VIR_FREE(vmname);
}
+/**
+ * qemuAuditNetDevice:
+ * @vm: domain opening a network-related device
+ * @def: details of network device that fd will be tied to
+ * @device: device being opened (such as /dev/vhost-net,
+ * /dev/net/tun, /dev/tanN). Note that merely opening a device
+ * does not mean that qemu owns it; a followup qemuAuditNet
+ * shows whether the fd was passed on.
+ * @success: true if the device was opened
+ *
+ * Log an audit message about an attempted network device open.
+ */
+void
+qemuAuditNetDevice(virDomainDefPtr vmDef, virDomainNetDefPtr netDef,
+ const char *device, bool success)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ char macstr[VIR_MAC_STRING_BUFLEN];
+ char *vmname;
+ char *devname;
+ char *rdev;
+
+ virUUIDFormat(vmDef->uuid, uuidstr);
+ virFormatMacAddr(netDef->mac, macstr);
+ rdev = qemuAuditGetRdev(device);
+
+ if (!(vmname = virAuditEncode("vm", vmDef->name)) ||
+ !(devname = virAuditEncode("path", device))) {
+ VIR_WARN0("OOM while encoding audit message");
+ goto cleanup;
+ }
+
+ VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+ "resrc=net reason=open %s uuid=%s net='%s' %s rdev=%s",
+ vmname, uuidstr, macstr, devname, VIR_AUDIT_STR(rdev));
+
+cleanup:
+ VIR_FREE(vmname);
+ VIR_FREE(devname);
+ VIR_FREE(rdev);
+}
/**
* qemuAuditHostdev:
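Review bot: `devname` is declared without an initialiser at the top of qemuAuditNetDevice but is freed unconditionally under the `cleanup:` label, so when the first `virAuditEncode("vm", ...)` fails the `||` short-circuits, `devname` is never assigned, and `VIR_FREE(devname)` operates on an indeterminate pointer. Initialise it at declaration: `char *devname = NULL;`. `vmname` and `rdev` are fine as written, since both are assigned before any `goto cleanup`. Separately, `device` is handed to qemuAuditGetRdev and virAuditEncode with no NULL check, and whether those tolerate NULL is not visible here; callers that can reach this with a NULL path (e.g. a failed open that leaves the name unset) should be confirmed against that.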
#include "uuid.h"
#include "c-ctype.h"
#include "domain_nwfilter.h"
+#include "qemu_audit.h"
#include <sys/utsname.h>
#include <sys/stat.h>
/**
* qemuPhysIfaceConnect:
+ * @def: the definition of the VM (needed by 802.1Qbh and audit)
* @conn: pointer to virConnect object
* @driver: pointer to the qemud_driver
* @net: pointer to he VM's interface description with direct device type
* @qemuCaps: flags for qemu
- * @vmuuid: The UUID of the VM (needed by 802.1Qbh)
*
* Returns a filedescriptor on success or -1 in case of error.
*/
int
-qemuPhysIfaceConnect(virConnectPtr conn,
+qemuPhysIfaceConnect(virDomainDefPtr def,
+ virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps,
- const unsigned char *vmuuid,
enum virVMOperationType vmop)
{
int rc;
vnet_hdr = 1;
rc = openMacvtapTap(net->ifname, net->mac, net->data.direct.linkdev,
- net->data.direct.mode, vnet_hdr, vmuuid,
+ net->data.direct.mode, vnet_hdr, def->uuid,
&net->data.direct.virtPortProfile, &res_ifname,
vmop);
+ qemuAuditNetDevice(def, net, res_ifname, rc >= 0);
if (rc >= 0) {
VIR_FREE(net->ifname);
net->ifname = res_ifname;
}
}
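Review bot: The new audit call passes `res_ifname` as the device name regardless of whether openMacvtapTap succeeded, and on the failure path that pointer may be NULL or otherwise not meaningful; qemuAuditNetDevice forwards it to virAuditEncode and qemuAuditGetRdev, neither of which is shown to accept NULL. What openMacvtapTap does to `*res_ifname` on failure is outside this hunk, so either confirm it always yields a valid string or guard the call so that a NULL name is not encoded. qemuPhysIfaceConnect starts and ends outside this hunk.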
#else
+ (void)def;
(void)conn;
(void)net;
(void)qemuCaps;
(void)driver;
- (void)vmuuid;
(void)vmop;
qemuReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("No support for macvtap device"));
int
-qemuNetworkIfaceConnect(virConnectPtr conn,
+qemuNetworkIfaceConnect(virDomainDefPtr def,
+ virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps)
memcpy(tapmac, net->mac, VIR_MAC_BUFLEN);
tapmac[0] = 0xFE; /* Discourage bridge from using TAP dev MAC */
- if ((err = brAddTap(driver->brctl,
- brname,
- &net->ifname,
- tapmac,
- vnet_hdr,
- true,
- &tapfd))) {
+ err = brAddTap(driver->brctl, brname, &net->ifname, tapmac,
+ vnet_hdr, true, &tapfd);
+ qemuAuditNetDevice(def, net, "/dev/net/tun", tapfd >= 0);
+ if (err) {
if (err == ENOTSUP) {
/* In this particular case, give a better diagnostic. */
qemuReportError(VIR_ERR_INTERNAL_ERROR,
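Review bot: The success flag `tapfd >= 0` on the new audit line depends on `tapfd` still holding -1 when brAddTap fails, but both tapfd's initialiser and brAddTap's treatment of `*tapfd` on error are outside this hunk; if either assumption does not hold, a failed tap open would be audited as a success. Tying the flag to the return code the next line already tests removes that dependency: `qemuAuditNetDevice(def, net, "/dev/net/tun", err == 0);`. qemuNetworkIfaceConnect starts and ends outside this hunk.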
int
-qemuOpenVhostNet(virDomainNetDefPtr net,
+qemuOpenVhostNet(virDomainDefPtr def,
+ virDomainNetDefPtr net,
virBitmapPtr qemuCaps,
int *vhostfd)
{
}
*vhostfd = open("/dev/vhost-net", O_RDWR);
+ qemuAuditNetDevice(def, net, "/dev/vhost-net", *vhostfd >= 0);
/* If the config says explicitly to use vhost and we couldn't open it,
* report an error.
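Review bot: The audit call now sits between `open("/dev/vhost-net", O_RDWR)` and the error path the following comment describes, and qemuAuditNetDevice allocates (virAuditEncode) and looks up the device (qemuAuditGetRdev), either of which can overwrite `errno` from the failed open. If that error report uses errno, preserve it around the audit: `int saved_errno = errno;` before the call and `errno = saved_errno;` after it. The remainder of qemuOpenVhostNet is outside this hunk, so whether errno is actually consumed there cannot be confirmed from the visible lines.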
if (net->type == VIR_DOMAIN_NET_TYPE_NETWORK ||
net->type == VIR_DOMAIN_NET_TYPE_BRIDGE) {
- int tapfd = qemuNetworkIfaceConnect(conn, driver, net,
+ int tapfd = qemuNetworkIfaceConnect(def, conn, driver, net,
qemuCaps);
if (tapfd < 0)
goto error;
tapfd) >= sizeof(tapfd_name))
goto no_memory;
} else if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT) {
- int tapfd = qemuPhysIfaceConnect(conn, driver, net,
- qemuCaps,
- def->uuid,
- vmop);
+ int tapfd = qemuPhysIfaceConnect(def, conn, driver, net,
+ qemuCaps, vmop);
if (tapfd < 0)
goto error;
network device */
int vhostfd;
- if (qemuOpenVhostNet(net, qemuCaps, &vhostfd) < 0)
+ if (qemuOpenVhostNet(def, net, qemuCaps, &vhostfd) < 0)
goto error;
if (vhostfd >= 0) {
virCommandTransferFD(cmd, vhostfd);
-int qemuNetworkIfaceConnect(virConnectPtr conn,
+int qemuNetworkIfaceConnect(virDomainDefPtr def,
+ virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps)
- ATTRIBUTE_NONNULL(1);
+ ATTRIBUTE_NONNULL(2);
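Review bot: Changing `ATTRIBUTE_NONNULL(1)` to `ATTRIBUTE_NONNULL(2)` keeps the non-NULL contract on `conn` but leaves the new first parameter `def` unannotated, even though the implementation now dereferences it (`def->uuid` in qemuPhysIfaceConnect, `vmDef->uuid`/`vmDef->name` inside qemuAuditNetDevice). Declare both: `ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);`. The same gap applies to the qemuPhysIfaceConnect and qemuOpenVhostNet prototypes in the two hunks below, which gain `def` with no annotation at all.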
-int qemuPhysIfaceConnect(virConnectPtr conn,
+int qemuPhysIfaceConnect(virDomainDefPtr def,
+ virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
virBitmapPtr qemuCaps,
- const unsigned char *vmuuid,
enum virVMOperationType vmop);
-int qemuOpenVhostNet(virDomainNetDefPtr net,
+int qemuOpenVhostNet(virDomainDefPtr def,
+ virDomainNetDefPtr net,
virBitmapPtr qemuCaps,
int *vhostfd);
return -1;
}
- if ((tapfd = qemuNetworkIfaceConnect(conn, driver, net, qemuCaps)) < 0)
+ if ((tapfd = qemuNetworkIfaceConnect(vm->def, conn, driver, net,
+ qemuCaps)) < 0)
return -1;
- if (qemuOpenVhostNet(net, qemuCaps, &vhostfd) < 0)
+ if (qemuOpenVhostNet(vm->def, net, qemuCaps, &vhostfd) < 0)
goto cleanup;
} else if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT) {
if (priv->monConfig->type != VIR_DOMAIN_CHR_TYPE_UNIX) {
return -1;
}
- if ((tapfd = qemuPhysIfaceConnect(conn, driver, net,
+ if ((tapfd = qemuPhysIfaceConnect(vm->def, conn, driver, net,
qemuCaps,
- vm->def->uuid,
VIR_VM_OP_CREATE)) < 0)
return -1;
- if (qemuOpenVhostNet(net, qemuCaps, &vhostfd) < 0)
+ if (qemuOpenVhostNet(vm->def, net, qemuCaps, &vhostfd) < 0)
goto cleanup;
}