Include pid namespace inode in LXC audit messages

To allow the efficient correlation of container audit messages
with those of the host, include the pid namespace inode in audit
messages.
上级 eaf7d4dd
......@@ -649,7 +649,8 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
void
virDomainAuditInit(virDomainObjPtr vm,
pid_t initpid)
pid_t initpid,
ino_t pidns)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
char *vmname;
......@@ -668,8 +669,9 @@ virDomainAuditInit(virDomainObjPtr vm,
}
VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_CONTROL, true,
"virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld",
virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid);
"virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld pid-ns=%lld",
virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid,
(long long)pidns);
VIR_FREE(vmname);
}
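Review bot: `pidns` is an `ino_t`, an unsigned type, yet the new format line and its argument cast it to `long long` and print it with `%lld`, so an inode number with the top bit set would be logged as a negative value that does not match what `stat` reports on the host. Cast it to `unsigned long long` and print it with `%llu`, matching the `%llu`/`(unsigned long long)` pair the LXC side already uses for the pid in the `/proc/.../ns/` path: `"virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld pid-ns=%llu",` and `(unsigned long long)pidns);`. The function's header comment (outside the hunk) should also state that the LXC caller passes 0 when the namespace could not be determined, so readers of the audit trail know `pid-ns=0` means unknown rather than a real inode.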
......
......@@ -32,7 +32,8 @@ void virDomainAuditStart(virDomainObjPtr vm,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
void virDomainAuditInit(virDomainObjPtr vm,
pid_t pid)
pid_t pid,
ino_t pidns)
ATTRIBUTE_NONNULL(1);
void virDomainAuditStop(virDomainObjPtr vm,
const char *reason)
......
......@@ -630,6 +630,36 @@ static void virLXCProcessMonitorExitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
priv->stopReason, status);
}
static int
virLXCProcessGetNsInode(pid_t pid,
const char *nsname,
ino_t *inode)
{
char *path = NULL;
struct stat sb;
int ret = -1;
if (virAsprintf(&path, "/proc/%llu/ns/%s",
(unsigned long long)pid, nsname) < 0) {
virReportOOMError();
goto cleanup;
}
if (stat(path, &sb) < 0) {
virReportSystemError(errno,
_("Unable to stat %s"), path);
goto cleanup;
}
*inode = sb.st_ino;
ret = 0;
cleanup:
VIR_FREE(path);
return ret;
}
/* XXX a little evil */
extern virLXCDriverPtr lxc_driver;
static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED,
......@@ -637,8 +667,19 @@ static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
virDomainObjPtr vm)
{
virLXCDomainObjPrivatePtr priv = vm->privateData;
ino_t inode;
priv->initpid = initpid;
virDomainAuditInit(vm, initpid);
if (virLXCProcessGetNsInode(initpid, "pid", &inode) < 0) {
virErrorPtr err = virGetLastError();
VIR_WARN("Cannot obtain pid NS inode for %llu: %s",
(unsigned long long)initpid,
err && err->message ? err->message : "<unknown>");
virResetLastError();
inode = 0;
}
virDomainAuditInit(vm, initpid, inode);
if (virDomainSaveStatus(lxc_driver->caps, lxc_driver->stateDir, vm) < 0)
VIR_WARN("Cannot update XML with PID for LXC %s", vm->def->name);
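Review bot: The failure path assigns `inode = 0` and then emits the audit record unchanged, so consumers see `pid-ns=0` with nothing in the code marking it as a sentinel; add a comment on that line such as `/* 0 is not a real inode: the audit record reports pid-ns=0 when the namespace is unknown */`. This path is reachable in normal operation, since the container's init process can exit between the monitor notification and the `stat()` in `virLXCProcessGetNsInode`, so warning and continuing is the right handling and the comment should say that is expected rather than a bug. For the correlation goal in the commit message, a namespace `st_ino` alone is presumably not unique over time — inode numbers can be reused once a namespace is released — so correlation on the host side should be bounded by the init-pid lifetime, or `st_dev` reported alongside the inode; this is inferred, not verifiable from the hunk. `virLXCProcessMonitorInitNotify` continues past the end of the hunk.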
......