[Dev] Tizen security workshop - summary
t.swierczek at samsung.com
Wed Aug 27 13:54:56 GMT 2014
It is planned to be in security-manager (Rafal is working on it). We don't want to put this into Cynara to keep Cynara clean from Tizen-specific things. Security-Manager will contain the APIs needed for proper setup of the process context before application launch (incl. calculating the proper string of characters for the Smack label - this is already there).
As for the DB - currently we have the smack-privilege-config repository that keeps the mapping between Smack rules and privileges. Obviously, as we all know, we won't use Smack configuration like this, but I believe we should have a similar repository for group-to-privilege mapping and keep the list of GIDs for each privilege there. Maybe we could even keep it in security-manager, although this is rather a matter of configuration, not code, so a separate repository is probably a better idea.
@Rafal - when can we expect the needed APIs to be implemented?
Samsung R&D Institute Poland
From: Dev [mailto:dev-bounces at lists.tizen.org] On Behalf Of José Bollo
Sent: Wednesday, August 27, 2014 3:17 PM
To: dev at lists.tizen.org
Subject: Re: [Dev] Tizen security workshop - summary
On Mon, 2014-07-14 at 13:06 +0200, Tomasz Swierczek wrote:
> 6. We agreed that we will develop a launcher that will be
> responsible for native applications
> a. We decided that for now we will try to perform a standard exec()
> after setting up the proper security context
> b. Contact point: Jose Bollo
I just worked on the topic these last 2 days. The main problem currently
is to add supplementary groups needed for some privileges (the typical
example being video IIRC).
To achieve the work, I first want to iterate with you on a few items.
I'm finding that there is a need to have a kind of database mapping
privileges to groups that have to be added to the process. Is there any
plan about such knowledge DB? Do you expect it to be sqlite? Should it
be queried using client/server or directly?
After having put the groups directly, I'm now considering that it would
be better to ask for Cynara. This will be slower but will let the system
decide to grant or not the accesses after user confirmation if needed.
Do you agree?
Then what about an integration of the topic into the Cynara client API? Just
an idea, because it seems to be changing too many things while the job can be
done in another way.
I'm also asking myself whether other clients (tizen-extension-crosswalk for
example) will need to add groups dynamically?
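
The launcher step discussed in this thread (resolve privileges to supplementary groups, then exec()), as an added example that is not code from the thread, security-manager or Cynara. The privilege names, GIDs, table and function names are constructed placeholders, and the privileges passed in are assumed to have already been granted by whatever policy check the system uses.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample mapping: placeholder privilege names and GIDs,
   not Tizen's real configuration. */
struct priv_gid { const char *privilege; gid_t gid; };
static const struct priv_gid PRIV_GIDS[] = {
    { "example.privilege.camera",  5001 },
    { "example.privilege.camera",  5002 },  /* one privilege may need several groups */
    { "example.privilege.display", 5002 },
    { "example.privilege.network", 5003 },
};

/* Collect the de-duplicated GIDs for the granted privileges.
   Returns the count, or -1 if `out` is too small. Unknown privileges add nothing. */
int gids_for_privileges(const char *const *privs, size_t nprivs, gid_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t p = 0; p < nprivs; p++)
        for (size_t m = 0; m < sizeof PRIV_GIDS / sizeof PRIV_GIDS[0]; m++) {
            if (strcmp(privs[p], PRIV_GIDS[m].privilege) != 0) continue;
            size_t k = 0;
            while (k < n && out[k] != PRIV_GIDS[m].gid) k++;
            if (k < n) continue;          /* GID already in the list */
            if (n == cap) return -1;
            out[n++] = PRIV_GIDS[m].gid;
        }
    return (int)n;
}

/* Hypothetical launcher step: set supplementary groups, drop to the app
   identity, then exec(). setgroups() needs CAP_SETGID, so it must run before
   setgid()/setuid(). Returns -1 on failure; does not return on success. */
int launch_app(const char *path, char *const argv[], uid_t uid, gid_t gid,
               const char *const *privs, size_t nprivs)
{
    gid_t groups[32];
    int n = gids_for_privileges(privs, nprivs, groups, 32);
    if (n < 0) return -1;
    /* Smack label setup would happen here, before privileges are dropped. */
    if (setgroups((size_t)n, groups) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    execv(path, argv);
    return -1;                            /* exec failed */
}
```

Every failure path returns before exec(), so an application is never started with a partially applied identity.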