[libvirt] [PATCH 0/7] Improve performance of polkit checks

Fri Sep 12 12:20:32 UTC 2014

On 10.09.2014 16:20, Daniel P. Berrange wrote:
> This series improves the performance of the polkit driver by
> switching from use of the pk-check command, to the DBus APIs.
> As a convenient side effect, this means we are no longer
> vulnerable to CVE-2013-4311, on any polkit version, since we
> no longer need pk-check (which is what had the flaw).
>
> In terms of performance, with access control checking turned
> on for all APIs, the time to list 100 VMs dropps from 2.7 secs
> to 1 sec on my machine. To improve on this further, we would
> need to find a way to parallelize the issuing of DBus calls
> for each VM, instead of serialize the access checks.
>
> Daniel P. Berrange (7):
>    Add common API for doing polkit authentication
>    Add typesafe APIs for virIdentity attributes
>    Convert callers to use typesafe APIs for setting identity attrs
>    Convert callers to use typesafe APIs for getting identity attrs
>    Convert remote daemon & acl code to use polkit API
>    Support passing dict by reference for dbus messages
>    Convert polkit code to use DBus API instead of CLI helper
>
>   cfg.mk                             |   3 +
>   daemon/remote.c                    | 235 ++----------------------
>   include/libvirt/virterror.h        |   2 +
>   po/POTFILES.in                     |   2 +
>   src/Makefile.am                    |   1 +
>   src/access/viraccessdriverpolkit.c |  97 ++++------
>   src/libvirt_private.syms           |  22 +++
>   src/rpc/virnetserverclient.c       | 115 +++---------
>   src/util/virdbus.c                 | 274 +++++++++++++++++++---------
>   src/util/virerror.c                |   2 +
>   src/util/viridentity.c             | 320 +++++++++++++++++++++++++++------
>   src/util/viridentity.h             |  40 +++++
>   src/util/virpolkit.c               | 255 ++++++++++++++++++++++++++
>   src/util/virpolkit.h               |  34 ++++
>   src/util/virstring.c               |  14 ++
>   src/util/virstring.h               |   2 +
>   tests/Makefile.am                  |   9 +-
>   tests/virdbustest.c                | 218 +++++++++++++++++++++-
>   tests/virpolkittest.c              | 360 +++++++++++++++++++++++++++++++++++++
>   19 files changed, 1485 insertions(+), 520 deletions(-)
>   create mode 100644 src/util/virpolkit.c
>   create mode 100644 src/util/virpolkit.h
>   create mode 100644 tests/virpolkittest.c
>

ACK series, but see my comment to 7/7.

Michal