[libvirt] [PATCH 0/7] Improve performance of polkit checks

Daniel P. Berrange berrange at redhat.com
Wed Sep 10 14:20:53 UTC 2014


This series improves the performance of the polkit driver by
switching from use of the pk-check command, to the DBus APIs.
As a convenient side effect, this means we are no longer
vulnerable to CVE-2013-4311, on any polkit version, since we
no longer need pk-check (which is what had the flaw).

In terms of performance, with access control checking turned
on for all APIs, the time to list 100 VMs drops from 2.7 secs
to 1 sec on my machine. To improve on this further, we would
need to find a way to parallelize the issuing of DBus calls
for each VM, instead of serializing the access checks.

Daniel P. Berrange (7):
  Add common API for doing polkit authentication
  Add typesafe APIs for virIdentity attributes
  Convert callers to use typesafe APIs for setting identity attrs
  Convert callers to use typesafe APIs for getting identity attrs
  Convert remote daemon & acl code to use polkit API
  Support passing dict by reference for dbus messages
  Convert polkit code to use DBus API instead of CLI helper

 cfg.mk                             |   3 +
 daemon/remote.c                    | 235 ++----------------------
 include/libvirt/virterror.h        |   2 +
 po/POTFILES.in                     |   2 +
 src/Makefile.am                    |   1 +
 src/access/viraccessdriverpolkit.c |  97 ++++------
 src/libvirt_private.syms           |  22 +++
 src/rpc/virnetserverclient.c       | 115 +++---------
 src/util/virdbus.c                 | 274 +++++++++++++++++++---------
 src/util/virerror.c                |   2 +
 src/util/viridentity.c             | 320 +++++++++++++++++++++++++++------
 src/util/viridentity.h             |  40 +++++
 src/util/virpolkit.c               | 255 ++++++++++++++++++++++++++
 src/util/virpolkit.h               |  34 ++++
 src/util/virstring.c               |  14 ++
 src/util/virstring.h               |   2 +
 tests/Makefile.am                  |   9 +-
 tests/virdbustest.c                | 218 +++++++++++++++++++++-
 tests/virpolkittest.c              | 360 +++++++++++++++++++++++++++++++++++++
 19 files changed, 1485 insertions(+), 520 deletions(-)
 create mode 100644 src/util/virpolkit.c
 create mode 100644 src/util/virpolkit.h
 create mode 100644 tests/virpolkittest.c

-- 
1.9.3
