casey.schaufler at intel.com
Wed Apr 9 16:34:27 GMT 2014
> -----Original Message-----
> From: Dev [mailto:dev-bounces at lists.tizen.org] On Behalf Of Patrick Ohly
> Sent: Wednesday, April 09, 2014 7:39 AM
> To: José Bollo
> Cc: dev at lists.tizen.org; Lukasz Wojciechowski
> Subject: Re: [Dev] Cynara
> On Wed, 2014-04-09 at 15:13 +0200, José Bollo wrote:
> > On mer, 2014-04-09 at 14:35 +0200, Patrick Ohly wrote:
> > > On Wed, 2014-04-09 at 12:27 +0200, José Bollo wrote:
> > > > On mer, 2014-04-09 at 09:30 +0200, Patrick Ohly wrote:
> > > > > Access control: I understand that a service will have to
> > > > > implement this access control mechanism and I see how Cynara
> > > > > will help with this. What hasn't become clear to me is how a
> > > > > service running as a normal user process (same PID as all other
> > > > > apps of the user) will be able to protect its data files from
> > > > > those other processes when using the 3-domain Smack model. Can
> > > > > someone point me towards documentation for that, ideally with an
> > > > > example? Will it be possible to write services that grant direct
> > > > > read-only access to files (for performance reasons) while handling
> > > > > writes in the service?
> > > >
> > > > I really agree with that remark. That is why I proposed a launcher
> > > > that is aware of the problem of sharing/not sharing the filesystem.
> > > > (see https://lists.tizen.org/pipermail/dev/2014-April/002292.html)
> > > > I think that because smack rules modification will become lighter,
> > > > the launch time will be less than 1 ms.
> > >
> > > I've seen that. With that approach, apps can be restricted, but
> > > processes not getting that treatment would still have full access to
> > > everything. I wonder whether we can do better than that.
> > You are right: apps not launched, not receiving the treatment, have
> > full access. But to my eyes it is not a problem because:
> > - Tizen enforces the use of the launcher (for security), so what are the
> > applications that aren't launched?
> Which Tizen profile do you refer to here?
> In Tizen IVI there are several user processes which do not get spawned by
> the launcher and thus have access to more data than they really need.
Those are mostly services (weston, murphyd) and basic
UI applications (weekeyboard). Everything on Tizen (true
for Android, too BTW) has access to more data than it needs.
The question is whether it has access to data that matters.
Who cares if it can read /etc/tizen-release?
> > - DAC and MAC are still here filtering real intrusions
> But that doesn't help when the uid and smack label are the same.
> > > Regarding "leaving details of multi-threading to the integrator":
> > > that may simplify the work for the lib developer, but it complicates
> > > the usage of the lib for service developers, in particular if those
> > > services are not yet multithreaded. Just saying.
> > Agreed too. But remember only if it doesn't want to block.
> My expectation is that services will not be allowed to block. So either they
> are multithreaded, asynchronous or both. Cynara as currently designed does
> not fit into services which are asynchronous, but not multithreaded.
Do we have services that are asynchronous, but not multithreaded?
I'm all in favor of generality, but I don't believe in solving problems
that we don't have.
> Best Regards, Patrick Ohly
> The content of this message is my personal opinion only and although I am an
> employee of Intel, the statements I make here in no way represent Intel's
> position on the issue, nor am I authorized to speak on behalf of Intel on this
> Dev mailing list
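The question running through this thread (can a service protect its files from other processes of the same user under the three-domain model, and what does a relabelling launcher change?) can be checked against the documented Smack decision rules. The following is an added example, not code from the thread, from Tizen or from the Smack implementation: a small Python model of the Smack access decision combined with ordinary DAC, run over a constructed scenario. The uid, the file, the domain label "User" and the per-app label "User::App::game" are assumptions made for the illustration; the decision order itself follows the kernel's Smack documentation (a "*" subject is always denied, "^" may read and execute anything, a "_" object is readable and executable by all, a "*" object is accessible by all, equal labels always match, otherwise only a loaded rule permits).

```python
# Added example (not code from the thread or from Tizen/Smack): a model of the
# Smack access decision plus POSIX DAC, used to check the claim that a service
# and the apps of the same user cannot be separated when they share one uid and
# one Smack label, and what a per-app label assigned by a launcher changes.
# The uid, file, label names and rule below are illustrative assumptions.
from dataclasses import dataclass

SMACK_STAR, SMACK_HAT, SMACK_FLOOR = "*", "^", "_"


@dataclass(frozen=True)
class Task:
    uid: int
    label: str


@dataclass(frozen=True)
class File:
    owner_uid: int
    mode: int          # POSIX permission bits, e.g. 0o600
    label: str         # value the security.SMACK64 xattr would carry


class SmackPolicy:
    """Rule set loaded from lines of 'subject object access' (smackload format)."""

    def __init__(self, rules=()):
        self.rules = {}
        for line in rules:
            self.load_rule(line)

    def load_rule(self, line):
        subject, obj, access = line.split()
        self.rules.setdefault((subject, obj), set()).update(access.replace("-", ""))

    def allowed(self, subject, obj, access):
        """Smack decision order as documented in the kernel's Smack.rst."""
        if subject == SMACK_STAR:                       # '*' subject: always denied
            return False
        if subject == SMACK_HAT and access in "rx":     # '^' subject: may read/execute
            return True
        if obj == SMACK_FLOOR and access in "rx":       # '_' object: readable by all
            return True
        if obj == SMACK_STAR:                           # '*' object: accessible by all
            return True
        if subject == obj:                              # same label: always allowed
            return True
        return access in self.rules.get((subject, obj), set())  # explicit rule only


def dac_allowed(task, f, access):
    """Owner/other bits only (group bits omitted for brevity)."""
    bit = {"r": 4, "w": 2, "x": 1}[access]
    shift = 6 if task.uid == f.owner_uid else 0
    return (f.mode >> shift) & bit == bit


def can_access(policy, task, f, access):
    """Linux consults DAC first and then the LSM; both must agree."""
    return dac_allowed(task, f, access) and policy.allowed(task.label, f.label, access)


# Constructed scenario: a calendar service and its private database, both in
# the single "User" domain of a three-domain Smack configuration.
USER_UID = 5000
service = Task(USER_UID, "User")
db = File(USER_UID, 0o600, "User")


def three_domain_results():
    """Every process of the user, launched or not, shares uid and label with
    the service, so DAC and Smack both let it read and write the database."""
    policy = SmackPolicy()
    other_app = Task(USER_UID, "User")
    return {
        "service_write": can_access(policy, service, db, "w"),
        "other_app_read": can_access(policy, other_app, db, "r"),
        "other_app_write": can_access(policy, other_app, db, "w"),
    }


def launcher_label_results():
    """A launcher that relabels each app (label name assumed) and loads a
    read-only rule towards the service domain yields the direct-read-only,
    write-through-the-service split asked about in the thread. A process that
    was not launched keeps the "User" label and stays unrestricted."""
    policy = SmackPolicy(["User::App::game User r"])
    launched_app = Task(USER_UID, "User::App::game")
    not_launched = Task(USER_UID, "User")
    return {
        "service_write": can_access(policy, service, db, "w"),
        "launched_read": can_access(policy, launched_app, db, "r"),
        "launched_write": can_access(policy, launched_app, db, "w"),
        "not_launched_write": can_access(policy, not_launched, db, "w"),
    }


if __name__ == "__main__":
    print("three-domain:", three_domain_results())
    print("per-app label:", launcher_label_results())
```

The model reproduces both positions in the thread: under one shared label and uid, nothing in DAC or Smack distinguishes the service from any other process of the user, while a relabelling launcher restricts launched apps to whatever rules are loaded and leaves un-launched processes with the full access of the domain label.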