casey.schaufler at intel.com
Thu Apr 10 21:38:54 GMT 2014
> -----Original Message-----
> From: Patrick Ohly [mailto:patrick.ohly at intel.com]
> Sent: Thursday, April 10, 2014 12:41 PM
> To: Schaufler, Casey
> Cc: José Bollo; dev at lists.tizen.org; Lukasz Wojciechowski
> Subject: Re: [Dev] Cynara
> On Thu, 2014-04-10 at 19:15 +0000, Schaufler, Casey wrote:
> > > On Thu, 2014-04-10 at 16:06 +0000, Schaufler, Casey wrote:
> > > If Tizen is going to treat system apps (for example: the Lemolo
> > > dialer in IVI) like third-party apps from an app store, then that
> > > concern gets addressed sufficiently well. If not, then I think we should
> > > reconsider that approach.
> > No. Third party apps from the app store are going to be isolated.
> > That is one thing everyone agrees on. That's the whole reason that we
> > need Cynara, so that the abstract "privileges" these apps are required
> > to be allowed can be managed.
> I still wonder whether we can apply the same concepts and mechanisms for
> app store apps also to system apps. Let's ignore that for now, though.
Of course we can. The biggest problem is that it would require changing
programs that we're getting from the community, and we don't generally
want to change them (for a number of reasons) if we can avoid it.
> However, your comment triggered one more thought about Cynara: even if
> access control is targeted at app store apps, system apps must also pass
Yes. When a system process (running in the System domain, let's say)
requests a service, Cynara will have to report that that is allowed. That’s
a matter of granting System the required privileges. All a matter of
> A service can't tell the two apart easily and will call Cynara for all
> processes which request controlled operation. If Cynara wants to treat
> certain processes in a special way, that should be a Cynara internal
> implementation detail, not something that services need to do.
The service need only call Cynara with the information about the client.
If we break up the System domain (will happen, but not today) there
will need to be more Cynara rules. Note that Cynara will have the UID
and Smack label of the client, so there is opportunity to differentiate
between services within the Smack System domain. There is ongoing
debate regarding what system services will run with unique UIDs and
which should be grouped.
More or less. Cynara won't have to do anything special. It just needs
to be configured to allow clients in the System domain to have the
privileges they need. We could hard code it, but that would be silly.
> Best Regards, Patrick Ohly
> The content of this message is my personal opinion only and although I am an
> employee of Intel, the statements I make here in no way represent Intel's
> position on the issue, nor am I authorized to speak on behalf of Intel on this