summaryrefslogtreecommitdiffstats
path: root/README.md
blob: e28eaafb1652a238c1187f87385f792fe922f240 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
<pre>
   ____  __   __  _   _      _       ____    ___    ____       _    
  / ___| \ \ / / | \ | |    / \     / ___|  / _ \  |  _ \     / \   
 | |      \ V /  |  \| |   / _ \   | |  _  | | | | | |_) |   / _ \  
 | |___    | |   | |\  |  / ___ \  | |_| | | |_| | |  _ <   / ___ \ 
  \____|   |_|   |_| \_| /_/   \_\  \____|  \___/  |_| \_\ /_/   \_\

</pre>

# Cynagora

[Cynagora][1] is fast, simple and safe permission database
service.
Functions of *cynagora* are:
 * checking access for certain permission
 * holding permission database
 * simple, single function API - for checking permissions
 * ability to use external agent (in case of policies that can't be full
   processed in *cynagora* and plugins)

## Basics

*Cynagora* delivers permissions based on 4 keys: CLIENT, SESSION, USER,
PERMISSION.

The original principle is that a server ask cynagora if a permission
(the key PERMISSION) is granted for a client identified by:

 - its Smack label (the key CLIENT)
 - its user identifier, uid (the key USER)
 - its process identifier, pid (the key SESSION)

In facts, the keys can be used with other values that the one primarily
designed. For example, using the pid for the session is not safe. So it
can be replaced with a string really identifying a session.

The database of *cynagora* is made of rules. Each cynagora rule is
a tuple of five strings and one integer:

    (CLIENT, SESSION, USER, PERMISSION, RESULT, EXPIRE).

The strings `CLIENT`, `SESSION`, `USER`, `PERMISSION` are arbitrary.
They can also have the special value `*` (STAR) that means that the rule
matches any value. Otherwise, the rule matches a query only if the
value matches the string of the rule. That match is:

  - case sensitive for CLIENT, SESSION, USER
  - case insensitive for PERMISSION

The string RESULT has basically one of the two values `yes` or `no`. It can
also be an agent item that will imply a request to an existing agent (see
file agent.md for details on agents).

When more than one rule match the query, only one is selected to apply using
the following rules:

  1. the rules that matched with the less STAR as possible are selected (it
     means that selected rules must matche more precisely the request)
  2. then from the rules selected above the rule that matches more exactly
     the keys in the following order of priority: session, user, client,
     permission

Cynagora implements handles differently the rules targeting any sessions
and the rules targeting specific sessions. The rules that have SESSION equals
to `*` are stored persistentely in the filesystem. That rule whose SESSION
is not STAR are volatile and only reside in memory.

Expiration is a 64 bits signed integer that express the date of expiration
of the rule in epoch (number of seconds since 1 January 1970). The special
value 0 means no expiration, permanent rule. The negative values are used
to avoid caching, their expiration value is given by the formula `-(1 + x)`.

Cynagora allows tiers programs to add features through the agent mechanism.
The file `agent.md` explains it more in detail.

## API Overview

CYNAGORA comes with 2 APIs:

 - a protocol API that can be easily implemented in most languages
   (see `protocol.md`)

 - a client C library (see `src/cynagora.h`)

It also provide optionally for compatibility a subset of the C client libraries.

## History

Cynagora is a refit of [cynara][2] that allows inclusion of expirations.
It implements the same permission database by principle but the details
changes.

As a possible replacement, cynagora can supply a simple compatibility
library that offers light legacy API of cynara. This would allow to run
simple cynara clients (admin/check/async-check but not agents) without
changes.

# Compiling

Cynagora is written in language C.

Cynagora only depends of _libcap_ that is used by the cynagora server.

The server can be built for using systemd socket activation. In that
case it requires _lisystemd_.

## Compiling with cmake and make

The compilation use the build system *cmake*. 

Example for compiling and installing cynagora:

	mkdir build
	cd build
	cmake ..
	make install

Options to pass to cmake:

 - *WITH_SYSTEMD*: flag for generating systemd compatible units (default ON)

 - *DEFAULT_DB_DIR*: path of the directory for the database (default
   ${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/lib/cynagora)

 - *DEFAULT_SOCKET_DIR*: directory path of the sockets (default 
   ${CMAKE_INSTALL_FULL_RUNSTATEDIR}/cynagora)

 - *DEFAULT_INIT_FILE*: path to the initialization file to use (default 
   ${CMAKE_INSTALL_FULL_SYSCONFDIR}/security/cynagora.initial)

 - *WITH_CYNARA_COMPAT*: flag for producing cynara compatibility artifacts
   (default OFF)

 - *DIRECT_CYNARA_COMPAT*: if true, dont use the shared client library to
   access cynara server but use the static library instead, avoid a dependency
   to the shared library.

Example:

	cmake -DCMAKE_INSTALL_PREFIX=~/.local -DWITH_SYSTEMD=OFF ..
	make install

## Compiling with meson and ninja

You can compile using meson. Example:

	meson --prefix ~/.local -Dwith-systemd=false setup build
	ninja -C build install

Option are the same that above except that they are in lower case with dash:
*with-systemd*, *with-cynara-compat*, *direct-cynara-compat*.

# Licenses

Cynagora is licensed under a Apache License Version 2.0, January 2004,
available on [Apache website][3] or in Apache-2.0 file.

Logo is licensed under Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0),
avaliable on [creative commons website][4] or in CC-BY-SA-3.0 file.

[1]: https://git.automotivelinux.org/src/cynagora/
[2]: https://wiki.tizen.org/wiki/Security:Cynara
[3]: https://www.apache.org/licenses/LICENSE-2.0
[4]: https://creativecommons.org/licenses/by-sa/3.0/