Hi all,
It is great project for privilege control by Cynara in Tizen, however,
there are some issues which confused me now. We have spent some time
investigating how to enable Cynara security policy, this email maybe will cover
some technical details in Cynara. I am not sure that which Samsung guys are
very familar with Cynara API in details. However, we will be very appreciated
that if whoever can help in the tizen-mailist because it could let us more
clear about how to integrate Cynara API into other new package which need
security check. All I concern and investigation about Cynara is from the Cynara
definition in
https://wiki.tizen.org/wiki/Security/Tizen_3.0_security_porting_guide and
example of platform/core/connectivity/bluetooth-frwk/bt-service.
So I summarize two APIs question one by one as below:
1. int cynara_initialize(
cynara **pp_cynara
const cynara_configuration *p_conf)
The first question is about cynara_initialize function. As we all know,
parameter pp_cynara would be used in cynara_check to Check privilege if client
(application or process) running as some user has access to a service or not.
However, we couldn't find the cynara_configuration definition. The link
https://wiki.tizen.org/wiki/Security:Cynara:API:client#cynara_configuration
statement about cynara_configuration is: Structure representing cynara client
configuration. Not yet defined.
And we also find in bt-service that cynara_configuration *conf is NULL.
So we have to be clear about this parameter when we used it, we can think that
cynara_configuration has not been defined now. And we use cynara_initialize
function in other package just to put NULL to it like bt-service did, right ?
2. int cynara_check(
cynara *p_cynara,
const char *client,
const char *client_session,
const char *user,
const char *privilege)
For cynara *p_cynara parameter, there is no doubt that we will use
cyrana_initialize to get p_cynara
For const *client and const char*user parameters, these two parameter is output
from Functions cynara_creds_dbus_get_client() and
cynara_creds_socket_get_client() , we find in bt-service example to use
CLIENT_METHOD_SMACK and USER_METHOD_UID as input to get const char *client and
const char*user parameters by cynara_creds_dbus_get_client() or
cynara_creds_socket_get_client() function. Can we use these two Marco parameter
as input in other package? Because bt-service is based on Tizen OS, so is the
Macro definition either conform to other OS security or only compatible with
Tizen OS?
For client_session parameter, it should be application launch identifier.
However, in the bt-service example ,we can see client_session is NULL as input.
So is this make sense ? can we do the same in other package ?
For privilege parameter, this privilege string should be core privilege list in
the system just like Tizen such as the list in
https://wiki.tizen.org/wiki/Security:Tizen_3.0_Core_Privileges . My question is
who will be in charge of this part work in Tizen security? For this part work,
what can package developer do for this security privilege definition and
enabling?
Above is all my question about Cynara API used in bt-service example, If we are
clear about these, It will greatly help us to enable Cynara in security check.
Best Regards
Chaojie Gu
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
