On Mon, 2014-04-14 at 16:07 +0200, Lukasz Wojciechowski wrote:
> On 2014-04-14 15:44, Patrick Ohly wrote:
> > On Mon, 2014-04-14 at 15:09 +0200, Lukasz Wojciechowski wrote:
> >> I have an impression that the discussion went somewhere wrong. Is this
> >> thread still about Cynara?
> >
> > The display server aspect is going a bit far, but I still think that it
> > is relevant for assessing Cynara to understand how the rest of the
> > problem is going to get addressed (or not addressed).
> >
> > It was not said clearly at the beginning which apps will be denied
> > access via Cynara, and how said apps will be prevented from accessing
> > data handled by the service.
> >
> > In my current understanding, Cynara is targeted at web apps which run
> > inside a controlled environment already (the web runtime) and can only
> > access the host through these services. That Cynara checks will also be
> > applied to native system apps is a side effect that we won't take
> > advantage of at the moment, because these apps can already do anything
> > they want to the user's data anyway. Note that I am thinking of the PIM
> > data case here, where service and app both run using the user's uid; it
> > may be different for more privileged and/or special services.
> >
> > Is that correct?
>
> I think apps cannot do anything they want with user data. Even native
> apps have access only to their private data.
> Every application with its data folders should be Smack labeled. Smack
> labels are added in the installation process for all applications: web,
> native, etc.
> Different Smack labels for apps give us Smack-level separation.
>
> Consider what Rafał Krypa <[email protected]> wrote:
>
> One assumption for Smack is needed for this model to work:
> to assign separate Smack labels for the applications.
> I believe that there is a consensus to go that way.

Oh! I missed it. Is there really a consensus?

> While different, the app labels would still logically
> belong to the User domain. This is probably very confusing,
> given the "3-domain policy" name, but a domain is defined
> as a set of labels.

Yes, confusing.

> Separate Smack labels offer two important benefits:
> - separation: keeping private application files private,
>   hidden from other apps. This also prevents stuff like ptrace()
>   between applications with different privileges.
> - identification: whether a service consults Cynara for policy
>   or implements some policing on itself, it must be sure who is
>   on the other side. Smack label is a perfect unforgeable identifier
>   for user apps.

I'm sceptical.

best regards
josé

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
