Include pid namespace inode in LXC audit messages

To allow the efficient correlation of container audit messages
with host hosts, include the pid namespace inode in audit
messages.

src/conf/domain_audit.c

@@ -649,7 +649,8 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
 
 void
 virDomainAuditInit(virDomainObjPtr vm,
-                   pid_t initpid)
+                   pid_t initpid,
+                   ino_t pidns)
 {
     char uuidstr[VIR_UUID_STRING_BUFLEN];
     char *vmname;
@@ -668,8 +669,9 @@ virDomainAuditInit(virDomainObjPtr vm,
     }
 
     VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_CONTROL, true,
-              "virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld",
-              virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid);
+              "virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld pid-ns=%lld",
+              virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid,
+              (long long)pidns);
 
     VIR_FREE(vmname);
 }

src/conf/domain_audit.h

@@ -32,7 +32,8 @@ void virDomainAuditStart(virDomainObjPtr vm,
                          bool success)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
 void virDomainAuditInit(virDomainObjPtr vm,
-                        pid_t pid)
+                        pid_t pid,
+                        ino_t pidns)
     ATTRIBUTE_NONNULL(1);
 void virDomainAuditStop(virDomainObjPtr vm,
                         const char *reason)

src/lxc/lxc_process.c

@@ -630,6 +630,36 @@ static void virLXCProcessMonitorExitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
               priv->stopReason, status);
 }
 
+static int
+virLXCProcessGetNsInode(pid_t pid,
+                        const char *nsname,
+                        ino_t *inode)
+{
+    char *path = NULL;
+    struct stat sb;
+    int ret = -1;
+
+    if (virAsprintf(&path, "/proc/%llu/ns/%s",
+                    (unsigned long long)pid, nsname) < 0) {
+        virReportOOMError();
+        goto cleanup;
+    }
+
+    if (stat(path, &sb) < 0) {
+        virReportSystemError(errno,
+                             _("Unable to stat %s"), path);
+        goto cleanup;
+    }
+
+    *inode = sb.st_ino;
+    ret = 0;
+
+cleanup:
+    VIR_FREE(path);
+    return ret;
+}
+
+
 /* XXX a little evil */
 extern virLXCDriverPtr lxc_driver;
 static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED,
@@ -637,8 +667,19 @@ static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
                                            virDomainObjPtr vm)
 {
     virLXCDomainObjPrivatePtr priv = vm->privateData;
+    ino_t inode;
+
     priv->initpid = initpid;
-    virDomainAuditInit(vm, initpid);
+
+    if (virLXCProcessGetNsInode(initpid, "pid", &inode) < 0) {
+        virErrorPtr err = virGetLastError();
+        VIR_WARN("Cannot obtain pid NS inode for %llu: %s",
+                 (unsigned long long)initpid,
+                 err && err->message ? err->message : "<unknown>");
+        virResetLastError();
+        inode = 0;
+    }
+    virDomainAuditInit(vm, initpid, inode);
 
     if (virDomainSaveStatus(lxc_driver->caps, lxc_driver->stateDir, vm) < 0)
         VIR_WARN("Cannot update XML with PID for LXC %s", vm->def->name);