[Dev] Tizen security workshop - summary

José Bollo jose.bollo at open.eurogiciel.org
Thu Aug 28 14:51:46 GMT 2014


On Wed, 2014-08-27 at 18:46 +0200, Rafał Krypa wrote:
> On 2014-08-27 15:16, José Bollo wrote:
> > On Mon, 2014-07-14 at 13:06 +0200, Tomasz Swierczek wrote:
> >
> >> 6.      We agreed that we will develop launcher that will be
> >> responsible for native applications
> >>
> >> a.      We decided that for now we will try to perform standard exec()
> >> after setting up proper security context
> >>
> >> b.     Contact point: Jose Bollo
> > Hi all,
> >
> > I just worked on the topic these last 2 days. The main problem currently
> > is to add supplementary groups needed for some privileges (the typical
> > example being video IIRC).
> >
> > To achieve the work, I first want to iterate with you on a few items.
> >
> > I'm finding that there is a need to have a kind of database mapping
> > privileges to groups that have to be added to the process. Is there any
> > plan about such knowledge DB? Do you expect it to be sqlite? Should it
> > be queried using client/server or directly?

Hi Rafał,

> Appropriate schema is already in place in internal data base of
> security-manager. But this should not be touched directly, there will
> be a function in security-manager simply setting additional groups for
> current process. I expect to release it this week.

That is great: my job will be very simple now!

> I'm still considering how to populate this data base.
> Obviously we need some tracking of this configuration in git
> (so text format is preferred) and it needs to be loaded to
> security-manager's data base. As Tomasz suggested, something
> similar to smack-privilege-config from Tizen 2 would be nice. But
> before we get proper repository in place you could play with
> /usr/dbspace/.security-manager.db directly, as a temporary solution.

SQL statements are text files. We may consider a sql text file to
populate only that part of the file.

> > After having put the groups directly, I'm now considering that it would
> > be better to ask for Cynara. This will be slower but will let the system
> > decide to grant or not the accesses after user confirmation if needed.
> > Do you agree?
> 
> You are right, this is the proper way.
> The planned design is to let security-manager ask
> Cynara for privileges and only use gids for privileges granted by Cynara.

I've identified that the Smack exec label is the main key for doing
that. Do you agree with that?

> > Then what about an integration of the topic into cynara client API? Just
> > an idea because it seems changing too many things while the job can be
> > done in another way.
> 
> This feature doesn't belong to Cynara itself. It's a Tizen specific thing,
> using information from Cynara (i.e. allowed privileges) and granting some
> access based on that information (i.e. assign process to additional groups).
> This is the kind of logic that security-manager was created for.
> 
> > I'm also asking myself if other clients (tizen-extension-crosswalk for
> > example) will need to add groups dynamically?
> 
> The mentioned security-manager API is intended for application launchers.
> So it should be used also by Crosswalk for launching extension
> and browser processes.

Great, as I wrote.

I would really appreciate having a look at the new API soon.

Best regards
José
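
The launcher flow discussed in this thread (ask the policy, keep only the gids of granted privileges, set the security context, then exec()), shown as an added example that is not from any participant and is not security-manager or Cynara code. All names, the privilege table and its gids are hypothetical; the policy callback stands in for the Cynara query, and setting the Smack label itself is left out.

```c
#define _DEFAULT_SOURCE              /* for setgroups() on glibc */
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed privilege -> gid table; names and gids are placeholders. */
struct priv_group { const char *privilege; gid_t gid; };
static const struct priv_group PRIV_GROUPS[] = {
    { "example.privilege.camera",  2001 },
    { "example.privilege.audio",   2002 },
    { "example.privilege.network", 2003 },
};
#define N_PRIV_GROUPS (sizeof PRIV_GROUPS / sizeof PRIV_GROUPS[0])
/* Hypothetical policy callback standing in for the query to the policy service. */
typedef int (*policy_check_fn)(const char *label, const char *privilege);

/* Keep a gid only when the policy grants its privilege to this label. */
size_t select_gids(const char *label, policy_check_fn granted, gid_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < N_PRIV_GROUPS && n < cap; i++)
        if (granted(label, PRIV_GROUPS[i].privilege))
            out[n++] = PRIV_GROUPS[i].gid;
    return n;
}

/* Constructed policy: label "app-a" holds camera and network, nothing else. */
int demo_policy(const char *label, const char *privilege)
{
    return strcmp(label, "app-a") == 0 &&
           (strstr(privilege, "camera") || strstr(privilege, "network"));
}

/* Needs root. Order: supplementary groups, gid, uid, then exec; any failure aborts. */
int launch(const char *label, uid_t uid, gid_t gid, char *const argv[])
{
    gid_t gids[N_PRIV_GROUPS];
    size_t n = select_gids(label, demo_policy, gids, N_PRIV_GROUPS);
    if (setgroups(n, gids) != 0) return -1;  /* replaces any inherited groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    execv(argv[0], argv);
    return -1;                               /* reached only if exec failed */
}

int main(int argc, char *argv[])
{
    /* Usage, as root: ./launcher /path/to/app [args]; 5001 is a placeholder id. */
    return argc > 1 ? launch("app-a", 5001, 5001, &argv[1]) : 1;
}
```

Calling setgroups() with the filtered list also clears groups inherited from the launcher, so a label with no granted privileges starts with no supplementary groups.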


