提交 340ab27d 编写于 作者: E Eric Blake

audit: also audit cgroup ACL permissions

* src/qemu/qemu_audit.h (qemuAuditCgroupMajor)
(qemuAuditCgroupPath): Add parameter.
* src/qemu/qemu_audit.c (qemuAuditCgroupMajor)
(qemuAuditCgroupPath): Add 'acl=rwm' to cgroup audit entries.
* src/qemu/qemu_cgroup.c: Update clients.
* src/qemu/qemu_driver.c (qemudDomainSaveFlag): Likewise.
上级 5564c575
...@@ -244,6 +244,7 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup, ...@@ -244,6 +244,7 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
* @reason: either "allow" or "deny" * @reason: either "allow" or "deny"
* @maj: the major number of the device category * @maj: the major number of the device category
* @name: a textual name for that device category, alphabetic only * @name: a textual name for that device category, alphabetic only
* @perms: string containing "r", "w", and/or "m" as appropriate
* @success: true if the cgroup operation succeeded * @success: true if the cgroup operation succeeded
* *
* Log an audit message about an attempted cgroup device ACL change. * Log an audit message about an attempted cgroup device ACL change.
...@@ -251,11 +252,12 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup, ...@@ -251,11 +252,12 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
void void
qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
const char *reason, int maj, const char *name, const char *reason, int maj, const char *name,
bool success) const char *perms, bool success)
{ {
char *extra; char *extra;
if (virAsprintf(&extra, "major category=%s maj=%02X", name, maj) < 0) { if (virAsprintf(&extra, "major category=%s maj=%02X acl=%s",
name, maj, perms) < 0) {
VIR_WARN0("OOM while encoding audit message"); VIR_WARN0("OOM while encoding audit message");
return; return;
} }
...@@ -271,6 +273,7 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, ...@@ -271,6 +273,7 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
* @cgroup: cgroup that manages the devices * @cgroup: cgroup that manages the devices
* @reason: either "allow" or "deny" * @reason: either "allow" or "deny"
* @path: the device being adjusted * @path: the device being adjusted
* @perms: string containing "r", "w", and/or "m" as appropriate
* @rc: > 0 if not a device, 0 if success, < 0 if failure * @rc: > 0 if not a device, 0 if success, < 0 if failure
* *
* Log an audit message about an attempted cgroup device ACL change to * Log an audit message about an attempted cgroup device ACL change to
...@@ -278,7 +281,8 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup, ...@@ -278,7 +281,8 @@ qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
*/ */
void void
qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup, qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
const char *reason, const char *path, int rc) const char *reason, const char *path, const char *perms,
int rc)
{ {
char *detail; char *detail;
char *rdev; char *rdev;
...@@ -291,8 +295,8 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup, ...@@ -291,8 +295,8 @@ qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
rdev = qemuAuditGetRdev(path); rdev = qemuAuditGetRdev(path);
if (!(detail = virAuditEncode("path", path)) || if (!(detail = virAuditEncode("path", path)) ||
virAsprintf(&extra, "path path=%s rdev=%s", virAsprintf(&extra, "path path=%s rdev=%s acl=%s",
path, VIR_AUDIT_STR(rdev)) < 0) { path, VIR_AUDIT_STR(rdev), perms) < 0) {
VIR_WARN0("OOM while encoding audit message"); VIR_WARN0("OOM while encoding audit message");
goto cleanup; goto cleanup;
} }
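Review bot: In qemuAuditCgroupPath the rewritten virAsprintf call still formats the raw `path` into the record as `path=%s`, although the line just above computes an encoded copy with `virAuditEncode("path", path)` that the visible lines never use. A device path containing spaces, quotes or a newline would be written into the audit entry unescaped, which can make the new `acl=` field ambiguous to anything that parses the log. If virAuditEncode returns the complete `path=...` field, as its two-argument form suggests, the call should read `virAsprintf(&extra, "path %s rdev=%s acl=%s", detail, VIR_AUDIT_STR(rdev), perms)`. The function body continues outside the hunk, so confirm how `detail` is used further down before changing it.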
......
...@@ -63,16 +63,18 @@ void qemuAuditCgroupMajor(virDomainObjPtr vm, ...@@ -63,16 +63,18 @@ void qemuAuditCgroupMajor(virDomainObjPtr vm,
const char *reason, const char *reason,
int maj, int maj,
const char *name, const char *name,
const char *perms,
bool success) bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(5); ATTRIBUTE_NONNULL(5) ATTRIBUTE_NONNULL(6);
void qemuAuditCgroupPath(virDomainObjPtr vm, void qemuAuditCgroupPath(virDomainObjPtr vm,
virCgroupPtr group, virCgroupPtr group,
const char *reason, const char *reason,
const char *path, const char *path,
const char *perms,
int rc) int rc)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(4); ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5);
void qemuAuditMemory(virDomainObjPtr vm, void qemuAuditMemory(virDomainObjPtr vm,
unsigned long long oldmem, unsigned long long oldmem,
unsigned long long newmem, unsigned long long newmem,
......
...@@ -68,7 +68,8 @@ qemuSetupDiskPathAllow(virDomainDiskDefPtr disk, ...@@ -68,7 +68,8 @@ qemuSetupDiskPathAllow(virDomainDiskDefPtr disk,
rc = virCgroupAllowDevicePath(data->cgroup, path, rc = virCgroupAllowDevicePath(data->cgroup, path,
(disk->readonly ? VIR_CGROUP_DEVICE_READ (disk->readonly ? VIR_CGROUP_DEVICE_READ
: VIR_CGROUP_DEVICE_RW)); : VIR_CGROUP_DEVICE_RW));
qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc); qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path,
disk->readonly ? "r" : "rw", rc);
if (rc < 0) { if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */ if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path); VIR_DEBUG("Ignoring EACCES for %s", path);
...@@ -109,7 +110,7 @@ qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, ...@@ -109,7 +110,7 @@ qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path %s for disk", path); VIR_DEBUG("Process path %s for disk", path);
rc = virCgroupDenyDevicePath(data->cgroup, path, rc = virCgroupDenyDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RWM); VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, rc); qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc);
if (rc < 0) { if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */ if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path); VIR_DEBUG("Ignoring EACCES for %s", path);
...@@ -154,7 +155,7 @@ qemuSetupChardevCgroup(virDomainDefPtr def, ...@@ -154,7 +155,7 @@ qemuSetupChardevCgroup(virDomainDefPtr def,
rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path, rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(data->vm, data->cgroup, "allow", qemuAuditCgroupPath(data->vm, data->cgroup, "allow",
dev->source.data.file.path, rc); dev->source.data.file.path, "rw", rc);
if (rc < 0) { if (rc < 0) {
virReportSystemError(-rc, virReportSystemError(-rc,
_("Unable to allow device %s for %s"), _("Unable to allow device %s for %s"),
...@@ -176,7 +177,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED, ...@@ -176,7 +177,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path '%s' for USB device", path); VIR_DEBUG("Process path '%s' for USB device", path);
rc = virCgroupAllowDevicePath(data->cgroup, path, rc = virCgroupAllowDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc); qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc);
if (rc < 0) { if (rc < 0) {
virReportSystemError(-rc, virReportSystemError(-rc,
_("Unable to allow device %s"), _("Unable to allow device %s"),
...@@ -232,7 +233,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, ...@@ -232,7 +233,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR, qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR,
"pty", rc == 0); "pty", "rw", rc == 0);
if (rc != 0) { if (rc != 0) {
virReportSystemError(-rc, "%s", virReportSystemError(-rc, "%s",
_("unable to allow /dev/pts/ devices")); _("unable to allow /dev/pts/ devices"));
...@@ -247,7 +248,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, ...@@ -247,7 +248,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR, rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR, qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR,
"sound", rc == 0); "sound", "rw", rc == 0);
if (rc != 0) { if (rc != 0) {
virReportSystemError(-rc, "%s", virReportSystemError(-rc, "%s",
_("unable to allow /dev/snd/ devices")); _("unable to allow /dev/snd/ devices"));
...@@ -258,7 +259,7 @@ int qemuSetupCgroup(struct qemud_driver *driver, ...@@ -258,7 +259,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
for (i = 0; deviceACL[i] != NULL ; i++) { for (i = 0; deviceACL[i] != NULL ; i++) {
rc = virCgroupAllowDevicePath(cgroup, deviceACL[i], rc = virCgroupAllowDevicePath(cgroup, deviceACL[i],
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], rc); qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc);
if (rc < 0 && if (rc < 0 &&
rc != -ENOENT) { rc != -ENOENT) {
virReportSystemError(-rc, virReportSystemError(-rc,
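Review bot: Every call site spells the audited permissions as a string literal that must be kept in step by hand with the mask passed to virCgroupAllowDevicePath or virCgroupDenyDevicePath; in qemuSetupDiskPathAllow the ternary `disk->readonly ? VIR_CGROUP_DEVICE_READ : VIR_CGROUP_DEVICE_RW` is repeated as `disk->readonly ? "r" : "rw"`. If one side is later edited without the other, the audit trail will record an ACL that was never applied. Consider computing the mask once, e.g. `int perms = disk->readonly ? VIR_CGROUP_DEVICE_READ : VIR_CGROUP_DEVICE_RW;`, and deriving the string from that value in a single helper so the record cannot disagree with the cgroup call. The same applies to the "rw" and "rwm" literals in qemudDomainSaveFlag in src/qemu/qemu_driver.c. The surrounding functions start and end outside these hunks.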
......
...@@ -1964,7 +1964,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom, ...@@ -1964,7 +1964,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom,
} }
rc = virCgroupAllowDevicePath(cgroup, path, rc = virCgroupAllowDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RW); VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(vm, cgroup, "allow", path, rc); qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
if (rc < 0) { if (rc < 0) {
virReportSystemError(-rc, virReportSystemError(-rc,
_("Unable to allow device %s for %s"), _("Unable to allow device %s for %s"),
...@@ -2015,7 +2015,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom, ...@@ -2015,7 +2015,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver, virDomainPtr dom,
if (cgroup != NULL) { if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path, rc = virCgroupDenyDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RWM); VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupPath(vm, cgroup, "deny", path, rc); qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
if (rc < 0) if (rc < 0)
VIR_WARN("Unable to deny device %s for %s %d", VIR_WARN("Unable to deny device %s for %s %d",
path, vm->def->name, rc); path, vm->def->name, rc);
...@@ -2048,7 +2048,7 @@ endjob: ...@@ -2048,7 +2048,7 @@ endjob:
if (cgroup != NULL) { if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path, rc = virCgroupDenyDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RWM); VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupPath(vm, cgroup, "deny", path, rc); qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
if (rc < 0) if (rc < 0)
VIR_WARN("Unable to deny device %s for %s: %d", VIR_WARN("Unable to deny device %s for %s: %d",
path, vm->def->name, rc); path, vm->def->name, rc);
......