1389013 – libvirt must audit resource information about ivshmem

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1389013 - libvirt must audit resource information about ivshmem

Summary: libvirt must audit resource information about ivshmem

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kletzander
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	1218603
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-26 16:29 UTC by Jaroslav Reznik
Modified:	2016-12-06 17:11 UTC (History)
CC List:	16 users (show)
Fixed In Version:	libvirt-2.0.0-10.el7_3.1
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:	1218603
Environment:
Last Closed:	2016-12-06 17:11:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2885	0	normal	SHIPPED_LIVE	libvirt bug fix update	2016-12-06 22:01:23 UTC

Description Jaroslav Reznik 2016-10-26 16:29:03 UTC

This bug has been copied from bug #1218603 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 7 Steve Grubb 2016-11-03 13:57:06 UTC

It would also be nice to see the event to make sure it conforms to the coding guidelines:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events
https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

Comment 8 Martin Kletzander 2016-11-04 10:34:37 UTC

(In reply to Steve Grubb from comment #7)
Example can look like this:

  virt=hvm resrc=shmem reason=start vm_name uuid=vm_uuid size=4096 shmem=name server=/path/to/server.socket_if_there_is_any

This is the same as for other resources, so if this is wrong, all other auditing libvirt does is most likely wrong as well.  So I hope it's not.

Comment 10 Steve Grubb 2016-11-04 10:55:40 UTC

There has to be agreement on the field names. We keep a field name dictionary so that people don't invent new names for the same thing, or use a name that's already taken for something else.

The server field may need some checking on, it may be taken by systemd. Also, is it escaped? The text above shows it not. Anything escaped also has to be reconciled in auparse so that it knows how to interpret the field.

Comment 12 Luyao Huang 2016-11-09 08:31:39 UTC

Verify this bug with libvirt-2.0.0-10.el7_3.1.x86_64:

1. start a guest with ivshmem + ivshmem-plain + ivshmem-doorbell device:

# virsh dumpxml r7
...
    <shmem name='my_shmem1'>
      <model type='ivshmem-plain'/>
      <size unit='M'>4</size>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
    </shmem>
    <shmem name='my_shmem2'>
      <model type='ivshmem-doorbell'/>
      <server path='/tmp/ivshmem_socket'/>
      <msi ioeventfd='on'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </shmem>
    <shmem name='my_shmem3'>
      <model type='ivshmem'/>
      <size unit='M'>4</size>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0d' function='0x0'/>
    </shmem>
...

# virsh start r7
error: Failed to start domain r7
error: internal error: qemu unexpectedly closed the monitor: 2016-11-09T08:07:32.255700Z qemu-kvm: warning: CPU(s) not present in any NUMA nodes: 6 7 8 9
2016-11-09T08:07:32.256038Z qemu-kvm: warning: All CPU(s) up to maxcpus should be described in NUMA config
2016-11-09T08:07:32.331327Z qemu-kvm: -device ivshmem-doorbell,id=shmem1,chardev=charshmem1,ioeventfd=on,bus=pci.0,addr=0x7: Parameter 'driver' expects pluggable device type


2. check audit log

type=VIRT_RESOURCE msg=audit(1478678852.598:2574): pid=31571 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=shmem reason=start vm="r7" uuid=67c7a123-5415-4136-af62-a2ee098ba6cd size=4194304 shmem="my_shmem1" server="?" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1478678852.598:2575): pid=31571 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=shmem reason=start vm="r7" uuid=67c7a123-5415-4136-af62-a2ee098ba6cd size=0 shmem="my_shmem2" server="/tmp/ivshmem_socket" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1478678852.598:2576): pid=31571 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=shmem reason=start vm="r7" uuid=67c7a123-5415-4136-af62-a2ee098ba6cd size=4194304 shmem="my_shmem3" server="?" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

3. attach a ivshmem-plain device on a running guest:

# virsh attach-device r7 ivshmem.xml 
Device attached successfully

4. check audit log:

type=VIRT_RESOURCE msg=audit(1478679225.185:2608): pid=31571 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=shmem reason=attach vm="r7" uuid=67c7a123-5415-4136-af62-a2ee098ba6cd size=4194304 shmem="my_shmem1" server="?" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

5. attach a ivshmem-doorbell device on a running guest and will get failure:


# virsh attach-device r7 ivshmem-db.xml 
error: Failed to attach device from ivshmem-db.xml
error: internal error: unable to execute QEMU command 'device_add': Parameter 'driver' expects pluggable device type

6. check audit log

type=VIRT_RESOURCE msg=audit(1478679939.991:2679): pid=730 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=shmem reason=attach vm="r7" uuid=67c7a123-5415-4136-af62-a2ee098ba6cd size=0 shmem="my_shmem2" server="/tmp/ivshmem_socket" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'

7. detach a ivshmem-plain device:

# cat ivshmem.xml 
    <shmem name='my_shmem1'>
<model type='ivshmem-plain'/>
      <size unit='M'>4</size>
    </shmem>

# virsh detach-device r7 ivshmem.xml
Device detached successfully

8. check audit log

type=VIRT_RESOURCE msg=audit(1478680132.736:2788): pid=1138 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=shmem reason=detach vm="r7" uuid=67c7a123-5415-4136-af62-a2ee098ba6cd size=4194304 shmem="my_shmem1" server="?" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Comment 13 Martin Kletzander 2016-11-09 09:31:57 UTC

(In reply to Steve Grubb from comment #10)
So the only things that were thought of were "shmem" and "server" that are not in the dictionary.  That documentation is not really self-explanatory.  The only things names that could possibly be used are device (for the device/shared memory region name) and file (the server socket it connects to), but it would be really confusing to use that when it's probably used for another info already.

Comment 15 errata-xmlrpc 2016-12-06 17:11:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2885.html

Note You need to log in before you can comment on or make changes to this bug.