On 21.08.2015 14:16, Patrick Ohly wrote:
> On Fri, 2015-08-21 at 13:25 +0200, Aleksander Zdyb wrote:
>> As for Security Manager, there are indeed more than half a dozen buckets
>> used:
>> ADMIN MANIFESTS USER_TYPE_ADMIN USER_TYPE_GUEST and more.
>> It's been designed this way, so it's easier to maintain them and faster to
>> get matching rules. But this is Tizen 3.0 specific. Other implementations can
>> use the buckets concept in any other way (see example above) or not use it
>> at all.
>
> One more question about this.
>
> When I use security-manager-policy-reload to create the Cynara DB, it'll
> create these user profile buckets with:
>
> # Import user-type policies
> find "$POLICY_PATH" -name "usertype-*.profile" |
> while read file
> do
> ...
>
>      # Link the bucket to ADMIN bucket
>      cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
>          --bucket="$bucket" --metadata="ADMIN"
>
> This creates a BUCKET rule in, for example, USER_TYPE_ADMIN:
> *;*;*;0xFFFE;ADMIN
>
> Isn't that the wrong way around? Buckets are linked as follows:
> "" (the unnamed bucket) -> MAIN -> MANIFESTS
>
> Nothing links to USER_TYPE_ADMIN, so ADMIN is also not reached.
>
> Does that look right? Then what is the purpose of these usertype
> profiles? How do they get activated in Cynara?


Privacy Manager rules will be added to the unnamed bucket.
Users will be added to MAIN. Maybe there is currently no admin,
so nothing points to the USER_TYPE_ADMIN bucket. Security Manager
adds rules as users are created or removed.

You can play with security-manager-cmd to add and remove users
and see what happens.

Please refer to this diagram for more details:
https://github.com/Samsung/security-manager/blob/860305a595d681d650024ad07b3b0977e1fcb0a6/src/common/cynara.cpp#L64

HTH

--
Aleksander Zdyb
Samsung R&D Institute Poland
Samsung Electronics

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
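
The bucket linkage discussed in this thread can be checked mechanically. The following is an added example, not part of the thread and not Security Manager or Cynara code: it walks BUCKET-type rules (type 0xFFFE, in the `client;user;privilege;type;metadata` form quoted above) from the unnamed bucket and lists buckets no check can reach. The rules in "" and MAIN, the uid 5001 and the shape of the per-user rule are constructed assumptions.

```python
from collections import deque

BUCKET_TYPE = 0xFFFE  # type value of the BUCKET rule quoted in the thread

def bucket_links(policies):
    """Map each bucket to the set of buckets its BUCKET-type rules point at."""
    links = {}
    for bucket, rules in policies.items():
        targets = links.setdefault(bucket, set())
        for rule in rules:
            client, user, privilege, ptype, metadata = rule.split(";", 4)
            if int(ptype, 16) == BUCKET_TYPE:
                targets.add(metadata)
    return links

def reachable(policies, start=""):
    """Buckets that a check starting in `start` can be redirected into."""
    links = bucket_links(policies)
    seen, queue = {start}, deque([start])
    while queue:
        for target in links.get(queue.popleft(), ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

def unreachable(policies, start=""):
    """Buckets that exist but are never consulted from `start`."""
    return sorted(set(policies) - reachable(policies, start))

# Constructed sample: the links named in the thread, before any user exists.
POLICIES = {
    "": ["*;*;*;0xFFFE;MAIN"],
    "MAIN": ["*;*;*;0xFFFE;MANIFESTS"],
    "MANIFESTS": [],
    "USER_TYPE_ADMIN": ["*;*;*;0xFFFE;ADMIN"],
    "ADMIN": [],
}

def with_user(policies, uid, user_bucket):
    """Copy of the policy set with an assumed per-user link added to MAIN."""
    updated = {name: list(rules) for name, rules in policies.items()}
    updated["MAIN"].append(f"*;{uid};*;0xFFFE;{user_bucket}")
    return updated

if __name__ == "__main__":
    print("before user:", unreachable(POLICIES))
    print("after user: ", unreachable(with_user(POLICIES, "5001", "USER_TYPE_ADMIN")))
```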