[Dev] Understanding Cynara scope.

Patrick Ohly patrick.ohly at intel.com
Wed May 14 07:23:56 GMT 2014


On Tue, 2014-05-13 at 21:44 +0000, Schaufler, Casey wrote:
> The Smack label of the task executing the application code
> (be it a plugin, separate executable or some other mechanism)
> must be set to the label assigned to that application. Once this
> is accomplished the services that use Cynara to make application
> access checks have the information they need to do so. Crosswalk
> need only set the process Smack label before invoking the
> application.

This assumes that Crosswalk runs a separate process for each
application, doesn't it? That assumption has pretty much been shown to
not hold.

> So no, I don't see Crosswalk using Cynara unless Crosswalk
> is providing "privileged" services. If Crosswalk is providing
> privileged services (which seems unreasonable, but is possible)
> it will have to do its part in enforcement. If it is proxying it
> will have to either do the enforcement or pass along the
> application's credential (Smack label and possibly uid)
> information.
> 
> It should be pretty simple.

Then how can Crosswalk pass along the application's credentials to a
D-Bus service such that the D-Bus service can a) receive them and b)
trust the information?

Can someone explain the details and come up with the necessary software
patches? Perhaps it's simple technically, but if no-one can do that for
other reasons (perhaps because he or she has no time), then it is a hard
problem for the project.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.




