On Wed, 2014-04-16 at 20:06 +0000, Schaufler, Casey wrote:
> > -----Original Message-----
> > From: Patrick Ohly [mailto:[email protected]]
> > Sent: Wednesday, April 16, 2014 9:45 AM
> > To: Schaufler, Casey
> > Cc: José Bollo; Lukasz Wojciechowski; [email protected]
> > Subject: Re: [Dev] Cynara + DBUS
> >
> > On Wed, 2014-04-16 at 15:30 +0000, Schaufler, Casey wrote:
> > > > > Good question. Applications will need mutual write access with
> > > > > dbus to talk to it. Yes, this introduces additional Smack rules.
> > > >
> > > > So in other words, full access to anything that is on the session D-Bus,
> > > > including all other apps. Anything talking on the session D-Bus will
> > > > have to be prepared to get potentially malicious messages.
> > >
> > > No, that's not what I said, I don't think. It's one thing to talk to
> > > dbus, it's another to talk to services using dbus.
> >
> > So there will be a D-Bus configuration which controls who is allowed to
> > talk to whom? Unprivileged apps only get very selective access to some
> > services and not to other apps or services which are not prepared to do
> > Cynara checks?
>
> The option to configure dbus based on Smack label is available.
> I suppose that someone cleverer than I am might be able to
> start with the application manifest and create dbus rules for some
> cases.

Do we have documentation for that somewhere? I know that we had D-Bus patches for SMACK, I just don't know what of that is in Tizen and where up-to-date documentation is.

> The general rule remains that programs providing privileged services
> have to be changed to use Cynara. dbus is not a magic wand.

True, but it may be more reliable and safer in some cases to update the D-Bus configuration instead of patching the source of the service. For example, if EDS was considered a system component that third-party apps are never meant to use, then doing a privilege check in one place (the message routing in dbus-daemon) instead of multiple places (each method handler in EDS) would be a lot easier.

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
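
The trade-off raised in the message above (one check at message routing versus one check in every method handler), as an added example that is not part of the original thread and is not dbus-daemon, Cynara or EDS code. It is a toy Python model: the Smack labels, bus names, method names and the handler that omits its check are all constructed assumptions.

```python
# Toy model of a message bus. Not dbus-daemon code: every label, bus name
# and method name below is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    sender_label: str   # Smack label of the sender (assumed known to the bus)
    destination: str    # well-known bus name of the service
    method: str

# Central routing policy: (sender label, destination) pairs the bus forwards.
# Anything not listed is dropped, so the default is deny.
ROUTE_ALLOW = {
    ("System", "org.example.EDS.AddressBook"),
    ("User::App::contacts", "org.example.Contacts"),
}

PRIVILEGED_LABELS = {"System"}

def handler_has_check(method):
    # Per-handler model: each method handler must carry its own check.
    # "ExportAll" stands for the one handler where it was left out.
    return method != "ExportAll"

def deliver_per_handler(msg):
    """The bus forwards everything; the service's handlers decide."""
    if handler_has_check(msg.method) and msg.sender_label not in PRIVILEGED_LABELS:
        return "denied-by-handler"
    return "handled"

def deliver_central(msg):
    """The bus applies the routing policy before the service sees anything."""
    if (msg.sender_label, msg.destination) not in ROUTE_ALLOW:
        return "dropped-by-bus"
    return "handled"

def audit(messages):
    """Return (label, method, per-handler result, central result) per message."""
    return [(m.sender_label, m.method, deliver_per_handler(m), deliver_central(m))
            for m in messages]

# Constructed sample traffic.
SAMPLE = [
    Message("System", "org.example.EDS.AddressBook", "GetContact"),
    Message("User::App::untrusted", "org.example.EDS.AddressBook", "GetContact"),
    Message("User::App::untrusted", "org.example.EDS.AddressBook", "ExportAll"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The third sample message is the case the argument turns on: the per-handler model handles it because one handler lacks a check, while the routing policy drops it without knowing which methods the service exposes.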
