[Dev] Cynara

Patrick Ohly patrick.ohly at intel.com
Mon Apr 14 13:44:04 GMT 2014


On Mon, 2014-04-14 at 15:09 +0200, Lukasz Wojciechowski wrote:
> I have an impression that discussion went some wrong place. Is this 
> thread still about Cynara?

The display server aspect is going a bit far, but I still think that it
is relevant for assessing Cynara to understand how the rest of the
problem is going to get addressed (or not addressed).

It was not said clearly at the beginning which apps will be denied
access via Cynara, and how said apps will be prevented from accessing
data handled by the service.

In my current understanding, Cynara is targeted at web apps which run
inside a controlled environment already (the web runtime) and can only
access the host through these services. That Cynara checks will also be
applied for native system apps is a side effect that we won't take
advantage of at the moment, because these apps can already do anything
they want to the users data anyway. Note that I am thinking of the PIM
data case here where service and app both run using the user's uid; it
may be different for more privileged and/or special services.

Is that correct?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.





More information about the Dev mailing list