From: Martin Kletzander
Subject: Re: What fields should be used for reporting shared memory?
Date: Mon, 20 Mar 2017 12:36:14 +0100
Message-ID: <20170320113614.GS6248@wheatley>
In-Reply-To: <1547121.n0WsK5LWQM@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

On Thu, Mar 16, 2017 at 09:04:52PM -0400, Steve Grubb wrote:
>Hello,
>
>I apologize for the delay.
>
>On Tuesday, March 14, 2017 7:42:27 AM EDT Martin Kletzander wrote:
>> I am going through the fields in the dictionary and I can't find any
>> name to use for the following scenario.
>>
>> We (libvirt) are running virtual machines and there's a thing nowadays,
>> that people like to use, called ivshmem (Inter-VM SHared MEMory). From
>> the host's point of view this is just a shared memory region accessed by
>> multiple VMs (and possibly the host as well). The machine maps the
>> shared memory given a name (e.g. name "asdf" results in /dev/shm/asdf
>> being mapped) *or* it can communicate with a server over a UNIX socket and
>> that server handles interrupts and also tells the client which shared
>> memory region to map.
>
>If both of these result in a path, then I think we want to log it as a
>resource event.
>

Yes, and they both are resources in that sense. So you are talking
particularly about the resrc= field?
Should that also have category and class or anything else set? Or do you
mean we report the path in the resrc= field?

>> Talking about information we have; in a server-less
>> setup it's the shared memory region that is shared, in the server
>> scenario it is the socket. That's information we can output.
>
>Above you mentioned that the server communicates which region to map. Can you
>explain what that means?
>

The server sends a file descriptor to the VM over the socket; details can
be found here:

http://git.qemu-project.org/?p=qemu.git;a=blob;f=docs/specs/ivshmem-spec.txt#l151

>> So my question is, when starting a domain or hot-(un)plugging, what
>> naming should we use for this kind of device and what are the things
>> that we should describe about it? Basically, how would you like the
>> message to look?
>
>We need a record recording what is getting assigned to the VM. In the case of
>the /dev/shm, you can record that as a path which must be escaped. In the case
>of the server, I think we still need to understand what is happening. Just
>recording a socket number or path is not terribly useful in reconstructing the
>resources given to the VM.
>
>Audit events have to tell a story. There is a subject, object, action, and
>results. It kind of needs to be a sentence. "libvirtd successfully assigned
>____ to vm-name."
>
>-Steve
>
>> Thanks in advance for any info.
>>
>> Have a nice day,
>> Martin
>
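The two technical points in the exchange above, the ivshmem server handing the client a file descriptor over the UNIX socket and Steve's remark that the path has to be escaped when it goes into the record, as an added example that is not part of the thread and is not libvirt, QEMU or audit-userspace code. It passes a descriptor with SCM_RIGHTS over a socketpair and checks the client really received the server's region (same inode), and it reimplements the value-escaping convention the audit user-space library uses: a value is quoted if every byte is printable ASCII and not a double quote, otherwise the raw bytes are emitted as upper-case hex. The region is a constructed /tmp file rather than something under /dev/shm, the sample region names are constructed, and the field set printed by main() (virt=, resrc=, reason=, vm=, path=) is an assumption about what such a record might look like, not the layout libvirt settled on.

```c
/* Added example; not libvirt, QEMU or audit-userspace code. The ivshmem
 * server case above: the client receives the region as a file descriptor
 * over a UNIX socket (SCM_RIGHTS), so the socket path alone does not say
 * which region was shared. A region path then goes into an audit field with
 * the escaping rule the audit user-space library applies to untrusted values
 * (reimplemented here); the field names in main() are assumptions. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>

/* name=value as audit records carry it: quoted if every byte is printable
 * ASCII other than '"', else upper-case hex of the raw bytes, so a crafted
 * region name cannot inject fields such as res=success. Caller frees. */
char *audit_encode_nv(const char *name, const char *value)
{
    static const char hex[] = "0123456789ABCDEF";
    const unsigned char *v = (const unsigned char *)value;
    size_t i, nlen = strlen(name), vlen = strlen(value);
    int needs_hex = 0;
    for (i = 0; i < vlen; i++)
        if (v[i] == '"' || v[i] < 0x21 || v[i] > 0x7e) needs_hex = 1;
    char *out = malloc(nlen + 2 * vlen + 4), *p = out;
    if (!out) return NULL;
    p += sprintf(p, "%s=", name);
    if (!needs_hex) { sprintf(p, "\"%s\"", value); return out; }
    for (i = 0; i < vlen; i++) { *p++ = hex[v[i] >> 4]; *p++ = hex[v[i] & 15]; }
    *p = '\0';
    return out;
}

/* Pass one descriptor as SCM_RIGHTS ancillary data with a one-byte payload. */
int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg); memset(&u, 0, sizeof u);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive it; -1 unless exactly one SCM_RIGHTS descriptor arrived. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    int fd;
    memset(&msg, 0, sizeof msg); memset(&u, 0, sizeof u);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* "Server" creates the region (a constructed /tmp file so this runs anywhere;
 * ivshmem uses /dev/shm); "client" receives it over a socketpair. 1 if the
 * received descriptor refers to the same inode as the original. */
int fd_passing_roundtrip(void)
{
    char tmpl[] = "/tmp/ivshmem-example-XXXXXX";
    int sv[2], region, got = -1, ok = 0;
    struct stat a, b;
    if ((region = mkstemp(tmpl)) < 0) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        if (send_fd(sv[0], region) == 0 && (got = recv_fd(sv[1])) >= 0) {
            ok = fstat(region, &a) == 0 && fstat(got, &b) == 0 &&
                 a.st_dev == b.st_dev && a.st_ino == b.st_ino;
            close(got);
        }
        close(sv[0]); close(sv[1]);
    }
    close(region); unlink(tmpl);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a plain name and one chosen to forge a field. */
    char *plain = audit_encode_nv("path", "/dev/shm/asdf");
    char *nasty = audit_encode_nv("path", "/dev/shm/asdf\" res=success vm=\"x");
    printf("fd passing %s; records:\n", fd_passing_roundtrip() ? "ok" : "failed");
    printf("virt=kvm resrc=shmem reason=start vm=\"guest1\" %s res=success\n", plain);
    printf("virt=kvm resrc=shmem reason=start vm=\"guest1\" %s res=success\n", nasty);
    free(plain); free(nasty);
    return 0;
}
```

Build with `cc -Wall -o ivshmem-audit example.c` and run it. The second record shows why the escaping matters: a region name containing a quote or a space would otherwise let whoever names the device write their own `res=` or `vm=` field into the log, whereas the hex form keeps the whole name inside one field. On the fd-passing side, note that only the process that receives the descriptor (QEMU in the ivshmem setup, not libvirtd) can tell which region it got, which is what makes the socket path by itself a poor thing to record.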