Added policy caching

Policy parser will now be cached and updated only when changes in policy directories
occured.

qrexec/tools/qrexec_policy_daemon.py

@@ -24,11 +24,11 @@
 import asyncio
 import logging
 import os
-
 from .. import POLICYPATH, POLICYSOCKET
 
 from qrexec.policy.parser import AllowResolution
 from .qrexec_policy_exec import handle_request
+from .qrexec_policy_utils import PolicyCache
 
 argparser = argparse.ArgumentParser(description='Evaluate qrexec policy daemon')
 
@@ -65,7 +65,8 @@ async def execute(self, caller_ident):
         await super(DaemonResolution, self).execute(caller_ident)
 
 
-async def handle_client_connection(log, policy_path, reader, writer):
+async def handle_client_connection(log, policy_path, policy_cache,
+                                   reader, writer):
 
     args = {}
 
@@ -111,7 +112,8 @@ async def handle_client_connection(log, policy_path, reader, writer):
 
         result = await handle_request(**args, log=log, path=policy_path,
                                       allow_resolution_type=resolution_handler,
-                                      origin_writer=writer)
+                                      origin_writer=writer,
+                                      policy_cache=policy_cache)
 
         if result:
             writer.write(b"result=deny\n")
@@ -128,8 +130,11 @@ async def start_serving(args=None):
     log = logging.getLogger('policy')
     log.setLevel(logging.INFO)
 
+    policy_cache = PolicyCache(args.policy_path)
+
     server = await asyncio.start_unix_server(
-        functools.partial(handle_client_connection, log, args.policy_path),
+        functools.partial(
+            handle_client_connection, log, args.policy_path, policy_cache),
         path=args.socket_path)
     os.chmod(args.socket_path, 0o660)
 

qrexec/tools/qrexec_policy_exec.py

@@ -30,22 +30,27 @@
 from .. import utils
 from ..policy import parser
 
+
 def create_default_policy(service_name):
     with open(str(POLICYPATH / service_name), 'w') as policy:
         policy.write(DEFAULT_POLICY)
 
+
 class JustEvaluateAllowResolution(parser.AllowResolution):
     async def execute(self, caller_ident):
         sys.exit(0)
 
+
 class JustEvaluateAskResolution(parser.AskResolution):
     async def execute(self, caller_ident):
         sys.exit(1)
 
+
 class AssumeYesForAskResolution(parser.AskResolution):
     async def execute(self, caller_ident):
-        return await self.handle_user_response(True, self.request.target).execute(
-            caller_ident)
+        return await self.handle_user_response(
+            True, self.request.target).execute(caller_ident)
+
 
 class DBusAskResolution(parser.AskResolution):
     async def execute(self, caller_ident):
@@ -78,7 +83,7 @@ async def execute(self, caller_ident):
 
 class LogAllowedResolution(parser.AllowResolution):
     async def execute(self, caller_ident):
-        log_prefix = '[LOGALLOWEDRES]qrexec: {request.service}{request.argument}: ' \
+        log_prefix = 'qrexec: {request.service}{request.argument}: ' \
                      '{request.source} -> {request.target}:'.format(
                       request=self.request)
 
@@ -100,6 +105,7 @@ def prepare_resolution_types(*, just_evaluate, assume_yes_for_ask,
         ret['ask_resolution_type'] = AssumeYesForAskResolution
     return ret
 
+
 argparser = argparse.ArgumentParser(description='Evaluate qrexec policy')
 
 argparser.add_argument('--assume-yes-for-ask', action='store_true',
@@ -124,6 +130,7 @@ def prepare_resolution_types(*, just_evaluate, assume_yes_for_ask,
 argparser.add_argument('process_ident', metavar='process-ident',
     help='Qrexec process identifier - for connecting data channel')
 
+
 def main(args=None):
     args = argparser.parse_args(args)
 
@@ -144,11 +151,12 @@ def main(args=None):
         just_evaluate=args.just_evaluate,
         assume_yes_for_ask=args.assume_yes_for_ask))
 
+
 # pylint: disable=too-many-arguments,too-many-locals
 async def handle_request(
         domain_id, source, intended_target, service_and_arg, process_ident,
         log, path=POLICYPATH, just_evaluate=False, assume_yes_for_ask=False,
-        allow_resolution_type=None, origin_writer=None):
+        allow_resolution_type=None, origin_writer=None, policy_cache=None):
     # Add source domain information, required by qrexec-client for establishing
     # connection
     caller_ident = process_ident + "," + source + "," + domain_id
@@ -165,7 +173,10 @@ async def handle_request(
     except ValueError:
         service, argument = service_and_arg, '+'
     try:
-        policy = parser.FilePolicy(policy_path=path)
+        if policy_cache:
+            policy = policy_cache.get_policy()
+        else:
+            policy = parser.FilePolicy(policy_path=path)
 
         if allow_resolution_type is None:
             allow_resolution_class = LogAllowedResolution

qrexec/tools/qrexec_policy_utils.py

@@ -0,0 +1,86 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2017 Marta Marczykowska-Górecka
+#                               <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <https://www.gnu.org/licenses/>.
+#
+import asyncio
+import pyinotify
+from ..policy import parser
+from .. import POLICYPATH, POLICYPATH_OLD
+
+
+class PolicyCache:
+    def __init__(self, path):
+        self.path = path
+        self.outdated = False
+        self.policy = parser.FilePolicy(policy_path=self.path)
+
+        # default policy paths are listed manually, for compatibility with R4.0
+        # to be removed in Qubes 5.0
+        self.default_policy_paths = [str(POLICYPATH), str(POLICYPATH_OLD)]
+
+        self.wm = None
+        self.watches = []
+        self.notifier = None
+
+        self.initialize_watcher()
+
+    def initialize_watcher(self):
+        self.wm = pyinotify.WatchManager()
+        mask = pyinotify.IN_CREATE | pyinotify.IN_DELETE | pyinotify.IN_MODIFY
+
+        loop = asyncio.get_event_loop()
+
+        self.notifier = pyinotify.AsyncioNotifier(
+            self.wm, loop, default_proc_fun=PolicyWatcher(self))
+
+        if str(self.path) not in self.default_policy_paths:
+            self.watches.append(
+                self.wm.add_watch(
+                    str(self.path), mask, rec=True, auto_add=True))
+
+        for p in self.default_policy_paths:
+            self.watches.append(
+                self.wm.add_watch(str(p), mask, rec=True, auto_add=True))
+
+    def cleanup(self):
+        for wdd in self.watches:
+            self.wm.rm_watch(wdd.values())
+
+        self.notifier.stop()
+
+    def get_policy(self):
+        if self.outdated:
+            self.policy = parser.FilePolicy(policy_path=self.path)
+            self.outdated = False
+
+        return self.policy
+
+
+class PolicyWatcher(pyinotify.ProcessEvent):
+    def __init__(self, cache):
+        self.cache = cache
+        super(PolicyWatcher, self).__init__()
+
+    def process_IN_CREATE(self, _):
+        self.cache.outdated = True
+
+    def process_IN_DELETE(self, _):
+        self.cache.outdated = True
+
+    def process_IN_MODIFY(self, _):
+        self.cache.outdated = True

rpm_spec/qubes-qrexec.spec.in

@@ -98,6 +98,7 @@ rm -f %{name}-%{version}
 %{_bindir}/qrexec-policy-graph
 %{_bindir}/qrexec-policy-restore
 %{_bindir}/qrexec-policy-daemon
+%{_bindir}/qrexec-policy-utils
 %{_bindir}/qubes-policy
 %{_bindir}/qrexec-policy
 
@@ -131,6 +132,7 @@ rm -f %{name}-%{version}
 %{python3_sitelib}/qrexec/tools/qrexec_policy_agent.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_exec.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_daemon.py
+%{python3_sitelib}/qrexec/tools/qrexec_policy_utils.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_graph.py
 %{python3_sitelib}/qrexec/tools/qrexec_policy_restore.py