[Dev] Cynara + DBUS
casey.schaufler at intel.com
Wed Apr 16 20:06:01 GMT 2014
> -----Original Message-----
> From: Patrick Ohly [mailto:patrick.ohly at intel.com]
> Sent: Wednesday, April 16, 2014 9:45 AM
> To: Schaufler, Casey
> Cc: José Bollo; Lukasz Wojciechowski; dev at lists.tizen.org
> Subject: Re: [Dev] Cynara + DBUS
> On Wed, 2014-04-16 at 15:30 +0000, Schaufler, Casey wrote:
> > > > Good question. Applications will need mutual write access with
> > > > dbus to talk to it. Yes, this introduces additional Smack rules.
> > >
> > > So in other words, full access to anything that is on the session D-Bus,
> > > including all other apps. Anything talking on the session D-Bus will
> > > have to be prepared to get potentially malicious messages.
> > No, that's not what I said, I don't think. It's one thing to talk to
> > dbus, it's another to talk to services using dbus.
> So there will be a D-Bus configuration which controls who is allowed to
> talk to whom? Unprivileged apps only get very selective access to some
> services and not to other apps or services which are not prepared to do
> Cynara checks?
The option to configure dbus based on Smack label is available.
I suppose that someone cleverer than I am might be able to
start with the application manifest and create dbus rules for some
The general rule remains that programs providing privileged services
have to be changed to use Cynara. dbus is not a magic wand.
> Best Regards, Patrick Ohly
> The content of this message is my personal opinion only and although
> I am an employee of Intel, the statements I make here in no way
> represent Intel's position on the issue, nor am I authorized to speak
> on behalf of Intel on this matter.
More information about the Dev