[Dev] Cynara

Jussi Laako jussi.laako at linux.intel.com
Mon Apr 14 14:17:47 GMT 2014


On 14.4.2014 17:07, Lukasz Wojciechowski wrote:
> I think apps cannot do anything they want with user data. Even native
> apps have access only to their private data.
> Every application with its data folders should be Smack labeled. Smack
> labels are added in installation process for all applications: web,
> native, etc.
> Different Smack labels for apps give us Smack level separation.

Well, this was also how I understood the original SMACK intention. But 
then someone said that there would be only three SMACK labels and that 
it wouldn't be possible to tell applications apart based on SMACK labels...

If applications can introduce their own SMACK labels to group their 
data, my cases should be fine.

> One assumption for Smack is needed for this model to work: to assign
> separate Smack labels for the applications. I believe that there is a
> consensus to go that way.

OK, sounds good. So I can fetch peer creds and match those against data 
ACLs...

> While different, the app labels would still logically belong to the User
> domain. This is probably very confusing, given the "3-domain policy"
> name, but a domain is defined as a set of labels.

OK, this was confusing me at least. I thought that there would be only 
three SMACK labels...



More information about the Dev mailing list