[Dev] Cynara session ID

Patrick Ohly patrick.ohly at intel.com
Fri May 16 08:32:40 GMT 2014


On Fri, 2014-05-16 at 11:00 +0300, Jussi Laako wrote:
> On 16.5.2014 9:58, José Bollo wrote:
> > I share your analysis. It isn't pragmatic to expect that dbus will guess
> > the session id.
> 
> It can provide PID, or other info about the dbus connection, but it 
> could also generate other types of identifiers for the bus connection.

This is also my thinking: the application session identifier is
something separate from the pid or service-specific identifiers, and
therefore must be attached to processes and transferred via IPC
mechanisms just like pid and Smack label are already.

> What is the session id used for anyway?

It's used to grant access temporarily. The Cynara Wiki page has more
information about that:
https://wiki.tizen.org/wiki/Security:Cynara#Policies

> The access rule should be simple, application requests access for 
> privilege X (provided by service in its manifest and granted for 
> application by its manifest) and the privilege is either granted or not.
> 
> If it is anything more complex, then you are just overcomplicating the 
> picture.

I don't have a strong opinion about whether this feature is useful or
not. I'm merely pointing out that it's part of the current Cynara design
and (IMHO) will be a bit problematic to implement reliably the way it is
designed at the moment.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.




