From: Steve Grubb
Subject: Re: What fields should be used for reporting shared memory?
Date: Thu, 16 Mar 2017 21:04:52 -0400
Message-ID: <1547121.n0WsK5LWQM@x2>
References: <20170314114227.GB6248@wheatley>
In-Reply-To: <20170314114227.GB6248@wheatley>
To: linux-audit@redhat.com
Cc: Martin Kletzander
List-Id: linux-audit@redhat.com

Hello,

I apologize for the delay.

On Tuesday, March 14, 2017 7:42:27 AM EDT Martin Kletzander wrote:
> I am going through the fields in the dictionary and I can't find any
> name to use for the following scenario.
>
> We (libvirt) are running virtual machines and there's a thing nowadays,
> that people like to use, called ivshmem (Inter-VM SHared MEMory). From
> the host's point of view this is just a shared memory region accessed by
> multiple VMs (and possibly by the host as well). The machine maps the
> shared memory given a name (e.g. the name "asdf" results in /dev/shm/asdf
> being mapped) *or* it can communicate with a server over a UNIX socket and
> that server handles interrupts and also tells the client which shared
> memory region to map.

If both of these result in a path, then I think we want to log it as a
resource event.

> Talking about information we have; in the server-less
> setup it's the shared memory region that is shared, in the server
> scenario it is the socket. That's information we can output.

Above you mentioned that the server communicates which region to map. Can
you explain what that means?

> So my question is, when starting a domain or hot-(un)plugging, what
> naming should we use for this kind of device and what are the things
> that we should describe about it? Basically, how would you like the
> message to look?
We need a record recording what is getting assigned to the VM. In the case
of /dev/shm, you can record that as a path, which must be escaped. In the
case of the server, I think we still need to understand what is happening.
Just recording a socket number or path is not terribly useful in
reconstructing the resources given to the VM.

Audit events have to tell a story. There is a subject, object, action, and
results. It kind of needs to be a sentence. "libvirtd successfully assigned
____ to vm-name."

-Steve

> Thanks in advance for any info.
>
> Have a nice day,
> Martin
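A worked illustration of the record shape Steve asks for (subject, object, action, result, with the /dev/shm path escaped), added here as an example; it is not part of this thread, of libvirt, or of libaudit. The field names (`resrc`, `reason`, `path`, `res`) are assumed for illustration only, and the escaping rule is a reimplementation modeled on libaudit's `audit_encode_nv_string` behaviour rather than a call into that library.

```python
"""Build an audit-style resource record for an ivshmem assignment."""


def needs_hex_encoding(raw: bytes) -> bool:
    """Reimplementation (assumption, modeled on libaudit) of the rule that
    decides whether a field value may be written as a plain quoted string:
    any byte below 0x21 (control characters and space), the double quote
    (0x22) or a non-ASCII byte forces hex encoding."""
    return any(b < 0x21 or b == 0x22 or b >= 0x80 for b in raw)


def encode_field(name: str, value: str) -> str:
    """Render name=value: safe values are double-quoted, unsafe values are
    emitted as uppercase hex with no quotes, so a region name containing a
    space or a quote cannot change where the record's fields begin and end."""
    raw = value.encode("utf-8", "surrogateescape")
    if needs_hex_encoding(raw):
        return f"{name}={raw.hex().upper()}"
    return f'{name}="{value}"'


def ivshmem_record(vm_name: str, vm_uuid: str, shm_name: str,
                   success: bool, reason: str = "start") -> str:
    """One record telling the story 'libvirtd assigned <path> to <vm>'.

    Subject: libvirtd (the kernel adds pid/uid/exe to the message header).
    Object:  the shared-memory path the guest maps, /dev/shm/<name>.
    Action:  the reason field (start, attach, detach).
    Result:  res=success or res=failed.
    Field names are illustrative assumptions, not libvirt's real ones."""
    shm_path = "/dev/shm/" + shm_name      # the server-less case from the thread
    fields = [
        "virt=kvm",                        # constructed sample hypervisor tag
        "resrc=shmem",                     # hypothetical resource kind
        encode_field("reason", reason),
        encode_field("vm", vm_name),
        "uuid=" + vm_uuid,                 # UUIDs never need escaping
        encode_field("path", shm_path),    # the escaped object
        "res=" + ("success" if success else "failed"),
    ]
    return " ".join(fields)


if __name__ == "__main__":
    # Constructed sample input: the region name "asdf" from the thread and a
    # name with a space, which must come out hex-encoded.
    print(ivshmem_record("vm-name", "00000000-0000-0000-0000-000000000000", "asdf", True))
    print(ivshmem_record("vm-name", "00000000-0000-0000-0000-000000000000", "a b", False))
```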