Add auditing of filesystems
authorDaniel P. Berrange <berrange@redhat.com>
Mon, 4 Jul 2011 11:00:33 +0000 (12:00 +0100)
committerDaniel P. Berrange <berrange@redhat.com>
Tue, 12 Jul 2011 16:05:30 +0000 (17:05 +0100)
When passing through filesystems from the host to a guest, the
host filesystem passed must be audited

* src/conf/domain_audit.{c,h}: Add virDomainAuditFS

src/conf/domain_audit.c
src/conf/domain_audit.h
src/libvirt_private.syms

index b3451629e91b51166786ff414f9e0792fbaf25ba..f3bcf34900126b25fede05dd4925fff460bdfd4f 100644 (file)
@@ -99,6 +99,47 @@ cleanup:
 }
 
 
+void
+virDomainAuditFS(virDomainObjPtr vm,
+                 virDomainFSDefPtr oldDef, virDomainFSDefPtr newDef,
+                 const char *reason, bool success)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    char *vmname;
+    char *oldsrc = NULL;
+    char *newsrc = NULL;
+
+    virUUIDFormat(vm->def->uuid, uuidstr);
+    if (!(vmname = virAuditEncode("vm", vm->def->name))) {
+        VIR_WARN("OOM while encoding audit message");
+        return;
+    }
+
+    if (!(oldsrc = virAuditEncode("old-fs",
+                                  oldDef && oldDef->src ?
+                                  oldDef->src : "?"))) {
+        VIR_WARN("OOM while encoding audit message");
+        goto cleanup;
+    }
+    if (!(newsrc = virAuditEncode("new-fs",
+                                  newDef && newDef->src ?
+                                  newDef->src : "?"))) {
+        VIR_WARN("OOM while encoding audit message");
+        goto cleanup;
+    }
+
+    VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+              "resrc=fs reason=%s %s uuid=%s %s %s",
+              reason, vmname, uuidstr,
+              oldsrc, newsrc);
+
+cleanup:
+    VIR_FREE(vmname);
+    VIR_FREE(oldsrc);
+    VIR_FREE(newsrc);
+}
+
+
 void
 virDomainAuditNet(virDomainObjPtr vm,
                   virDomainNetDefPtr oldDef, virDomainNetDefPtr newDef,
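Review bot: `reason` is interpolated into the audit record unencoded in the `"resrc=fs reason=%s %s uuid=%s %s %s"` format, while the VM name and both filesystem sources are passed through virAuditEncode first, so the function silently relies on every caller supplying a fixed literal such as the `"start"` used in virDomainAuditStart. A comment above the VIR_AUDIT call would make that contract explicit: `/* reason is not encoded: callers must pass a fixed literal, never guest- or user-derived text */`. Separately, when virAuditEncode fails the event is only logged via VIR_WARN and no audit record is emitted, so an OOM here leaves no audit trace of the host filesystem exposure; this appears to follow the pattern of the neighbouring audit functions, but a comment at the early return such as `/* Audit record is dropped on OOM; the warning is the only trace */` would document the gap for anyone relying on the audit log.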
@@ -433,6 +474,11 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
             virDomainAuditDisk(vm, NULL, disk, "start", true);
     }
 
+    for (i = 0 ; i < vm->def->nfss ; i++) {
+        virDomainFSDefPtr fs = vm->def->fss[i];
+        virDomainAuditFS(vm, NULL, fs, "start", true);
+    }
+
     for (i = 0 ; i < vm->def->nnets ; i++) {
         virDomainNetDefPtr net = vm->def->nets[i];
         virDomainAuditNet(vm, NULL, net, "start", true);
index 44da344e3d97029234add1266b916c07914bc6bd..0e88fd396a1159b5d06ceffdd52012885c78681b 100644 (file)
@@ -40,6 +40,12 @@ void virDomainAuditDisk(virDomainObjPtr vm,
                         const char *reason,
                         bool success)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
+void virDomainAuditFS(virDomainObjPtr vm,
+                      virDomainFSDefPtr oldDef,
+                      virDomainFSDefPtr newDef,
+                      const char *reason,
+                      bool success)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4);
 void virDomainAuditNet(virDomainObjPtr vm,
                        virDomainNetDefPtr oldDef,
                        virDomainNetDefPtr newDef,
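Review bot: The new `virDomainAuditFS` prototype has no comment, so a caller cannot tell from the header that `oldDef` and `newDef` may each be NULL (the implementation substitutes `?` for a missing definition or source) while `vm` and `reason` must not be, which is what the `ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4)` markers encode. A short block comment above the declaration should state the purpose (emit a resource audit record for a filesystem of `vm`), the NULL rules for the old and new definitions (a NULL old definition is what virDomainAuditStart passes when auditing at start), that `reason` must be a fixed literal since it is not encoded, and that `success` selects whether the record is marked as succeeded or failed.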
index e3627e528090ee53ff184466d760e20fd8fd771d..3237d186fc285b279a7cb69c531f714108436ebb 100644 (file)
@@ -207,6 +207,7 @@ virDomainAuditCgroup;
 virDomainAuditCgroupMajor;
 virDomainAuditCgroupPath;
 virDomainAuditDisk;
+virDomainAuditFS;
 virDomainAuditHostdev;
 virDomainAuditMemory;
 virDomainAuditNet;