Inline. Casey can add more if he would like.

On Tue, Nov 19, 2013 at 6:34 AM, José Bollo <[email protected]> wrote:

> On ven, 2013-11-15 at 21:56 +0000, Schaufler, Casey wrote:
> > We're in the process of merging the changes for the 3 Smack domain
> > policy.
>
> That is great to go to only 3 smack's domain!

Yes, this makes maintenance much easier and much less complex.

> We are looking to something a little more sophisticated [1]. Our reasons
> to have more domains are:
>
> - we would like to isolate a core system comprising kernel and packaging
> items: all the minimal things that MUST be preserved for a minimal
> restart/reinstall.

We wanted to create a minimal set of domains and rules to allow developers to have something reasonable to start with. It is much easier to look at < 10 domains and hundreds of rules as opposed to tens of thousands of rules. Nothing stops you from adding additional domains. Remember that for each additional Domain you must create the rules to allow other domains to [rwx] etc.

> - we would like to enforce security and privacy of applications (natives
> and WRT) as defined on tizen.org [2] by using SMACK. We want to do it
> coarse-grained to minimize the complexity.

Security and privacy, yes... Please keep in mind that Smack is an access control mechanism and NOT a policy manager.

> (snip)
>
> > The changes required for the Linux kernel have been accepted. The
> > systemd and related changes are poised. The User domain setup will go in
> > once the systemd changes are in. We're waiting on a toolchain change that
> > will allow images to be built with the correct labeling.
>
> I'm curious. What are the poised changes? It seems to touch the kernel,
> systemd and the toolchain. I would really appreciate to have some
> details and/or pointers to this nearly incoming changes.

There are specific ways that systemd interacts with the running system that Smack needed to take into account.

There are some runtime directories that when created by systemd they could no longer be written to by the running application. Also some runtime files created were not labeled correctly. There was also additional functionality added to the kernel for read locking. Casey can add more detail here...

Michael

> Cheers
> José Bollo
>
> [1] https://wiki.tizen.org/wiki/Security/A_computer-aided_SMACK
> [2] https://developer.tizen.org/dev-guide/2.2.1/org.tizen.web.appprogramming/html/basics_tizen_programming/web_security_privacy.htm
>
> > Once that is in place we will start polishing access rules and looking
> > into peer domains.
> >
> > _______________________________________________
> > Dev mailing list
> > [email protected]
> > https://lists.tizen.org/listinfo/dev

--
Michael Demeter
Sr. Software Engineer
Open Source Technology Center - SSG
Intel Corporation
