Smack domains User::Home and User::App::Shared

Patrick Ohly patrick.ohly at intel.com
Wed Apr 8 09:41:11 GMT 2015


On Wed, 2015-04-08 at 10:23 +0200, Rafał Krypa wrote:
> On 2015-03-23 10:06, Patrick Ohly wrote:
> 
> > Where can I find more information about the new(ish) domains
> > "User::Home" and "User::App::Shared"? What's the intended usage?
> 
> Hi Patrick,
> The new labels were introduced to provide applications different level
> of access to files in user home directory.
> The following labels in User domain are currently defined:
>       * "User" - files with that label cannot be accessed by
>         applications
>       * "User::Home" - applications can access read only
>       * "User::App::Shared" - applications can freely read and write,
>         with transmute
>       * "User::App::$app_id" - private files of an application
>       * "User::App::$pkg_id" - directories for application package,
>         for exchanging data between apps with the same package id

Thanks, that clarifies it.

> > Commit messages introducing them only refer to September 2014 F2F
> > meeting in Vannes, without explaining the purpose for those who were not
> > at that meeting.
> 
> I thought that the Smack labels were mentioned somewehere on Tizen
> wiki, but it seems that they aren't.
> I will update the Smack page accordingly to fix that.

There is https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel but
as discussed with Casey a year ago [1], it is misleading and/or
outdated, because it does not explain that apps run under their own
Smack label. Quite the opposite, the page still says that "security
domains are explicitly defined in advance" and "role of packaging is
significantly reduced" which IMHO is the opposite of what is expected to
happen (apps again have their own Smack label and package manager is a
crucial component of the system).

[1] https://www.mail-archive.com/dev%40lists.tizen.org/msg02364.html

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.





More information about the Dev mailing list