Audit the starting of a guest using TPM passthrough

When a VM with a TPM passthrough device is started, the audit daemon logs the following type of message: type=VIRT_RESOURCE msg=audit(1365170222.460:3378): pid=16382 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=dev reason=start vm="TPM-PT" uuid=a4d7cd22-da89-3094-6212-079a48a309a1 device="/dev/tpm0" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Signed-off-by: N Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: N Corey Bryant <coreyb@linux.vnet.ibm.com> Tested-by: N Corey Bryant <coreyb@linux.vnet.ibm.com>

Audit the starting of a guest using TPM passthrough
When a VM with a TPM passthrough device is started, the audit daemon logs the following type of message: type=VIRT_RESOURCE msg=audit(1365170222.460:3378): pid=16382 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=dev reason=start vm="TPM-PT" uuid=a4d7cd22-da89-3094-6212-079a48a309a1 device="/dev/tpm0" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Signed-off-by: N Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: N Corey Bryant <coreyb@linux.vnet.ibm.com> Tested-by: N Corey Bryant <coreyb@linux.vnet.ibm.com>
2c9a0639 · Stefan Berger · Stefan Berger · 2a40a092 · 2c9a0639
隐藏空白更改
内联并排

Showing with 55 addition and 0 deletion

src/conf/domain_audit.c src/conf/domain_audit.c +55 -0

未找到文件。
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@@ -523,6 +523,58 @@ cleanup:
 }
+/**
+ * virDomainAuditTPM:
+ * @vm: domain making a change in pass-through host device
+ * @tpm: TPM device being attached or removed
+ * @reason: one of "start", "attach", or "detach"
+ * @success: true if the device passthrough operation succeeded
+ *
+ * Log an audit message about an attempted device passthrough change.
+ */
+static void
+virDomainAuditTPM(virDomainObjPtr vm, virDomainTPMDefPtr tpm,
+                  const char *reason, bool success)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    char *vmname;
+    char *path = NULL;
+    char *device = NULL;
+    const char *virt;
+    virUUIDFormat(vm->def->uuid, uuidstr);
+    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+        VIR_WARN("OOM while encoding audit message");
+        return;
+    }
+    if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
+        VIR_WARN("Unexpected virt type %d while encoding audit message", vm->def->virtType);
+        virt = "?";
+    }
+    switch (tpm->type) {
+    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        path = tpm->data.passthrough.source.data.file.path;
+        if (!(device = virAuditEncode("device", VIR_AUDIT_STR(path)))) {
+            VIR_WARN("OOM while encoding audit message");
+            goto cleanup;
+        }
+        VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+                  "virt=%s resrc=dev reason=%s %s uuid=%s %s",
+                  virt, reason, vmname, uuidstr, device);
+        break;
+    default:
+        break;
+    }
+cleanup:
+    VIR_FREE(vmname);
+    VIR_FREE(device);
+}
 /**
 * virDomainAuditCgroup:
 * @vm: domain making the cgroups ACL change
@@ -761,6 +813,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
    if (vm->def->rng)
        virDomainAuditRNG(vm, vm->def->rng, NULL, "start", true);
+    if (vm->def->tpm)
+        virDomainAuditTPM(vm, vm->def->tpm, "start", true);
    virDomainAuditMemory(vm, 0, vm->def->mem.cur_balloon, "start", true);
    virDomainAuditVcpu(vm, 0, vm->def->vcpus, "start", true);