polkit (formerly PolicyKit) is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes.
Other
41
stars
22
forks
source link
Sessions monitor should watch only changes in sessions #445
Currently, the polkitbackendsessionmonitor watches all notifications from sd-login-monitor. This causes waking polkit even four+ times on every login/logout and starting a train of action re-verification several times for each instantiated PolkitAuthority (e.g. applets on gnome-shell panel that utilize PolkitPermission).
This is not necessary, because polkit only needs to watch for sessions that change status from active to online and vice-versa (to maintain security for actions that have is_active defined). This still doesn't resolve the problem completely, but at least halves the impact on system resources.
Detailed description and/or reproducer
On a gnome-shell-fitted system, set dbus-monitor to listen on PolicyKit1.Authority interface and watch the flood on login/logout (e.g. via ssh):
"# dbus-monitor --system "interface=org.freedesktop.PolicyKit1.Authority"
On each signal from logind (uids, seats, sessions,...), polkitbackend sends "Changed" over dbus. The signal is caught by every PolkitAuthority instance and triggers authorization re-check by sending "CheckAuthorization" back to polkitbackend.
Summary
Currently, the polkitbackendsessionmonitor watches all notifications from sd-login-monitor. This causes waking polkit even four+ times on every login/logout and starting a train of action re-verification several times for each instantiated PolkitAuthority (e.g. applets on gnome-shell panel that utilize PolkitPermission). This is not necessary, because polkit only needs to watch for sessions that change status from active to online and vice-versa (to maintain security for actions that have is_active defined). This still doesn't resolve the problem completely, but at least halves the impact on system resources.
Detailed description and/or reproducer
On a gnome-shell-fitted system, set dbus-monitor to listen on PolicyKit1.Authority interface and watch the flood on login/logout (e.g. via ssh): "# dbus-monitor --system "interface=org.freedesktop.PolicyKit1.Authority"
On each signal from logind (uids, seats, sessions,...), polkitbackend sends "Changed" over dbus. The signal is caught by every PolkitAuthority instance and triggers authorization re-check by sending "CheckAuthorization" back to polkitbackend.