From: Eric Blake
Date: Mon, 7 Mar 2011 23:41:40 +0000 (-0700)
Subject: audit: also audit cgroup controller path
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=f2512684ad5d68aba322d202e735d0992327a8f3;p=libvirt.git
audit: also audit cgroup controller path
Although the cgroup device ACL controller path can be worked out by researching the code, it is more efficient to include that information directly in the audit message.
* src/util/cgroup.h (virCgroupPathOfController): New prototype.
* src/util/cgroup.c (virCgroupPathOfController): Export.
* src/libvirt_private.syms: Likewise.
* src/qemu/qemu_audit.c (qemuAuditCgroup): Use it.
---
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index efcf3c5ec0..c0da78ec5a 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -79,6 +79,7 @@ virCgroupKill;
 virCgroupKillRecursive;
 virCgroupKillPainfully;
 virCgroupMounted;
+virCgroupPathOfController;
 virCgroupRemove;
 virCgroupSetBlkioWeight;
 virCgroupSetCpuShares;
diff --git a/src/qemu/qemu_audit.c b/src/qemu/qemu_audit.c
index 43e903a999..7a8d3ee23a 100644
--- a/src/qemu/qemu_audit.c
+++ b/src/qemu/qemu_audit.c
@@ -213,11 +213,13 @@ cleanup:
 * Log an audit message about an attempted cgroup device ACL change.
 */
 void
-qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
+qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup,
 const char *reason, const char *extra, bool success)
 {
 char uuidstr[VIR_UUID_STRING_BUFLEN];
 char *vmname;
+ char *controller = NULL;
+ char *detail;
 virUUIDFormat(vm->def->uuid, uuidstr);
 if (!(vmname = virAuditEncode("vm", vm->def->name))) {
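Review bot: In the first src/qemu/qemu_audit.c hunk, dropping `ATTRIBUTE_UNUSED` turns `cgroup` from an ignored argument into one that is handed to `virCgroupPathOfController()`, but nothing visible states that it must now be valid. The doc comment above the function (only its last line appears as context) should say so, for example `@cgroup: cgroup whose devices controller path is recorded; must not be NULL`, updating any existing entry for that parameter. The callers are outside this diff, so whether any of them passes NULL today cannot be confirmed from here; wrapping the lookup in `if (cgroup)` would keep the audit record emitted in that case. The function body continues into the next hunk.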
@@ -225,11 +227,18 @@ qemuAuditCgroup(virDomainObjPtr vm, virCgroupPtr cgroup ATTRIBUTE_UNUSED,
 return;
 }
+ virCgroupPathOfController(cgroup, VIR_CGROUP_CONTROLLER_DEVICES,
+ NULL, &controller);
+ detail = virAuditEncode("cgroup", VIR_AUDIT_STR(controller));
+
 VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
- "resrc=cgroup reason=%s %s uuid=%s class=%s",
- reason, vmname, uuidstr, extra);
+ "resrc=cgroup reason=%s %s uuid=%s %s class=%s",
+ reason, vmname, uuidstr,
+ detail ? detail : "cgroup=?", extra);
 VIR_FREE(vmname);
+ VIR_FREE(controller);
+ VIR_FREE(detail);
 }
 /**
diff --git a/src/util/cgroup.c b/src/util/cgroup.c
index 8551acda0d..46358ab554 100644
--- a/src/util/cgroup.c
+++ b/src/util/cgroup.c
@@ -254,10 +254,10 @@ static int virCgroupDetect(virCgroupPtr group)
 #endif
-static int virCgroupPathOfController(virCgroupPtr group,
- int controller,
- const char *key,
- char **path)
+int virCgroupPathOfController(virCgroupPtr group,
+ int controller,
+ const char *key,
+ char **path)
 {
 if (controller == -1) {
 int i;
diff --git a/src/util/cgroup.h b/src/util/cgroup.h
index d468cb30c6..b3c5f27f2a 100644
--- a/src/util/cgroup.h
+++ b/src/util/cgroup.h
@@ -40,6 +40,11 @@ int virCgroupForDomain(virCgroupPtr driver,
 virCgroupPtr *group,
 int create);
+int virCgroupPathOfController(virCgroupPtr group,
+ int controller,
+ const char *key,
+ char **path);
+
 int virCgroupAddTask(virCgroupPtr group, pid_t pid);
 int virCgroupSetBlkioWeight(virCgroupPtr group, unsigned int weight);
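Review bot: In the second src/qemu/qemu_audit.c hunk the return value of `virCgroupPathOfController()` is discarded, so the `cgroup=` field silently depends on `controller` still being NULL after a failed lookup. That looks intended, since `VIR_AUDIT_STR()` and the `"cgroup=?"` fallback suggest a placeholder is written, but it should be stated above the call, e.g. `/* Lookup failure is not fatal: controller stays NULL and the record carries a placeholder. */`. Whether the callee can set `*path` and still return an error is not visible in this diff, so that comment should be checked against its body. Passing the path through `virAuditEncode()`, which presumably escapes the value, rather than formatting it raw is the right choice for keeping an unusual path from altering the field layout of the audit record.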
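Review bot: In src/util/cgroup.c, removing `static` makes `virCgroupPathOfController()` callable from other modules, and the src/util/cgroup.h hunk publishes the prototype, yet neither place documents the contract. From this diff a reader can only infer that `key` may be NULL, that `controller == -1` is treated specially, and that `*path` is allocated for the caller to release with `VIR_FREE()`; a doc comment above the definition stating those points and the return convention would make them explicit. The body continues past the hunk, so it is not visible whether a NULL `group` or an out-of-range `controller` is rejected before being used. Now that callers outside the file exist, that validation is worth confirming.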