On Wed, Jan 19, 2011 at 8:36 PM, Rudolf Streif <[email protected]> wrote:
> What other information/documentation on the security framework besides the
> MeeGo conference slides and the basic SMACK documentation is available?

In trying to understand MeeGo 1.2 security, I placed all the links I found of interest at the end of this message:
http://lists.meego.com/pipermail/meego-security-discussion/2011-January/000019.html

An interesting counterpoint:
http://ols.fedoraproject.org/OLS/Reprints-2008/nakamura-reprint.pdf is suggested in http://lwn.net/Articles/293075/

> What I am looking for is how can I test the security framework by writing a
> simple application that tries to
> do an open/ioctl on a device it does not have access to? Is there any
> documentation that outlines the steps
> for application developers?

Hmm... not having used such a system, I would imagine you'd write a special unique SMACK label on any protected devices; then access only from processes with a matching label. CAP_MKNOD_POSIX also needs to be disabled per
http://www.docstoc.com/docs/68013153/Digital-TV-and-application-store_-solving-security-problems

http://www.embeddedalley.com/pdfs/Smack_for_DigitalTV.pdf suggests a test preparation script which, among other things, does:

............
Label protected device nodes with 'prot_dev' label
Devices labeled as protected are /dev/mem and /dev/hdc
Label open device nodes with 'open_dev' label
Devices labeled as open are /dev/zero and /dev/null
.........

https://help.ubuntu.com/community/SmackConfiguration#The%20System%20Separation%20Configuration shows how to set up wildcard labels on shared devices:

.......
/usr/bin/attr -S -s SMACK64 -V '*' /dev/null
/usr/bin/attr -S -s SMACK64 -V '*' /dev/zero
........

-- Niels
http://nielsmayer.com

PS: I noticed some new security packages in meego-handset-armv7l-n900-devel-1.1.80.15.20110118.5-mmcblk0p.raw.bz2 -- would this version give a handset image with a "system separation configuration"; is there a special script to run or package to install to have it come up with "MeeGo 1.2 Security" or is it not ready for use/testing yet?
_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev
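Added example, not part of the original message or of any MeeGo package: a small C probe for the test asked about above. It reports the caller's label, each device's `security.SMACK64` label, and the result of an `open()` attempt. The function names `probe_open` and `object_label` are hypothetical, and the device list assumes the `prot_dev`/`open_dev` labelling quoted in the message has been applied on a kernel where Smack is the active LSM.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Try to open path with the given flags; return 0 on success or the errno
 * from open(). A Smack label mismatch is reported as EACCES. */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags | O_NONBLOCK);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Copy the object's Smack label (security.SMACK64 xattr) into buf.
 * Returns 0 on success, or errno (e.g. ENODATA/ENOTSUP without Smack). */
int object_label(const char *path, char *buf, size_t len)
{
    ssize_t n = getxattr(path, "security.SMACK64", buf, len - 1);
    if (n < 0)
        return errno;
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    /* Assumed labelling, taken from the script quoted in the message:
     * prot_dev on /dev/mem and /dev/hdc, open_dev (or '*') on zero/null. */
    const char *devs[] = { "/dev/mem", "/dev/hdc", "/dev/zero", "/dev/null" };
    char self[256] = "?", label[256];
    FILE *f = fopen("/proc/self/attr/current", "r"); /* subject label */
    if (f) {
        if (!fgets(self, sizeof self, f))
            strcpy(self, "?");
        fclose(f);
        self[strcspn(self, "\n")] = '\0';
    }
    printf("subject label: %s\n", self);
    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++) {
        int lerr = object_label(devs[i], label, sizeof label);
        int oerr = probe_open(devs[i], O_RDONLY);
        printf("%-10s label=%-10s open: %s\n", devs[i],
               lerr ? "(none)" : label, oerr ? strerror(oerr) : "ok");
    }
    return 0;
}
```

Run it as a user who already passes the ordinary file-mode checks on the device nodes, so that an `EACCES` result can be attributed to Smack and not to the permission bits.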
