NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Move qemu_audit.h helpers into shared code

Browse Source 
The LXC and UML drivers can both make use of auditing. Move
the qemu_audit.{c,h} files to src/conf/domain_audit.{c,h}

* src/conf/domain_audit.c: Rename from src/qemu/qemu_audit.c
* src/conf/domain_audit.h: Rename from src/qemu/qemu_audit.h
* src/Makefile.am: Remove qemu_audit.{c,h}, add domain_audit.{c,h}
* src/qemu/qemu_audit.h, src/qemu/qemu_cgroup.c,
  src/qemu/qemu_command.c, src/qemu/qemu_driver.c,
  src/qemu/qemu_hotplug.c, src/qemu/qemu_migration.c,
  src/qemu/qemu_process.c: Update for changed audit API names
This commit is contained in:
Daniel P. Berrange 2011-07-04 11:56:13 +01:00
parent 38ea116eba
commit b43070ebfc
11 changed files with 246 additions and 231 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Makefile.am
View File

@ -108,6 +108,7 @@ LOCK_DRIVER_SANLOCK_SOURCES = \
DOMAIN_CONF_SOURCES = \ DOMAIN_CONF_SOURCES = \
conf/capabilities.c conf/capabilities.h \ conf/capabilities.c conf/capabilities.h \
conf/domain_conf.c conf/domain_conf.h \ conf/domain_conf.c conf/domain_conf.h \
conf/domain_audit.c conf/domain_audit.h \
conf/domain_nwfilter.c conf/domain_nwfilter.h conf/domain_nwfilter.c conf/domain_nwfilter.h
DOMAIN_EVENT_SOURCES = \ DOMAIN_EVENT_SOURCES = \
@ -317,7 +318,6 @@ QEMU_DRIVER_SOURCES = \
qemu/qemu_capabilities.c qemu/qemu_capabilities.h\ qemu/qemu_capabilities.c qemu/qemu_capabilities.h\
qemu/qemu_command.c qemu/qemu_command.h \ qemu/qemu_command.c qemu/qemu_command.h \
qemu/qemu_domain.c qemu/qemu_domain.h \ qemu/qemu_domain.c qemu/qemu_domain.h \
qemu/qemu_audit.c qemu/qemu_audit.h \
qemu/qemu_cgroup.c qemu/qemu_cgroup.h \ qemu/qemu_cgroup.c qemu/qemu_cgroup.h \
qemu/qemu_hostdev.c qemu/qemu_hostdev.h \ qemu/qemu_hostdev.c qemu/qemu_hostdev.h \
qemu/qemu_hotplug.c qemu/qemu_hotplug.h \ qemu/qemu_hotplug.c qemu/qemu_hotplug.h \

116
src/qemu/qemu_audit.c → src/conf/domain_audit.c
View File

@ -1,5 +1,5 @@
/* /*
* qemu_audit.c: QEMU audit management * domain_audit.c: Domain audit management
* *
* Copyright (C) 2006-2011 Red Hat, Inc. * Copyright (C) 2006-2011 Red Hat, Inc.
* Copyright (C) 2006 Daniel P. Berrange * Copyright (C) 2006 Daniel P. Berrange
@ -26,7 +26,7 @@
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/types.h> #include <sys/types.h>
#include "qemu_audit.h" #include "domain_audit.h"
#include "viraudit.h" #include "viraudit.h"
#include "uuid.h" #include "uuid.h"
#include "logging.h" #include "logging.h"
@ -37,7 +37,7 @@
* for other file types, stat failure, or allocation failure. */ * for other file types, stat failure, or allocation failure. */
#if defined major && defined minor #if defined major && defined minor
static char * static char *
qemuAuditGetRdev(const char *path) virDomainAuditGetRdev(const char *path)
{ {
char *ret = NULL; char *ret = NULL;
struct stat sb; struct stat sb;
@ -52,16 +52,16 @@ qemuAuditGetRdev(const char *path)
} }
#else #else
static char * static char *
qemuAuditGetRdev(const char *path ATTRIBUTE_UNUSED) virDomainAuditGetRdev(const char *path ATTRIBUTE_UNUSED)
{ {
return NULL; return NULL;
} }
#endif #endif
void void
qemuAuditDisk(virDomainObjPtr vm, virDomainAuditDisk(virDomainObjPtr vm,
virDomainDiskDefPtr oldDef, virDomainDiskDefPtr newDef, virDomainDiskDefPtr oldDef, virDomainDiskDefPtr newDef,
const char *reason, bool success) const char *reason, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname; char *vmname;
@ -100,9 +100,9 @@ cleanup:
void void
qemuAuditNet(virDomainObjPtr vm, virDomainAuditNet(virDomainObjPtr vm,
virDomainNetDefPtr oldDef, virDomainNetDefPtr newDef, virDomainNetDefPtr oldDef, virDomainNetDefPtr newDef,
const char *reason, bool success) const char *reason, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char newMacstr[VIR_MAC_STRING_BUFLEN]; char newMacstr[VIR_MAC_STRING_BUFLEN];
@ -129,20 +129,20 @@ qemuAuditNet(virDomainObjPtr vm,
} }
/** /**
* qemuAuditNetDevice: * virDomainAuditNetDevice:
* @vm: domain opening a network-related device * @vm: domain opening a network-related device
* @def: details of network device that fd will be tied to * @def: details of network device that fd will be tied to
* @device: device being opened (such as /dev/vhost-net, * @device: device being opened (such as /dev/vhost-net,
* /dev/net/tun, /dev/tanN). Note that merely opening a device * /dev/net/tun, /dev/tanN). Note that merely opening a device
* does not mean that qemu owns it; a followup qemuAuditNet * does not mean that virDomain owns it; a followup virDomainAuditNet
* shows whether the fd was passed on. * shows whether the fd was passed on.
* @success: true if the device was opened * @success: true if the device was opened
* *
* Log an audit message about an attempted network device open. * Log an audit message about an attempted network device open.
*/ */
void void
qemuAuditNetDevice(virDomainDefPtr vmDef, virDomainNetDefPtr netDef, virDomainAuditNetDevice(virDomainDefPtr vmDef, virDomainNetDefPtr netDef,
const char *device, bool success) const char *device, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char macstr[VIR_MAC_STRING_BUFLEN]; char macstr[VIR_MAC_STRING_BUFLEN];
@ -152,7 +152,7 @@ qemuAuditNetDevice(virDomainDefPtr vmDef, virDomainNetDefPtr netDef,
virUUIDFormat(vmDef->uuid, uuidstr); virUUIDFormat(vmDef->uuid, uuidstr);
virFormatMacAddr(netDef->mac, macstr); virFormatMacAddr(netDef->mac, macstr);
rdev = qemuAuditGetRdev(device); rdev = virDomainAuditGetRdev(device);
if (!(vmname = virAuditEncode("vm", vmDef->name)) || if (!(vmname = virAuditEncode("vm", vmDef->name)) ||
!(devname = virAuditEncode("path", device))) { !(devname = virAuditEncode("path", device))) {
@ -171,7 +171,7 @@ cleanup:
} }
/** /**
* qemuAuditHostdev: * virDomainAuditHostdev:
* @vm: domain making a change in pass-through host device * @vm: domain making a change in pass-through host device
* @hostdev: device being attached or removed * @hostdev: device being attached or removed
* @reason: one of "start", "attach", or "detach" * @reason: one of "start", "attach", or "detach"
@ -180,8 +180,8 @@ cleanup:
* Log an audit message about an attempted device passthrough change. * Log an audit message about an attempted device passthrough change.
*/ */
void void
qemuAuditHostdev(virDomainObjPtr vm, virDomainHostdevDefPtr hostdev, virDomainAuditHostdev(virDomainObjPtr vm, virDomainHostdevDefPtr hostdev,
const char *reason, bool success) const char *reason, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname; char *vmname;
@ -238,21 +238,21 @@ cleanup:
/** /**
* qemuAuditCgroup: * virDomainAuditCgroup:
* @vm: domain making the cgroups ACL change * @vm: domain making the cgroups ACL change
* @cgroup: cgroup that manages the devices * @cgroup: cgroup that manages the devices
* @reason: either "allow" or "deny" * @reason: either "allow" or "deny"
* @extra: additional details, in the form "all", * @extra: additional details, in the form "all",
* "major category=xyz maj=nn", or "path path=xyz dev=nn:mm" (the * "major category=xyz maj=nn", or "path path=xyz dev=nn:mm" (the
* latter two are generated by qemuAuditCgroupMajor and * latter two are generated by virDomainAuditCgroupMajor and
* qemuAuditCgroupPath). * virDomainAuditCgroupPath).
* @success: true if the cgroup operation succeeded * @success: true if the cgroup operation succeeded
* *
* Log an audit message about an attempted cgroup device ACL change. * Log an audit message about an attempted cgroup device ACL change.
*/ */
void void
qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup, virDomainAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
const char *reason, const char *extra, bool success) const char *reason, const char *extra, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname; char *vmname;
@ -281,7 +281,7 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
} }
/** /**
* qemuAuditCgroupMajor: * virDomainAuditCgroupMajor:
* @vm: domain making the cgroups ACL change * @vm: domain making the cgroups ACL change
* @cgroup: cgroup that manages the devices * @cgroup: cgroup that manages the devices
* @reason: either "allow" or "deny" * @reason: either "allow" or "deny"
@ -293,9 +293,9 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
* Log an audit message about an attempted cgroup device ACL change. * Log an audit message about an attempted cgroup device ACL change.
*/ */
void void
qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, virDomainAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
const char *reason, int maj, const char *name, const char *reason, int maj, const char *name,
const char *perms, bool success) const char *perms, bool success)
{ {
char *extra; char *extra;
@ -305,13 +305,13 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
return; return;
} }
qemuAuditCgroup(vm, cgroup, reason, extra, success); virDomainAuditCgroup(vm, cgroup, reason, extra, success);
VIR_FREE(extra); VIR_FREE(extra);
} }
/** /**
* qemuAuditCgroupPath: * virDomainAuditCgroupPath:
* @vm: domain making the cgroups ACL change * @vm: domain making the cgroups ACL change
* @cgroup: cgroup that manages the devices * @cgroup: cgroup that manages the devices
* @reason: either "allow" or "deny" * @reason: either "allow" or "deny"
@ -323,9 +323,9 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
* a specific device. * a specific device.
*/ */
void void
qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup, virDomainAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
const char *reason, const char *path, const char *perms, const char *reason, const char *path, const char *perms,
int rc) int rc)
{ {
char *detail; char *detail;
char *rdev; char *rdev;
@ -335,7 +335,7 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
if (rc > 0) if (rc > 0)
return; return;
rdev = qemuAuditGetRdev(path); rdev = virDomainAuditGetRdev(path);
if (!(detail = virAuditEncode("path", path)) || if (!(detail = virAuditEncode("path", path)) ||
virAsprintf(&extra, "path path=%s rdev=%s acl=%s", virAsprintf(&extra, "path path=%s rdev=%s acl=%s",
@ -344,7 +344,7 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
goto cleanup; goto cleanup;
} }
qemuAuditCgroup(vm, cgroup, reason, extra, rc == 0); virDomainAuditCgroup(vm, cgroup, reason, extra, rc == 0);
cleanup: cleanup:
VIR_FREE(extra); VIR_FREE(extra);
@ -353,7 +353,7 @@ cleanup:
} }
/** /**
* qemuAuditResource: * virDomainAuditResource:
* @vm: domain making an integer resource change * @vm: domain making an integer resource change
* @resource: name of the resource: "mem" or "vcpu" * @resource: name of the resource: "mem" or "vcpu"
* @oldval: the old value of the resource * @oldval: the old value of the resource
@ -364,9 +364,9 @@ cleanup:
* Log an audit message about an attempted resource change. * Log an audit message about an attempted resource change.
*/ */
static void static void
qemuAuditResource(virDomainObjPtr vm, const char *resource, virDomainAuditResource(virDomainObjPtr vm, const char *resource,
unsigned long long oldval, unsigned long long newval, unsigned long long oldval, unsigned long long newval,
const char *reason, bool success) const char *reason, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname; char *vmname;
@ -386,24 +386,24 @@ qemuAuditResource(virDomainObjPtr vm, const char *resource,
} }
void void
qemuAuditMemory(virDomainObjPtr vm, virDomainAuditMemory(virDomainObjPtr vm,
unsigned long long oldmem, unsigned long long newmem, unsigned long long oldmem, unsigned long long newmem,
const char *reason, bool success) const char *reason, bool success)
{ {
return qemuAuditResource(vm, "mem", oldmem, newmem, reason, success); return virDomainAuditResource(vm, "mem", oldmem, newmem, reason, success);
} }
void void
qemuAuditVcpu(virDomainObjPtr vm, virDomainAuditVcpu(virDomainObjPtr vm,
unsigned int oldvcpu, unsigned int newvcpu, unsigned int oldvcpu, unsigned int newvcpu,
const char *reason, bool success) const char *reason, bool success)
{ {
return qemuAuditResource(vm, "vcpu", oldvcpu, newvcpu, reason, success); return virDomainAuditResource(vm, "vcpu", oldvcpu, newvcpu, reason, success);
} }
static void static void
qemuAuditLifecycle(virDomainObjPtr vm, const char *op, virDomainAuditLifecycle(virDomainObjPtr vm, const char *op,
const char *reason, bool success) const char *reason, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname; char *vmname;
@ -423,41 +423,41 @@ qemuAuditLifecycle(virDomainObjPtr vm, const char *op,
void void
qemuAuditDomainStart(virDomainObjPtr vm, const char *reason, bool success) virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
{ {
int i; int i;
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
virDomainDiskDefPtr disk = vm->def->disks[i]; virDomainDiskDefPtr disk = vm->def->disks[i];
if (disk->src) /* Skips CDROM without media initially inserted */ if (disk->src) /* Skips CDROM without media initially inserted */
qemuAuditDisk(vm, NULL, disk, "start", true); virDomainAuditDisk(vm, NULL, disk, "start", true);
} }
for (i = 0 ; i < vm->def->nnets ; i++) { for (i = 0 ; i < vm->def->nnets ; i++) {
virDomainNetDefPtr net = vm->def->nets[i]; virDomainNetDefPtr net = vm->def->nets[i];
qemuAuditNet(vm, NULL, net, "start", true); virDomainAuditNet(vm, NULL, net, "start", true);
} }
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < vm->def->nhostdevs ; i++) {
virDomainHostdevDefPtr hostdev = vm->def->hostdevs[i]; virDomainHostdevDefPtr hostdev = vm->def->hostdevs[i];
qemuAuditHostdev(vm, hostdev, "start", true); virDomainAuditHostdev(vm, hostdev, "start", true);
} }
qemuAuditMemory(vm, 0, vm->def->mem.cur_balloon, "start", true); virDomainAuditMemory(vm, 0, vm->def->mem.cur_balloon, "start", true);
qemuAuditVcpu(vm, 0, vm->def->vcpus, "start", true); virDomainAuditVcpu(vm, 0, vm->def->vcpus, "start", true);
qemuAuditLifecycle(vm, "start", reason, success); virDomainAuditLifecycle(vm, "start", reason, success);
} }
void void
qemuAuditDomainStop(virDomainObjPtr vm, const char *reason) virDomainAuditStop(virDomainObjPtr vm, const char *reason)
{ {
qemuAuditLifecycle(vm, "stop", reason, true); virDomainAuditLifecycle(vm, "stop", reason, true);
} }
void void
qemuAuditSecurityLabel(virDomainObjPtr vm, bool success) virDomainAuditSecurityLabel(virDomainObjPtr vm, bool success)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname; char *vmname;

99
src/conf/domain_audit.h Normal file
View File

@ -0,0 +1,99 @@
/*
* domain_audit.c: Domain audit management
*
* Copyright (C) 2006-2011 Red Hat, Inc.
* Copyright (C) 2006 Daniel P. Berrange
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* Author: Daniel P. Berrange <berrange@redhat.com>
*/
#ifndef __VIR_DOMAIN_AUDIT_H__
# define __VIR_DOMAIN_AUDIT_H__
# include "domain_conf.h"
# include "cgroup.h"
void virDomainAuditStart(virDomainObjPtr vm,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
void virDomainAuditStop(virDomainObjPtr vm,
const char *reason)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
void virDomainAuditDisk(virDomainObjPtr vm,
virDomainDiskDefPtr oldDef,
virDomainDiskDefPtr newDef,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void virDomainAuditNet(virDomainObjPtr vm,
virDomainNetDefPtr oldDef,
virDomainNetDefPtr newDef,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void virDomainAuditNetDevice(virDomainDefPtr vmDef,
virDomainNetDefPtr netDef,
const char *device,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
void virDomainAuditHostdev(virDomainObjPtr vm,
virDomainHostdevDefPtr def,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
void virDomainAuditCgroup(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
const char *extra,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(4);
void virDomainAuditCgroupMajor(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
int maj,
const char *name,
const char *perms,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(5) ATTRIBUTE_NONNULL(6);
void virDomainAuditCgroupPath(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
const char *path,
const char *perms,
int rc)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5);
void virDomainAuditMemory(virDomainObjPtr vm,
unsigned long long oldmem,
unsigned long long newmem,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void virDomainAuditVcpu(virDomainObjPtr vm,
unsigned int oldvcpu,
unsigned int newvcpu,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void virDomainAuditSecurityLabel(virDomainObjPtr vm,
bool success)
ATTRIBUTE_NONNULL(1);
#endif /* __VIR_DOMAIN_AUDIT_H__ */

15
src/libvirt_private.syms
View File

@ -202,6 +202,21 @@ dnsmasqReload;
dnsmasqSave; dnsmasqSave;
# domain_audit.h
virDomainAuditCgroup;
virDomainAuditCgroupMajor;
virDomainAuditCgroupPath;
virDomainAuditDisk;
virDomainAuditHostdev;
virDomainAuditMemory;
virDomainAuditNet;
virDomainAuditNetDevice;
virDomainAuditSecurityLabel;
virDomainAuditStart;
virDomainAuditStop;
virDomainAuditVcpu;
# domain_conf.h # domain_conf.h
virDiskNameToBusDeviceIndex; virDiskNameToBusDeviceIndex;
virDiskNameToIndex; virDiskNameToIndex;

99
src/qemu/qemu_audit.h
View File

@ -1,99 +0,0 @@
/*
* qemu_audit.h: QEMU audit management
*
* Copyright (C) 2006-2011 Red Hat, Inc.
* Copyright (C) 2006 Daniel P. Berrange
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* Author: Daniel P. Berrange <berrange@redhat.com>
*/
#ifndef __QEMU_AUDIT_H__
# define __QEMU_AUDIT_H__
# include "domain_conf.h"
# include "cgroup.h"
void qemuAuditDomainStart(virDomainObjPtr vm,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
void qemuAuditDomainStop(virDomainObjPtr vm,
const char *reason)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
void qemuAuditDisk(virDomainObjPtr vm,
virDomainDiskDefPtr oldDef,
virDomainDiskDefPtr newDef,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void qemuAuditNet(virDomainObjPtr vm,
virDomainNetDefPtr oldDef,
virDomainNetDefPtr newDef,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void qemuAuditNetDevice(virDomainDefPtr vmDef,
virDomainNetDefPtr netDef,
const char *device,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
void qemuAuditHostdev(virDomainObjPtr vm,
virDomainHostdevDefPtr def,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
void qemuAuditCgroup(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
const char *extra,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(4);
void qemuAuditCgroupMajor(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
int maj,
const char *name,
const char *perms,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(5) ATTRIBUTE_NONNULL(6);
void qemuAuditCgroupPath(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
const char *path,
const char *perms,
int rc)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5);
void qemuAuditMemory(virDomainObjPtr vm,
unsigned long long oldmem,
unsigned long long newmem,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void qemuAuditVcpu(virDomainObjPtr vm,
unsigned int oldvcpu,
unsigned int newvcpu,
const char *reason,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
void qemuAuditSecurityLabel(virDomainObjPtr vm,
bool success)
ATTRIBUTE_NONNULL(1);
#endif /* __QEMU_AUDIT_H__ */

26
src/qemu/qemu_cgroup.c
View File

@ -29,7 +29,7 @@
#include "memory.h" #include "memory.h"
#include "virterror_internal.h" #include "virterror_internal.h"
#include "util.h" #include "util.h"
#include "qemu_audit.h" #include "domain_audit.h"
#define VIR_FROM_THIS VIR_FROM_QEMU #define VIR_FROM_THIS VIR_FROM_QEMU
@ -70,8 +70,8 @@ qemuSetupDiskPathAllow(virDomainDiskDefPtr disk,
rc = virCgroupAllowDevicePath(data->cgroup, path, rc = virCgroupAllowDevicePath(data->cgroup, path,
(disk->readonly ? VIR_CGROUP_DEVICE_READ (disk->readonly ? VIR_CGROUP_DEVICE_READ
: VIR_CGROUP_DEVICE_RW)); : VIR_CGROUP_DEVICE_RW));
qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, virDomainAuditCgroupPath(data->vm, data->cgroup, "allow", path,
disk->readonly ? "r" : "rw", rc); disk->readonly ? "r" : "rw", rc);
if (rc < 0) { if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */ if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path); VIR_DEBUG("Ignoring EACCES for %s", path);
@ -112,7 +112,7 @@ qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path %s for disk", path); VIR_DEBUG("Process path %s for disk", path);
rc = virCgroupDenyDevicePath(data->cgroup, path, rc = virCgroupDenyDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RWM); VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc); virDomainAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc);
if (rc < 0) { if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */ if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path); VIR_DEBUG("Ignoring EACCES for %s", path);
@ -156,8 +156,8 @@ qemuSetupChardevCgroup(virDomainDefPtr def,
VIR_DEBUG("Process path '%s' for disk", dev->source.data.file.path); VIR_DEBUG("Process path '%s' for disk", dev->source.data.file.path);
rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path, rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(data->vm, data->cgroup, "allow", virDomainAuditCgroupPath(data->vm, data->cgroup, "allow",
dev->source.data.file.path, "rw", rc); dev->source.data.file.path, "rw", rc);
if (rc < 0) { if (rc < 0) {
virReportSystemError(-rc, virReportSystemError(-rc,
_("Unable to allow device %s for %s"), _("Unable to allow device %s for %s"),
@ -179,7 +179,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path '%s' for USB device", path); VIR_DEBUG("Process path '%s' for USB device", path);
rc = virCgroupAllowDevicePath(data->cgroup, path, rc = virCgroupAllowDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc); virDomainAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc);
if (rc < 0) { if (rc < 0) {
virReportSystemError(-rc, virReportSystemError(-rc,
_("Unable to allow device %s"), _("Unable to allow device %s"),
@ -215,7 +215,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
if (qemuCgroupControllerActive(driver, VIR_CGROUP_CONTROLLER_DEVICES)) { if (qemuCgroupControllerActive(driver, VIR_CGROUP_CONTROLLER_DEVICES)) {
qemuCgroupData data = { vm, cgroup }; qemuCgroupData data = { vm, cgroup };
rc = virCgroupDenyAllDevices(cgroup); rc = virCgroupDenyAllDevices(cgroup);
qemuAuditCgroup(vm, cgroup, "deny", "all", rc == 0); virDomainAuditCgroup(vm, cgroup, "deny", "all", rc == 0);
if (rc != 0) { if (rc != 0) {
if (rc == -EPERM) { if (rc == -EPERM) {
VIR_WARN("Group devices ACL is not accessible, disabling whitelisting"); VIR_WARN("Group devices ACL is not accessible, disabling whitelisting");
@ -234,8 +234,8 @@ int qemuSetupCgroup(struct qemud_driver *driver,
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR, virDomainAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR,
"pty", "rw", rc == 0); "pty", "rw", rc == 0);
if (rc != 0) { if (rc != 0) {
virReportSystemError(-rc, "%s", virReportSystemError(-rc, "%s",
_("unable to allow /dev/pts/ devices")); _("unable to allow /dev/pts/ devices"));
@ -249,8 +249,8 @@ int qemuSetupCgroup(struct qemud_driver *driver,
(vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL)))) { (vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL)))) {
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR, virDomainAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR,
"sound", "rw", rc == 0); "sound", "rw", rc == 0);
if (rc != 0) { if (rc != 0) {
virReportSystemError(-rc, "%s", virReportSystemError(-rc, "%s",
_("unable to allow /dev/snd/ devices")); _("unable to allow /dev/snd/ devices"));
@ -261,7 +261,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
for (i = 0; deviceACL[i] != NULL ; i++) { for (i = 0; deviceACL[i] != NULL ; i++) {
rc = virCgroupAllowDevicePath(cgroup, deviceACL[i], rc = virCgroupAllowDevicePath(cgroup, deviceACL[i],
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc); virDomainAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc);
if (rc < 0 && if (rc < 0 &&
rc != -ENOENT) { rc != -ENOENT) {
virReportSystemError(-rc, virReportSystemError(-rc,

8
src/qemu/qemu_command.c
View File

@ -35,7 +35,7 @@
#include "uuid.h" #include "uuid.h"
#include "c-ctype.h" #include "c-ctype.h"
#include "domain_nwfilter.h" #include "domain_nwfilter.h"
#include "qemu_audit.h" #include "domain_audit.h"
#include "domain_conf.h" #include "domain_conf.h"
#include <sys/utsname.h> #include <sys/utsname.h>
@ -130,7 +130,7 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
&net->data.direct.virtPortProfile, &res_ifname, &net->data.direct.virtPortProfile, &res_ifname,
vmop, driver->stateDir); vmop, driver->stateDir);
if (rc >= 0) { if (rc >= 0) {
qemuAuditNetDevice(def, net, res_ifname, true); virDomainAuditNetDevice(def, net, res_ifname, true);
VIR_FREE(net->ifname); VIR_FREE(net->ifname);
net->ifname = res_ifname; net->ifname = res_ifname;
} }
@ -255,7 +255,7 @@ qemuNetworkIfaceConnect(virDomainDefPtr def,
tapmac[0] = 0xFE; /* Discourage bridge from using TAP dev MAC */ tapmac[0] = 0xFE; /* Discourage bridge from using TAP dev MAC */
err = brAddTap(driver->brctl, brname, &net->ifname, tapmac, err = brAddTap(driver->brctl, brname, &net->ifname, tapmac,
vnet_hdr, true, &tapfd); vnet_hdr, true, &tapfd);
qemuAuditNetDevice(def, net, "/dev/net/tun", tapfd >= 0); virDomainAuditNetDevice(def, net, "/dev/net/tun", tapfd >= 0);
if (err) { if (err) {
if (err == ENOTSUP) { if (err == ENOTSUP) {
/* In this particular case, give a better diagnostic. */ /* In this particular case, give a better diagnostic. */
@ -346,7 +346,7 @@ qemuOpenVhostNet(virDomainDefPtr def,
} }
*vhostfd = open("/dev/vhost-net", O_RDWR); *vhostfd = open("/dev/vhost-net", O_RDWR);
qemuAuditNetDevice(def, net, "/dev/vhost-net", *vhostfd >= 0); virDomainAuditNetDevice(def, net, "/dev/vhost-net", *vhostfd >= 0);
/* If the config says explicitly to use vhost and we couldn't open it, /* If the config says explicitly to use vhost and we couldn't open it,
* report an error. * report an error.

28
src/qemu/qemu_driver.c
View File

@ -55,7 +55,6 @@
#include "qemu_hotplug.h" #include "qemu_hotplug.h"
#include "qemu_monitor.h" #include "qemu_monitor.h"
#include "qemu_bridge_filter.h" #include "qemu_bridge_filter.h"
#include "qemu_audit.h"
#include "qemu_process.h" #include "qemu_process.h"
#include "qemu_migration.h" #include "qemu_migration.h"
@ -70,6 +69,7 @@
#include "memory.h" #include "memory.h"
#include "uuid.h" #include "uuid.h"
#include "domain_conf.h" #include "domain_conf.h"
#include "domain_audit.h"
#include "node_device_conf.h" #include "node_device_conf.h"
#include "pci.h" #include "pci.h"
#include "hostusb.h" #include "hostusb.h"
@ -1286,7 +1286,7 @@ static virDomainPtr qemudDomainCreate(virConnectPtr conn, const char *xml,
(flags & VIR_DOMAIN_START_PAUSED) != 0, (flags & VIR_DOMAIN_START_PAUSED) != 0,
(flags & VIR_DOMAIN_START_AUTODESTROY) != 0, (flags & VIR_DOMAIN_START_AUTODESTROY) != 0,
-1, NULL, VIR_VM_OP_CREATE) < 0) { -1, NULL, VIR_VM_OP_CREATE) < 0) {
qemuAuditDomainStart(vm, "booted", false); virDomainAuditStart(vm, "booted", false);
if (qemuDomainObjEndJob(vm) > 0) if (qemuDomainObjEndJob(vm) > 0)
virDomainRemoveInactive(&driver->domains, virDomainRemoveInactive(&driver->domains,
vm); vm);
@ -1297,7 +1297,7 @@ static virDomainPtr qemudDomainCreate(virConnectPtr conn, const char *xml,
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STARTED, VIR_DOMAIN_EVENT_STARTED,
VIR_DOMAIN_EVENT_STARTED_BOOTED); VIR_DOMAIN_EVENT_STARTED_BOOTED);
qemuAuditDomainStart(vm, "booted", true); virDomainAuditStart(vm, "booted", true);
dom = virGetDomain(conn, vm->def->name, vm->def->uuid); dom = virGetDomain(conn, vm->def->name, vm->def->uuid);
if (dom) dom->id = vm->def->id; if (dom) dom->id = vm->def->id;
@ -1589,7 +1589,7 @@ static int qemudDomainDestroy(virDomainPtr dom) {
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_DESTROYED); VIR_DOMAIN_EVENT_STOPPED_DESTROYED);
qemuAuditDomainStop(vm, "destroyed"); virDomainAuditStop(vm, "destroyed");
if (!vm->persistent) { if (!vm->persistent) {
if (qemuDomainObjEndJob(vm) > 0) if (qemuDomainObjEndJob(vm) > 0)
@ -1757,8 +1757,8 @@ static int qemudDomainSetMemoryFlags(virDomainPtr dom, unsigned long newmem,
qemuDomainObjEnterMonitor(vm); qemuDomainObjEnterMonitor(vm);
r = qemuMonitorSetBalloon(priv->mon, newmem); r = qemuMonitorSetBalloon(priv->mon, newmem);
qemuDomainObjExitMonitor(vm); qemuDomainObjExitMonitor(vm);
qemuAuditMemory(vm, vm->def->mem.cur_balloon, newmem, "update", virDomainAuditMemory(vm, vm->def->mem.cur_balloon, newmem, "update",
r == 1); r == 1);
if (r < 0) if (r < 0)
goto endjob; goto endjob;
@ -2293,7 +2293,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom,
/* Shut it down */ /* Shut it down */
qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_SAVED); qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_SAVED);
qemuAuditDomainStop(vm, "saved"); virDomainAuditStop(vm, "saved");
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_SAVED); VIR_DOMAIN_EVENT_STOPPED_SAVED);
@ -2652,7 +2652,7 @@ static int qemudDomainCoreDump(virDomainPtr dom,
endjob: endjob:
if ((ret == 0) && (flags & VIR_DUMP_CRASH)) { if ((ret == 0) && (flags & VIR_DUMP_CRASH)) {
qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_CRASHED); qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_CRASHED);
qemuAuditDomainStop(vm, "crashed"); virDomainAuditStop(vm, "crashed");
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_CRASHED); VIR_DOMAIN_EVENT_STOPPED_CRASHED);
@ -2888,7 +2888,7 @@ static int qemudDomainHotplugVcpus(virDomainObjPtr vm, unsigned int nvcpus)
cleanup: cleanup:
qemuDomainObjExitMonitor(vm); qemuDomainObjExitMonitor(vm);
vm->def->vcpus = vcpus; vm->def->vcpus = vcpus;
qemuAuditVcpu(vm, oldvcpus, nvcpus, "update", rc == 1); virDomainAuditVcpu(vm, oldvcpus, nvcpus, "update", rc == 1);
return ret; return ret;
unsupported: unsupported:
@ -3696,14 +3696,14 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
} }
if (ret < 0) { if (ret < 0) {
qemuAuditDomainStart(vm, "restored", false); virDomainAuditStart(vm, "restored", false);
goto out; goto out;
} }
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STARTED, VIR_DOMAIN_EVENT_STARTED,
VIR_DOMAIN_EVENT_STARTED_RESTORED); VIR_DOMAIN_EVENT_STARTED_RESTORED);
qemuAuditDomainStart(vm, "restored", true); virDomainAuditStart(vm, "restored", true);
if (event) if (event)
qemuDomainEventQueue(driver, event); qemuDomainEventQueue(driver, event);
@ -4058,7 +4058,7 @@ static int qemudDomainObjStart(virConnectPtr conn,
ret = qemuProcessStart(conn, driver, vm, NULL, start_paused, ret = qemuProcessStart(conn, driver, vm, NULL, start_paused,
autodestroy, -1, NULL, VIR_VM_OP_CREATE); autodestroy, -1, NULL, VIR_VM_OP_CREATE);
qemuAuditDomainStart(vm, "booted", ret >= 0); virDomainAuditStart(vm, "booted", ret >= 0);
if (ret >= 0) { if (ret >= 0) {
virDomainEventPtr event = virDomainEventPtr event =
virDomainEventNewFromObj(vm, virDomainEventNewFromObj(vm,
@ -8021,7 +8021,7 @@ static int qemuDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
rc = qemuProcessStart(snapshot->domain->conn, driver, vm, NULL, rc = qemuProcessStart(snapshot->domain->conn, driver, vm, NULL,
false, false, -1, NULL, VIR_VM_OP_CREATE); false, false, -1, NULL, VIR_VM_OP_CREATE);
qemuAuditDomainStart(vm, "from-snapshot", rc >= 0); virDomainAuditStart(vm, "from-snapshot", rc >= 0);
if (qemuDomainSnapshotSetCurrentInactive(vm, driver->snapshotDir) < 0) if (qemuDomainSnapshotSetCurrentInactive(vm, driver->snapshotDir) < 0)
goto endjob; goto endjob;
if (rc < 0) if (rc < 0)
@ -8058,7 +8058,7 @@ static int qemuDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
if (virDomainObjIsActive(vm)) { if (virDomainObjIsActive(vm)) {
qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_FROM_SNAPSHOT); qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_FROM_SNAPSHOT);
qemuAuditDomainStop(vm, "from-snapshot"); virDomainAuditStop(vm, "from-snapshot");
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_FROM_SNAPSHOT); VIR_DOMAIN_EVENT_STOPPED_FROM_SNAPSHOT);

48
src/qemu/qemu_hotplug.c
View File

@ -29,8 +29,8 @@
#include "qemu_domain.h" #include "qemu_domain.h"
#include "qemu_command.h" #include "qemu_command.h"
#include "qemu_bridge_filter.h" #include "qemu_bridge_filter.h"
#include "qemu_audit.h"
#include "qemu_hostdev.h" #include "qemu_hostdev.h"
#include "domain_audit.h"
#include "domain_nwfilter.h" #include "domain_nwfilter.h"
#include "logging.h" #include "logging.h"
#include "virterror_internal.h" #include "virterror_internal.h"
@ -113,7 +113,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditDisk(vm, origdisk, disk, "update", ret >= 0); virDomainAuditDisk(vm, origdisk, disk, "update", ret >= 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
@ -223,7 +223,7 @@ int qemuDomainAttachPciDiskDevice(struct qemud_driver *driver,
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditDisk(vm, NULL, disk, "attach", ret >= 0); virDomainAuditDisk(vm, NULL, disk, "attach", ret >= 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
@ -467,7 +467,7 @@ int qemuDomainAttachSCSIDisk(struct qemud_driver *driver,
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditDisk(vm, NULL, disk, "attach", ret >= 0); virDomainAuditDisk(vm, NULL, disk, "attach", ret >= 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
@ -559,7 +559,7 @@ int qemuDomainAttachUsbMassstorageDevice(struct qemud_driver *driver,
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditDisk(vm, NULL, disk, "attach", ret >= 0); virDomainAuditDisk(vm, NULL, disk, "attach", ret >= 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
@ -681,14 +681,14 @@ int qemuDomainAttachNetDevice(virConnectPtr conn,
if (qemuMonitorAddNetdev(priv->mon, netstr, tapfd, tapfd_name, if (qemuMonitorAddNetdev(priv->mon, netstr, tapfd, tapfd_name,
vhostfd, vhostfd_name) < 0) { vhostfd, vhostfd_name) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, NULL, net, "attach", false); virDomainAuditNet(vm, NULL, net, "attach", false);
goto cleanup; goto cleanup;
} }
} else { } else {
if (qemuMonitorAddHostNetwork(priv->mon, netstr, tapfd, tapfd_name, if (qemuMonitorAddHostNetwork(priv->mon, netstr, tapfd, tapfd_name,
vhostfd, vhostfd_name) < 0) { vhostfd, vhostfd_name) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, NULL, net, "attach", false); virDomainAuditNet(vm, NULL, net, "attach", false);
goto cleanup; goto cleanup;
} }
} }
@ -715,14 +715,14 @@ int qemuDomainAttachNetDevice(virConnectPtr conn,
if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) { if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) {
if (qemuMonitorAddDevice(priv->mon, nicstr) < 0) { if (qemuMonitorAddDevice(priv->mon, nicstr) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, NULL, net, "attach", false); virDomainAuditNet(vm, NULL, net, "attach", false);
goto try_remove; goto try_remove;
} }
} else { } else {
if (qemuMonitorAddPCINetwork(priv->mon, nicstr, if (qemuMonitorAddPCINetwork(priv->mon, nicstr,
&guestAddr) < 0) { &guestAddr) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, NULL, net, "attach", false); virDomainAuditNet(vm, NULL, net, "attach", false);
goto try_remove; goto try_remove;
} }
net->info.type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI; net->info.type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI;
@ -730,7 +730,7 @@ int qemuDomainAttachNetDevice(virConnectPtr conn,
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, NULL, net, "attach", true); virDomainAuditNet(vm, NULL, net, "attach", true);
ret = 0; ret = 0;
@ -857,7 +857,7 @@ int qemuDomainAttachHostPciDevice(struct qemud_driver *driver,
hostdev->info.type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI; hostdev->info.type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI;
memcpy(&hostdev->info.addr.pci, &guestAddr, sizeof(guestAddr)); memcpy(&hostdev->info.addr.pci, &guestAddr, sizeof(guestAddr));
} }
qemuAuditHostdev(vm, hostdev, "attach", ret == 0); virDomainAuditHostdev(vm, hostdev, "attach", ret == 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
@ -937,7 +937,7 @@ int qemuDomainAttachHostUsbDevice(struct qemud_driver *driver,
hostdev->source.subsys.u.usb.bus, hostdev->source.subsys.u.usb.bus,
hostdev->source.subsys.u.usb.device); hostdev->source.subsys.u.usb.device);
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditHostdev(vm, hostdev, "attach", ret == 0); virDomainAuditHostdev(vm, hostdev, "attach", ret == 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
@ -1246,14 +1246,14 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver,
if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) { if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) {
if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) {
qemuDomainObjExitMonitor(vm); qemuDomainObjExitMonitor(vm);
qemuAuditDisk(vm, detach, NULL, "detach", false); virDomainAuditDisk(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }
} else { } else {
if (qemuMonitorRemovePCIDevice(priv->mon, if (qemuMonitorRemovePCIDevice(priv->mon,
&detach->info.addr.pci) < 0) { &detach->info.addr.pci) < 0) {
qemuDomainObjExitMonitor(vm); qemuDomainObjExitMonitor(vm);
qemuAuditDisk(vm, detach, NULL, "detach", false); virDomainAuditDisk(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }
} }
@ -1263,7 +1263,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver,
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditDisk(vm, detach, NULL, "detach", true); virDomainAuditDisk(vm, detach, NULL, "detach", true);
if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE) && if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE) &&
qemuDomainPCIAddressReleaseSlot(priv->pciaddrs, qemuDomainPCIAddressReleaseSlot(priv->pciaddrs,
@ -1341,7 +1341,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver,
qemuDomainObjEnterMonitorWithDriver(driver, vm); qemuDomainObjEnterMonitorWithDriver(driver, vm);
if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) {
qemuDomainObjExitMonitor(vm); qemuDomainObjExitMonitor(vm);
qemuAuditDisk(vm, detach, NULL, "detach", false); virDomainAuditDisk(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }
@ -1350,7 +1350,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver,
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditDisk(vm, detach, NULL, "detach", true); virDomainAuditDisk(vm, detach, NULL, "detach", true);
virDomainDiskRemove(vm->def, i); virDomainDiskRemove(vm->def, i);
@ -1575,14 +1575,14 @@ int qemuDomainDetachNetDevice(struct qemud_driver *driver,
if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) { if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) {
if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) {
qemuDomainObjExitMonitor(vm); qemuDomainObjExitMonitor(vm);
qemuAuditNet(vm, detach, NULL, "detach", false); virDomainAuditNet(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }
} else { } else {
if (qemuMonitorRemovePCIDevice(priv->mon, if (qemuMonitorRemovePCIDevice(priv->mon,
&detach->info.addr.pci) < 0) { &detach->info.addr.pci) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, detach, NULL, "detach", false); virDomainAuditNet(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }
} }
@ -1591,19 +1591,19 @@ int qemuDomainDetachNetDevice(struct qemud_driver *driver,
qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) { qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) {
if (qemuMonitorRemoveNetdev(priv->mon, hostnet_name) < 0) { if (qemuMonitorRemoveNetdev(priv->mon, hostnet_name) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, detach, NULL, "detach", false); virDomainAuditNet(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }
} else { } else {
if (qemuMonitorRemoveHostNetwork(priv->mon, vlan, hostnet_name) < 0) { if (qemuMonitorRemoveHostNetwork(priv->mon, vlan, hostnet_name) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, detach, NULL, "detach", false); virDomainAuditNet(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditNet(vm, detach, NULL, "detach", true); virDomainAuditNet(vm, detach, NULL, "detach", true);
if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE) && if (qemuCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE) &&
qemuDomainPCIAddressReleaseSlot(priv->pciaddrs, qemuDomainPCIAddressReleaseSlot(priv->pciaddrs,
@ -1713,7 +1713,7 @@ int qemuDomainDetachHostPciDevice(struct qemud_driver *driver,
ret = qemuMonitorRemovePCIDevice(priv->mon, &detach->info.addr.pci); ret = qemuMonitorRemovePCIDevice(priv->mon, &detach->info.addr.pci);
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditHostdev(vm, detach, "detach", ret == 0); virDomainAuditHostdev(vm, detach, "detach", ret == 0);
if (ret < 0) if (ret < 0)
return -1; return -1;
@ -1812,7 +1812,7 @@ int qemuDomainDetachHostUsbDevice(struct qemud_driver *driver,
qemuDomainObjEnterMonitorWithDriver(driver, vm); qemuDomainObjEnterMonitorWithDriver(driver, vm);
ret = qemuMonitorDelDevice(priv->mon, detach->info.alias); ret = qemuMonitorDelDevice(priv->mon, detach->info.alias);
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuAuditHostdev(vm, detach, "detach", ret == 0); virDomainAuditHostdev(vm, detach, "detach", ret == 0);
if (ret < 0) if (ret < 0)
return -1; return -1;

26
src/qemu/qemu_migration.c
View File

@ -30,9 +30,9 @@
#include "qemu_domain.h" #include "qemu_domain.h"
#include "qemu_process.h" #include "qemu_process.h"
#include "qemu_capabilities.h" #include "qemu_capabilities.h"
#include "qemu_audit.h"
#include "qemu_cgroup.h" #include "qemu_cgroup.h"
#include "domain_audit.h"
#include "logging.h" #include "logging.h"
#include "virterror_internal.h" #include "virterror_internal.h"
#include "memory.h" #include "memory.h"
@ -1131,7 +1131,7 @@ qemuMigrationPrepareTunnel(struct qemud_driver *driver,
true, dataFD[0], NULL, true, dataFD[0], NULL,
VIR_VM_OP_MIGRATE_IN_START); VIR_VM_OP_MIGRATE_IN_START);
if (internalret < 0) { if (internalret < 0) {
qemuAuditDomainStart(vm, "migrated", false); virDomainAuditStart(vm, "migrated", false);
/* Note that we don't set an error here because qemuProcessStart /* Note that we don't set an error here because qemuProcessStart
* should have already done that. * should have already done that.
*/ */
@ -1143,7 +1143,7 @@ qemuMigrationPrepareTunnel(struct qemud_driver *driver,
} }
if (virFDStreamOpen(st, dataFD[1]) < 0) { if (virFDStreamOpen(st, dataFD[1]) < 0) {
qemuAuditDomainStart(vm, "migrated", false); virDomainAuditStart(vm, "migrated", false);
qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_FAILED); qemuProcessStop(driver, vm, 0, VIR_DOMAIN_SHUTOFF_FAILED);
if (!vm->persistent) { if (!vm->persistent) {
if (qemuDomainObjEndJob(vm) > 0) if (qemuDomainObjEndJob(vm) > 0)
@ -1156,7 +1156,7 @@ qemuMigrationPrepareTunnel(struct qemud_driver *driver,
} }
dataFD[1] = -1; /* 'st' owns the FD now & will close it */ dataFD[1] = -1; /* 'st' owns the FD now & will close it */
qemuAuditDomainStart(vm, "migrated", true); virDomainAuditStart(vm, "migrated", true);
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STARTED, VIR_DOMAIN_EVENT_STARTED,
@ -1359,7 +1359,7 @@ qemuMigrationPrepareDirect(struct qemud_driver *driver,
snprintf (migrateFrom, sizeof (migrateFrom), "tcp:0.0.0.0:%d", this_port); snprintf (migrateFrom, sizeof (migrateFrom), "tcp:0.0.0.0:%d", this_port);
if (qemuProcessStart(dconn, driver, vm, migrateFrom, true, true, if (qemuProcessStart(dconn, driver, vm, migrateFrom, true, true,
-1, NULL, VIR_VM_OP_MIGRATE_IN_START) < 0) { -1, NULL, VIR_VM_OP_MIGRATE_IN_START) < 0) {
qemuAuditDomainStart(vm, "migrated", false); virDomainAuditStart(vm, "migrated", false);
/* Note that we don't set an error here because qemuProcessStart /* Note that we don't set an error here because qemuProcessStart
* should have already done that. * should have already done that.
*/ */
@ -1389,7 +1389,7 @@ qemuMigrationPrepareDirect(struct qemud_driver *driver,
VIR_WARN("Unable to encode migration cookie"); VIR_WARN("Unable to encode migration cookie");
} }
qemuAuditDomainStart(vm, "migrated", true); virDomainAuditStart(vm, "migrated", true);
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STARTED, VIR_DOMAIN_EVENT_STARTED,
VIR_DOMAIN_EVENT_STARTED_MIGRATED); VIR_DOMAIN_EVENT_STARTED_MIGRATED);
@ -2340,7 +2340,7 @@ int qemuMigrationPerform(struct qemud_driver *driver,
resume = 0; resume = 0;
} else { } else {
qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_MIGRATED); qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_MIGRATED);
qemuAuditDomainStop(vm, "migrated"); virDomainAuditStop(vm, "migrated");
resume = 0; resume = 0;
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
@ -2505,7 +2505,7 @@ qemuMigrationFinish(struct qemud_driver *driver,
*/ */
if (v3proto) { if (v3proto) {
qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_FAILED); qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_FAILED);
qemuAuditDomainStop(vm, "failed"); virDomainAuditStop(vm, "failed");
if (newVM) { if (newVM) {
if (qemuDomainObjEndJob(vm) > 0) if (qemuDomainObjEndJob(vm) > 0)
virDomainRemoveInactive(&driver->domains, vm); virDomainRemoveInactive(&driver->domains, vm);
@ -2551,7 +2551,7 @@ qemuMigrationFinish(struct qemud_driver *driver,
*/ */
if (v3proto) { if (v3proto) {
qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_FAILED); qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_FAILED);
qemuAuditDomainStop(vm, "failed"); virDomainAuditStop(vm, "failed");
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_FAILED); VIR_DOMAIN_EVENT_STOPPED_FAILED);
@ -2587,7 +2587,7 @@ qemuMigrationFinish(struct qemud_driver *driver,
qemuProcessAutoDestroyRemove(driver, vm); qemuProcessAutoDestroyRemove(driver, vm);
} else { } else {
qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_FAILED); qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_FAILED);
qemuAuditDomainStop(vm, "failed"); virDomainAuditStop(vm, "failed");
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_FAILED); VIR_DOMAIN_EVENT_STOPPED_FAILED);
@ -2650,7 +2650,7 @@ int qemuMigrationConfirm(struct qemud_driver *driver,
*/ */
if (retcode == 0) { if (retcode == 0) {
qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_MIGRATED); qemuProcessStop(driver, vm, 1, VIR_DOMAIN_SHUTOFF_MIGRATED);
qemuAuditDomainStop(vm, "migrated"); virDomainAuditStop(vm, "migrated");
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
@ -2730,7 +2730,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
} }
rc = virCgroupAllowDevicePath(cgroup, path, rc = virCgroupAllowDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc); virDomainAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
if (rc < 0) { if (rc < 0) {
virReportSystemError(-rc, virReportSystemError(-rc,
_("Unable to allow device %s for %s"), _("Unable to allow device %s for %s"),
@ -2819,7 +2819,7 @@ cleanup:
if (cgroup != NULL) { if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path, rc = virCgroupDenyDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RWM); VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc); virDomainAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
if (rc < 0) if (rc < 0)
VIR_WARN("Unable to deny device %s for %s %d", VIR_WARN("Unable to deny device %s for %s %d",
path, vm->def->name, rc); path, vm->def->name, rc);

10
src/qemu/qemu_process.c
View File

@ -34,7 +34,6 @@
#include "qemu_capabilities.h" #include "qemu_capabilities.h"
#include "qemu_monitor.h" #include "qemu_monitor.h"
#include "qemu_command.h" #include "qemu_command.h"
#include "qemu_audit.h"
#include "qemu_hostdev.h" #include "qemu_hostdev.h"
#include "qemu_hotplug.h" #include "qemu_hotplug.h"
#include "qemu_bridge_filter.h" #include "qemu_bridge_filter.h"
@ -54,6 +53,7 @@
#include "c-ctype.h" #include "c-ctype.h"
#include "nodeinfo.h" #include "nodeinfo.h"
#include "processinfo.h" #include "processinfo.h"
#include "domain_audit.h"
#include "domain_nwfilter.h" #include "domain_nwfilter.h"
#include "locking/domain_lock.h" #include "locking/domain_lock.h"
#include "uuid.h" #include "uuid.h"
@ -144,7 +144,7 @@ qemuProcessHandleMonitorEOF(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
eventReason); eventReason);
qemuProcessStop(driver, vm, 0, stopReason); qemuProcessStop(driver, vm, 0, stopReason);
qemuAuditDomainStop(vm, auditReason); virDomainAuditStop(vm, auditReason);
if (!vm->persistent) if (!vm->persistent)
virDomainRemoveInactive(&driver->domains, vm); virDomainRemoveInactive(&driver->domains, vm);
@ -2409,10 +2409,10 @@ int qemuProcessStart(virConnectPtr conn,
then generate a security label for isolation */ then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)"); VIR_DEBUG("Generating domain security label (if required)");
if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) { if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) {
qemuAuditSecurityLabel(vm, false); virDomainAuditSecurityLabel(vm, false);
goto cleanup; goto cleanup;
} }
qemuAuditSecurityLabel(vm, true); virDomainAuditSecurityLabel(vm, true);
/* Ensure no historical cgroup for this VM is lying around bogus /* Ensure no historical cgroup for this VM is lying around bogus
* settings */ * settings */
@ -3217,7 +3217,7 @@ static void qemuProcessAutoDestroyDom(void *payload,
VIR_DEBUG("Killing domain"); VIR_DEBUG("Killing domain");
qemuProcessStop(data->driver, dom, 1, VIR_DOMAIN_SHUTOFF_DESTROYED); qemuProcessStop(data->driver, dom, 1, VIR_DOMAIN_SHUTOFF_DESTROYED);
qemuAuditDomainStop(dom, "destroyed"); virDomainAuditStop(dom, "destroyed");
event = virDomainEventNewFromObj(dom, event = virDomainEventNewFromObj(dom,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_DESTROYED); VIR_DOMAIN_EVENT_STOPPED_DESTROYED);