[systemd-devel] [PATCH 0/12] kdbus: policy tests and fixes

Daniel Mack daniel at zonque.org
Fri Jun 20 10:21:25 PDT 2014


Hi Djalal,

On 06/20/2014 06:49 PM, Djalal Harouni wrote:
> This series adds the test-kdbus-policy test. The first patches are
> preparation, then you have the test.
> 
> Later there are several fixes and improvements, I've performed all the
> tests with success.

Very nice, thanks a lot for doing this!

I'll comment on the individual patches.

> I still have another series which deals with the send access cache, will
> send it soon, or perhaps tomorrow it should go on top of this.

Ok, great.

> Please Kay, Daniel allow me this question:
> 
> The policy holders are just connections that register policy entries!
> They don't register names, so the registered policy entry won't take any
> effect unless you acquire (register into database) its name!

That's correct. The idea here is to close the gap between name
acquisition and the policy being applied, and the owner of a name should
not be the same instance that decides who's allowed to own it, who may
talk to it or see it.

Likewise, a connection can only own a name on the system bus if there's
a policy rule that allows just that, and the rule has to be added
beforehand by the bus owner.

> We need here two operations:
> 1) register as a policy holder
> 2) acquire the name to be able to send to that name and to activate
> the policy rules.
> 
> Is this the intended behaviour ?

Yes, exactly, and installing a policy is a privileged operation. We
thought a lot about the design here, and I think this is a good and
clean solution. Did you understand that right away? Is there anything
illogical about the idea you're concerned about? We're open to
suggestions. After all, the code is not yet in production :)


Thanks,
Daniel
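
The two-step flow discussed in this message (a privileged party installs the policy first, a connection acquires the name second), as an added toy model in C that is not part of the original mail and is not kdbus code. Every identifier, the uid-only rule matching, the ordered access levels and the errno values are assumptions of the model.

```c
/* Toy model of the two-step flow; every identifier is hypothetical, not kdbus API. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

enum access { ACC_SEE = 1, ACC_TALK, ACC_OWN };  /* assumed: a higher level includes the lower */
struct rule { const char *name; unsigned uid; enum access level; };
struct bus {
    unsigned owner_uid;                 /* assumption: only the bus owner is privileged */
    struct rule rules[8]; int nrules;   /* installed policy entries */
    struct rule owned[8]; int nowned;   /* acquired names (uid = current owner) */
};

static bool allowed(const struct bus *b, const char *name, unsigned uid, enum access want)
{
    for (int i = 0; i < b->nrules; i++)
        if (!strcmp(b->rules[i].name, name) && b->rules[i].uid == uid && b->rules[i].level >= want)
            return true;
    return false;
}

/* Step 1: install a policy entry. Privileged, and it does not acquire the name. */
int policy_install(struct bus *b, unsigned caller, const char *name, unsigned uid, enum access lvl)
{
    if (caller != b->owner_uid) return -EPERM;
    if (b->nrules == 8) return -ENOMEM;
    b->rules[b->nrules++] = (struct rule){ name, uid, lvl };
    return 0;
}

/* Step 2: acquire the name. Needs an OWN rule that was installed beforehand. */
int name_acquire(struct bus *b, unsigned caller, const char *name)
{
    if (!allowed(b, name, caller, ACC_OWN)) return -EPERM;
    for (int i = 0; i < b->nowned; i++)
        if (!strcmp(b->owned[i].name, name)) return -EEXIST;
    if (b->nowned == 8) return -ENOMEM;
    b->owned[b->nowned++] = (struct rule){ name, caller, ACC_OWN };
    return 0;
}

/* Sending to a name: no destination until the name is owned, then TALK is checked. */
int send_to_name(const struct bus *b, unsigned sender, const char *name)
{
    for (int i = 0; i < b->nowned; i++)
        if (!strcmp(b->owned[i].name, name))
            return allowed(b, name, sender, ACC_TALK) ? 0 : -EPERM;
    return -ESRCH;
}
```

In this model a connection can never grant itself ownership: `policy_install` rejects any caller other than the bus owner, and `name_acquire` consults only rules that are already in the table.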


