[Dev] Cynara

José Bollo jose.bollo at open.eurogiciel.org
Mon Apr 14 14:22:18 GMT 2014


On Mon, 2014-04-14 at 16:07 +0200, Lukasz Wojciechowski wrote:
> On 2014-04-14 15:44, Patrick Ohly wrote:
> > On Mon, 2014-04-14 at 15:09 +0200, Lukasz Wojciechowski wrote:
> >> I have an impression that discussion went some wrong place. Is this
> >> thread still about Cynara?
> > The display server aspect is going a bit far, but I still think that it
> > is relevant for assessing Cynara to understand how the rest of the
> > problem is going to get addressed (or not addressed).
> >
> > It was not said clearly at the beginning which apps will be denied
> > access via Cynara, and how said apps will be prevented from accessing
> > data handled by the service.
> >
> > In my current understanding, Cynara is targeted at web apps which run
> > inside a controlled environment already (the web runtime) and can only
> > access the host through these services. That Cynara checks will also be
> > applied for native system apps is a side effect that we won't take
> > advantage of at the moment, because these apps can already do anything
> > they want to the users data anyway. Note that I am thinking of the PIM
> > data case here where service and app both run using the user's uid; it
> > may be different for more privileged and/or special services.
> >
> > Is that correct?
> >
> I think apps cannot do anything they want with user data. Even native 
> apps have access only to their private data.
> Every application with its data folders should be Smack labeled. Smack 
> labels are added in installation process for all applications: web, 
> native, etc.
> Different Smack labels for apps give us Smack level separation.
> 
> Consider what Rafał Krypa <r.krypa at samsung.com> wrote:
> 
> One assumption for Smack is needed for this model to work:
> to assign separate Smack labels for the applications.
> I believe that there is a consensus to go that way.

Oh! I missed it. Is there really a consensus? 

> While different, the app labels would still logically
> belong to the User domain. This is probably very confusing,
> given the "3-domain policy" name, but a domain is defined
> as a set of labels.

Yes, confusing.

> Separate Smack labels offer two important benefits:
> - separation: keeping private application files private,
> hidden from other apps. This also prevents stuff like ptrace()
> between applications with different privileges.
> - identification: whether a service consults Cynara for policy
> or implements some policing on itself, it must be sure who is
> on the other side. Smack label is a perfect unforgeable identifier for user apps.

I'm sceptical.

best regards
josé
