[Dev] Cynara (filesystem)
jussi.laako at linux.intel.com
Mon Apr 14 11:27:29 GMT 2014
On 11.4.2014 19:42, Schaufler, Casey wrote:
> No. Libraries are not security elements in a Linux system.
> There is nothing you can do in a library that you can't do
> directly in the client code. There is no way for Cynara to tell
> if the application is lying to it. You can certainly add Cynara
> calls to a library, but it is pointless because any denial can
> be circumvented.
One way to work around this is to do it like we do in gSSO for method
plugins. Each plugin is loaded by a loader binary as a separate process
and library calls are translated over IPC.
This way the library doesn't run within the same process context, but is
still as easy to implement as a library.
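
The out-of-process pattern described in the reply above, as an added example that is not part of the original post and is not gSSO code: a client stub marshals a call over a Unix socket pair to a plugin running in a separate process, which makes the decision on its side of the boundary. Assumptions: the names `plugin_call` and `plugin_main`, the wire format and the method ids are hypothetical; `fork()` stands in for the loader binary; and the `SO_PEERCRED` comparison is one way the plugin side can ignore what the caller claims about itself, which the post does not describe.

```c
#define _GNU_SOURCE            /* struct ucred, SO_PEERCRED (Linux) */
#include <stdint.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical wire format: one request struct in, one int32 status out. */
struct req { uint32_t method; uid_t claimed_uid; };
enum { METHOD_PING = 1, METHOD_GET_TOKEN = 2 };
enum { ST_OK = 0, ST_DENIED = 1, ST_ERROR = 2 };

/* Plugin side: runs in its own process, so the caller cannot patch out the check. */
static void plugin_main(int fd) {
    struct req r;
    struct ucred peer;
    socklen_t len = sizeof peer;
    int32_t st = ST_ERROR;             /* unknown methods and I/O failures */
    if (read(fd, &r, sizeof r) == (ssize_t)sizeof r &&
        getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &peer, &len) == 0) {
        /* Trust the kernel-reported uid, never the uid the caller claims. */
        if (r.method == METHOD_PING) st = ST_OK;
        else if (r.method == METHOD_GET_TOKEN)
            st = (r.claimed_uid == peer.uid) ? ST_OK : ST_DENIED;
    }
    if (write(fd, &st, sizeof st) != (ssize_t)sizeof st) _exit(1);
    _exit(0);
}

/* Client stub: looks like a library call, but only marshals the request over IPC. */
int plugin_call(uint32_t method, uid_t claimed_uid) {
    int sv[2];
    int32_t st = ST_ERROR;
    struct req r = { method, claimed_uid };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return ST_ERROR;
    pid_t pid = fork();                /* stand-in for the loader binary */
    if (pid < 0) { close(sv[0]); close(sv[1]); return ST_ERROR; }
    if (pid == 0) { close(sv[0]); plugin_main(sv[1]); }
    close(sv[1]);
    if (write(sv[0], &r, sizeof r) != (ssize_t)sizeof r ||
        read(sv[0], &st, sizeof st) != (ssize_t)sizeof st) st = ST_ERROR;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return st;
}

int main(void) {   /* exits 0 when a caller lying about its uid is denied */
    return plugin_call(METHOD_GET_TOKEN, getuid() + 1) == ST_DENIED ? 0 : 1;
}
```

Because the child is forked from the caller without an `exec`, it still starts from a copy of the caller's memory; a loader that executes a separate binary, as the post describes, does not.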