit;
} }
qemuDomainObjExitMonitor(driver, vm); qemuDomainObjExitMonitor(driver, vm);
ret = 0; ret = 0;
audit:
virDomainAuditChardev(vm, NULL, chr, "attach", ret == 0);
cleanup: cleanup:
if (ret < 0 && need_remove) if (ret < 0 && need_remove)
qemuDomainChrRemove(vmdef, chr); qemuDomainChrRemove(vmdef, chr);
@ -2749,6 +2751,7 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
char *charAlias = NULL; char *charAlias = NULL;
qemuDomainObjPrivatePtr priv = vm->privateData; qemuDomainObjPrivatePtr priv = vm->privateData;
int ret = -1; int ret = -1;
int rc;
VIR_DEBUG("Removing character device %s from domain %p %s", VIR_DEBUG("Removing character device %s from domain %p %s",
chr->info.alias, vm, vm->def->name); chr->info.alias, vm, vm->def->name);
@ -2757,12 +2760,14 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
goto cleanup; goto cleanup;
qemuDomainObjEnterMonitor(driver, vm); qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorDetachCharDev(priv->mon, charAlias) < 0) { rc = qemuMonitorDetachCharDev(priv->mon, charAlias);
qemuDomainObjExitMonitor(driver, vm);
goto cleanup;
}
qemuDomainObjExitMonitor(driver, vm); qemuDomainObjExitMonitor(driver, vm);
virDomainAuditChardev(vm, chr, NULL, "detach", rc == 0);
if (rc < 0)
goto cleanup;
event = virDomainEventDeviceRemovedNewFromObj(vm, chr->info.alias); event = virDomainEventDeviceRemovedNewFromObj(vm, chr->info.alias);
if (event) if (event)
qemuDomainEventQueue(driver, event); qemuDomainEventQueue(driver, event);
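Review bot: In qemuDomainAttachChrDevice the `audit:` label sits after the monitor section, so only failures of qemuMonitorAttachCharDev / qemuMonitorAddDevice (the two `goto audit` lines) and the success path produce an audit record; every `goto cleanup` earlier in the function, which starts outside this hunk, still bypasses `virDomainAuditChardev(vm, NULL, chr, "attach", ret == 0);` and a rejected attach that never reached the monitor leaves no trace. If the intent is to log the outcome of every attach attempt, as the detach path now does unconditionally with `rc == 0`, place the call under `cleanup:` instead; if only monitor-level attempts should be recorded, a one-line comment on the `audit:` label saying so would keep the next reader from "fixing" it. The remaining `goto cleanup` targets are outside the hunk, so this is inferred from the visible labels.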