> -----Original Message----- > From: Dev [mailto:[email protected]] On Behalf Of Patrick Ohly > Sent: Tuesday, May 13, 2014 5:39 AM > To: Rafał Krypa > Cc: [email protected] > Subject: Re: [Dev] Understanding Cynara scope. > > On Tue, 2014-05-13 at 14:11 +0200, Rafał Krypa wrote: > > On 2014-05-13 11:36, Counihan, Tom wrote: > > > > > > Hi Folks, > > > > > > > > > > > > Reading all the extensive traffic on the topic, I come away with a vision > > > of > the Cynara scope. > > > > > > I would like to ask the question to get it validated. > > > > > > > > > > > > Is Cynara’s exclusive goal to service ‘downloadable’ Web applications > from an ‘app store’? > > > > > > > Let me try to answer that question. > > The main purpose for Cynara is to implement user space access control > > between downloadable applications and built-in services. We are > > considering both web applications and native applications (OSP, or > > potentially other native app framwork). > > What are your thoughts on Crosswalk in this context (see the "enforcing > priviliges of web apps" discussion)? > > Your assumption seems to be that each application has its own Unix process; > at least that's how the methods described under "gather required info" > sections for D-Bus work. Correct? > > As identified in the other mail thread, Crosswalk itself is not a simple > native > application. Instead it is a system component which hosts multiple other > downloadable web applications. > > Do you envision Crosswalk calling Cynara to check app privileges?
The Smack label of the task executing the application code (be it a plugin, separate executable or some other mechanism) must be set to the label assigned to that application. Once this is accomplished the services that use Cynara to make application access checks have the information they need to do so. Crosswalk need only set the process Smack label before invoking the application. Crosswalk might need to ask Cynara if it is appropriate to invoke an application (e.g. if a privilege is required to run during daylight hours) at all, but I don't believe we have any application privileges of that sort. So no, I don't see Crosswalk using Cynara unless Crosswalk is providing "privileged" services. If Crosswalk is providing privileged services (which seems unreasonable, but is possible) it will have to do its part in enforcement. If it is proxying it will have to either do the enforcement or pass along the application's credential (Smack label and possibly uid) information. It should be pretty simple. > -- > Best Regards, Patrick Ohly > > The content of this message is my personal opinion only and although I am an > employee of Intel, the statements I make here in no way represent Intel's > position on the issue, nor am I authorized to speak on behalf of Intel on this > matter. > > > > _______________________________________________ > Dev mailing list > [email protected] > https://lists.tizen.org/listinfo/dev _______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev
