[Dev] Tizen security workshop - summary
r.krypa at samsung.com
Wed Aug 27 16:46:34 GMT 2014
On 2014-08-27 15:16, José Bollo wrote:
> On lun, 2014-07-14 at 13:06 +0200, Tomasz Swierczek wrote:
>> 6. We agreed that we will develop launcher that will be
>> responsible for native applications
>> a. We decided that for now we will try to perform standard exec()
>> after setting up proper security context
>> b. Contact point: Jose Bollo
> Hi all,
> I just worked on the topic these last 2 days. The main problem currently
> is to add supplementary groups needed for some privileges (the typical
> example being video IIRC).
> To achieve the work, I first want to iterate with you on a few items.
> I'm finding that there is a need to have a kind of database mapping
> privileges to groups that have to be added to the process. Is there any
> plan about such knowledge DB? Do you expect it to be sqlite? Should it
> be queried using client/server or directly?
An appropriate schema is already in place in the internal database of security-manager. But this should not be touched directly; there will be a function in security-manager simply setting additional groups for the current process. I expect to release it this week.
I'm still considering how to populate this database. Obviously we need some tracking of this configuration in git (so a text format is preferred) and it needs to be loaded into security-manager's database. As Tomasz suggested, something similar to smack-privilege-config from Tizen 2 would be nice. But before we get a proper repository in place you could play with /usr/dbspace/.security-manager.db directly, as a temporary solution.
> After having put the groups directly, I'm now considering that it would
> be better to ask for Cynara. This will be slower but will let the system
> decide to grant or not the accesses after user confirmation if needed.
> Do you agree?
You are right, this is the proper way. The planned design is to let security-manager ask Cynara for privileges and only use gids for privileges granted by Cynara.
> Then what about an integration of the topic into cynara client API? Just
> an idea because it seems changing too many things while the job can be
> done in another way.
This feature doesn't belong to Cynara itself. It's a Tizen-specific thing, using information from Cynara (i.e. allowed privileges) and granting some access based on that information (i.e. assigning the process to additional groups). This is the kind of logic that security-manager was created for.
> I'm also asking myself if other clients (tizen-extension-crosswalk for
> example) will need to add groups dynamically?
The mentioned security-manager API is intended for application launchers. So it should also be used by Crosswalk for launching extension and browser processes.
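
The flow discussed in this thread (map privileges to groups, keep only the groups whose privilege the policy grants, then set the context and exec()), as an added example that is not security-manager's or Cynara's code. The table, privilege names, gids and `sample_policy` are constructed assumptions; in the design above the decision would come from Cynara.

```c
#define _DEFAULT_SOURCE 1                   /* exposes setgroups() on glibc */
#include <grp.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical privilege -> gid table, standing in for the database discussed above. */
static const struct { const char *privilege; gid_t gid; } PRIV_GROUPS[] = {
    { "example.camera",  6001 },            /* constructed names and gids */
    { "example.display", 6001 },            /* two privileges may share one group */
    { "example.audio",   6002 },
};

/* Constructed stand-in for the policy decision: everything but audio is allowed. */
int sample_policy(const char *app_id, const char *privilege)
{
    return app_id != NULL && strcmp(privilege, "example.audio") != 0;
}

/* Gids of the requested privileges the policy allows, deduplicated; -1 if out[] is too small. */
int collect_groups(const char *app_id, const char *const *req, size_t n_req,
                   int (*allowed)(const char *, const char *), gid_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < n_req; i++) {
        if (!allowed(app_id, req[i]))
            continue;                       /* denied: contributes no group */
        for (size_t j = 0; j < sizeof PRIV_GROUPS / sizeof PRIV_GROUPS[0]; j++) {
            size_t k = 0;
            if (strcmp(PRIV_GROUPS[j].privilege, req[i]) != 0)
                continue;
            while (k < n && out[k] != PRIV_GROUPS[j].gid)
                k++;                        /* search for an existing copy of the gid */
            if (k == n && n == cap)
                return -1;
            if (k == n)
                out[n++] = PRIV_GROUPS[j].gid;
        }
    }
    return (int)n;
}

/* Set groups and gid while still privileged, setuid() last; exec only if all succeed. */
int launch(uid_t uid, gid_t gid, const gid_t *groups, size_t n, char *const argv[])
{
    if (setgroups(n, groups) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    execv(argv[0], argv);
    return -1;                              /* reached only if execv() failed */
}
```

A privilege with no table entry adds no group, and a failed setgroups(), setgid() or setuid() stops the launch before execv() is reached.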