* @reason: either "allow" or "deny"
* @maj: the major number of the device category
* @name: a textual name for that device category, alphabetic only
+ * @perms: string containing "r", "w", and/or "m" as appropriate
* @success: true if the cgroup operation succeeded
*
* Log an audit message about an attempted cgroup device ACL change.
void
qemuAuditCgroupMajor(virDomainObjPtr vm, virCgroupPtr cgroup,
const char *reason, int maj, const char *name,
- bool success)
+ const char *perms, bool success)
{
char *extra;
- if (virAsprintf(&extra, "major category=%s maj=%02X", name, maj) < 0) {
+ if (virAsprintf(&extra, "major category=%s maj=%02X acl=%s",
+ name, maj, perms) < 0) {
VIR_WARN0("OOM while encoding audit message");
return;
}
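Review bot: The new `acl=%s` field in the virAsprintf format emits `perms` verbatim into the audit record, whereas the sibling qemuAuditCgroupPath runs its untrusted `path` through virAuditEncode; that is only sound while every caller passes a fixed literal, which the call sites in this commit do ("r", "rw", "rwm"). That contract should be written down where the format string is built, e.g. `/* perms is emitted unencoded: callers pass a fixed literal ("r", "rw", "rwm"), never caller-derived text */`, and the same applies to the acl field added to qemuAuditCgroupPath below. Because the header now marks perms with ATTRIBUTE_NONNULL, a defensive NULL check inside this function could be optimized away, so the guarantee has to come from the call sites rather than from this code. The body of qemuAuditCgroupMajor continues past the closing brace of the OOM check that ends the hunk.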
* @cgroup: cgroup that manages the devices
* @reason: either "allow" or "deny"
* @path: the device being adjusted
+ * @perms: string containing "r", "w", and/or "m" as appropriate
* @rc: > 0 if not a device, 0 if success, < 0 if failure
*
* Log an audit message about an attempted cgroup device ACL change to
*/
void
qemuAuditCgroupPath(virDomainObjPtr vm, virCgroupPtr cgroup,
- const char *reason, const char *path, int rc)
+ const char *reason, const char *path, const char *perms,
+ int rc)
{
char *detail;
char *rdev;
rdev = qemuAuditGetRdev(path);
if (!(detail = virAuditEncode("path", path)) ||
- virAsprintf(&extra, "path path=%s rdev=%s",
- path, VIR_AUDIT_STR(rdev)) < 0) {
+ virAsprintf(&extra, "path path=%s rdev=%s acl=%s",
+ path, VIR_AUDIT_STR(rdev), perms) < 0) {
VIR_WARN0("OOM while encoding audit message");
goto cleanup;
}
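Review bot: The rewritten virAsprintf still formats the raw `path` into the audit message even though the line immediately before it computes `detail = virAuditEncode("path", path)` for that purpose, so the encoded form is built but never logged and a device path containing spaces, quotes or control characters reaches the audit record unescaped, where it can break field parsing. Since the commit already touches this line, it is the natural place to use the encoded value: `virAsprintf(&extra, "path %s rdev=%s acl=%s", detail, VIR_AUDIT_STR(rdev), perms) < 0)`, assuming virAuditEncode returns the complete `key=value` pair — confirm against its definition. The `perms` argument is safe to emit unencoded only because all callers in this commit pass fixed literals. The remainder of qemuAuditCgroupPath, including the emit and the cleanup label, lies outside the hunk.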
const char *reason,
int maj,
const char *name,
+ const char *perms,
bool success)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
- ATTRIBUTE_NONNULL(5);
+ ATTRIBUTE_NONNULL(5) ATTRIBUTE_NONNULL(6);
void qemuAuditCgroupPath(virDomainObjPtr vm,
virCgroupPtr group,
const char *reason,
const char *path,
+ const char *perms,
int rc)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
- ATTRIBUTE_NONNULL(4);
+ ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5);
void qemuAuditMemory(virDomainObjPtr vm,
unsigned long long oldmem,
unsigned long long newmem,
rc = virCgroupAllowDevicePath(data->cgroup, path,
(disk->readonly ? VIR_CGROUP_DEVICE_READ
: VIR_CGROUP_DEVICE_RW));
- qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc);
+ qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path,
+ disk->readonly ? "r" : "rw", rc);
if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path);
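Review bot: The ACL string handed to qemuAuditCgroupPath is derived from `disk->readonly` a second time, independently of the `VIR_CGROUP_DEVICE_READ`/`VIR_CGROUP_DEVICE_RW` mask chosen two lines earlier, so a later edit to one ternary would silently make the audit log claim a different permission than the cgroup was actually given. The same hand-paired literals ("rw" beside VIR_CGROUP_DEVICE_RW, "rwm" beside VIR_CGROUP_DEVICE_RWM) recur at every other call site in this commit, including the qemuAuditCgroupMajor calls for the pty and sound majors. Deriving the audit string from the mask through one small file-local helper keeps the record faithful to the applied permission at all of them. The enclosing function starts and ends outside the hunk.

```c
/* Audit string for a VIR_CGROUP_DEVICE_* mask, so the logged ACL can
 * never disagree with the permission actually applied. */
static const char *
qemuCgroupDevicePerms(int mask)
{
    switch (mask) {
    case VIR_CGROUP_DEVICE_READ: return "r";
    case VIR_CGROUP_DEVICE_RW:   return "rw";
    case VIR_CGROUP_DEVICE_RWM:  return "rwm";
    default:                     return "?";
    }
}

/* … unchanged: path resolution before the allow call … */
int mask = disk->readonly ? VIR_CGROUP_DEVICE_READ : VIR_CGROUP_DEVICE_RW;
rc = virCgroupAllowDevicePath(data->cgroup, path, mask);
qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path,
                    qemuCgroupDevicePerms(mask), rc);
```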
VIR_DEBUG("Process path %s for disk", path);
rc = virCgroupDenyDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RWM);
- qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, rc);
+ qemuAuditCgroupPath(data->vm, data->cgroup, "deny", path, "rwm", rc);
if (rc < 0) {
if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path);
rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path,
VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupPath(data->vm, data->cgroup, "allow",
- dev->source.data.file.path, rc);
+ dev->source.data.file.path, "rw", rc);
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
VIR_DEBUG("Process path '%s' for USB device", path);
rc = virCgroupAllowDevicePath(data->cgroup, path,
VIR_CGROUP_DEVICE_RW);
- qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, rc);
+ qemuAuditCgroupPath(data->vm, data->cgroup, "allow", path, "rw", rc);
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s"),
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR,
VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR,
- "pty", rc == 0);
+ "pty", "rw", rc == 0);
if (rc != 0) {
virReportSystemError(-rc, "%s",
_("unable to allow /dev/pts/ devices"));
rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR,
VIR_CGROUP_DEVICE_RW);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR,
- "sound", rc == 0);
+ "sound", "rw", rc == 0);
if (rc != 0) {
virReportSystemError(-rc, "%s",
_("unable to allow /dev/snd/ devices"));
for (i = 0; deviceACL[i] != NULL ; i++) {
rc = virCgroupAllowDevicePath(cgroup, deviceACL[i],
VIR_CGROUP_DEVICE_RW);
- qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], rc);
+ qemuAuditCgroupPath(vm, cgroup, "allow", deviceACL[i], "rw", rc);
if (rc < 0 &&
rc != -ENOENT) {
virReportSystemError(-rc,
}
rc = virCgroupAllowDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RW);
- qemuAuditCgroupPath(vm, cgroup, "allow", path, rc);
+ qemuAuditCgroupPath(vm, cgroup, "allow", path, "rw", rc);
if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RWM);
- qemuAuditCgroupPath(vm, cgroup, "deny", path, rc);
+ qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
if (rc < 0)
VIR_WARN("Unable to deny device %s for %s %d",
path, vm->def->name, rc);
if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path,
VIR_CGROUP_DEVICE_RWM);
- qemuAuditCgroupPath(vm, cgroup, "deny", path, rc);
+ qemuAuditCgroupPath(vm, cgroup, "deny", path, "rwm", rc);
if (rc < 0)
VIR_WARN("Unable to deny device %s for %s: %d",
path, vm->def->name, rc);