Added policy caching

Policy parser will now be cached and updated only when changes in policy directories occured.
QubesOS · Dec 7, 2019 · 19e79f7 · 19e79f7
1 parent d31c754
commit 19e79f7
Show file tree

Hide file tree

Showing 8 changed files with 133 additions and 24 deletions.
diff --git a/ci/requirements.txt b/ci/requirements.txt
@@ -6,4 +6,5 @@ sphinx
 codecov
 pydbus
 pytest-asyncio
-asynctest
+asynctest
+pyinotify
diff --git a/qrexec/policy/utils.py b/qrexec/policy/utils.py
@@ -0,0 +1,85 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2017 Marta Marczykowska-Górecka
+#                               <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <https://www.gnu.org/licenses/>.
+#
+import asyncio
+import pyinotify
+from qrexec import POLICYPATH, POLICYPATH_OLD
+from . import parser
+
+
+class PolicyCache:
+    def __init__(self, path):
+        self.path = path
+        self.outdated = False
+        self.policy = parser.FilePolicy(policy_path=self.path)
+
+        # default policy paths are listed manually, for compatibility with R4.0
+        # to be removed in Qubes 5.0
+        self.default_policy_paths = [str(POLICYPATH), str(POLICYPATH_OLD)]
+
+        self.watch_manager = None
+        self.watches = []
+        self.notifier = None
+
+    def initialize_watcher(self):
+        self.watch_manager = pyinotify.WatchManager()
+        mask = pyinotify.IN_CREATE | pyinotify.IN_DELETE | pyinotify.IN_MODIFY
+
+        loop = asyncio.get_event_loop()
+
+        self.notifier = pyinotify.AsyncioNotifier(
+            self.watch_manager, loop, default_proc_fun=PolicyWatcher(self))
+
+        if str(self.path) not in self.default_policy_paths:
+            self.watches.append(
+                self.watch_manager.add_watch(
+                    str(self.path), mask, rec=True, auto_add=True))
+
+        for path in self.default_policy_paths:
+            self.watches.append(
+                self.watch_manager.add_watch(str(path), mask,
+                                             rec=True, auto_add=True))
+
+    def cleanup(self):
+        for wdd in self.watches:
+            self.watch_manager.rm_watch(wdd.values())
+
+        self.notifier.stop()
+
+    def get_policy(self):
+        if self.outdated:
+            self.policy = parser.FilePolicy(policy_path=self.path)
+            self.outdated = False
+
+        return self.policy
+
+
+class PolicyWatcher(pyinotify.ProcessEvent):
+    def __init__(self, cache):
+        self.cache = cache
+        super(PolicyWatcher, self).__init__()
+
+    def process_IN_CREATE(self, _):
+        self.cache.outdated = True
+
+    def process_IN_DELETE(self, _):
+        self.cache.outdated = True
+
+    def process_IN_MODIFY(self, _):
+        self.cache.outdated = True
diff --git a/qrexec/tests/cli.py b/qrexec/tests/cli.py
@@ -91,13 +91,10 @@ def test_000_allow(self):
             ['--path=' + self.policy_dir.name,
              'source-id', 'source', 'target', 'service', 'process_ident'])
         self.assertEqual(retval, 0)
-
-        print(self.policy_mock.mock_calls)
         self.assertEqual(self.policy_mock.mock_calls, [
             ('', (), {'policy_path': PosixPath(self.policy_dir.name)}),
             ('().evaluate', (self.request_mock(),), {}),
             ('().evaluate().execute', ('process_ident,source,source-id', ), {}),
-            ('().evaluate().target.__str__', (), {}),
         ])
         # remove call used above:
         del self.request_mock.mock_calls[-1]
@@ -290,7 +287,6 @@ def test_030_just_evaluate_allow(self):
             ('', (), {'policy_path': PosixPath(self.policy_dir.name)}),
             ('().evaluate', (self.request_mock(),), {}),
             ('().evaluate().execute', ('process_ident,source,source-id',), {}),
-            ('().evaluate().target.__str__', (), {}),
         ])
         # remove call used above:
         del self.request_mock.mock_calls[-1]
@@ -378,6 +374,5 @@ def test_033_just_evaluate_ask_assume_yes(self):
             ('', (), {'policy_path': PosixPath(self.policy_dir.name)}),
             ('().evaluate', (self.request_mock(),), {}),
             ('().evaluate().execute', ('process_ident,source,source-id', ), {}),
-            ('().evaluate().target.__str__', (), {}),
         ])
         self.assertEqual(self.dbus_mock.mock_calls, [])
diff --git a/qrexec/tests/qrexec_policy_daemon.py b/qrexec/tests/qrexec_policy_daemon.py
@@ -30,6 +30,7 @@
 import unittest.mock
 
 from ..tools import qrexec_policy_daemon
+from qrexec.policy.utils import PolicyCache
 
 class TestPolicyDaemon:
     @pytest.fixture
@@ -42,9 +43,10 @@ def mock_request(self, monkeypatch):
     @pytest.fixture
     async def async_server(self, tmp_path, request):
         log = unittest.mock.Mock()
+
         server = await asyncio.start_unix_server(
             functools.partial(qrexec_policy_daemon.handle_client_connection,
-                              log, "path"),
+                              log, Mock()),
             path=str(tmp_path / "socket.d"))
         # because travis is stuck in python3.5, we can't use yield
         request.addfinalizer(server.close)
@@ -79,7 +81,7 @@ async def test_simple_request(self, mock_request, async_server, tmp_path):
         mock_request.assert_called_once_with(
             domain_id='a', source='b', intended_target='c',
             service_and_arg='d', process_ident='1 9', log=unittest.mock.ANY,
-            path="path",
+            policy_cache=unittest.mock.ANY,
             allow_resolution_type=qrexec_policy_daemon.DaemonResolution,
             origin_writer=unittest.mock.ANY)
 
@@ -99,7 +101,8 @@ async def test_complex_request(self, mock_request, async_server, tmp_path):
         mock_request.assert_called_once_with(
             domain_id='a', source='b', intended_target='c',
             service_and_arg='d', process_ident='9', log=unittest.mock.ANY,
-            assume_yes_for_ask=True, just_evaluate=True, path="path",
+            assume_yes_for_ask=True, just_evaluate=True,
+            policy_cache=unittest.mock.ANY,
             allow_resolution_type=qrexec_policy_daemon.DaemonResolution,
             origin_writer=unittest.mock.ANY)
 
@@ -119,7 +122,8 @@ async def test_complex_request2(self, mock_request, async_server, tmp_path):
         mock_request.assert_called_once_with(
             domain_id='a', source='b', intended_target='c',
             service_and_arg='d', process_ident='9', log=unittest.mock.ANY,
-            assume_yes_for_ask=False, just_evaluate=False, path="path",
+            assume_yes_for_ask=False, just_evaluate=False,
+            policy_cache=unittest.mock.ANY,
             allow_resolution_type=qrexec_policy_daemon.DaemonResolution,
             origin_writer=unittest.mock.ANY)
 

diff --git a/qrexec/tools/qrexec_policy_daemon.py b/qrexec/tools/qrexec_policy_daemon.py
@@ -25,10 +25,11 @@
 import logging
 import os
 
-from .. import POLICYPATH, POLICYSOCKET
-
 from qrexec.policy.parser import AllowResolution
+from qrexec.policy.utils import PolicyCache
+
 from .qrexec_policy_exec import handle_request
+from .. import POLICYPATH, POLICYSOCKET
 
 argparser = argparse.ArgumentParser(description='Evaluate qrexec policy daemon')
 
@@ -65,7 +66,8 @@ async def execute(self, caller_ident):
         await super(DaemonResolution, self).execute(caller_ident)
 
 
-async def handle_client_connection(log, policy_path, reader, writer):
+async def handle_client_connection(log, policy_cache,
+                                   reader, writer):
 
     args = {}
 
@@ -109,9 +111,10 @@ async def handle_client_connection(log, policy_path, reader, writer):
 
         resolution_handler = DaemonResolution
 
-        result = await handle_request(**args, log=log, path=policy_path,
+        result = await handle_request(**args, log=log,
                                       allow_resolution_type=resolution_handler,
-                                      origin_writer=writer)
+                                      origin_writer=writer,
+                                      policy_cache=policy_cache)
 
         if result:
             writer.write(b"result=deny\n")
@@ -128,8 +131,12 @@ async def start_serving(args=None):
     log = logging.getLogger('policy')
     log.setLevel(logging.INFO)
 
+    policy_cache = PolicyCache(args.policy_path)
+    policy_cache.initialize_watcher()
+
     server = await asyncio.start_unix_server(
-        functools.partial(handle_client_connection, log, args.policy_path),
+        functools.partial(
+            handle_client_connection, log, policy_cache),
         path=args.socket_path)
     os.chmod(args.socket_path, 0o660)
 

diff --git a/qrexec/tools/qrexec_policy_exec.py b/qrexec/tools/qrexec_policy_exec.py
@@ -29,23 +29,29 @@
 from .. import exc
 from .. import utils
 from ..policy import parser
+from qrexec.policy.utils import PolicyCache
+
 
 def create_default_policy(service_name):
     with open(str(POLICYPATH / service_name), 'w') as policy:
         policy.write(DEFAULT_POLICY)
 
+
 class JustEvaluateAllowResolution(parser.AllowResolution):
     async def execute(self, caller_ident):
         sys.exit(0)
 
+
 class JustEvaluateAskResolution(parser.AskResolution):
     async def execute(self, caller_ident):
         sys.exit(1)
 
+
 class AssumeYesForAskResolution(parser.AskResolution):
     async def execute(self, caller_ident):
-        return await self.handle_user_response(True, self.request.target).execute(
-            caller_ident)
+        return await self.handle_user_response(
+            True, self.request.target).execute(caller_ident)
+
 
 class DBusAskResolution(parser.AskResolution):
     async def execute(self, caller_ident):
@@ -78,7 +84,7 @@ async def execute(self, caller_ident):
 
 class LogAllowedResolution(parser.AllowResolution):
     async def execute(self, caller_ident):
-        log_prefix = '[LOGALLOWEDRES]qrexec: {request.service}{request.argument}: ' \
+        log_prefix = 'qrexec: {request.service}{request.argument}: ' \
                      '{request.source} -> {request.target}:'.format(
                       request=self.request)
 
@@ -100,6 +106,7 @@ def prepare_resolution_types(*, just_evaluate, assume_yes_for_ask,
         ret['ask_resolution_type'] = AssumeYesForAskResolution
     return ret
 
+
 argparser = argparse.ArgumentParser(description='Evaluate qrexec policy')
 
 argparser.add_argument('--assume-yes-for-ask', action='store_true',
@@ -124,6 +131,7 @@ def prepare_resolution_types(*, just_evaluate, assume_yes_for_ask,
 argparser.add_argument('process_ident', metavar='process-ident',
     help='Qrexec process identifier - for connecting data channel')
 
+
 def main(args=None):
     args = argparser.parse_args(args)
 
@@ -133,22 +141,25 @@ def main(args=None):
         handler = logging.handlers.SysLogHandler(address='/dev/log')
         log.addHandler(handler)
 
+    policy_cache = PolicyCache(args.path)
+
     return asyncio.run(handle_request(
         args.domain_id,
         args.source,
         args.intended_target,
         args.service_and_arg,
         args.process_ident,
         log,
-        path=args.path,
         just_evaluate=args.just_evaluate,
-        assume_yes_for_ask=args.assume_yes_for_ask))
+        assume_yes_for_ask=args.assume_yes_for_ask,
+        policy_cache=policy_cache))
+
 
 # pylint: disable=too-many-arguments,too-many-locals
 async def handle_request(
         domain_id, source, intended_target, service_and_arg, process_ident,
-        log, path=POLICYPATH, just_evaluate=False, assume_yes_for_ask=False,
-        allow_resolution_type=None, origin_writer=None):
+        log, just_evaluate=False, assume_yes_for_ask=False,
+        allow_resolution_type=None, origin_writer=None, policy_cache=None):
     # Add source domain information, required by qrexec-client for establishing
     # connection
     caller_ident = process_ident + "," + source + "," + domain_id
@@ -165,7 +176,10 @@ async def handle_request(
     except ValueError:
         service, argument = service_and_arg, '+'
     try:
-        policy = parser.FilePolicy(policy_path=path)
+        if policy_cache:
+            policy = policy_cache.get_policy()
+        else:
+            policy = parser.FilePolicy(policy_path=POLICYPATH)
 
         if allow_resolution_type is None:
             allow_resolution_class = LogAllowedResolution

diff --git a/rpm_spec/qubes-qrexec-dom0.spec.in b/rpm_spec/qubes-qrexec-dom0.spec.in
@@ -43,6 +43,7 @@ BuildRequires:  qubes-core-qrexec-devel
 Requires:   python3
 Requires:   qubes-core-dom0
 Requires:   qubes-core-qrexec
+Requires:   python3-inotify
 
 Conflicts:  qubes-core-dom0 < 4.0.9999
 Conflicts:  qubes-core-dom0-linux < 4.0.9999

diff --git a/rpm_spec/qubes-qrexec.spec.in b/rpm_spec/qubes-qrexec.spec.in
@@ -98,6 +98,7 @@ rm -f %{name}-%{version}
 %{_bindir}/qrexec-policy-graph
 %{_bindir}/qrexec-policy-restore
 %{_bindir}/qrexec-policy-daemon
+%{_bindir}/qrexec-policy-utils
 %{_bindir}/qubes-policy
 %{_bindir}/qrexec-policy
 
@@ -131,6 +132,7 @@ rm -f %{name}-%{version}
 %{python3_sitelib}/qrexec/tools/qrexec_policy_agent.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_exec.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_daemon.py
+%{python3_sitelib}/qrexec/tools/qrexec_policy_utils.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_graph.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_restore.py