提交 1aaef5ad 编写于 作者: E Eric Blake

audit: audit qemu pci and usb device passthrough

* src/qemu/qemu_audit.h (qemuDomainHostdevAudit): New prototype.
* src/qemu/qemu_audit.c (qemuDomainHostdevAudit): New function.
(qemuDomainStartAudit): Call as appropriate.
* src/qemu/qemu_hotplug.c (qemuDomainAttachHostPciDevice)
(qemuDomainAttachHostUsbDevice, qemuDomainDetachHostPciDevice)
(qemuDomainDetachHostUsbDevice): Likewise.
上级 e25f2c74
...@@ -102,6 +102,75 @@ void qemuDomainNetAudit(virDomainObjPtr vm, ...@@ -102,6 +102,75 @@ void qemuDomainNetAudit(virDomainObjPtr vm,
} }
/**
* qemuDomainHostdevAudit:
* @vm: domain making a change in pass-through host device
* @hostdev: device being attached or removed
* @reason: one of "start, "attach", or "detach"
* @success: true if the device passthrough operation succeeded
*
* Log an audit message about an attempted device passthrough change.
*/
void
qemuDomainHostdevAudit(virDomainObjPtr vm,
virDomainHostdevDefPtr hostdev,
const char *reason,
bool success)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname;
char *address;
char *device;
virUUIDFormat(vm->def->uuid, uuidstr);
if (!(vmname = virAuditEncode("vm", vm->def->name))) {
VIR_WARN0("OOM while encoding audit message");
return;
}
switch (hostdev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI:
if (virAsprintf(&address, "%.4x:%.2x:%.2x.%.1x",
hostdev->source.subsys.u.pci.domain,
hostdev->source.subsys.u.pci.bus,
hostdev->source.subsys.u.pci.slot,
hostdev->source.subsys.u.pci.function) < 0) {
VIR_WARN0("OOM while encoding audit message");
goto cleanup;
}
break;
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB:
if (virAsprintf(&address, "%.3d.%.3d",
hostdev->source.subsys.u.usb.bus,
hostdev->source.subsys.u.usb.device) < 0) {
VIR_WARN0("OOM while encoding audit message");
goto cleanup;
}
break;
default:
VIR_WARN("Unexpected hostdev type while encoding audit message: %d",
hostdev->source.subsys.type);
goto cleanup;
}
if (!(device = virAuditEncode("device", VIR_AUDIT_STR(address)))) {
VIR_WARN0("OOM while encoding audit message");
goto cleanup;
}
VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
"resrc=dev reason=%s %s uuid=%s type=%s %s",
reason, vmname, uuidstr,
virDomainHostdevSubsysTypeToString(hostdev->source.subsys.type),
device);
cleanup:
VIR_FREE(vmname);
VIR_FREE(device);
VIR_FREE(address);
}
/** /**
* qemuDomainCgroupAudit: * qemuDomainCgroupAudit:
* @vm: domain making the cgroups ACL change * @vm: domain making the cgroups ACL change
...@@ -238,6 +307,11 @@ void qemuDomainStartAudit(virDomainObjPtr vm, const char *reason, bool success) ...@@ -238,6 +307,11 @@ void qemuDomainStartAudit(virDomainObjPtr vm, const char *reason, bool success)
qemuDomainNetAudit(vm, NULL, net, "start", true); qemuDomainNetAudit(vm, NULL, net, "start", true);
} }
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
virDomainHostdevDefPtr hostdev = vm->def->hostdevs[i];
qemuDomainHostdevAudit(vm, hostdev, "start", true);
}
qemuDomainMemoryAudit(vm, 0, vm->def->mem.cur_balloon, "start", true); qemuDomainMemoryAudit(vm, 0, vm->def->mem.cur_balloon, "start", true);
qemuDomainVcpuAudit(vm, 0, vm->def->vcpus, "start", true); qemuDomainVcpuAudit(vm, 0, vm->def->vcpus, "start", true);
......
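Review bot: `address` and `device` are declared without initializers at the top of qemuDomainHostdevAudit, yet every early `goto cleanup` inside the switch (the two OOM branches and the `default:` case) lands on `VIR_FREE(device)` and `VIR_FREE(address)`, so `device` is freed while indeterminate on all three paths, and `address` too in the `default:` case where virAsprintf was never called. Initialize both at declaration: `char *address = NULL;` and `char *device = NULL;`. Whether the OOM paths also free a garbage `address` depends on virAsprintf nulling its output on failure, which the hunk does not show. Separately, the doc comment's `@reason` line is missing a closing quote and should read `one of "start", "attach", or "detach"`.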
...@@ -39,6 +39,10 @@ void qemuDomainNetAudit(virDomainObjPtr vm, ...@@ -39,6 +39,10 @@ void qemuDomainNetAudit(virDomainObjPtr vm,
virDomainNetDefPtr newDef, virDomainNetDefPtr newDef,
const char *reason, const char *reason,
bool success); bool success);
void qemuDomainHostdevAudit(virDomainObjPtr vm,
virDomainHostdevDefPtr def,
const char *reason,
bool success);
void qemuDomainCgroupAudit(virDomainObjPtr vm, void qemuDomainCgroupAudit(virDomainObjPtr vm,
virCgroupPtr group, virCgroupPtr group,
const char *reason, const char *reason,
......
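Review bot: The new prototype names its second parameter `def` while the definition in qemu_audit.c calls it `hostdev`; keeping prototype and definition in agreement makes the header self-explanatory and keeps tooling that cross-references them quiet. Change the line to `virDomainHostdevDefPtr hostdev,`.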
...@@ -842,6 +842,7 @@ int qemuDomainAttachHostPciDevice(struct qemud_driver *driver, ...@@ -842,6 +842,7 @@ int qemuDomainAttachHostPciDevice(struct qemud_driver *driver,
hostdev->info.type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI; hostdev->info.type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI;
memcpy(&hostdev->info.addr.pci, &guestAddr, sizeof(guestAddr)); memcpy(&hostdev->info.addr.pci, &guestAddr, sizeof(guestAddr));
} }
qemuDomainHostdevAudit(vm, hostdev, "attach", ret == 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
...@@ -918,6 +919,7 @@ int qemuDomainAttachHostUsbDevice(struct qemud_driver *driver, ...@@ -918,6 +919,7 @@ int qemuDomainAttachHostUsbDevice(struct qemud_driver *driver,
hostdev->source.subsys.u.usb.bus, hostdev->source.subsys.u.usb.bus,
hostdev->source.subsys.u.usb.device); hostdev->source.subsys.u.usb.device);
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuDomainHostdevAudit(vm, hostdev, "attach", ret == 0);
if (ret < 0) if (ret < 0)
goto error; goto error;
...@@ -1607,20 +1609,14 @@ int qemuDomainDetachHostPciDevice(struct qemud_driver *driver, ...@@ -1607,20 +1609,14 @@ int qemuDomainDetachHostPciDevice(struct qemud_driver *driver,
qemuDomainObjEnterMonitorWithDriver(driver, vm); qemuDomainObjEnterMonitorWithDriver(driver, vm);
if (qemuCapsGet(qemuCaps, QEMU_CAPS_DEVICE)) { if (qemuCapsGet(qemuCaps, QEMU_CAPS_DEVICE)) {
if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { ret = qemuMonitorDelDevice(priv->mon, detach->info.alias);
qemuDomainObjExitMonitor(vm);
return -1;
}
} else { } else {
if (qemuMonitorRemovePCIDevice(priv->mon, ret = qemuMonitorRemovePCIDevice(priv->mon, &detach->info.addr.pci);
&detach->info.addr.pci) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm);
return -1;
}
} }
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuDomainHostdevAudit(vm, detach, "detach", ret == 0);
ret = 0; if (ret < 0)
return -1;
pci = pciGetDevice(detach->source.subsys.u.pci.domain, pci = pciGetDevice(detach->source.subsys.u.pci.domain,
detach->source.subsys.u.pci.bus, detach->source.subsys.u.pci.bus,
...@@ -1715,13 +1711,11 @@ int qemuDomainDetachHostUsbDevice(struct qemud_driver *driver, ...@@ -1715,13 +1711,11 @@ int qemuDomainDetachHostUsbDevice(struct qemud_driver *driver,
} }
qemuDomainObjEnterMonitorWithDriver(driver, vm); qemuDomainObjEnterMonitorWithDriver(driver, vm);
if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { ret = qemuMonitorDelDevice(priv->mon, detach->info.alias);
qemuDomainObjExitMonitorWithDriver(driver, vm);
return -1;
}
qemuDomainObjExitMonitorWithDriver(driver, vm); qemuDomainObjExitMonitorWithDriver(driver, vm);
qemuDomainHostdevAudit(vm, detach, "detach", ret == 0);
ret = 0; if (ret < 0)
return -1;
if (vm->def->nhostdevs > 1) { if (vm->def->nhostdevs > 1) {
memmove(vm->def->hostdevs + i, memmove(vm->def->hostdevs + i,
......
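Review bot: In the qemuDomainDetachHostPciDevice hunk the audit record is emitted with `ret == 0` as soon as the monitor reply comes back, but the function then continues into `pciGetDevice(...)` and whatever host-side reattach follows outside the hunk; if that later step fails, the caller sees -1 while the audit trail already reports a successful detach. That may well be intended, since the guest-visible unplug has happened, but it should be stated next to the call, e.g. `/* audited as success once the guest accepts the unplug; host-side reattach below is not covered */`, and the same applies to the USB detach hunk. The consolidated failure path now always goes through qemuDomainObjExitMonitorWithDriver where the old QEMU_CAPS_DEVICE branch used qemuDomainObjExitMonitor, so it is worth confirming the caller holds the driver lock on that path. The enclosing functions begin and end outside these hunks.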