qrexec-policy daemon #5125

Closed
marmarek opened this issue Jun 26, 2019 · 5 comments · Fixed by QubesOS/qubes-core-qrexec#6
Labels
C: core P: major Priority: major. Between "default" and "critical" in severity. r4.1-bullseye-cur-test r4.1-buster-cur-test r4.1-centos7-cur-test r4.1-dom0-cur-test r4.1-fc29-cur-test r4.1-fc30-cur-test r4.1-fc31-cur-test r4.1-stretch-cur-test release notes This issue should be mentioned in the release notes. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

@marmarek
Member

Most of the time spent opening a qrexec call goes to the qrexec-policy process, which is called to evaluate policy at each call. Each time, a new (Python) process is started, libraries are imported, etc. In extreme situations it can take up to 300ms per call...

Create a policy handling daemon instead of a per-call process. This daemon should:

  • be an independent process from qubesd (for stability and isolation reasons), and only query qubesd when needed
  • listen on some local unix socket - qrexec-daemon should connect to that socket instead of spawning a separate qrexec-policy process
  • handle multiple requests simultaneously (so one qrexec confirmation prompt does not block other calls) - in practice this means using the asyncio Python module

In the initial version, it's ok to load policy files at each call, query qubesd about existing VMs, etc. Basically, the same thing that the current qrexec-policy process does, but avoiding Python startup overhead. If further optimizations are needed, we can do that later.

Originally posted by @marmarek in #3293 (comment)

@marmarek marmarek added C: core P: major Priority: major. Between "default" and "critical" in severity. release notes This issue should be mentioned in the release notes. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. labels Jun 26, 2019
@marmarek marmarek added this to the Release 4.1 milestone Jun 26, 2019
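
A sketch of the design requested in the issue body, added here as an illustration and not taken from qubes-core-qrexec: an asyncio daemon on a local unix socket where a pending confirmation prompt does not delay other calls, and unknown or malformed requests are denied. The one-line `source target service` request format, the `POLICY` table, the `demo.*` service names and the `confirm()` stand-in are assumptions made for the example.

```python
import asyncio, os, tempfile

POLICY = {("work", "vault", "demo.Read"): "allow",      # constructed entries,
          ("work", "personal", "demo.Copy"): "ask"}     # not real qrexec policy

async def confirm(source, target, service):
    await asyncio.sleep(0.3)   # stand-in for a slow user confirmation prompt
    return True

async def evaluate(line: bytes) -> str:
    try:
        source, target, service = line.decode("ascii").split()
    except (UnicodeDecodeError, ValueError):
        return "deny"          # malformed request: refuse instead of crashing
    action = POLICY.get((source, target, service), "deny")   # default deny
    if action == "ask":
        action = "allow" if await confirm(source, target, service) else "deny"
    return action

async def handle(reader, writer):  # one task per client; a prompt blocks only it
    try:
        line = await asyncio.wait_for(reader.readline(), timeout=5)
        writer.write((await evaluate(line)).encode() + b"\n")
        await writer.drain()
    except (asyncio.TimeoutError, ConnectionError, ValueError):
        pass                   # stalled, dropped or oversized request: no reply
    finally:
        writer.close()

async def query(path: str, request: str) -> str:
    reader, writer = await asyncio.open_unix_connection(path)
    writer.write(request.encode() + b"\n")
    reply = await reader.readline()
    writer.close()
    return reply.decode().strip()

async def demo():
    # mkdtemp creates a 0700 directory, so only the owner can reach the socket.
    path = os.path.join(tempfile.mkdtemp(), "policy.sock")
    server = await asyncio.start_unix_server(handle, path=path)
    finished = []
    async def call(request):
        finished.append((request, await query(path, request)))
    async with server:
        await asyncio.gather(call("work personal demo.Copy"),
                             call("work vault demo.Read"), call("garbage"))
    return finished            # in completion order, not submission order

def run_demo():
    return asyncio.run(demo())
```

The request that needs confirmation is submitted first but completes last, which is the non-blocking behaviour the issue asks for.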
@marmarta
Member

marmarta commented Aug 8, 2019

The daemon should also notify the user if policy was denied, see #3904

@marmarta
Member

marmarta commented Aug 9, 2019

  • TODO: do something with unknown/duplicated responses/qrexec client calls (for example ignore them instead of crashing)

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue Aug 9, 2019
Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125
marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue Aug 9, 2019
Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125
marmarta added a commit to marmarta/qubes-core-admin-linux that referenced this issue Dec 3, 2019
marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue Dec 3, 2019
Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125
marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue Dec 3, 2019
Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125
marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue Dec 7, 2019
Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125
marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue Dec 7, 2019
Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125
@qubesos-bot

Automated announcement from builder-github

The package qubes-core-qrexec_4.1.4-1 has been pushed to the r4.1 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package core-qrexec has been pushed to the r4.1 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.1-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package qubes-core-qrexec-4.1.5-1.fc31 has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update
