[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 0/3] more cgroup ACL audit improvements



Based on some feedback from Steve Grubb, Stephan Mueller, and others
(unfortunately most of it on some non-public lists), I'm proposing the
following patches to enhance my earlier audits for device cgroup ACLs.

Pre-patch, cgroup audits looked like:

type=VIRT_RESOURCE msg=audit(1298068194.479:83142): user pid=23863 uid=0 auid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=deny vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 item=all: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1298068194.480:83143): user pid=23863 uid=0 auid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 item=major type="pty": exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1298068194.480:83145): user pid=23863 uid=0 auid=500 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 item=file path="/dev/null": exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

Post-patch, the same three audits are modified to include cgroup
controller, rdev information for files, major device number for
categories, and better names so as not to collide with well-known
audit field names (for example, audit libraries expect item= to match
a decimal integer, so I used class= instead).

type=VIRT_RESOURCE msg=audit(1299541864.111:78295): user pid=30632 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=deny vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 cgroup="/cgroup/devices/libvirt/qemu/fedora_12/" class=all: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299541864.112:78296): user pid=30632 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 cgroup="/cgroup/devices/libvirt/qemu/fedora_12/" class=major category=pty maj=88: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299541864.112:78297): user pid=30632 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 cgroup="/cgroup/devices/libvirt/qemu/fedora_12/" class=path path=/dev/null rdev=01:03: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

Eric Blake (3):
  audit: tweak audit messages to match conventions
  audit: split cgroup audit types to allow more information
  audit: also audit cgroup controller path

 src/libvirt_private.syms |    1 +
 src/qemu/qemu_audit.c    |  115 ++++++++++++++++++++++++++++++++++++++++------
 src/qemu/qemu_audit.h    |   14 +++++-
 src/qemu/qemu_cgroup.c   |   29 ++++++------
 src/qemu/qemu_driver.c   |    8 ++--
 src/util/cgroup.c        |    8 ++--
 src/util/cgroup.h        |    5 ++
 7 files changed, 142 insertions(+), 38 deletions(-)

-- 
1.7.4


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]