Policy checking in dbus-daemon

Adrian Szyndela adrian.s at samsung.com
Tue Apr 5 14:20:22 UTC 2022


Hi,


Almost two years ago, we, at Samsung, changed the way dbus-daemon checks 
security policy in our environment. By using hash tables and some 
heuristics we managed to make small-message processing about 25% faster 
in contexts with a "large" number of rules (like the system bus on my 
pretty standard Ubuntu box).

Is "upstream" interested in adopting that kind of improvement?

I've ported the code to gitlab for reference 
(https://gitlab.freedesktop.org/asz/dbus/-/commits/policy-hash).

Details:

- the current upstream implementation is simply this: having policy 
rules on a list, find the last matching rule.

- if we assign to each rule a number ("score"), based on the rule's position 
in the list of rules, then we can store them in different data 
structures. We only need to find a matching rule with the largest score.

- we can divide the list into small lists with rules grouped by an 
attribute and put the small lists into a hash table under indexes based 
on the attribute.

- we've chosen "names" as the attribute (own name, sender name, 
destination name).

This way, if we, e.g., check a message against the send policy, we only have 
to check two, probably quite short, lists of rules: a list assigned to 
the message's destination name, and a list assigned to the "*" (wildcard) 
destination name.

The drawback is that counting the rules that match doesn't work anymore. 
Therefore, the "Rejected" error message doesn't show the correct number 
of matched rules. The same happens for "MatchRules" and "PeakMatchRules" 
in "GetConnectionStats".


So, is "upstream" interested?


Kind Regards,

Adrian Szyndela
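Added illustration of the lookup described in the message above. This is not Adrian's code and not the dbus-daemon implementation (the linked gitlab branch is the real thing); it is a Python sketch that assumes a simplified rule carrying only a destination name (or "*") and an optional interface, and assumes that each per-name list is kept sorted by descending score so that a bucket can be left at its first match. The linear scan reports how many rules matched; the hash-table lookup only reports the winning rule, which is the drawback the message notes. The policy and the messages checked are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WILDCARD = "*"


@dataclass(frozen=True)
class Rule:
    score: int                        # position in the policy; a later rule beats an earlier one
    allow: bool                       # True for an <allow>, False for a <deny>
    destination: str                  # destination bus name the rule is restricted to, or "*"
    interface: Optional[str] = None   # None means the rule applies to every interface

    def matches(self, destination: str, interface: str) -> bool:
        if self.destination != WILDCARD and self.destination != destination:
            return False
        return self.interface is None or self.interface == interface


def score_rules(policy: List[Tuple[bool, str, Optional[str]]]) -> List[Rule]:
    """Assign each rule its position in the policy as its score."""
    return [Rule(i, allow, dest, iface) for i, (allow, dest, iface) in enumerate(policy)]


def decide_linear(rules: List[Rule], destination: str, interface: str) -> Tuple[bool, int, int]:
    """Upstream-style check: walk the whole list, keep the last matching rule,
    and count the matches (the number a 'Rejected' error can report).
    Returns (allowed, winning score, match count); no match means deny."""
    last, matched = None, 0
    for rule in rules:
        if rule.matches(destination, interface):
            last, matched = rule, matched + 1
    return (last.allow if last else False, last.score if last else -1, matched)


def build_policy_table(rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Group rules into short lists keyed by destination name (wildcard under "*").
    Each list is sorted by descending score so its first match is its best match
    (assumed heuristic, not necessarily the one in the linked branch)."""
    table: Dict[str, List[Rule]] = {}
    for rule in rules:
        table.setdefault(rule.destination, []).append(rule)
    for bucket in table.values():
        bucket.sort(key=lambda r: r.score, reverse=True)
    return table


def decide_hashed(table: Dict[str, List[Rule]], destination: str, interface: str) -> Tuple[bool, int]:
    """Hash-table check: only the bucket for this destination and the "*" bucket
    are consulted, and each is left as soon as it yields a match. The decision
    equals the linear scan's, but no count of matching rules is available."""
    best = None
    for key in (destination, WILDCARD):
        for rule in table.get(key, []):
            if rule.matches(destination, interface):
                if best is None or rule.score > best.score:
                    best = rule
                break
    return (best.allow if best else False, best.score if best else -1)


# Constructed sample send policy, in the order the rules would appear in the XML.
POLICY: List[Tuple[bool, str, Optional[str]]] = [
    (False, WILDCARD, None),                                  # 0: default deny
    (True, WILDCARD, "org.freedesktop.DBus.Introspectable"),  # 1: introspection to anyone
    (True, "org.example.Service", None),                      # 2: allow one service
    (False, "org.example.Service", "org.example.Admin"),      # 3: except its admin interface
    (True, "org.example.Other", None),                        # 4: allow another service
]
RULES = score_rules(POLICY)
TABLE = build_policy_table(RULES)

if __name__ == "__main__":
    for dest, iface in [("org.example.Service", "org.example.Admin"),
                        ("org.example.Service", "org.example.Foo"),
                        ("org.example.Unknown", "org.freedesktop.DBus.Introspectable"),
                        ("org.example.Unknown", "org.example.Foo")]:
        print(dest, iface, decide_linear(RULES, dest, iface), decide_hashed(TABLE, dest, iface))
```

Both functions pick the same winning rule for every message; the difference is that the linear scan visits all five rules while the hashed lookup visits at most the two buckets, and stops each bucket at its first hit.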


