Thanks for all answers! Just recapping my questions...

On Tue, Sep 3, 2013 at 8:06 PM, Kok, Auke-jan H <[email protected]> wrote:

> On Tue, Sep 3, 2013 at 12:15 PM, Glauco Junquera <[email protected]> wrote:
> > I recently started studying smack on Tizen and I have some questions
> > that I was unable to find answers to by searching the web.
> >
> > The questions are the following:
> > - Are Smack rules created at application installation time?
>
> Tizen RPMs can add more rules, yes. It doesn't mean that they do, or
> must, or that providers use this mechanism, but it is encouraged, and
> the standard implementation we do in Tizen.
>
> > - Do privileges declared on application manifest.xml have a
> > corresponding smack label?
>
> This question is a bit confusing....
>
> I think you are asking "Do privileges declared in an application's
> manifest correspond to SMACK labels?"
>
> The answer to that would be: They are smack labels. The manifests
> declare what labels should be set on the components (files, folders)
> that the package installs.
>

Maybe we are talking about different manifest files. I think you are talking about the rpm's manifest and I am talking about the tpk's manifest. On the tpk's manifest you can declare privileges like this (for example):

    <Privileges>
        <Privilege>http://tizen.org/privilege/socket</Privilege>
        <Privilege>http://tizen.org/privilege/package.info</Privilege>
    </Privileges>

I would like to know if each of these privileges has a corresponding Smack label =).

> > - What is responsible for creating smack rules? The kernel? If yes, how
> > can a userspace program request the kernel to create smack rules?
>
> The developer is responsible for adding rules to the system such that
> they are loaded at startup or package installation time.
>
> Userspace programs in general should not add/remove rules, as this is
> obviously a privilege escalation problem.
>
> The base system code "loads" these rules into the kernel memory. The
> kernel only enforces rules. It does not create new rules or modify
> them.
>

How can the developer add smack rules? Does he add rules in the rpm's manifest file and then rpm applies the rules?

For a userspace program to create smack rules, it is necessary to write to smackfs (mounted on /smack), and only processes that have the CAP_MAC_ADMIN capability can write to smackfs. Is that correct? If yes, how is CAP_MAC_ADMIN granted to rpm? Is there any other userspace program that runs with this capability?

> > I would appreciate if someone could help me =)
>
> I'm not a SMACK expert, there are a few others on this list (including
> the author of SMACK) that can better clarify things. Feel free to ask
> more if you have more questions.
>
> Auke
>
_______________________________________________
General mailing list
[email protected]
https://lists.tizen.org/listinfo/general
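
Added example, not part of the original thread: the message above asks which userspace programs run with CAP_MAC_ADMIN, and one way to audit that on a Linux system is to read the capability masks in /proc/<pid>/status. The process names and status excerpts below are constructed, not taken from a Tizen device; the bit number comes from linux/capability.h.

```python
import os
import re

CAP_MAC_ADMIN = 33  # bit number from linux/capability.h (CAP_MAC_OVERRIDE is 32)

# Constructed /proc/<pid>/status excerpts; names are hypothetical.
SAMPLE_STATUS = {
    "installer-daemon": "Name:\tinstaller-daemon\nCapPrm:\t0000001fffffffff\nCapEff:\t0000001fffffffff\n",
    "policy-loader": "Name:\tpolicy-loader\nCapPrm:\t0000000200000000\nCapEff:\t0000000200000000\n",
    "dropped-priv": "Name:\tdropped-priv\nCapPrm:\t0000000200000000\nCapEff:\t0000000000000000\n",
    "mac-override": "Name:\tmac-override\nCapPrm:\t0000000100000000\nCapEff:\t0000000100000000\n",
    "sample-app": "Name:\tsample-app\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n",
}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_cap_sets(status_text):
    """Return the capability sets in a status file as {'CapEff': int, ...}."""
    return {m.group(1): int(m.group(2), 16) for m in CAP_LINE.finditer(status_text)}

def mac_admin_state(status_text):
    """'effective' (usable now), 'permitted' (can be raised), or 'none'."""
    caps = parse_cap_sets(status_text)
    bit = 1 << CAP_MAC_ADMIN
    if caps.get("CapEff", 0) & bit:
        return "effective"
    if caps.get("CapPrm", 0) & bit:
        return "permitted"
    return "none"

def audit(statuses):
    """Map process name -> state for every process holding CAP_MAC_ADMIN."""
    states = {name: mac_admin_state(text) for name, text in statuses.items()}
    return {name: s for name, s in states.items() if s != "none"}

def read_live_statuses(proc="/proc"):
    """Collect status text for all running processes (Linux only)."""
    out = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "status")) as f:
                out[pid] = f.read()
        except OSError:
            continue  # process exited or access was denied
    return out

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_STATUS).items()):
        print(f"{name}: CAP_MAC_ADMIN {state}")
```

On a live system, `audit(read_live_statuses())` reports by PID; a process listed as "permitted" does not currently use the capability but can raise it without further privilege.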
