[Dev] Cynara (filesystem)

Jussi Laako jussi.laako at linux.intel.com
Mon Apr 14 11:27:29 GMT 2014


On 11.4.2014 19:42, Schaufler, Casey wrote:
> No. Libraries are not security elements in a Linux system.
> There is nothing you can do in a library that you can't do
> directly in the client code. There is no way for Cynara to tell
> if the application is lying to it. You can certainly add Cynara
> calls to a library, but it is pointless because any denial can
> be circumvented.

One way to work around this is to do it like we do in gSSO for method 
plugins. Each plugin is loaded by a loader binary as a separate process 
and library calls are translated over IPC.

This way the library doesn't run within the same process context, but is 
still as easy to implement as a library.
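The contrast between an in-process check and the loader-process arrangement described in this message, as an added example that is not part of the original post and is not gSSO or Cynara code. All names (`deny_sign`, `lib_call_inproc`, `lib_call_ipc`, `client_tamper`) are hypothetical, and `fork()` stands in for the separate loader binary so the example is self-contained.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical policy state: 1 = the "sign" method is denied. */
static volatile int deny_sign = 1;
static int loader_fd = -1;      /* client end of the socketpair */
static pid_t loader_pid = -1;

static int check(const char *m) { return !(deny_sign && strcmp(m, "sign") == 0); }
/* Ordinary library call: the check runs inside the caller's address space. */
int lib_call_inproc(const char *m) { return check(m); }
/* Models a client rewriting policy state that lives in its own process. */
void client_tamper(void) { deny_sign = 0; }

/* Start the loader process; it answers from its own copy of the policy. */
int loader_start(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0) return -1;
    if ((loader_pid = fork()) < 0) return -1;
    if (loader_pid == 0) {
        char req[64]; ssize_t n;
        close(sv[0]);
        while ((n = recv(sv[1], req, sizeof req - 1, 0)) > 0) {
            req[n] = '\0';
            char ok = (char)check(req);
            send(sv[1], &ok, 1, 0);
        }
        _exit(0);               /* client closed its end */
    }
    close(sv[1]); loader_fd = sv[0];
    return 0;
}

/* Client stub: same shape as the library call, but only forwards over IPC. */
int lib_call_ipc(const char *m) {
    char ok = 0;
    if (send(loader_fd, m, strlen(m), 0) < 0) return -1;
    return recv(loader_fd, &ok, 1, 0) == 1 ? ok : -1;
}
void loader_stop(void) { close(loader_fd); waitpid(loader_pid, NULL, 0); }

int main(void) {
    if (loader_start() < 0) return 1;
    client_tamper();
    printf("in-process: %d, over IPC: %d\n", lib_call_inproc("sign"), lib_call_ipc("sign"));
    loader_stop(); return 0;
}
```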
