Hello! Is there further documentation about the Cynara "bucket" concept, in particular an explanation of how using buckets will affect privilege checks?

The admin API [1] introduces buckets as "objects in which policies are kept" and mentions that there is a default policy for each bucket. What does not become clear to me is how a cynara_check() call is mapped to buckets. Are all buckets searched? In which order? What does it mean when a policy refers to another bucket (example: MAIN bucket has a rule of type 0xFFFE = CYNARA_ADMIN_BUCKET pointing to bucket MANIFESTS)?

This example is part of the policy which is set by security-manager [2]. That policy also has "user profiles", which get translated into Cynara buckets. While the exact mechanism is unclear to me, it seems that the intention is to limit certain privileges to certain kinds of users. Correct?

It seems that these profiles grant access to all privileges to all users. If that's the goal, can't it be expressed a bit more concisely so that the purpose and (eventually) exceptions to it are more obvious?

[1] https://wiki.tizen.org/wiki/Security:Cynara:API:admin
[2] https://review.tizen.org/git?p=platform/core/security/security-manager.git;a=tree;f=policy;h=59f1fb583228c48b0b8ffa1f6a82f4887aa1a3c5;hb=refs/heads/tizen

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
