audit: audit qemu memory and vcpu adjusments

* src/qemu/qemu_audit.h (qemuDomainMemoryAudit) (qemuDomainVcpuAudit): New prototypes. * src/qemu/qemu_audit.c (qemuDomainResourceAudit) (qemuDomainMemoryAudit, qemuDomainVcpuAudit): New functions. (qemuDomainStartAudit): Call as appropriate. * src/qemu/qemu_driver.c (qemudDomainSetMemory) (qemudDomainHotplugVcpus): Likewise.

audit: audit qemu memory and vcpu adjusments
* src/qemu/qemu_audit.h (qemuDomainMemoryAudit) (qemuDomainVcpuAudit): New prototypes. * src/qemu/qemu_audit.c (qemuDomainResourceAudit) (qemuDomainMemoryAudit, qemuDomainVcpuAudit): New functions. (qemuDomainStartAudit): Call as appropriate. * src/qemu/qemu_driver.c (qemudDomainSetMemory) (qemudDomainHotplugVcpus): Likewise.
e25f2c74 · Eric Blake · 6bb98d41 · e25f2c74 · e25f2c74 · e25f2c74
隐藏空白更改
内联并排

Showing with 71 addition and 1 deletion

src/qemu/qemu_audit.c src/qemu/qemu_audit.c +56 -0

src/qemu/qemu_audit.h src/qemu/qemu_audit.h +10 -0

src/qemu/qemu_driver.c src/qemu/qemu_driver.c +5 -1

未找到文件。
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -148,6 +148,59 @@ cleanup:
 }


+/**
+ * qemuDomainResourceAudit:
+ * @vm: domain making an integer resource change
+ * @resource: name of the resource: "mem" or "vcpu"
+ * @oldval: the old value of the resource
+ * @newval: the new value of the resource
+ * @reason: either "start" or "update"
+ * @success: true if the resource change succeeded
+ *
+ * Log an audit message about an attempted resource change.
+ */
+static void
+qemuDomainResourceAudit(virDomainObjPtr vm,
+                        const char *resource,
+                        unsigned long long oldval,
+                        unsigned long long newval,
+                        const char *reason,
+                        bool success)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    char *vmname;
+
+    virUUIDFormat(vm->def->uuid, uuidstr);
+    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+        VIR_WARN0("OOM while encoding audit message");
+        return;
+    }
+
+    VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+              "resrc=%s reason=%s %s uuid=%s old-%s=%lld new-%s=%lld",
+              resource, reason, vmname, uuidstr,
+              resource, oldval, resource, newval);
+
+    VIR_FREE(vmname);
+}
+
+void
+qemuDomainMemoryAudit(virDomainObjPtr vm,
+                      unsigned long long oldmem, unsigned long long newmem,
+                      const char *reason, bool success)
+{
+    return qemuDomainResourceAudit(vm, "mem", oldmem, newmem, reason, success);
+}
+
+void
+qemuDomainVcpuAudit(virDomainObjPtr vm,
+                    unsigned int oldvcpu, unsigned int newvcpu,
+                    const char *reason, bool success)
+{
+    return qemuDomainResourceAudit(vm, "vcpu", oldvcpu, newvcpu, reason,
+                                   success);
+}
+
 static void qemuDomainLifecycleAudit(virDomainObjPtr vm,
                                     const char *op,
                                     const char *reason,
@@ -185,6 +238,9 @@ void qemuDomainStartAudit(virDomainObjPtr vm, const char *reason, bool success)
        qemuDomainNetAudit(vm, NULL, net, "start", true);
    }

+    qemuDomainMemoryAudit(vm, 0, vm->def->mem.cur_balloon, "start", true);
+    qemuDomainVcpuAudit(vm, 0, vm->def->vcpus, "start", true);
+
    qemuDomainLifecycleAudit(vm, "start", reason, success);
 }


--- a/src/qemu/qemu_audit.h
+++ b/src/qemu/qemu_audit.h
@@ -45,6 +45,16 @@ void qemuDomainCgroupAudit(virDomainObjPtr vm,
                           const char *item,
                           const char *name,
                           bool success);
+void qemuDomainMemoryAudit(virDomainObjPtr vm,
+                           unsigned long long oldmem,
+                           unsigned long long newmem,
+                           const char *reason,
+                           bool success);
+void qemuDomainVcpuAudit(virDomainObjPtr vm,
+                         unsigned int oldvcpu,
+                         unsigned int newvcpu,
+                         const char *reason,
+                         bool success);
 void qemuDomainSecurityLabelAudit(virDomainObjPtr vm, bool success);

 #endif /* __QEMU_AUDIT_H__ */
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1604,6 +1604,8 @@ static int qemudDomainSetMemory(virDomainPtr dom, unsigned long newmem) {
    qemuDomainObjEnterMonitor(vm);
    r = qemuMonitorSetBalloon(priv->mon, newmem);
    qemuDomainObjExitMonitor(vm);
+    qemuDomainMemoryAudit(vm, vm->def->mem.cur_balloon, newmem, "update",
+                          r == 1);
    if (r < 0)
        goto endjob;

@@ -2517,8 +2519,9 @@ static void processWatchdogEvent(void *data, void *opaque)
 static int qemudDomainHotplugVcpus(virDomainObjPtr vm, unsigned int nvcpus)
 {
    qemuDomainObjPrivatePtr priv = vm->privateData;
-    int i, rc;
+    int i, rc = 1;
    int ret = -1;
+    int oldvcpus = vm->def->vcpus;

    qemuDomainObjEnterMonitor(vm);

@@ -2553,6 +2556,7 @@ static int qemudDomainHotplugVcpus(virDomainObjPtr vm, unsigned int nvcpus)

 cleanup:
    qemuDomainObjExitMonitor(vm);
+    qemuDomainVcpuAudit(vm, oldvcpus, nvcpus, "update", rc == 1);
    return ret;

 unsupported: