[Dev] Cynara buckets

Aleksander Zdyb a.zdyb at samsung.com
Fri Aug 21 12:53:47 GMT 2015


On 21.08.2015 14:16, Patrick Ohly wrote:
> On Fri, 2015-08-21 at 13:25 +0200, Aleksander Zdyb wrote:
>> As for Security Manager, there are indeed more than half a dozen buckets
>> used:
>> ADMIN MANIFESTS USER_TYPE_ADMIN USER_TYPE_GUEST and more.
>> It's been designed this way so it's easier to maintain them and faster to
>> get matching rules. But this is Tizen 3.0 specific. Other
>> implementations can
>> use the buckets concept in any other way (see example above) or not use it
>> at all.
> One more question about this.
>
> When I use security-manager-policy-reload to create the Cynara DB, it'll
> create these user profile buckets with:
>
> # Import user-type policies
> find "$POLICY_PATH" -name "usertype-*.profile" |
> while read file
> do
> ...
>
>      # Link the bucket to ADMIN bucket
>      cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
>          --bucket="$bucket" --metadata="ADMIN"
>
> This creates a BUCKET rule in, for example, USER_TYPE_ADMIN:
> *;*;*;0xFFFE;ADMIN
>
> Isn't that the wrong way around? Buckets are linked as follows:
> "" (the unnamed bucket) -> MAIN -> MANIFESTS
>
> Nothing links to USER_TYPE_ADMIN, so ADMIN is also not reached.
>
> Does that look right? Then what is the purpose of these usertype
> profiles? How do they get activated in Cynara?
>

Privacy Manager rules will be added to the unnamed bucket.
Users will be added to MAIN. Maybe there is currently no admin,
so nothing points to the USER_TYPE_ADMIN bucket. Security Manager
adds rules as users are created or removed.

You can play with security-manager-cmd to add and remove users
and see what happens.

Please refer to this diagram for more details:
https://github.com/Samsung/security-manager/blob/860305a595d681d650024ad07b3b0977e1fcb0a6/src/common/cynara.cpp#L64

HTH

-- 
Aleksander Zdyb
Samsung R&D Institute Poland
Samsung Electronics
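The bucket-reachability question raised in the thread, worked through as an added example (not code from Cynara or Security Manager): it parses records in the `client;user;privilege;type;metadata` dump format quoted above, follows type 0xFFFE (BUCKET) links from the unnamed bucket, and lists buckets nothing links to. The `bucket|record` line layout, the uid 5001 and the shape of the user rule added to MAIN are constructed assumptions; only link reachability is modelled, not Cynara's full policy matching.

```python
# Added example: walks BUCKET links in a constructed Cynara policy dump to show
# which buckets are reachable from the unnamed bucket "" (the evaluation entry point).
# Records use the dump format quoted in the thread: client;user;privilege;type;metadata
# where type 0xFFFE means BUCKET and metadata names the linked bucket.
# Only link reachability is modelled here, not Cynara's full matching rules.
from collections import deque

BUCKET = 0xFFFE  # policy type that links to another bucket (metadata = target bucket)

def parse_dump(dump):
    """Parse 'bucket|record' lines (constructed layout) into {bucket: [records]}."""
    buckets = {}
    for line in dump.strip().splitlines():
        bucket, record = line.split("|", 1)
        client, user, privilege, ptype, metadata = record.split(";")
        buckets.setdefault(bucket, []).append(
            {"client": client, "user": user, "privilege": privilege,
             "type": int(ptype, 16), "metadata": metadata})
    return buckets

def reachable_buckets(buckets, start=""):
    """Return the set of buckets reachable from `start` by following BUCKET links."""
    seen, queue = {start}, deque([start])
    while queue:
        name = queue.popleft()
        for rec in buckets.get(name, []):
            target = rec["metadata"]
            if rec["type"] == BUCKET and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

def orphan_buckets(buckets):
    """Buckets that exist in the database but are never reached from the unnamed bucket."""
    return sorted(set(buckets) - reachable_buckets(buckets))

# Constructed dump mirroring the state described in the thread: "" -> MAIN -> MANIFESTS,
# and USER_TYPE_ADMIN -> ADMIN with nothing yet pointing at USER_TYPE_ADMIN.
FRESH_DB = """
|*;*;*;0xFFFE;MAIN
MAIN|*;*;*;0xFFFE;MANIFESTS
MANIFESTS|*;*;*;0xFFFF;
USER_TYPE_ADMIN|*;*;*;0xFFFE;ADMIN
ADMIN|*;*;*;0xFFFF;
"""
# Same database after an admin user (assumed uid 5001) has been added to MAIN.
WITH_ADMIN_USER = FRESH_DB + "MAIN|*;5001;*;0xFFFE;USER_TYPE_ADMIN\n"

if __name__ == "__main__":
    print("orphans before adding a user:", orphan_buckets(parse_dump(FRESH_DB)))
    print("orphans after adding a user: ", orphan_buckets(parse_dump(WITH_ADMIN_USER)))
```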