checkpoint: add audit support

src/nm-audit-manager.c

@@ -261,7 +261,7 @@ _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, gui
 }
 
 void
-_nm_audit_manager_log_control_op (NMAuditManager *self, const char *file, guint line,
+_nm_audit_manager_log_generic_op (NMAuditManager *self, const char *file, guint line,
                                   const char *func, const char *op, const char *arg,
                                   gboolean result, gpointer subject_context,
                                   const char *reason)

src/nm-audit-manager.h

@@ -64,6 +64,10 @@ typedef struct {
 #define NM_AUDIT_OP_DEVICE_MANAGED          "device-managed"
 #define NM_AUDIT_OP_DEVICE_REAPPLY          "device-reapply"
 
+#define NM_AUDIT_OP_CHECKPOINT_CREATE       "checkpoint-create"
+#define NM_AUDIT_OP_CHECKPOINT_ROLLBACK     "checkpoint-rollback"
+#define NM_AUDIT_OP_CHECKPOINT_DESTROY      "checkpoint-destroy"
+
 GType nm_audit_manager_get_type (void);
 NMAuditManager *nm_audit_manager_get (void);
 gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);
@@ -84,7 +88,7 @@ gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);
 		NMAuditManager *_audit = nm_audit_manager_get (); \
 		\
 		if (nm_audit_manager_audit_enabled (_audit)) { \
-			_nm_audit_manager_log_control_op (_audit, __FILE__, __LINE__, G_STRFUNC, \
+			_nm_audit_manager_log_generic_op (_audit, __FILE__, __LINE__, G_STRFUNC, \
 			                                  (op), (arg), (result), (subject_context), (reason)); \
 		} \
 	} G_STMT_END
@@ -99,18 +103,29 @@ gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);
 		} \
 	} G_STMT_END
 
+#define nm_audit_log_checkpoint_op(op, arg, result, subject_context, reason) \
+	G_STMT_START { \
+		NMAuditManager *_audit = nm_audit_manager_get (); \
+		\
+		if (nm_audit_manager_audit_enabled (_audit)) { \
+			_nm_audit_manager_log_generic_op (_audit, __FILE__, __LINE__, G_STRFUNC, \
+			                                  (op), (arg), (result), (subject_context), (reason)); \
+		} \
+	} G_STMT_END
+
 void _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, guint line,
                                           const char *func, const char *op, NMSettingsConnection *connection,
                                           gboolean result, const char *args, gpointer subject_context,
                                           const char *reason);
 
-void _nm_audit_manager_log_control_op    (NMAuditManager *self, const char *file, guint line,
+void _nm_audit_manager_log_generic_op    (NMAuditManager *self, const char *file, guint line,
                                           const char *func, const char *op, const char *arg,
                                           gboolean result, gpointer subject_context, const char *reason);
 
 void _nm_audit_manager_log_device_op     (NMAuditManager *self, const char *file, guint line,
                                           const char *func, const char *op, NMDevice *device,
                                           gboolean result, gpointer subject_context, const char *reason);
+
 G_END_DECLS
 
 #endif /* __NM_AUDIT_MANAGER_H__ */

src/nm-manager.c

@@ -5144,17 +5144,22 @@ checkpoint_auth_done_cb (NMAuthChain *chain,
 {
 	NMManager *self = NM_MANAGER (user_data);
 	NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
-	char *op, *checkpoint_path, **devices;
+	char *op, *checkpoint_path = NULL, **devices;
 	NMCheckpoint *checkpoint;
 	NMAuthCallResult result;
 	guint32 timeout, flags;
 	GVariant *variant = NULL;
 	GError *error = NULL;
+	const char *arg = NULL;
 
-	op = nm_auth_chain_get_data (chain, "op");
+	op = nm_auth_chain_get_data (chain, "audit-op");
 	priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
 	result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK);
 
+	if (   nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_DESTROY)
+	    || nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_ROLLBACK))
+		arg = checkpoint_path = nm_auth_chain_get_data (chain, "checkpoint_path");
+
 	if (auth_error) {
 		error = g_error_new (NM_MANAGER_ERROR,
 		                     NM_MANAGER_ERROR_PERMISSION_DENIED,
@@ -5165,7 +5170,7 @@ checkpoint_auth_done_cb (NMAuthChain *chain,
 		                             NM_MANAGER_ERROR_PERMISSION_DENIED,
 		                             "Not authorized to checkpoint/rollback");
 	} else {
-		if (nm_streq0 (op, "create")) {
+		if (nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_CREATE)) {
 			timeout = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "timeout"));
 			flags = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "flags"));
 			devices = nm_auth_chain_get_data (chain, "devices");
@@ -5176,28 +5181,28 @@ checkpoint_auth_done_cb (NMAuthChain *chain,
 			                                           (NMCheckpointCreateFlags) flags,
 			                                           &error);
 			if (checkpoint) {
-				NMExportedObject *exported;
-
-				exported = NM_EXPORTED_OBJECT (checkpoint);
-				variant = g_variant_new ("(o)", nm_exported_object_get_path (exported));
+				arg = nm_exported_object_get_path (NM_EXPORTED_OBJECT (checkpoint));
+				variant = g_variant_new ("(o)", arg);
 			}
-		} else if (nm_streq0 (op, "destroy")) {
-			checkpoint_path = nm_auth_chain_get_data (chain, "checkpoint_path");
+		} else if (nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_DESTROY)) {
 			nm_checkpoint_manager_destroy (_checkpoint_mgr_get (self, TRUE),
 			                               checkpoint_path, &error);
-		} else if (nm_streq0 (op, "rollback")) {
-			checkpoint_path = nm_auth_chain_get_data (chain, "checkpoint_path");
+		} else if (nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_ROLLBACK)) {
 			nm_checkpoint_manager_rollback (_checkpoint_mgr_get (self, TRUE),
 			                                checkpoint_path, &variant, &error);
 		} else
 			g_return_if_reached ();
 	}
 
+	nm_audit_log_checkpoint_op (op, arg ?: "", !error, nm_auth_chain_get_subject (chain),
+	                            error ? error->message : NULL);
+
 	if (error)
 		g_dbus_method_invocation_take_error (context, error);
 	else
 		g_dbus_method_invocation_return_value (context, variant);
 
+
 	nm_auth_chain_unref (chain);
 }
 
@@ -5226,7 +5231,7 @@ impl_manager_checkpoint_create (NMManager *self,
 	}
 
 	priv->auth_chains = g_slist_append (priv->auth_chains, chain);
-	nm_auth_chain_set_data (chain, "op", "create", NULL);
+	nm_auth_chain_set_data (chain, "audit-op", NM_AUDIT_OP_CHECKPOINT_CREATE, NULL);
 	nm_auth_chain_set_data (chain, "devices", g_strdupv ((char **) devices), (GDestroyNotify) g_strfreev);
 	nm_auth_chain_set_data (chain, "flags",  GUINT_TO_POINTER (flags), NULL);
 	nm_auth_chain_set_data (chain, "timeout", GUINT_TO_POINTER (rollback_timeout), NULL);
@@ -5255,7 +5260,7 @@ impl_manager_checkpoint_destroy (NMManager *self,
 	}
 
 	priv->auth_chains = g_slist_append (priv->auth_chains, chain);
-	nm_auth_chain_set_data (chain, "op", "destroy", NULL);
+	nm_auth_chain_set_data (chain, "audit-op", NM_AUDIT_OP_CHECKPOINT_DESTROY, NULL);
 	nm_auth_chain_set_data (chain, "checkpoint_path", g_strdup (checkpoint_path), g_free);
 	nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK, TRUE);
 }
@@ -5282,7 +5287,7 @@ impl_manager_checkpoint_rollback (NMManager *self,
 	}
 
 	priv->auth_chains = g_slist_append (priv->auth_chains, chain);
-	nm_auth_chain_set_data (chain, "op", "rollback", NULL);
+	nm_auth_chain_set_data (chain, "audit-op", NM_AUDIT_OP_CHECKPOINT_ROLLBACK, NULL);
 	nm_auth_chain_set_data (chain, "checkpoint_path", g_strdup (checkpoint_path), g_free);
 	nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK, TRUE);
 }