On Fri, Mar 30, 2012 at 10:30:01AM -0400, Laine Stump wrote:
> On 03/30/2012 06:25 AM, Daniel P. Berrange wrote:
> > On Fri, Mar 30, 2012 at 03:13:31AM -0400, Laine Stump wrote:
> >> On 03/29/2012 05:52 PM, Daniel P. Berrange wrote:
> >>> On Thu, Mar 29, 2012 at 04:38:50PM -0400, Laine Stump wrote:
> >>>> +    if (oldbridge &&
> >>>> +        virNetDevBridgeRemovePort(oldbridge, olddev->ifname) < 0) {
> >>>> +        return -1;
> >>>> +    }
> >>>> +    if (virNetDevBridgeAddPort(newbridge, olddev->ifname) < 0) {
> >>>> +        if (virNetDevBridgeAddPort(oldbridge, olddev->ifname) < 0) {
> >>>> +            qemuReportError(VIR_ERR_OPERATION_FAILED,
> >>>> +                            _("unable to recover former state by adding 
> >>>> port"
> >>>> +                              "to bridge %s"), oldbridge);
> >>>> +        }
> >>>> +        return -1;
> >>>> +    }
> >>> I think you need to emit 2 audit notifications here, one for the bridge
> >>> being removed and one for the bridge being added.
> >> That does sound like a good idea, but the current virDomainAuditNet()
> >> function only reports MAC address, and virDomainAuditNetDevice() only
> >> reports "/dev/net/tun" - neither of them gives any information about the
> >> name of tap device or which bridge it is being attached to.
> >>
> >> Right now, here are the audit messages that are logged when I do a full
> >> device detach/attach of a network device:
> >>
> >> type=VIRT_RESOURCE msg=audit(1333090567.694:1051): pid=0 uid=0
> >> auid=4294967295 ses=4294967295
> >> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net
> >> reason=detach vm="F14" uuid=de3aa186-be64-088e-b64a-a1a03e023ffd
> >> old-net=52:54:00:00:01:81 new-net=?: exe="/usr/sbin/libvirtd" hostname=?
> >> addr=? terminal=? res=success'
> >>
> >> type=VIRT_RESOURCE msg=audit(1333090573.195:1053): pid=0 uid=0
> >> auid=4294967295 ses=4294967295
> >> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net
> >> reason=open vm="F14" uuid=de3aa186-be64-088e-b64a-a1a03e023ffd
> >> net=52:54:00:00:01:81 path="/dev/net/tun" rdev=0A:C8:
> >> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >> type=VIRT_RESOURCE msg=audit(1333090573.196:1054): pid=0 uid=0
> >> auid=4294967295 ses=4294967295
> >> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net
> >> reason=open vm="F14" uuid=de3aa186-be64-088e-b64a-a1a03e023ffd
> >> net=52:54:00:00:01:81 path="/dev/vhost-net" rdev=0A:EE:
> >> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >> type=VIRT_RESOURCE msg=audit(1333090574.092:1055): pid=0 uid=0
> >> auid=4294967295 ses=4294967295
> >> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net
> >> reason=attach vm="F14" uuid=de3aa186-be64-088e-b64a-a1a03e023ffd
> >> old-net=? new-net=52:54:00:00:01:81: exe="/usr/sbin/libvirtd" hostname=?
> >> addr=? terminal=? res=success'
> >>
> >> It does a good job of telling me the MAC address that's going to be used
> >> by the domain, but nothing about how it's connected to the network.
> > Hmm, this seems flawed to me.  The intent of the auditing code we added
> > was to provide information about any host resource that the VM is
> > associated with. So I'm really surprised we're not providing any info
> > about the host network interface. I suspect this should be fixed.
> >
> >> If we're staying within the current boundaries of reporting, is there
> >> really value in logging a pair of messages that are ultimately just
> >> telling us that the same mac address was detached then immediately
> >> reattached, but not saying anything about what it was connected to?
> >> Alternately, if we're going to start reporting about changes in network
> >> connection, shouldn't we also be reporting what those connections are to
> >> begin with? (I think that's a change in scope of what's being audited,
> >> and requires a separate patch if we decide we want to do that).
> > I think we should still audit this change, even though current audit
> > rules appear broken.
> 
> Okay. Would the patch I've attached here be adequate? If so, I'll squash
> it into the rest of the patch.
> 
> Beyond that, to fix the problem of general inadequacy in the current
> audits, would it be enough to add tap device and bridge names to the
> current attach and detach log messages? Or is the audit message format
> very strict, and we would need to do a separate log message for tap
> device and for bridge device?

> From 3b277f2c2138b98145d6b5e18c844be5d43b8b29 Mon Sep 17 00:00:00 2001
> From: Laine Stump <la...@laine.org>
> Date: Fri, 30 Mar 2012 10:13:37 -0400
> Subject: [PATCH] qemu: add audit logs when switching bridges
> 
> This adds in a standard audit log for detaching and attaching a
> network device when the bridge being used is changed.
> 
> The discussion about this led to the idea that the audit logs being
> generated are insufficient, since they don't say anything about which
> tap device is used, nor about which bridge it is attached to, but that
> should be fixed by a separate patch, and this gets the current patch
> properly wired into the infrastructure.
> ---
>  src/qemu/qemu_hotplug.c |    8 +++++---
>  1 files changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
> index 66837c4..7699e9d 100644
> --- a/src/qemu/qemu_hotplug.c
> +++ b/src/qemu/qemu_hotplug.c
> @@ -1194,7 +1194,8 @@ static virDomainNetDefPtr 
> qemuDomainFindNet(virDomainObjPtr vm,
>  }
>  
>  static
> -int qemuDomainChangeNetBridge(virDomainNetDefPtr olddev,
> +int qemuDomainChangeNetBridge(virDomainObjPtr vm,
> +                              virDomainNetDefPtr olddev,
>                                virDomainNetDefPtr newdev)
>  {
>      const char *oldbridge = olddev->data.bridge.brname;
> @@ -1221,9 +1222,11 @@ int qemuDomainChangeNetBridge(virDomainNetDefPtr 
> olddev,
>          }
>          return -1;
>      }
> +    virDomainAuditNet(vm, NULL, olddev, "detach", true);

This needs to be moved up, otherwise if we successfully detach, but
fail to attach we'll not emit the audit message. Also we I think
we should log "detach", false  if detaching fails, and likewise
'attach', false' if attaching fails

>      VIR_FREE(olddev->data.bridge.brname);
>      olddev->data.bridge.brname = newdev->data.bridge.brname;
>      newdev->data.bridge.brname = NULL;
> +    virDomainAuditNet(vm, NULL, olddev, "attach", true);
>      return 0;
>  }
>  

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to