audit: Audit smartcard devices
authorPeter Krempa <pkrempa@redhat.com>
Thu, 3 Jul 2014 10:03:41 +0000 (12:03 +0200)
committerPeter Krempa <pkrempa@redhat.com>
Mon, 7 Jul 2014 10:56:45 +0000 (12:56 +0200)
docs/auditlog.html.in
src/conf/domain_audit.c

index 8528b5295ed74cadcc933d89adcf2e9ed100648b..8a007caf3524e8904e30fc872b17d54fab520403 100644 (file)
       <dd>Updated path of the backing character device for given emulated device</dd>
     </dl>
 
+    <h4><a name="typeresourcesmartcard">smartcard</a></h4>
+    <p>
+      The <code>msg</code> field will include the following sub-fields
+    </p>
+
+    <dl>
+      <dt>reason</dt>
+      <dd>The reason which caused the resource to be assigned to happen</dd>
+      <dt>resrc</dt>
+      <dd>The type of resource assigned. Set to <code>smartcard</code></dd>
+      <dt>old-smartcard</dt>
+      <dd>Original path of the backing character device, certificate store or
+          "nss-smartcard-device" for host smartcard passthrough.
+      </dd>
+      <dt>new-smartcard</dt>
+      <dd>Updated path of the backing character device, certificate store or
+          "nss-smartcard-device" for host smartcard passthrough.
+      </dd>
+    </dl>
+
     <h4><a name="typeresourceredir">Redirected device</a></h4>
     <p>
       The <code>msg</code> field will include the following sub-fields
index 23bb4a7e8230e0b679cc89458d16681ff4d529b1..a3d6c67a31bed379e508b188e0df96102cd74b04 100644 (file)
@@ -177,6 +177,51 @@ virDomainAuditChardev(virDomainObjPtr vm,
 }
 
 
+static void
+virDomainAuditSmartcard(virDomainObjPtr vm,
+                        virDomainSmartcardDefPtr def,
+                        const char *reason,
+                        bool success)
+{
+    const char *database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+    size_t i;
+
+    if (def) {
+        switch ((virDomainSmartcardType) def->type) {
+        case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+            virDomainAuditGenericDev(vm, "smartcard",
+                                     NULL, "nss-smartcard-device",
+                                     reason, success);
+            break;
+
+        case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+            for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) {
+                virDomainAuditGenericDev(vm, "smartcard", NULL,
+                                         def->data.cert.file[i],
+                                         reason, success);
+            }
+
+            if (def->data.cert.database)
+                database = def->data.cert.database;
+
+            virDomainAuditGenericDev(vm, "smartcard",
+                                     NULL, database,
+                                     reason, success);
+            break;
+
+        case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+            virDomainAuditGenericDev(vm, "smartcard", NULL,
+                                     virDomainAuditChardevPath(&def->data.passthru),
+                                     reason, success);
+            break;
+
+        case VIR_DOMAIN_SMARTCARD_TYPE_LAST:
+            break;
+        }
+    }
+}
+
+
 void
 virDomainAuditDisk(virDomainObjPtr vm,
                    virStorageSourcePtr oldDef,
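Review bot: In the `VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH` branch the result of `virDomainAuditChardevPath(&def->data.passthru)` is passed to `virDomainAuditGenericDev` unchecked, so a passthrough smartcard whose chardev backend has no path may produce a record without a usable `new-smartcard` value, or possibly no record at all, depending on how those two helpers treat NULL (both are defined outside this hunk). The same question applies to `def->data.cert.file[i]` in the certificates loop if an entry can ever be unset. For an audit trail every assigned smartcard should leave a record, so consider a fallback such as `NULLSTR(virDomainAuditChardevPath(&def->data.passthru))` or a fixed label per backend type. A short comment above `virDomainAuditSmartcard` would also help, saying that the certificates type emits one record per certificate file plus one for the database, and that the old source is always NULL, so readers of the log know to expect several `resrc=smartcard` events for one device.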
@@ -814,6 +859,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
         virDomainAuditChardev(vm, NULL, vm->def->consoles[i], "start", true);
     }
 
+    for (i = 0; i < vm->def->nsmartcards; i++)
+        virDomainAuditSmartcard(vm, vm->def->smartcards[i], "start", true);
+
     if (vm->def->rng)
         virDomainAuditRNG(vm, NULL, vm->def->rng, "start", true);