Re: [libvirt] [PATCH 0/7] Improve performance of polkit checks

This series improves the performance of the polkit driver by switching from use of the pk-check command, to the DBus APIs. As a convenient side effect, this means we are no longer vulnerable to CVE-2013-4311, on any polkit version, since we no longer need pk-check (which is what had the flaw). In terms of performance, with access control checking turned on for all APIs, the time to list 100 VMs dropps from 2.7 secs to 1 sec on my machine. To improve on this further, we would need to find a way to parallelize the issuing of DBus calls for each VM, instead of serialize the access checks. Daniel P. Berrange (7): Add common API for doing polkit authentication Add typesafe APIs for virIdentity attributes Convert callers to use typesafe APIs for setting identity attrs Convert callers to use typesafe APIs for getting identity attrs Convert remote daemon & acl code to use polkit API Support passing dict by reference for dbus messages Convert polkit code to use DBus API instead of CLI helper cfg.mk | 3 + daemon/remote.c | 235 ++---------------------- include/libvirt/virterror.h | 2 + po/POTFILES.in | 2 + src/Makefile.am | 1 + src/access/viraccessdriverpolkit.c | 97 ++++------ src/libvirt_private.syms | 22 +++ src/rpc/virnetserverclient.c | 115 +++--------- src/util/virdbus.c | 274 +++++++++++++++++++--------- src/util/virerror.c | 2 + src/util/viridentity.c | 320 +++++++++++++++++++++++++++------ src/util/viridentity.h | 40 +++++ src/util/virpolkit.c | 255 ++++++++++++++++++++++++++ src/util/virpolkit.h | 34 ++++ src/util/virstring.c | 14 ++ src/util/virstring.h | 2 + tests/Makefile.am | 9 +- tests/virdbustest.c | 218 +++++++++++++++++++++- tests/virpolkittest.c | 360 +++++++++++++++++++++++++++++++++++++ 19 files changed, 1485 insertions(+), 520 deletions(-) create mode 100644 src/util/virpolkit.c create mode 100644 src/util/virpolkit.h create mode 100644 tests/virpolkittest.c