On gio, 2014-05-15 at 20:22 +0200, Patrick Ohly wrote: > On Thu, 2014-05-15 at 17:02 +0000, Schaufler, Casey wrote: > > > The problem for a hypothetical, patched dbus-daemon calling Cynara will be > > > to identify the session. Probably it will not have enough understanding > > > of the > > > D-Bus interfaces that it is asked to protect to provide a meaningful > > > identifier. > > > > I don't know what you mean by "identify" the session, but expect that > > it would be a matter of configuration. Not necessarily simple configuration, > > mind you. > > I mean this parameter of cynara_check (from the Wiki): > > client_session - /string/ - identifier of application life or > session. It might be needed for checking access granted for > single session. It is service responsibility to define session > properly, e.g. it can be defined as PID of application process > or service-application connection identifier. libCynara do not > interpret this string - it is just compared to previous ones to > distinguish sessions. > > I can image that a modified dbus-daemon can be configured to map a > certain interface or certain methods in an interface to certain > privileges, but configuring it to somehow create a client_session string > for a certain caller is probably going too far. Such functionality is > better provided by custom code in the service itself. >
I share your analysis. It isn't pragmatic to expect that dbus will guess the session id. Best regards José _______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev
