audit: also audit cgroup controller path
authorEric Blake <eblake@redhat.com>
Mon, 7 Mar 2011 23:41:40 +0000 (16:41 -0700)
committerEric Blake <eblake@redhat.com>
Wed, 9 Mar 2011 17:19:17 +0000 (10:19 -0700)
Although the cgroup device ACL controller path can be worked out
by researching the code, it is more efficient to include that
information directly in the audit message.

* src/util/cgroup.h (virCgroupPathOfController): New prototype.
* src/util/cgroup.c (virCgroupPathOfController): Export.
* src/libvirt_private.syms: Likewise.
* src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.

src/libvirt_private.syms
src/qemu/qemu_audit.c
src/util/cgroup.c
src/util/cgroup.h

index efcf3c5ec03f5f7fb29c53fd6285abcd5fbdd516..c0da78ec5a4e9ade0cf710c277f71bcfeffeffd9 100644 (file)
@@ -79,6 +79,7 @@ virCgroupKill;
 virCgroupKillRecursive;
 virCgroupKillPainfully;
 virCgroupMounted;
+virCgroupPathOfController;
 virCgroupRemove;
 virCgroupSetBlkioWeight;
 virCgroupSetCpuShares;
index 43e903a999e06981d05d252f24ba85d49970fd55..7a8d3ee23a8c5026017265b5fd42a33147094113 100644 (file)
@@ -213,11 +213,13 @@ cleanup:
  * Log an audit message about an attempted cgroup device ACL change.
  */
 void
-qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
+qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
                 const char *reason, const char *extra, bool success)
 {
     char uuidstr[VIR_UUID_STRING_BUFLEN];
     char *vmname;
+    char *controller = NULL;
+    char *detail;
 
     virUUIDFormat(vm->def->uuid, uuidstr);
     if (!(vmname = virAuditEncode("vm", vm->def->name))) {
@@ -225,11 +227,18 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
         return;
     }
 
+    virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
+                              NULL, &controller);
+    detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller));
+
     VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
-              "resrc=cgroup reason=%s %s uuid=%s class=%s",
-              reason, vmname, uuidstr, extra);
+              "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
+              reason, vmname, uuidstr,
+              detail ? detail : "cgroup=?", extra);
 
     VIR_FREE(vmname);
+    VIR_FREE(controller);
+    VIR_FREE(detail);
 }
 
 /**
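Review bot: The added call to `virCgroupPathOfController` discards its return value, so a failed path lookup is silent and the audit record goes out with a placeholder instead of the controller path. If that best-effort behaviour is intended, say so at the call, for example `/* best effort: on failure controller stays NULL and the record is still emitted without the path */`, so that a reader of the log can explain the gap. Separately, `cgroup` was marked unused before and is now passed down to the cgroup code, so any caller that hands in NULL needs checking; neither the callers nor the callee's body are visible in this diff. The function begins in the previous hunk.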
index 8551acda0d9948a88bb59c863e77e1d41500d53c..46358ab5540a7fc9f8f6efcb3754d57b7249b9de 100644 (file)
@@ -254,10 +254,10 @@ static int virCgroupDetect(virCgroupPtr group)
 #endif
 
 
-static int virCgroupPathOfController(virCgroupPtr group,
-                                     int controller,
-                                     const char *key,
-                                     char **path)
+int virCgroupPathOfController(virCgroupPtr group,
+                              int controller,
+                              const char *key,
+                              char **path)
 {
     if (controller == -1) {
         int i;
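Review bot: Now that `virCgroupPathOfController` is no longer `static`, it needs a doc comment stating its contract, and none is added here or on the new prototype in src/util/cgroup.h. The new caller in qemuAuditCgroup passes NULL for `key` and releases `*path` with `VIR_FREE`, so the comment should state that `key` may be NULL, that `*path` is allocated for the caller to free, and what the return value means on failure. The body continues beyond this hunk, so whether `group` and `path` are checked for NULL cannot be confirmed from here; if they are not, `ATTRIBUTE_NONNULL` on the prototype would document the requirement.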
index d468cb30c65f8877d9223df6df38bcf58490c3ce..b3c5f27f2a754788ce0fd32fd644dc9fc7c3d8d5 100644 (file)
@@ -40,6 +40,11 @@ int virCgroupForDomain(virCgroupPtr driver,
                        virCgroupPtr *group,
                        int create);
 
+int virCgroupPathOfController(virCgroupPtr group,
+                              int controller,
+                              const char *key,
+                              char **path);
+
 int virCgroupAddTask(virCgroupPtr group, pid_t pid);
 
 int virCgroupSetBlkioWeight(virCgroupPtr group, unsigned int weight);