audit: Add auditing for serial/parallel/channel/console character devs

Add startup auditing and also hotplug auditing for said devices.

docs/auditlog.html.in

@@ -285,6 +285,21 @@
       <dd>Updated path of the host entropy source for the RNG</dd>
     </dl>
 
+    <h4><a name="typeresourcechardev">console/serial/parallel/channel</a></h4>
+    <p>
+      The <code>msg</code> field will include the following sub-fields
+    </p>
+
+    <dl>
+      <dt>reason</dt>
+      <dd>The reason which caused the resource to be assigned to happen</dd>
+      <dt>resrc</dt>
+      <dd>The type of resource assigned. Set to <code>chardev</code></dd>
+      <dt>old-chardev</dt>
+      <dd>Original path of the backing character device for given emulated device</dd>
+      <dt>new-chardev</dt>
+      <dd>Updated path of the backing character device for given emulated device</dd>
+    </dl>
 
     <h4><a name="typeresourceredir">Redirected device</a></h4>
     <p>

src/conf/domain_audit.c

@@ -154,6 +154,29 @@ virDomainAuditGenericDev(virDomainObjPtr vm,
 }
 
 
+void
+virDomainAuditChardev(virDomainObjPtr vm,
+                      virDomainChrDefPtr oldDef,
+                      virDomainChrDefPtr newDef,
+                      const char *reason,
+                      bool success)
+{
+    virDomainChrSourceDefPtr oldsrc = NULL;
+    virDomainChrSourceDefPtr newsrc = NULL;
+
+    if (oldDef)
+        oldsrc = &oldDef->source;
+
+    if (newDef)
+        newsrc = &newDef->source;
+
+    virDomainAuditGenericDev(vm, "chardev",
+                             virDomainAuditChardevPath(oldsrc),
+                             virDomainAuditChardevPath(newsrc),
+                             reason, success);
+}
+
+
 void
 virDomainAuditDisk(virDomainObjPtr vm,
                    virStorageSourcePtr oldDef,
@@ -772,6 +795,25 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
         virDomainAuditRedirdev(vm, redirdev, "start", true);
     }
 
+    for (i = 0; i < vm->def->nserials; i++)
+        virDomainAuditChardev(vm, NULL, vm->def->serials[i], "start", true);
+
+    for (i = 0; i < vm->def->nparallels; i++)
+        virDomainAuditChardev(vm, NULL, vm->def->parallels[i], "start", true);
+
+    for (i = 0; i < vm->def->nchannels; i++)
+        virDomainAuditChardev(vm, NULL, vm->def->channels[i], "start", true);
+
+    for (i = 0; i < vm->def->nconsoles; i++) {
+        if (i == 0 &&
+            (vm->def->consoles[i]->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL ||
+             vm->def->consoles[i]->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_NONE) &&
+             STREQ_NULLABLE(vm->def->os.type, "hvm"))
+            continue;
+
+        virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start", true);
+    }
+
     if (vm->def->rng)
         virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);
 

src/conf/domain_audit.h

@@ -111,4 +111,11 @@ void virDomainAuditRedirdev(virDomainObjPtr vm,
                             bool success)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
 
+void virDomainAuditChardev(virDomainObjPtr vm,
+                           virDomainChrDefPtr oldDef,
+                           virDomainChrDefPtr newDef,
+                           const char *reason,
+                           bool success)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
+
 #endif /* __VIR_DOMAIN_AUDIT_H__ */

src/libvirt_private.syms

@@ -116,6 +116,7 @@ virDomainPCIAddressValidate;
 virDomainAuditCgroup;
 virDomainAuditCgroupMajor;
 virDomainAuditCgroupPath;
+virDomainAuditChardev;
 virDomainAuditDisk;
 virDomainAuditFS;
 virDomainAuditHostdev;

src/qemu/qemu_hotplug.c

@@ -1458,18 +1458,20 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
     qemuDomainObjEnterMonitor(driver, vm);
     if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) {
         qemuDomainObjExitMonitor(driver, vm);
-        goto cleanup;
+        goto audit;
     }
 
     if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) {
         /* detach associated chardev on error */
         qemuMonitorDetachCharDev(priv->mon, charAlias);
         qemuDomainObjExitMonitor(driver, vm);
-        goto cleanup;
+        goto audit;
     }
     qemuDomainObjExitMonitor(driver, vm);
 
     ret = 0;
+ audit:
+    virDomainAuditChardev(vm, NULL, chr, "attach", ret == 0);
  cleanup:
     if (ret < 0 && need_remove)
         qemuDomainChrRemove(vmdef, chr);
@@ -2749,6 +2751,7 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
     char *charAlias = NULL;
     qemuDomainObjPrivatePtr priv = vm->privateData;
     int ret = -1;
+    int rc;
 
     VIR_DEBUG("Removing character device %s from domain %p %s",
               chr->info.alias, vm, vm->def->name);
@@ -2757,12 +2760,14 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
         goto cleanup;
 
     qemuDomainObjEnterMonitor(driver, vm);
-    if (qemuMonitorDetachCharDev(priv->mon, charAlias) < 0) {
-        qemuDomainObjExitMonitor(driver, vm);
-        goto cleanup;
-    }
+    rc = qemuMonitorDetachCharDev(priv->mon, charAlias);
     qemuDomainObjExitMonitor(driver, vm);
 
+    virDomainAuditChardev(vm, chr, NULL, "detach", rc == 0);
+
+    if (rc < 0)
+        goto cleanup;
+
     event = virDomainEventDeviceRemovedNewFromObj(vm, chr->info.alias);
     if (event)
         qemuDomainEventQueue(driver, event);