[Dev] Update of security framework repositories

Schaufler, Casey casey.schaufler at intel.com
Mon Feb 24 18:06:40 GMT 2014


> -----Original Message-----
> From: dev-bounces at lists.tizen.org [mailto:dev-bounces at lists.tizen.org] On
> Behalf Of Krzysztof Jackiewicz
> Sent: Monday, February 24, 2014 9:50 AM
> To: 'dev'
> Subject: [Dev] Update of security framework repositories
> 
> Dear All,
> 
> In order to get mobile profile working we (the Samsung Security Framework
> Team) have to update several security framework repositories with changes
> developed by us in parallel with tizen.org. All these commits went through
> Samsung's gerrit code review and were continuously tested (with tests from
> security-tests repo). We have also successfully compiled and tested them on
> tizen.org image. Our changes have been already pushed to sandbox
> branches in corresponding tizen.org repositories.
> 
> Please find the list of affected repositories with changes summary and
> proposed merge strategy:
> 
> 
> *platform/upstream/smack*
> There's one major update in smack code - smackload-fast utility for multiline
> loading startup rules. In addition we have few bug fixes and few modification
> in systemd's startup scripts for smack service. And last but not least  -
> switching from 'smackctl apply' to 'smackload-fast' in systemd's smack
> service.

NAK.

Systemd takes care of loading the Smack rules. The three domain
model eliminates the need for "fast" rule loading.


 
> We have cherry-picked our changes on top of tizen branch and pushed them
> to sandbox:
> https://review.tizen.org/gerrit/gitweb?p=platform%2Fupstream%2Fsmack.g
> it;a=shortlog;h=refs%2Fheads%2Fsandbox%2Fzjasinski%2Fsamsung_devel
> 
> We'd like to do a fast-forward merge of sandbox and tizen branch.

Do not do this.

> *platform/core/security/libprivilege-control*
> One major internal change - use of sqlite3 database instead of plain files for
> privileges & apps associations.
> Extended and updated API: new naming convention, new app permission
> querying & management functions.
> 
> Our branch and tizen.org one have a common history but there were a lot of
> changes on both sides since they diverged so we decided to merge them.
> The merge have been submitted to gerrit for review:
> https://review.tizen.org/gerrit/#/c/16834/

I have -2ed this review.

> *platform/core/security/security-server*
> - Rewriten all code, removed unused api
> - Split code into modules (like: cookies, password, open_for, data_share).
> - Each module has own socket
> - Each socket may have different label

All labels and rules need to be documented in
https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel
and conform to the "peer" domain scheme.

> - Add support for systemd (systemd creates socket and set up labels).
> Please note: currently all labels for sockets are set to "*" because of "policy
> reset" made on tizen.org

We need to talk about this in the context of the three domain model.

> Security-server changes have been cherry-picked on top of tizen.org/tizen
> branch. It's available on sandbox branch:
> https://review.tizen.org/gerrit/gitweb?p=platform%2Fcore%2Fsecurity%2Fs
> ecurity-
> server.git;a=shortlog;h=refs%2Fheads%2Fsandbox%2Fade%2Fsamsung_dev
> el
> 
> We'd like to perform a fast-forward merge of sandbox and tizen branch.

No. Do not do this.

> *platform/core/test/security-tests*
> This is a new repo that covers tests for three repos above. We'd like to do a
> fast-forward merge of sandbox and tizen branch:
> https://review.tizen.org/gerrit/gitweb?p=platform%2Fcore%2Ftest%2Fsecur
> ity-
> tests.git;a=shortlog;h=refs%2Fheads%2Fsandbox%2Fmniesluchow%2Fsams
> ung_devel
> 
> 
> Please let us know if you have any objections or comments.

Done!

 
> Best regards,
> 
> --
> Krzysztof Jackiewicz
> Samsung R&D Institute Poland
> Samsung Electronics
> k.jackiewicz at samsung.com
> 
> _______________________________________________
> Dev mailing list
> Dev at lists.tizen.org
> https://lists.tizen.org/listinfo/dev


More information about the Dev mailing list