From 340ab27dd20b5c5e00a7245299ef46c357542a4c Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Tue, 8 Mar 2011 20:06:26 -0700 Subject: [PATCH] audit: also audit cgroup ACL permissions * src/qemu/qemu_audit.h (qemuAuditCgroupMajor) (qemuAuditCgroupPath): Add parameter. * src/qemu/qemu_audit.c (qemuAuditCgroupMajor) (qemuAuditCgroupPath): Add 'acl=rwm' to cgroup audit entries. * src/qemu/qemu_cgroup.c: Update clients. * src/qemu/qemu_driver.c (qemudDomainSaveFlag): Likewise. --- src/qemu/qemu_audit.c | 14 +++++++++----- src/qemu/qemu_audit.h | 6 ++++-- src/qemu/qemu_cgroup.c | 15 ++++++++------- src/qemu/qemu_driver.c | 6 +++--- 4 files changed, 24 insertions(+), 17 deletions(-) diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c index 5258c56fa8..5bdf6555ef 100644 --- a/src/qemu/qemu_audit.c +++ b/src/qemu/qemu_audit.c @@ -244,6 +244,7 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup, * @reason: either "allow" or "deny" * @maj: the major number of the device category * @name: a textual name for that device category, alphabetic only + * @perms: string containing "r", "w", and/or "m" as appropriate * @success: true if the cgroup operation succeeded * * Log an audit message about an attempted cgroup device ACL change. @@ -251,11 +252,12 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup, void qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, const char *reason, int maj, const char *name, - bool success) + const char *perms, bool success) { char *extra; - if (virAsprintf(&extra, "major category=%s maj=%02X", name, maj) < 0) { + if (virAsprintf(&extra, "major category=%s maj=%02X acl=%s", + name, maj, perms) < 0) { VIR_WARN0("OOM while encoding audit message"); return; } @@ -271,6 +273,7 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, * @cgroup: cgroup that manages the devices * @reason: either "allow" or "deny" * @path: the device being adjusted + * @perms: string containing "r", "w", and/or "m" as appropriate * @rc: > 0 if not a device, 0 if success, < 0 if failure * * Log an audit message about an attempted cgroup device ACL change to @@ -278,7 +281,8 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, */ void qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup, - const char *reason, const char *path, int rc) + const char *reason, const char *path, const char *perms, + int rc) { char *detail; char *rdev; @@ -291,8 +295,8 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup, rdev = qemuAuditGetRdev(path); if (!(detail = virAuditEncode("path", path)) || - virAsprintf(&extra, "path path=%s rdev=%s", - path, VIR_AUDIT_STR(rdev)) < 0) { + virAsprintf(&extra, "path path=%s rdev=%s acl=%s", + path, VIR_AUDIT_STR(rdev), perms) < 0) { VIR_WARN0("OOM while encoding audit message"); goto cleanup; } diff --git a/src/qemu/qemu_audit.h b/src/qemu/qemu_audit.h index 7921ae38c7..a2fbe11b0f 100644 --- a/src/qemu/qemu_audit.h +++ b/src/qemu/qemu_audit.h @@ -63,16 +63,18 @@ void qemuAuditCgroupMajor(virDomainObjPtr vm, const char *reason, int maj, const char *name, + const char *perms, bool success) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) - ATTRIBUTE_NONNULL(5); + ATTRIBUTE_NONNULL(5) ATTRIBUTE_NONNULL(6); void qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr group, const char *reason, const char *path, + const char *perms, int rc) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) - ATTRIBUTE_NONNULL(4); + ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5); void qemuAuditMemory(virDomainObjPtr vm, unsigned long long oldmem, unsigned long long newmem, diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 0e81b49115..9a7d42f678 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -68,7 +68,8 @@ qemuSetupDiskPathAllow(virDomainDiskDefPtr disk, rc = virCgroupAllowDevicePath(data->cgroup, path, (disk->readonly ? VIR_CGROUP_DEVICE_READ : VIR_CGROUP_DEVICE_RW)); - qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc); + qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, + disk->readonly ? "r" : "rw", rc); if (rc < 0) { if (rc == -EACCES) { /* Get this for root squash NFS */ VIR_DEBUG("Ignoring EACCES for %s", path); @@ -109,7 +110,7 @@ qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, VIR_DEBUG("Process path %s for disk", path); rc = virCgroupDenyDevicePath(data->cgroup, path, VIR_CGROUP_DEVICE_RWM); - qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, rc); + qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc); if (rc < 0) { if (rc == -EACCES) { /* Get this for root squash NFS */ VIR_DEBUG("Ignoring EACCES for %s", path); @@ -154,7 +155,7 @@ qemuSetupChardevCgroup(virDomainDefPtr def, rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path, VIR_CGROUP_DEVICE_RW); qemuAuditCgroupPath(data->vm, data->cgroup, "allow", - dev->source.data.file.path, rc); + dev->source.data.file.path, "rw", rc); if (rc < 0) { virReportSystemError(-rc, _("Unable to allow device %s for %s"), @@ -176,7 +177,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED, VIR_DEBUG("Process path '%s' for USB device", path); rc = virCgroupAllowDevicePath(data->cgroup, path, VIR_CGROUP_DEVICE_RW); - qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc); + qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc); if (rc < 0) { virReportSystemError(-rc, _("Unable to allow device %s"), @@ -232,7 +233,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR, VIR_CGROUP_DEVICE_RW); qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR, - "pty", rc == 0); + "pty", "rw", rc == 0); if (rc != 0) { virReportSystemError(-rc, "%s", _("unable to allow /dev/pts/ devices")); @@ -247,7 +248,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR, VIR_CGROUP_DEVICE_RW); qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR, - "sound", rc == 0); + "sound", "rw", rc == 0); if (rc != 0) { virReportSystemError(-rc, "%s", _("unable to allow /dev/snd/ devices")); @@ -258,7 +259,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, for (i = 0; deviceACL[i] != NULL ; i++) { rc = virCgroupAllowDevicePath(cgroup, deviceACL[i], VIR_CGROUP_DEVICE_RW); - qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], rc); + qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc); if (rc < 0 && rc != -ENOENT) { virReportSystemError(-rc, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 31a8e4872b..2d11da8bb3 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -1964,7 +1964,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom, } rc = virCgroupAllowDevicePath(cgroup, path, VIR_CGROUP_DEVICE_RW); - qemuAuditCgroupPath(vm, cgroup, "allow", path, rc); + qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc); if (rc < 0) { virReportSystemError(-rc, _("Unable to allow device %s for %s"), @@ -2015,7 +2015,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom, if (cgroup != NULL) { rc = virCgroupDenyDevicePath(cgroup, path, VIR_CGROUP_DEVICE_RWM); - qemuAuditCgroupPath(vm, cgroup, "deny", path, rc); + qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc); if (rc < 0) VIR_WARN("Unable to deny device %s for %s %d", path, vm->def->name, rc); @@ -2048,7 +2048,7 @@ endjob: if (cgroup != NULL) { rc = virCgroupDenyDevicePath(cgroup, path, VIR_CGROUP_DEVICE_RWM); - qemuAuditCgroupPath(vm, cgroup, "deny", path, rc); + qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc); if (rc < 0) VIR_WARN("Unable to deny device %s for %s: %d", path, vm->def->name, rc); -- GitLab