[Dev] Update of security framework repositories
casey.schaufler at intel.com
Mon Feb 24 18:06:40 GMT 2014
> -----Original Message-----
> From: dev-bounces at lists.tizen.org [mailto:dev-bounces at lists.tizen.org] On
> Behalf Of Krzysztof Jackiewicz
> Sent: Monday, February 24, 2014 9:50 AM
> To: 'dev'
> Subject: [Dev] Update of security framework repositories
> Dear All,
> In order to get mobile profile working we (the Samsung Security Framework
> Team) have to update several security framework repositories with changes
> developed by us in parallel with tizen.org. All these commits went through
> Samsung's gerrit code review and were continuously tested (with tests from
> security-tests repo). We have also successfully compiled and tested them on
> tizen.org image. Our changes have been already pushed to sandbox
> branches in corresponding tizen.org repositories.
> Please find the list of affected repositories with changes summary and
> proposed merge strategy:
> There's one major update in smack code - smackload-fast utility for multiline
> loading startup rules. In addition we have few bug fixes and few modification
> in systemd's startup scripts for smack service. And last but not least -
> switching from 'smackctl apply' to 'smackload-fast' in systemd's smack
Systemd takes care of loading the Smack rules. The three domain
model eliminates the need for "fast" rule loading.
> We have cherry-picked our changes on top of tizen branch and pushed them
> to sandbox:
> We'd like to do a fast-forward merge of sandbox and tizen branch.
Do not do this.
> One major internal change - use of sqlite3 database instead of plain files for
> privileges & apps associations.
> Extended and updated API: new naming convention, new app permission
> querying & management functions.
> Our branch and tizen.org one have a common history but there were a lot of
> changes on both sides since they diverged so we decided to merge them.
> The merge have been submitted to gerrit for review:
I have -2ed this review.
> - Rewriten all code, removed unused api
> - Split code into modules (like: cookies, password, open_for, data_share).
> - Each module has own socket
> - Each socket may have different label
All labels and rules need to be documented in
and conform to the "peer" domain scheme.
> - Add support for systemd (systemd creates socket and set up labels).
> Please note: currently all labels for sockets are set to "*" because of "policy
> reset" made on tizen.org
We need to talk about this in the context of the three domain model.
> Security-server changes have been cherry-picked on top of tizen.org/tizen
> branch. It's available on sandbox branch:
> We'd like to perform a fast-forward merge of sandbox and tizen branch.
No. Do not do this.
> This is a new repo that covers tests for three repos above. We'd like to do a
> fast-forward merge of sandbox and tizen branch:
> Please let us know if you have any objections or comments.
> Best regards,
> Krzysztof Jackiewicz
> Samsung R&D Institute Poland
> Samsung Electronics
> k.jackiewicz at samsung.com
> Dev mailing list
> Dev at lists.tizen.org
More information about the Dev