[Dev] How to share files with Cynara

Schaufler, Casey casey.schaufler at intel.com
Tue Apr 22 16:26:28 GMT 2014


> -----Original Message-----
> From: José Bollo [mailto:jose.bollo at open.eurogiciel.org]
> Sent: Tuesday, April 22, 2014 8:37 AM
> To: Schaufler, Casey
> Cc: dev at lists.tizen.org
> Subject: Re: [Dev] How to share files with Cynara
> 
> On mar, 2014-04-22 at 14:36 +0000, Schaufler, Casey wrote:
> > > -----Original Message-----
> > > From: Dev [mailto:dev-bounces at lists.tizen.org] On Behalf Of José Bollo
> > > Sent: Tuesday, April 22, 2014 7:07 AM
> > > To: dev at lists.tizen.org
> > > Subject: [Dev] How to share files with Cynara
> > >
> > > Hi all,
> > >
> > > I submit you some use cases of file sharing between applications. Can
> > > you please explain how to handle it with Cynara.
> >
> > Alas, we are required to have places where all applications can
> > share files with impunity. No privilege required.
> 
> Making applications collaborating isn't so bad;)
> 
> How will the files be labeled? (security.SMACK64)
>  - User::App::????
>  - User

Caveat: This should be considered design discussion.
While I will attempt to sound authoritative, there is
plenty of room for disagreement, improvement and
correction.

We have more than one sort of sharing to address:
	1. Removable media
	2. Shared by everyone always
	3. Shared among all "privileged" applications
	4. Shared among a specific set of applications

Case 1 is easy.
We mount the media with an unlabeled filesystem type
(FAT) with smackfsdefault='*',smackfsroot='*' and we're done.

Case 2 is also easy, but not quite so simple nor so pretty.
Create a directory $HOME/tmp (for example). Label it User::App::Tmp
and mark it transmuting. When an application is installed a Smack rule
has to be added to allow it access: "AppLabel User::App::Tmp rwxat".

Case 3 is similar.
Create a directory $HOME/managed (for example).
Label it User::App::Managed and mark it transmuting.
When an application is granted the privilege add a Smack rule
to allow it access: "AppLabel User::App::Managed rwxat".
When the application is disallowed the privilege change the
rule to "AppLabel User::App::Managed -".

Case 4 is like case 3, except for how to decide which applications
are given access to the directory. This is left as an exercise for
the reader.

If we want to make applications from all users share data we
can put the data in /opt/apps instead of $HOME.
 
> Best regards
> José
> 
> >
> > > 1. An application downloads a PDF, how to watch it using pdfviewer?
> > >
> > > 2. How to join an image, a playlist, to an email?
> > >
> > > 3. How to import a drawing from inkscape to libreoffice?
> > >
> > > 4. How to cut/copy and paste data from an application to an other? (for
> > > example from a mail to libre office).
> > >
> > > Best regards
> > > José
> > >
> > > _______________________________________________
> > > Dev mailing list
> > > Dev at lists.tizen.org
> > > https://lists.tizen.org/listinfo/dev
> 



More information about the Dev mailing list