In the sec-lsm-manager, the following system permission is used : redpesk-permissions


Permissions are sent and stored in cynagora. For example, if we add the permission urn:AGL:permission::partner:scope-platform to a demo-app we will have :

CLIENT    SESSION,  USER,  PERMISSION                                  RESULT  EXPIRE
demo-app  *         *      urn:AGL:permission::partner:scope-platform  yes     forever

For more details on cynagora: sec-cynagora

Mandatory Access Control

At this time permissions only have an impact on SELinux. They will allow to add additional authorizations to an application. For example the urn:AGL:permission::partner:scope-platform permission will allow access to the /var/scope-platform folder.

Here is a list of currently supported permissions and their effect :

  • urn:AGL:permission::partner:scope-platform

    Allow access to the /var/scope-platform folder

  • urn:AGL:permission::partner:create-can-socket

    Allow create and write on can socket

  • urn:AGL:permission::partner:read-afbtest

    Allow read binding afbtest

  • urn:AGL:permission::partner:execute-shell

    Allow execute shell and programs in bin directories

  • urn:AGL:permission::partner:manage-tmp

    Allow manage all files types in /tmp

  • urn:AGL:permission::partner:manage-user-shared

    Allow manage all files types in /run/user/[id]/usrshr/