The privileges

Tizen 3 defines several privileges [1].

Tizen 3 also defines 3 levels of privileges [2]:

• Public: for any developer and any application
• Partner: for developers and applications of the partners
• Platform: for developers of platform, for critical items of the system

See the sub page Security/Privileges_Study_For_Tizen3/List_Of_Privileges for listings of the privileges.

Analysis of Tizen 2 use of privileges

Most of this work is focused on the WEB API.

The remaining API and privileges are implemented in the Native OSP API that are not part of Tizen 3.

Privilege checking within WRT (WebRunTime) of Tizen 2.X

Many of the privileges were implemented by the project wrt-plugins-tizen.

This project was using the ACE security module of WRT to check the credentials of the calls to the API. In case of successfully granted privilege, the call was issued to the underlying API.

APPLICATION      JS/C             ACE      PRIV-MGR         API
    |     call    .                .           .             .
    +------------>+                .           .             .
    .             |                .           .             .
    .             +--------------->+           .             .
    .             .                |      dbus .             .
    .             .                +---------->+             .
    .             .                .           |             .
    .             .                +<----------+             .
    .             +<---------------+           .             .
    .             |                .           .             .
    .             +----------------------------------------->+
    .             .                .       API call          |
    .             +<-----------------------------------------+
    .             |                .           .             .
    +<------------+                .           .             .
    |             .                .           .             .

What is interesting here is that most of the privileges are checked on the basis of the API call, not on the basis of the group of call. To well explain it, lets get an example: the function add of the AlarmManager is requiring the privilege http://tizen.org/privilege/alarm. Thus instead of checking granted access to the privilege http://tizen.org/privilege/alarm when the function AlarmManager.add is invoked, the WRT module for bookmarks checks whether the access is granted to AlarmManager.add what indirectly will check the privilege http://tizen.org/privilege/alarm.

How was working ACE checking

Initialise step:

• each instance of WRT that instanciate a plugin also initialize it. It consists to create a table of the AceFunction to check.

Many macro are used to perform that operation. The structure AceFunction records: the name of the function, the device capability name with its param when needed, the features to grant.

Calling the check:

• based on the string name of the function to call, the AceFunction is searched linearly in the table
• the function WrtAccess::checkAccessControl is called with that function description
• the function WrtAccess::checkAccessControl copies the AceFunction data to the request
• the function WrtAccess::checkAccessControl invokes ace_check_access_ex
• the function ace_check_access_ex wraps the data of the request into an other request and then calls the functions checkFunctionCall and checkPrivacy
• at first call, the function checkFunctionCall gets the list of features of the device
• the function checkFunctionCall creates a list of the basic requests from the list of features requested and then validate each by making several queries in the database and using a cache.
• the function checkPrivacy calls the function privacy_checker_check_package_by_privilege for each requested privilege
• the function privacy_checker_check_package_by_privilege indirectly calls through DBUS the privacy-manager

As you can read, all these checks are long and complicated. The code is really hard to follow and some architectural overview would be welcome. Don't hesitate to put here links to additional documentations.

Reconstruction of dependencies of modules of wrt-plugins-tizen

The modules of the project wrt-plugins-tizen (framework/web/wrt-plugins-tizen) were checked to compute:

• the list of the privileges that it is checking;
• the list of dependencies that it have to other projects of tizen.

This is then used to have the list of dependencies. This list if organized by category. CAUTION: the dependencies to libc aren't tracked and thus don't appear here.

Dependencies by modules

Here is the resulting table:

Dependencies by categories

From this table we deduce the dependencies of WRT apis:

dependencies to CAPI

platform/core/api/application
platform/core/api/app-manager
platform/core/api/bluetooth
platform/core/api/connection
platform/core/api/favorites
platform/core/api/media-content
platform/core/api/metadata-extractor
platform/core/api/notification
platform/core/api/package-manager
platform/core/api/power
platform/core/api/runtime-info
platform/core/api/sensor
platform/core/api/system-info
platform/core/api/system-settings
platform/core/api/url-download

dependencies to the framework

platform/core/appfw/ail
platform/core/appfw/aul-1
platform/core/appfw/libslp-db-util
platform/core/appfw/message-port
platform/core/appfw/pkgmgr-info
platform/core/appfw/slp-pkgmgr
platform/core/appfw/sppc
platform/core/appfw/tizen-platform-wrapper
platform/core/appfw/vconf

other dependencies

platform/core/base/bundle
platform/core/connectivity/smartcard-service
platform/core/messaging/email-service
platform/core/messaging/msg-service
platform/core/pim/calendar-service
platform/core/pim/contacts-service
platform/core/security/security-server
platform/core/system/libslp-pm
platform/core/system/libslp-sensor
platform/core/system/sync-agent
platform/core/telephony/libtapi-legacy

Table of privileges and device's capabilities

On Tizen 2, the WRT plugins defines that device capabilities as associated to the privileges.

Privilege use in tizen 3

current state of checking the privileges by crosswalk

From the project platform/framework/web/tizen-extensions-crosswalk it comes that the privileges aren't checked at all by the tizen extensions of crosswalk.

Crosswalk tizen extensions are calling the API (core API and TO BE STUDIED). It is of the responsibility of the called API to check the privileges.

The current state is that the errors linked to permissions aren't well reported using the exception SecurityError.

Overview of the internals of crosswalk extensions for Tizen

• useful link Security and Crosswalk
• useful link 2 write an extension for IVI

The tizen extension process isn't linked with the extensions. In place, it discovers them. Each extension is a loadable plugin (shared library) as it can be seen on a target:

> date
ven  4 lug 2014, 06.58.55, PDT
> rpm -ql tizen-extensions-crosswalk
/usr/bin/tizen-extensions-crosswalk
/usr/lib/tizen-extensions-crosswalk/libtizen.so
/usr/lib/tizen-extensions-crosswalk/libtizen_alarm.so
/usr/lib/tizen-extensions-crosswalk/libtizen_application.so
/usr/lib/tizen-extensions-crosswalk/libtizen_audiosystem.so
/usr/lib/tizen-extensions-crosswalk/libtizen_bluetooth.so
/usr/lib/tizen-extensions-crosswalk/libtizen_bookmark.so
/usr/lib/tizen-extensions-crosswalk/libtizen_content.so
/usr/lib/tizen-extensions-crosswalk/libtizen_download.so
/usr/lib/tizen-extensions-crosswalk/libtizen_filesystem.so
/usr/lib/tizen-extensions-crosswalk/libtizen_mediaserver.so
/usr/lib/tizen-extensions-crosswalk/libtizen_messageport.so
/usr/lib/tizen-extensions-crosswalk/libtizen_network_bearer_selection.so
/usr/lib/tizen-extensions-crosswalk/libtizen_notification.so
/usr/lib/tizen-extensions-crosswalk/libtizen_phone.so
/usr/lib/tizen-extensions-crosswalk/libtizen_power.so
/usr/lib/tizen-extensions-crosswalk/libtizen_speech.so
/usr/lib/tizen-extensions-crosswalk/libtizen_system_info.so
/usr/lib/tizen-extensions-crosswalk/libtizen_systemsetting.so
/usr/lib/tizen-extensions-crosswalk/libtizen_time.so
/usr/lib/tizen-extensions-crosswalk/libtizen_utils.so
/usr/lib/tizen-extensions-crosswalk/libtizen_vehicle.so

Each of this plugin is using the same plugin mechanism as the one described here.

In brief: the plugin declares a javascript module that communicate with the C++ extension using an IPC mechanism.

The call graph for the current state is:

    BROWSER  PROCESS               EXTENSION                      SERVICE
 APPLI       (JS itf of the            C++                            .
   |            extension)              .                             .
   +--------------->+                   .                             .
   .                |  -> json (IPC)    .                             .
   .                +------------------>+                             .
   .                .                   |           >WHAT?>           .
   .                .                   +---------------------------->+
   .                .                   .                             |
   .                .                   +<----------------------------+
   .                .                   |           <WHAT?<           .
   .                +<------------------+                             .
   .                |  <- json (IPC)    .                             .
   +<---------------+                   .                             .
   |                .                   .                             .

What can be summarized by:

    ipc       ?
BP ----- EP ----- SRV