Add disk/net resource auditing to QEMU driver

Add auditing of all initial disk/net assignments to QEMU guests at startup. Add auditing for all hotplug & unplug events and disk media changes. * src/qemu/qemu_driver.c: Add disk/net resource auditing

Add disk/net resource auditing to QEMU driver
Add auditing of all initial disk/net assignments to QEMU guests at startup. Add auditing for all hotplug & unplug events and disk media changes. * src/qemu/qemu_driver.c: Add disk/net resource auditing
8dc136b5 · Daniel P. Berrange · 160b5479 · 8dc136b5
隐藏空白更改
内联并排

Showing with 111 addition and 0 deletion

src/qemu/qemu_driver.c src/qemu/qemu_driver.c +111 -0

未找到文件。
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3668,6 +3668,79 @@ static int qemuDomainSnapshotSetActive(virDomainObjPtr vm,
 static int qemuDomainSnapshotSetInactive(virDomainObjPtr vm,
                                         char *snapshotDir);

+static void qemuDomainDiskAudit(virDomainObjPtr vm,
+                                virDomainDiskDefPtr oldDef,
+                                virDomainDiskDefPtr newDef,
+                                const char *reason,
+                                bool success)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    char *vmname;
+    char *oldsrc = NULL;
+    char *newsrc = NULL;
+
+    virUUIDFormat(vm->def->uuid, uuidstr);
+    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+        VIR_WARN0("OOM while encoding audit message");
+        return;
+    }
+
+    if (!(oldsrc = virAuditEncode("old-disk",
+                                  oldDef && oldDef->src ?
+                                  oldDef->src : "?"))) {
+        VIR_WARN0("OOM while encoding audit message");
+        goto cleanup;
+    }
+    if (!(newsrc = virAuditEncode("new-disk",
+                                  newDef && newDef->src ?
+                                  newDef->src : "?"))) {
+        VIR_WARN0("OOM while encoding audit message");
+        goto cleanup;
+    }
+
+    VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+              "resrc=disk reason=%s %s uuid=%s %s %s",
+              reason, vmname, uuidstr,
+              oldsrc, newsrc);
+
+cleanup:
+    VIR_FREE(vmname);
+    VIR_FREE(oldsrc);
+    VIR_FREE(newsrc);
+}
+
+
+static void qemuDomainNetAudit(virDomainObjPtr vm,
+                               virDomainNetDefPtr oldDef,
+                               virDomainNetDefPtr newDef,
+                               const char *reason,
+                               bool success)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    char newMacstr[VIR_MAC_STRING_BUFLEN];
+    char oldMacstr[VIR_MAC_STRING_BUFLEN];
+    char *vmname;
+
+    virUUIDFormat(vm->def->uuid, uuidstr);
+    if (oldDef)
+        virFormatMacAddr(oldDef->mac, oldMacstr);
+    if (newDef)
+        virFormatMacAddr(newDef->mac, newMacstr);
+    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+        VIR_WARN0("OOM while encoding audit message");
+        return;
+    }
+
+    VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+              "resrc=net reason=%s %s uuid=%s old-net='%s' new-net='%s'",
+              reason, vmname, uuidstr,
+              oldDef ? oldMacstr : "?",
+              newDef ? newMacstr : "?");
+
+    VIR_FREE(vmname);
+}
+
+
 static void qemuDomainLifecycleAudit(virDomainObjPtr vm,
                                     const char *op,
                                     const char *reason,
@@ -3677,6 +3750,7 @@ static void qemuDomainLifecycleAudit(virDomainObjPtr vm,
    char *vmname;

    virUUIDFormat(vm->def->uuid, uuidstr);
+
    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
        VIR_WARN0("OOM while encoding audit message");
        return;
@@ -3690,6 +3764,19 @@ static void qemuDomainLifecycleAudit(virDomainObjPtr vm,

 static void qemuDomainStartAudit(virDomainObjPtr vm, const char *reason, bool success)
 {
+    int i;
+
+    for (i = 0 ; i < vm->def->ndisks ; i++) {
+        virDomainDiskDefPtr disk = vm->def->disks[i];
+        if (disk->src) /* Skips CDROM without media initially inserted */
+            qemuDomainDiskAudit(vm, NULL, disk, "start", true);
+    }
+
+    for (i = 0 ; i < vm->def->nnets ; i++) {
+        virDomainNetDefPtr net = vm->def->nets[i];
+        qemuDomainNetAudit(vm, NULL, net, "start", true);
+    }
+
    qemuDomainLifecycleAudit(vm, "start", reason, success);
 }

@@ -7565,6 +7652,8 @@ static int qemudDomainChangeEjectableMedia(struct qemud_driver *driver,
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainDiskAudit(vm, origdisk, disk, "update", ret >= 0);
+
    if (ret < 0)
        goto error;

@@ -7664,6 +7753,8 @@ static int qemudDomainAttachPciDiskDevice(struct qemud_driver *driver,
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainDiskAudit(vm, NULL, disk, "attach", ret >= 0);
+
    if (ret < 0)
        goto error;

@@ -7899,6 +7990,8 @@ static int qemudDomainAttachSCSIDisk(struct qemud_driver *driver,
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainDiskAudit(vm, NULL, disk, "attach", ret >= 0);
+
    if (ret < 0)
        goto error;

@@ -7984,6 +8077,8 @@ static int qemudDomainAttachUsbMassstorageDevice(struct qemud_driver *driver,
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainDiskAudit(vm, NULL, disk, "attach", ret >= 0);
+
    if (ret < 0)
        goto error;

@@ -8118,11 +8213,13 @@ static int qemudDomainAttachNetDevice(virConnectPtr conn,
        (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
        if (qemuMonitorAddNetdev(priv->mon, netstr) < 0) {
            qemuDomainObjExitMonitorWithDriver(driver, vm);
+            qemuDomainNetAudit(vm, NULL, net, "attach", false);
            goto try_tapfd_close;
        }
    } else {
        if (qemuMonitorAddHostNetwork(priv->mon, netstr) < 0) {
            qemuDomainObjExitMonitorWithDriver(driver, vm);
+            qemuDomainNetAudit(vm, NULL, net, "attach", false);
            goto try_tapfd_close;
        }
    }
@@ -8150,12 +8247,14 @@ static int qemudDomainAttachNetDevice(virConnectPtr conn,
    if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) {
        if (qemuMonitorAddDevice(priv->mon, nicstr) < 0) {
            qemuDomainObjExitMonitorWithDriver(driver, vm);
+            qemuDomainNetAudit(vm, NULL, net, "attach", false);
            goto try_remove;
        }
    } else {
        if (qemuMonitorAddPCINetwork(priv->mon, nicstr,
                                     &guestAddr) < 0) {
            qemuDomainObjExitMonitorWithDriver(driver, vm);
+            qemuDomainNetAudit(vm, NULL, net, "attach", false);
            goto try_remove;
        }
        net->info.type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_PCI;
@@ -8163,6 +8262,8 @@ static int qemudDomainAttachNetDevice(virConnectPtr conn,
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainNetAudit(vm, NULL, net, "attach", true);
+
    ret = 0;

    vm->def->nets[vm->def->nnets++] = net;
@@ -8860,6 +8961,8 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver,
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainDiskAudit(vm, detach, NULL, "detach", ret >= 0);
+
    if ((qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) &&
        qemuDomainPCIAddressReleaseAddr(priv->pciaddrs, &detach->info) < 0)
        VIR_WARN("Unable to release PCI address on %s", dev->data.disk->src);
@@ -8928,6 +9031,8 @@ static int qemudDomainDetachSCSIDiskDevice(struct qemud_driver *driver,
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainDiskAudit(vm, detach, NULL, "detach", ret >= 0);
+
    virDomainDiskRemove(vm->def, i);

    virDomainDiskDefFree(detach);
@@ -9081,12 +9186,14 @@ qemudDomainDetachNetDevice(struct qemud_driver *driver,
    if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) {
        if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) {
            qemuDomainObjExitMonitor(vm);
+            qemuDomainNetAudit(vm, detach, NULL, "detach", false);
            goto cleanup;
        }
    } else {
        if (qemuMonitorRemovePCIDevice(priv->mon,
                                       &detach->info.addr.pci) < 0) {
            qemuDomainObjExitMonitorWithDriver(driver, vm);
+            qemuDomainNetAudit(vm, detach, NULL, "detach", false);
            goto cleanup;
        }
    }
@@ -9095,16 +9202,20 @@ qemudDomainDetachNetDevice(struct qemud_driver *driver,
        (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
        if (qemuMonitorRemoveNetdev(priv->mon, hostnet_name) < 0) {
            qemuDomainObjExitMonitorWithDriver(driver, vm);
+            qemuDomainNetAudit(vm, detach, NULL, "detach", false);
            goto cleanup;
        }
    } else {
        if (qemuMonitorRemoveHostNetwork(priv->mon, vlan, hostnet_name) < 0) {
            qemuDomainObjExitMonitorWithDriver(driver, vm);
+            qemuDomainNetAudit(vm, detach, NULL, "detach", false);
            goto cleanup;
        }
    }
    qemuDomainObjExitMonitorWithDriver(driver, vm);

+    qemuDomainNetAudit(vm, detach, NULL, "detach", true);
+
    if ((qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) &&
        qemuDomainPCIAddressReleaseAddr(priv->pciaddrs, &detach->info) < 0)
        VIR_WARN0("Unable to release PCI address on NIC");