On 11/26/2014 03:41 PM, Patrick Ohly wrote:
I also prepared a wiki page on Cynara/D-Bus integration:
https://wiki.tizen.org/wiki/Security:Cynara:DBus_integration
The example explicitly has a <deny
send_destination="com.example.service"/>. I think this should not be
necessary. Instead we need a default bus config that prevents
communication by default, unless a service-specific configuration
explicitly allows certain kinds of messages again. That's because we
don't want D-Bus services without a suitable config available to
unprivileged apps.
Ok, that's right. I will fix that once the default configuration is
settled. I'll describe default policy there as well.
You wanted to work on such a default config? Have you made progress on
that? It should be part of the initial integration of these patches.
I planned to do it in a separate commit on top of Cynara integration
changes. Such change would also need to be aligned with proper change in
Cynara policy.
But you are right that such change should be ready before these commits
are merged so we know that these patches are sufficient for our needs.
I'll try to prepare my proposal soon (in this week). Currently I don't
see a better approach than the one that you presented some time ago (by
default require "http://tizen.org/privileges/user"; or similar. Write
additional, more fine-grained rules to allow apps ).
Best regards,
--
Jacek Bukarewicz
Samsung R&D Institute Poland
Samsung Electronics
[email protected]
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
