I hope this closes out my audit series. As promised in https://www.redhat.com/archives/libvir-list/2011-March/msg00415.html, here's the updated and tested network device auditing patches. This time, I've completed testing: in virt-manager, I attached a hypervisor default (non-virtio, so no /dev/vhost-net), then detached it, then attached a virtio interface in its place, and got the following audit messages:
type=VIRT_RESOURCE msg=audit(1299702937.924:81114): user pid=499 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=net reason=open vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 net='52:54:00:80:C6:06' path="/dev/net/tun" rdev=0A:C8: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299702937.928:81115): user pid=499 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=net reason=attach vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 old-net='?' new-net='52:54:00:80:C6:06': exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299702995.378:81117): user pid=499 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=net reason=detach vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 old-net='52:54:00:80:C6:06' new-net='?': exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299703012.919:81119): user pid=499 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=net reason=open vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 net='52:54:00:31:26:F9' path="/dev/net/tun" rdev=0A:C8: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299703012.919:81120): user pid=499 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=net reason=open vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 net='52:54:00:31:26:F9' path="/dev/vhost-net" rdev=0A:39: exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299703013.002:81121): user pid=499 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=net reason=attach vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 old-net='?' new-net='52:54:00:31:26:F9': exe="/home/dummy/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'

Changes in v3: rename the audit method to qemuAuditNetDevice, and insert audit points after all attempts to open a network device that might later be passed to a qemu -netdev; document why I didn't audit closeout of said fds

Eric Blake (2):
  qemu: support vhost in attach-interface
  audit: audit use of /dev/net/tun, /dev/tapN, /dev/vhost-net

 src/qemu/qemu_audit.c   | 41 ++++++++++++++++++++++++++++++++
 src/qemu/qemu_audit.h   |  5 ++++
 src/qemu/qemu_command.c | 43 ++++++++++++++++-----------------
 src/qemu/qemu_command.h | 14 ++++++++---
 src/qemu/qemu_hotplug.c | 60 ++++++++++++++++++++++++++++++++++++++++------
 5 files changed, 129 insertions(+), 34 deletions(-)

-- 
1.7.4

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
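As an added illustration (not part of this patch series or of libvirt's own code), a small parser for VIRT_RESOURCE records of the kind shown above: it rebuilds the per-VM open/attach/detach sequence and flags any attach whose MAC never had a preceding open record. The sample records are constructed in the same format as the post's output, with the subj and exe fields shortened.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the records quoted in the post (subj and
# exe fields shortened for width); serials, timestamps, uuid and MACs follow it.
SAMPLE = """\
type=VIRT_RESOURCE msg=audit(1299702937.924:81114): user pid=499 uid=0 auid=500 ses=1 msg='resrc=net reason=open vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 net='52:54:00:80:C6:06' path="/dev/net/tun" rdev=0A:C8: exe="lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299702937.928:81115): user pid=499 uid=0 auid=500 ses=1 msg='resrc=net reason=attach vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 old-net='?' new-net='52:54:00:80:C6:06': exe="lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299702995.378:81117): user pid=499 uid=0 auid=500 ses=1 msg='resrc=net reason=detach vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 old-net='52:54:00:80:C6:06' new-net='?': exe="lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299703012.919:81119): user pid=499 uid=0 auid=500 ses=1 msg='resrc=net reason=open vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 net='52:54:00:31:26:F9' path="/dev/net/tun" rdev=0A:C8: exe="lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299703012.919:81120): user pid=499 uid=0 auid=500 ses=1 msg='resrc=net reason=open vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 net='52:54:00:31:26:F9' path="/dev/vhost-net" rdev=0A:39: exe="lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_RESOURCE msg=audit(1299703013.002:81121): user pid=499 uid=0 auid=500 ses=1 msg='resrc=net reason=attach vm="fedora_12" uuid=51c6fc83-65a4-e627-b698-042b00145201 old-net='?' new-net='52:54:00:31:26:F9': exe="lt-libvirtd" hostname=? addr=? terminal=pts/0 res=success'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
TOKEN = re.compile(r"""([\w-]+)=('[^']*'|"[^"]*"|\S+)""")  # key=value, any quoting

def parse_record(line):
    """Flatten one audit record into a dict; the nested msg='...' is merged in."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    rest = m.group(4)
    i = rest.find("msg='")  # inner msg holds single-quoted values, so split by hand
    outer, inner = (rest, "") if i < 0 else (rest[:i], rest[i + 5:].rstrip("'"))
    for k, v in TOKEN.findall(outer) + TOKEN.findall(inner):
        rec[k] = v.strip("'\"")
    return rec

def net_timeline(log):
    """Per-VM list of (reason, mac, path) for resrc=net records, in serial order."""
    recs = [r for r in map(parse_record, log.splitlines()) if r and r.get("resrc") == "net"]
    mac_key = {"open": "net", "attach": "new-net", "detach": "old-net"}
    out = defaultdict(list)
    for r in sorted(recs, key=lambda r: r["serial"]):
        out[r["vm"]].append((r["reason"], r.get(mac_key.get(r["reason"], "net")), r.get("path")))
    return dict(out)

def unopened_attaches(timeline):
    """Attaches whose MAC had no earlier open record: a gap worth investigating."""
    bad = []
    for vm, events in timeline.items():
        opened = set()
        for reason, mac, _path in events:
            if reason == "open":
                opened.add(mac)
            elif reason == "attach" and mac not in opened:
                bad.append((vm, mac))
    return bad
```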