We're in the process of merging the changes for the 3 Smack domain policy. This 
will have a global impact on the Tizen system, but for the most part will make 
it much simpler for everyone who is not directly involved with implementing 
system security.

Packaging:

We will no longer be doing package based domains. The manifest files have been 
changed to reflect this. With rare exception the manifest file should add a 
package to the floor domain and do nothing else. The security team, especially 
Bumjin and Casey, will be taking the lead on any manifest changes beyond that. 
If your manifest has been updated by the security team and you don't know why, 
don't hesitate to ask.

The floor domain:

Only kernel helper processes run in the floor ("_") domain. System data files, 
programs and libraries are stored in the floor domain. The contents of the 
floor domain are generally readable.


The System domain:

We are using systemd as the manager of the domain called "System". Because 
systemd is the initial process and its children will inherit the Smack label, 
the services launched by systemd will run in the System domain. The /run 
directory will be maintained as a transmuting filesystem labeled "System::Run". 
The System domain will have full access to the label System::Run. The /run 
directory contains all sorts of subdirectories and files used to communicate 
between systemd and the services it manages. The network label used for 
unlabeled packets (the ambient label) has been set to System, allowing network 
services to communicate off-box.

The journal daemon requires read access to all files in /proc. This is 
accomplished by running the daemon in a peer domain called hat ("^") of the 
System domain.

The User domain:

The user experience is provided by the display manager and the application 
launcher. They have been set to run in the User domain. The appropriate 
manifest files will be updated as part of the merge. Because these services are 
managed by systemd the User domain is granted access to the System::Run label 
and hence the /run directory. The /run directory is a resource managed by 
systemd and must not be used as a repository for other data.

IVI:

The ivi project has been used to verify the implementation of the 3 domain 
policy. Labeling of devices should be complete and correct for ivi. The display 
manager used is weston, and the program /usr/bin/weston-launch has been given a 
Smack execution attribute of "User". The application launcher for ivi is 
launchpad_preloading_preinitializing_daemon, which has also been given the 
Smack execution attribute of "User". These two programs are the basis of the 
User domain for ivi.
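To make the System, User and ivi sections above concrete, here is a small model of the Smack checks involved. It is an added example, not code from the Tizen project or the Smack kernel module. It reproduces Smack's documented core rules (floor "_", hat "^", star "*", same-label access, explicit rules), the transmute behaviour that gives files created under /run the "System::Run" label, and label inheritance on exec through the SMACK64EXEC attribute used for weston-launch. The rule lines for System::Run and the object label "System::Proc" standing in for /proc entries are constructed for the demo and are assumptions; only the domain names come from this announcement.

```python
"""Model of the Smack checks behind Tizen's three-domain policy.

Added example, not code from the Tizen project or the Smack kernel module.
Core rules follow the documented Smack ordering; the access rules and the
"System::Proc" object label are constructed for this demo (assumptions)."""

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

FLOOR, HAT, STAR = "_", "^", "*"

# Access rules in Smack's native "subject object mode" format (assumed rules).
# The "t" mode lets the subject create transmuted files in a transmuting
# directory; "a" is append access.
RULES_TEXT = """
System System::Run rwxat
User   System::Run rwxat
"""


def parse_rules(text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Parse 'subject object mode' lines into {(subject, object): {modes}}."""
    rules: Dict[Tuple[str, str], Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        subject, obj, mode = parts
        rules.setdefault((subject, obj), set()).update(mode.replace("-", ""))
    return rules


RULES = parse_rules(RULES_TEXT)


def smack_access(subject: str, obj: str, mode: str, rules=RULES) -> bool:
    """True if a task labeled `subject` may access an object labeled `obj`
    with every mode character in `mode` (Smack hardcoded rules, then table)."""
    if subject == STAR:                      # a star subject is always denied
        return False
    if obj == STAR:                          # a star object is open to all
        return True
    if subject == obj:                       # same label: full access
        return True
    if set(mode) <= {"r", "x"}:              # read/execute only:
        if obj == FLOOR:                     #   floor objects readable by all
            return True
        if subject == HAT:                   #   hat reads/executes anything
            return True
    return set(mode) <= rules.get((subject, obj), set())


@dataclass
class Directory:
    label: str
    transmute: bool = False


def create_label(task_label: str, parent: Directory, rules=RULES) -> str:
    """Label a new file gets: the directory's label when the directory is
    transmuting and the task's rule carries 't', otherwise the task's label."""
    if parent.transmute and "t" in rules.get((task_label, parent.label), set()):
        return parent.label
    return task_label


def exec_label(parent_label: str, smack64exec: Optional[str]) -> str:
    """Label of a process after exec: SMACK64EXEC on the binary wins,
    otherwise the child inherits its parent's label (this is how systemd's
    children end up in System)."""
    return smack64exec if smack64exec else parent_label


def demo() -> Dict[str, object]:
    run_dir = Directory("System::Run", transmute=True)   # /run as described
    return {
        # journald, running as hat, may read /proc entries of any label ...
        "hat_reads_proc": smack_access(HAT, "System::Proc", "r"),
        # ... but hat gets no write access beyond what rules grant
        "hat_writes_proc": smack_access(HAT, "System::Proc", "w"),
        # anyone may read/execute floor-labeled libraries, nobody may write
        "user_reads_floor": smack_access("User", FLOOR, "rx"),
        "user_writes_floor": smack_access("User", FLOOR, "w"),
        # explicit rules for the /run tree
        "system_rw_run": smack_access("System", "System::Run", "rw"),
        "user_rw_run": smack_access("User", "System::Run", "rw"),
        # no rule: User cannot write a file labeled System
        "user_writes_system": smack_access("User", "System", "w"),
        # a file User creates under /run is transmuted to System::Run
        "user_file_in_run": create_label("User", run_dir),
        # a file User creates in a non-transmuting directory keeps User
        "user_file_in_home": create_label("User", Directory("User")),
        # systemd (System) executing weston-launch with SMACK64EXEC=User
        "weston_launch": exec_label("System", "User"),
        # a plain service started by systemd inherits System
        "plain_service": exec_label("System", None),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The transmute case is the one worth noticing for anyone tempted to park data in /run: a User-labeled process writing there produces System::Run files, not User files, which is exactly why the announcement says /run must not be used as a repository for other data.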

Mobile:

There is no User domain entry point identified for mobile. The entire system, 
including applications, will run in the System domain until the base for the 
User domain is fully identified.

Next Step:

The changes required for the Linux kernel have been accepted. The systemd and 
related changes are poised. The User domain setup will go in once the systemd 
changes are in. We're waiting on a toolchain change that will allow images to 
be built with the correct labeling.

Once that is in place we will start polishing access rules and looking into 
peer domains.

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
