<pre>
   ____  __   __  _   _      _       ____    ___    ____       _    
  / ___| \ \ / / | \ | |    / \     / ___|  / _ \  |  _ \     / \   
 | |      \ V /  |  \| |   / _ \   | |  _  | | | | | |_) |   / _ \  
 | |___    | |   | |\  |  / ___ \  | |_| | | |_| | |  _ <   / ___ \ 
  \____|   |_|   |_| \_| /_/   \_\  \____|  \___/  |_| \_\ /_/   \_\

</pre>

# Cynagora

[Cynagora][1] is a fast, simple and safe permission database
service.

Functions of *cynagora* are:
 * checking access for a given permission
 * holding the permission database
 * a simple, single-function API for checking permissions
 * the ability to use an external agent (in case of policies that can't be fully
   processed in *cynagora* and plugins)

## Basics

*Cynagora* delivers permissions based on 4 keys: CLIENT, SESSION, USER,
PERMISSION.

The original principle is that a server asks cynagora whether a permission
(the key PERMISSION) is granted for a client identified by:

 - its Smack label (the key CLIENT)
 - its user identifier, uid (the key USER)
 - its process identifier, pid (the key SESSION)

In fact, the keys can be used with values other than the ones they were
primarily designed for. For example, using the pid for the session is not
safe, so it can be replaced with a string that really identifies a session.
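
Why the pid is a weak SESSION value, shown as an added toy model (not cynagora's code or API; the rule table, the exact-match lookup, the label `App::A`, uid `1001`, pid `4242` and permission `camera` are constructed assumptions). Pids are recycled by the kernel, so a session-scoped grant keyed by pid can match a later process, while a random per-connection token does not:

```c
/* Toy model, not cynagora code: every name and value here is hypothetical. */
#include <stdio.h>
#include <string.h>
struct key { const char *client, *session, *user, *permission; };
static struct key rules[8];	/* constructed rule table, one grant per row */
static int nrules;

/* Returns 1 when a stored rule matches all four keys exactly. */
static int check(const struct key *k)
{
	for (int i = 0; i < nrules; i++)
		if (!strcmp(rules[i].client, k->client)
		 && !strcmp(rules[i].session, k->session)
		 && !strcmp(rules[i].user, k->user)
		 && !strcmp(rules[i].permission, k->permission))
			return 1;
	return 0;
}

/* Fills out[33] with 128 random bits as hex; returns 0 on success. */
static int new_session_token(char out[33])
{
	unsigned char raw[16];
	FILE *f = fopen("/dev/urandom", "rb");
	size_t n = f ? fread(raw, 1, sizeof raw, f) : 0;
	if (f) fclose(f);
	if (n != sizeof raw) return -1;
	for (size_t i = 0; i < sizeof raw; i++)
		sprintf(out + 2 * i, "%02x", (unsigned)raw[i]);
	return 0;
}

/* Grants "camera" to one session, then checks a later process with the same
 * label, uid and recycled pid. use_token: 0 = SESSION is the pid string,
 * 1 = SESSION is a fresh token. Returns 1 if the grant carries over. */
int grant_carries_over(int use_token)
{
	char first[33] = "4242", later[33] = "4242";	/* constructed pid */
	if (use_token && (new_session_token(first) || new_session_token(later)))
		return -1;
	nrules = 0;
	rules[nrules++] = (struct key){ "App::A", first, "1001", "camera" };
	struct key query = { "App::A", later, "1001", "camera" };
	return check(&query);
}

int main(void)
{
	printf("pid: %d, token: %d\n", grant_carries_over(0), grant_carries_over(1));
	return 0;
}
```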

The database of *cynagora* is made of rules that set permissions.

Cynagora handles the rules targeting any session differently from
the rules targeting specific sessions.

## API Overview

CYNAGORA comes with 2 APIs:

 - a protocol API that can be easily implemented in most languages
   (see src/cynagora-protocol.txt)

 - a client C library (see src/cynagora.h)

It also optionally provides, for compatibility, a subset of the C client libraries.

## History

Cynagora is a refit of [cynara][2] that allows inclusion of expirations.
In principle it implements the same permission database, but the details
differ.

# Compiling

Compilation uses the *cmake* build system. Cynagora has no dependencies.
However, it can be built for use with systemd activation. In that
case it requires _libsystemd_.

Example for compiling and installing cynagora:

	mkdir build
	cd build
	cmake ..
	make install

Options to pass to cmake:

 - *WITH_SYSTEMD*: flag for generating systemd compatible units (default ON)

 - *WITH_CYNARA_COMPAT*: flag for producing cynara compatibility artifacts
   (default OFF)

 - *DEFAULT_DB_DIR*: path of the directory for the database (default
   ${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/lib/cynagora)

 - *DEFAULT_SOCKET_DIR*: directory path of the sockets (default 
   ${CMAKE_INSTALL_FULL_RUNSTATEDIR}/cynagora)

 - *DEFAULT_INIT_FILE*: path to the initialization file to use (default 
   ${CMAKE_INSTALL_FULL_SYSCONFDIR}/security/cynagora.initial)

Example:

	cmake -DCMAKE_INSTALL_PREFIX=~/.local -DWITH_SYSTEMD=OFF ..

# License

Cynagora is licensed under the Apache License Version 2.0, January 2004.
It is available on the Apache [website][3] or in the LICENSE file.

[1]: https://git.automotivelinux.org/src/cynagora/
[2]: https://wiki.tizen.org/wiki/Security:Cynara
[3]: https://www.apache.org/licenses/LICENSE-2.0