[Dev] Access control design for user applications

Patrick Ohly patrick.ohly at intel.com
Wed Apr 16 07:13:33 GMT 2014


On Tue, 2014-04-15 at 18:33 +0200, Rafał Krypa wrote:
> *Smack policy for applications*
> Each application will be run with a separate label, belonging to the
> User domain. Label will be based on package id and allocated during
> installation. Suggested template for application label is
> "User::Application::$PKG_ID".
> Each application label will be given the same set of Smack rules,
> based on a template. These rules should allow applications to contact
> services for accessing sensitive resources, but prevent direct
> access to these resources. Services will run with either the "System" or
> the "User" label, so applications will be given write permission to
> these labels.

Just to clarify, "write permission" means "can send messages to a
service via a unix domain socket" but not "write arbitrary data into
files with the User label"?

How does that work? In my (admittedly limited) understanding of SMACK,
if both socket and normal file have the "User" label and there is a
SMACK rule that grants write access to that label, it'll apply to both
socket and files. Not what we want, is it?

How will the app receive the reply if it can't read from the "User"
domain? My guess is that this works because the data that it needs to
read was explicitly written to by a service in the "User" domain, but I
am not sure.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
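As an added illustration of the question raised above (not code from the thread, from Tizen or from Smack itself), here is a small Python model of Smack's rule evaluation using the built-in label semantics from the kernel's Smack documentation and the label template from the quoted proposal; the rule-file format is Smack's "subject object accesses", while the package id, object paths and object labels are constructed for the example.

```python
# Added example: minimal model of Smack access decisions. A rule is keyed
# only by (subject label, object label); it carries no notion of object type,
# so "w" on the "User" label covers every User-labelled object, sockets and
# regular files alike.

def smack_access(rules, subject, obj, wanted):
    """True if label `subject` may perform `wanted` (subset of 'rwxa') on an
    object labelled `obj`. Order follows the kernel's documented semantics."""
    if subject == "*":                                  # star subject: always denied
        return False
    if subject == obj or obj == "*":                    # same label / star object: allowed
        return True
    if subject == "^" and set(wanted) <= {"r", "x"}:    # hat subject may read/exec anything
        return True
    if obj == "_" and set(wanted) <= {"r", "x"}:        # floor object readable by all
        return True
    granted = rules.get((subject, obj), "")             # explicit rule, else denied
    return all(a in granted for a in wanted)

def load_rules(text):
    """Parse lines in the /smack/load format: 'subject object accesses'."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        subject, obj, access = line.split()
        rules[(subject, obj)] = access.replace("-", "")
    return rules

def app_label(pkg_id):
    """Label template proposed in the thread."""
    return f"User::Application::{pkg_id}"

def template_rules(pkg_id):
    """Per-application template as described: write to System and User only."""
    lbl = app_label(pkg_id)
    return f"{lbl} System w\n{lbl} User w\n"

# Constructed scenario: one installed app, two User-labelled objects.
APP = app_label("org.example.calc")          # package id is made up
RULES = load_rules(template_rules("org.example.calc"))
OBJECTS = {"/run/user/svc.sock": "User",     # service's listening socket
           "/home/user/data.db": "User"}     # a plain file with the same label

def writable_user_objects():
    """Everything the app may write under the template, regardless of type."""
    return [p for p, lbl in OBJECTS.items() if smack_access(RULES, APP, lbl, "w")]

def app_can_read_user():
    return smack_access(RULES, APP, "User", "r")

def service_can_write_app():
    """Without a rule back from User to the app label, a reply is denied."""
    return smack_access(RULES, "User", APP, "w")
```

Running it shows both the socket and the file as writable, no read access for the app on "User", and no write access from "User" back to the app label until such a rule is added.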