mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-12 15:52:55 +00:00
4199c2f221
Replace the error message during startup of libvirtd with an info message if audit_level < 2 and audit is not supported by the kernel. Audit is not supported by the current kernel if the kernel does not have audit compiled in or if audit is disabled (e.g. by the kernel cmdline). Signed-off-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com> Reviewed-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
168 lines
4.6 KiB
C
168 lines
4.6 KiB
C
/*
|
|
* viraudit.c: auditing support
|
|
*
|
|
* Copyright (C) 2010-2011 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library. If not, see
|
|
* <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
|
|
#include <config.h>
|
|
|
|
#ifdef WITH_AUDIT
|
|
# include <libaudit.h>
|
|
#endif
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
|
|
#include "virerror.h"
|
|
#include "virlog.h"
|
|
#include "viraudit.h"
|
|
#include "virfile.h"
|
|
#include "viralloc.h"
|
|
#include "virstring.h"
|
|
|
|
VIR_LOG_INIT("util.audit");
|
|
|
|
/* Provide the macros in case the header file is old.
|
|
FIXME: should be removed. */
|
|
#ifndef AUDIT_VIRT_CONTROL
|
|
# define AUDIT_VIRT_CONTROL 2500 /* Start, Pause, Stop VM */
|
|
#endif
|
|
#ifndef AUDIT_VIRT_RESOURCE
|
|
# define AUDIT_VIRT_RESOURCE 2501 /* Resource assignment */
|
|
#endif
|
|
#ifndef AUDIT_VIRT_MACHINE_ID
|
|
# define AUDIT_VIRT_MACHINE_ID 2502 /* Binding of label to VM */
|
|
#endif
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_AUDIT
|
|
|
|
#if WITH_AUDIT
|
|
static int auditfd = -1;
|
|
#endif
|
|
static bool auditlog;
|
|
|
|
int virAuditOpen(unsigned int audit_level ATTRIBUTE_UNUSED)
|
|
{
|
|
#if WITH_AUDIT
|
|
if ((auditfd = audit_open()) < 0) {
|
|
/* You get these error codes only when the kernel does not
|
|
* have audit compiled in or it's disabled (e.g. by the kernel
|
|
* cmdline) */
|
|
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
|
errno == EAFNOSUPPORT) {
|
|
if (audit_level < 2)
|
|
VIR_INFO("Audit is not supported by the kernel");
|
|
else
|
|
virReportError(VIR_FROM_THIS, "%s", _("Audit is not supported by the kernel"));
|
|
} else {
|
|
virReportSystemError(errno, "%s", _("Unable to initialize audit layer"));
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
return 0;
|
|
#else
|
|
return -1;
|
|
#endif
|
|
}
|
|
|
|
|
|
void virAuditLog(bool logging)
|
|
{
|
|
auditlog = logging;
|
|
}
|
|
|
|
|
|
void virAuditSend(virLogSourcePtr source,
|
|
const char *filename,
|
|
size_t linenr,
|
|
const char *funcname,
|
|
const char *clienttty ATTRIBUTE_UNUSED,
|
|
const char *clientaddr ATTRIBUTE_UNUSED,
|
|
virAuditRecordType type ATTRIBUTE_UNUSED, bool success,
|
|
const char *fmt, ...)
|
|
{
|
|
char *str = NULL;
|
|
va_list args;
|
|
|
|
/* Duplicate later checks, to short circuit & avoid printf overhead
|
|
* when nothing is enabled */
|
|
#if WITH_AUDIT
|
|
if (!auditlog && auditfd < 0)
|
|
return;
|
|
#else
|
|
if (!auditlog)
|
|
return;
|
|
#endif
|
|
|
|
va_start(args, fmt);
|
|
if (virVasprintf(&str, fmt, args) < 0)
|
|
VIR_WARN("Out of memory while formatting audit message");
|
|
va_end(args);
|
|
|
|
if (auditlog && str) {
|
|
if (success)
|
|
virLogMessage(source, VIR_LOG_INFO,
|
|
filename, linenr, funcname,
|
|
NULL, "success=yes %s", str);
|
|
else
|
|
virLogMessage(source, VIR_LOG_WARN,
|
|
filename, linenr, funcname,
|
|
NULL, "success=no %s", str);
|
|
}
|
|
|
|
#if WITH_AUDIT
|
|
if (str && auditfd >= 0) {
|
|
static const int record_types[] = {
|
|
[VIR_AUDIT_RECORD_MACHINE_CONTROL] = AUDIT_VIRT_CONTROL,
|
|
[VIR_AUDIT_RECORD_MACHINE_ID] = AUDIT_VIRT_MACHINE_ID,
|
|
[VIR_AUDIT_RECORD_RESOURCE] = AUDIT_VIRT_RESOURCE,
|
|
};
|
|
|
|
if (type >= ARRAY_CARDINALITY(record_types) || record_types[type] == 0)
|
|
VIR_WARN("Unknown audit record type %d", type);
|
|
else if (audit_log_user_message(auditfd, record_types[type], str, NULL,
|
|
clientaddr, clienttty, success) < 0) {
|
|
char ebuf[1024];
|
|
VIR_WARN("Failed to send audit message %s: %s",
|
|
NULLSTR(str), virStrerror(errno, ebuf, sizeof(ebuf)));
|
|
}
|
|
}
|
|
#endif
|
|
VIR_FREE(str);
|
|
}
|
|
|
|
void virAuditClose(void)
|
|
{
|
|
#if WITH_AUDIT
|
|
VIR_FORCE_CLOSE(auditfd);
|
|
#endif
|
|
}
|
|
|
|
char *virAuditEncode(const char *key, const char *value)
|
|
{
|
|
#if WITH_AUDIT
|
|
return audit_encode_nv_string(key, value, 0);
|
|
#else
|
|
char *str;
|
|
if (virAsprintf(&str, "%s=%s", key, value) < 0)
|
|
return NULL;
|
|
return str;
|
|
#endif
|
|
}
|