From: Daniel P. Berrange
Date: Wed, 6 Mar 2013 14:56:49 +0000 (+0000)
Subject: Include pid namespace inode in LXC audit messages
X-Git-Tag: v1.0.4-rc1~135
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab1ef3bc6ced28d6796eb67151ef5a5328344827;p=thirdparty%2Flibvirt.git
Include pid namespace inode in LXC audit messages
To allow the efficient correlation of container audit messages with host hosts, include the pid namespace inode in audit messages.
---
diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c
index c00bd116c8..8cd522ab8a 100644
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@@ -649,7 +649,8 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
 void
 virDomainAuditInit(virDomainObjPtr vm,
- pid_t initpid)
+ pid_t initpid,
+ ino_t pidns)
 {
 char uuidstr[VIR_UUID_STRING_BUFLEN];
 char *vmname;
@@ -668,8 +669,9 @@ virDomainAuditInit(virDomainObjPtr vm,
 }
 VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_CONTROL, true,
- "virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld",
- virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid);
+ "virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld pid-ns=%lld",
+ virt, vmname, uuidstr, (long long)vm->pid, (long long)initpid,
+ (long long)pidns);
 VIR_FREE(vmname);
 }
diff --git a/src/conf/domain_audit.h b/src/conf/domain_audit.h
index 381fe37dc4..9486216801 100644
--- a/src/conf/domain_audit.h
+++ b/src/conf/domain_audit.h
@@ -32,7 +32,8 @@ void virDomainAuditStart(virDomainObjPtr vm,
 bool success)
 ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
 void virDomainAuditInit(virDomainObjPtr vm,
- pid_t pid)
+ pid_t pid,
+ ino_t pidns)
 ATTRIBUTE_NONNULL(1);
 void virDomainAuditStop(virDomainObjPtr vm,
 const char *reason)
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index a0c568e50c..0d5a070469 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
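Review bot: The new `pid-ns=%lld` field in the VIR_AUDIT call prints the unsigned `ino_t` through a `(long long)` cast, so an inode number with the top bit set would be logged as a negative value, and the lxc_process.c side of this same commit already formats its pid with `%llu` and an `(unsigned long long)` cast. Use the same form here: `"virt=%s op=init %s uuid=%s vm-pid=%lld init-pid=%lld pid-ns=%llu",` and `(unsigned long long)pidns);`. The surrounding pid fields keep `%lld` because `pid_t` is signed, so only the new field needs the change.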
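Review bot: The new `pidns` parameter on the `virDomainAuditInit` declaration in domain_audit.h is undocumented, so a caller cannot tell from the header what the value identifies or what to pass when it is not available; the LXC caller in this commit reads it from `/proc/<pid>/ns/pid` and passes 0 when that lookup fails. Add a comment above the declaration such as `/* pidns: inode of the init process's pid namespace, or 0 if the caller could not determine it */`. Stating the 0 convention in the header keeps other drivers that adopt this call from inventing a different "unknown" value in the audit stream.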
@@ -630,6 +630,36 @@ static void virLXCProcessMonitorExitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
 priv->stopReason,
 status);
 }
+static int
+virLXCProcessGetNsInode(pid_t pid,
+ const char *nsname,
+ ino_t *inode)
+{
+ char *path = NULL;
+ struct stat sb;
+ int ret = -1;
+
+ if (virAsprintf(&path, "/proc/%llu/ns/%s",
+ (unsigned long long)pid, nsname) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
+
+ if (stat(path, &sb) < 0) {
+ virReportSystemError(errno,
+ _("Unable to stat %s"), path);
+ goto cleanup;
+ }
+
+ *inode = sb.st_ino;
+ ret = 0;
+
+cleanup:
+ VIR_FREE(path);
+ return ret;
+}
+
+
 /* XXX a little evil */
 extern virLXCDriverPtr lxc_driver;
 static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED,
@@ -637,8 +667,19 @@ static void virLXCProcessMonitorInitNotify(virLXCMonitorPtr mon ATTRIBUTE_UNUSED
 virDomainObjPtr vm)
 {
 virLXCDomainObjPrivatePtr priv = vm->privateData;
+ ino_t inode;
+
 priv->initpid = initpid;
- virDomainAuditInit(vm, initpid);
+
+ if (virLXCProcessGetNsInode(initpid, "pid", &inode) < 0) {
+ virErrorPtr err = virGetLastError();
+ VIR_WARN("Cannot obtain pid NS inode for %llu: %s",
+ (unsigned long long)initpid,
+ err && err->message ? err->message : "");
+ virResetLastError();
+ inode = 0;
+ }
+ virDomainAuditInit(vm, initpid, inode);
 if (virDomainSaveStatus(lxc_driver->caps, lxc_driver->stateDir, vm) < 0)
 VIR_WARN("Cannot update XML with PID for LXC %s", vm->def->name);
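Review bot: `virLXCProcessGetNsInode` has no comment describing its contract, although it is the function that decides what ends up in the audit record; the body shows it builds `/proc/<pid>/ns/<nsname>`, `stat()`s it, stores `st_ino` in `*inode`, returns 0 on success and -1 after reporting an error via virReportOOMError/virReportSystemError. A short header comment stating exactly that, and that `*inode` is left untouched on failure, would let the caller's fallback be reviewed without reading the body. Worth adding to the comment too: only `st_ino` is captured, and a namespace is formally identified by the (st_dev, st_ino) pair, so this value is suitable for correlating log records but should not be used on its own to decide whether two processes share a namespace.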
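Review bot: In `virLXCProcessMonitorInitNotify`, when the namespace lookup fails the code substitutes `inode = 0;` and still emits the audit record, so the record carries `pid-ns=0` with nothing at this call site explaining that it is a placeholder rather than a real inode. Keeping the best-effort behaviour is reasonable, but the choice should be stated where it is made: `/* 0 is not a valid inode; audit consumers can treat pid-ns=0 as "unknown" */` above `inode = 0;`. The enclosing function starts before this hunk (its earlier parameters are above) and continues past its last line.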