On 10.09.2014 16:20, Daniel P. Berrange wrote:
This series improves the performance of the polkit driver by switching from use of the pk-check command to the DBus APIs. As a convenient side effect, this means we are no longer vulnerable to CVE-2013-4311, on any polkit version, since we no longer need pk-check (which is what had the flaw).

In terms of performance, with access control checking turned on for all APIs, the time to list 100 VMs drops from 2.7 secs to 1 sec on my machine. To improve on this further, we would need to find a way to parallelize the issuing of DBus calls for each VM, instead of serializing the access checks.

Daniel P. Berrange (7):
  Add common API for doing polkit authentication
  Add typesafe APIs for virIdentity attributes
  Convert callers to use typesafe APIs for setting identity attrs
  Convert callers to use typesafe APIs for getting identity attrs
  Convert remote daemon & acl code to use polkit API
  Support passing dict by reference for dbus messages
  Convert polkit code to use DBus API instead of CLI helper

 cfg.mk                             |   3 +
 daemon/remote.c                    | 235 ++---------------------
 include/libvirt/virterror.h        |   2 +
 po/POTFILES.in                     |   2 +
 src/Makefile.am                    |   1 +
 src/access/viraccessdriverpolkit.c |  97 ++++------
 src/libvirt_private.syms           |  22 +++
 src/rpc/virnetserverclient.c       | 115 +++---------
 src/util/virdbus.c                 | 274 +++++++++++++++++++---------
 src/util/virerror.c                |   2 +
 src/util/viridentity.c             | 320 +++++++++++++++++++++++++++------
 src/util/viridentity.h             |  40 +++++
 src/util/virpolkit.c               | 255 ++++++++++++++++++++++++++
 src/util/virpolkit.h               |  34 ++++
 src/util/virstring.c               |  14 ++
 src/util/virstring.h               |   2 +
 tests/Makefile.am                  |   9 +-
 tests/virdbustest.c                | 218 +++++++++++++++++++++-
 tests/virpolkittest.c              | 360 +++++++++++++++++++++++++++++++++++++
 19 files changed, 1485 insertions(+), 520 deletions(-)
 create mode 100644 src/util/virpolkit.c
 create mode 100644 src/util/virpolkit.h
 create mode 100644 tests/virpolkittest.c

ACK series, but see my comment to 7/7.

Michal