audit: also audit cgroup controller path

Although the cgroup device ACL controller path can be worked out by researching the code, it is more efficient to include that information directly in the audit message. * src/util/cgroup.h (virCgroupPathOfController): New prototype. * src/util/cgroup.c (virCgroupPathOfController): Export. * src/libvirt_private.syms: Likewise. * src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.
2024-08-28 03:21:19 +00:00 · 2011-03-07 16:41:40 -07:00 · 2011-03-07 16:41:40 -07:00 · f2512684ad
commit f2512684ad
parent d04916faae
4 changed files with 22 additions and 7 deletions
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -79,6 +79,7 @@ virCgroupKill;
 virCgroupKillRecursive;
 virCgroupKillPainfully;
 virCgroupMounted;
+virCgroupPathOfController;
 virCgroupRemove;
 virCgroupSetBlkioWeight;
 virCgroupSetCpuShares;
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@ -213,11 +213,13 @@ cleanup:
 * Log an audit message about an attempted cgroup device ACL change.
 */
 void
-qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
+qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
                const char *reason, const char *extra, bool success)
 {
    char uuidstr[VIR_UUID_STRING_BUFLEN];
    char *vmname;
+    char *controller = NULL;
+    char *detail;

    virUUIDFormat(vm->def->uuid, uuidstr);
    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
@ -225,11 +227,18 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
        return;
    }

+    virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
+                              NULL, &controller);
+    detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller));
+
    VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
-              "resrc=cgroup reason=%s %s uuid=%s class=%s",
-              reason, vmname, uuidstr, extra);
+              "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
+              reason, vmname, uuidstr,
+              detail ? detail : "cgroup=?", extra);

    VIR_FREE(vmname);
+    VIR_FREE(controller);
+    VIR_FREE(detail);
 }

 /**
--- a/src/util/cgroup.c
+++ b/src/util/cgroup.c
@ -254,10 +254,10 @@ static int virCgroupDetect(virCgroupPtr group)
 #endif


-static int virCgroupPathOfController(virCgroupPtr group,
-                                     int controller,
-                                     const char *key,
-                                     char **path)
+int virCgroupPathOfController(virCgroupPtr group,
+                              int controller,
+                              const char *key,
+                              char **path)
 {
    if (controller == -1) {
        int i;
--- a/src/util/cgroup.h
+++ b/src/util/cgroup.h
@ -40,6 +40,11 @@ int virCgroupForDomain(virCgroupPtr driver,
                       virCgroupPtr *group,
                       int create);

+int virCgroupPathOfController(virCgroupPtr group,
+                              int controller,
+                              const char *key,
+                              char **path);
+
 int virCgroupAddTask(virCgroupPtr group, pid_t pid);

 int virCgroupSetBlkioWeight(virCgroupPtr group, unsigned int weight);