[Dev] testing cynara

Zhang, Xu U xu.u.zhang at intel.com
Wed May 21 02:26:15 GMT 2014


> -----Original Message-----
> From: Lukasz Wojciechowski [mailto:l.wojciechow at partner.samsung.com]
> Sent: Tuesday, May 20, 2014 9:57 PM
> To: Ohly, Patrick
> Cc: Zhang, Xu U; Kis, Zoltan; José Bollo; dev at lists.tizen.org
> Subject: Re: testing cynara
> 
> In bootstrap version of cynara that is already merged on tizen.org, privilege
> checking and installation processes do work.
[Zhang Xu ] where can I get bootstrap version from tizen.org? Could you please provide a link?
> 
> To install application properly usage of libsecurity-manager-client API is
> needed.
> We have provided a patch for wrt-installer
> https://review.tizen.org/gerrit/#/c/20457/ (already review and verified, but not
> merged yet - we are waiting for maintainers move). If wrt-installer with that
> patch is used an installed application will inject proper policy for privileges
> defined in manifest.
[Zhang Xu ] From https://wiki.tizen.org/wiki/Security:Cynara#libCynaraAdmin, it seems installer should call libCynaraAdmin to add polices such as permissions. What's relationship between libCynaraAdmin and libsecurity-manager-client? Is there a guide for how to insert/update/remove policy? So that crosswalk installer can take use of to install permissions?  
> 
> This policy can be later checked with libcynara-client.
> 
> The only thing You have to remember about is that currently all applications are
> labeled with SMACK label "User" - so defining access to some privilege shall
> grant permission for all applications with that label and uninstallation process
> won't take away rights (as there still may be some applications that needs that
> permission).
> Situation should normalize when all applications will receive different smack
> labels (based on package id of an application).
> 
> I think this is enough for testing libcynara-client usage for now. I don't plan to
> launch any special test procedures in nearest future.
> 
> best wishes
> Lukasz
> 
> W dniu 2014-05-19 14:02, Patrick Ohly pisze:
> > On Mon, 2014-05-19 at 13:39 +0200, Lukasz Wojciechowski wrote:
> >> cynara provides two libraries:
> >> * libcynara-client - accessible for everybody - just for checking
> >> privileges
> >> * libcynara-admin - accessible only for privileged processes
> >> (probably only for SecurityManager - but it is a topic to discuss) -
> >> for managing policies
> > Is there (or will there be) a way to set up a test environment where
> > Cynara's policy database is populated with some policies and a process
> > (ideally a bash shell) runs with reduced privileges?
> >
> > That will be needed by service developers to check that their Cynara
> > calls are working as expected.
> >



More information about the Dev mailing list