Security/Tizen 2.X Security Server

From Tizen Wiki
Jump to: navigation, search

Introduction

This section describes security-server architecture and main features.

In Tizen 2.x, security-server provides user-space access control, enable and disable app permissions and screen lock password management and security management for Data-control.

Security-server. Architecture.PNG


Note

Note: Get Gid Service - Historical service that retreives Linux group ID from group name which is passed by parameter. This is replaced by Smack based access control.


Note

Note: Shared Memory Service - Historical service that supports for data-control. This is replaced by OpenFor service because of security reason.


User-space access control

For some services which requires find grained access control for the IPC request from applications, we support user-space access control by security-server which provides access check for those daemons by checking Smack rules. To check the Smack rules, security-server uses libsmack API with client identifier, object label and access permission.

Client identifier

Security-server receives client identifier to retrieve Smack label of client process from the service daemon.

Note

Note: You must get the client identifier by trusted provider. For example, getting process ID from SO_PEERCRED is recommended. Don't let the client send the identifier by itself in the data payload.

There are 3 types in client identifier:

  • client process ID
    • Smack label of a process can be retrieved by proc file system in /proc/[pid]/attr/current. Smack label is stored in text in the file.
  • client socket file descriptor
    • Smack supports SO_PEERSEC feature that peer of a Unix domain socket descriptor is stored in the kernel data structure, and can be retrieved by getsockopt() function.
  • cookie
    • When there is no trusted way to find out client identifier, security server provides a random string named cookie indexing a process credential including process ID, user ID, and Smack label. Acquiring and checking access control by cookie is shown in the picture below.

Security-server. User-space Access control.PNG

Cookie is a random bit stream that represents a process information. Cookie is created by security-server when an application request a cookie(#1 above) to security-server. Security-server uses SO_PEERCRED and SO_PEERSEC to generate cookie value and it holds security information of a process. When a service daemon request to check privilege by cookie(#6 above), then security-server searches corresponding cookie value from the cookie list and retrieve the client identifier.

struct Cookie
{
    std::vector<char> cookieId;       // 20 bytes of random bitstream
    pid_t pid;                        // Process ID of the client application
    uid_t uid;                        // Effective user ID of the client application
    gid_t gid;                        // Effective group ID of the client application
    std::string binaryPath;           // Command line path of the client application
    std::string smckLabel;            // Smack label of the client application
    std::vector<int> permissions;     // List of groups of the client application  (deprecated)
};

Cookie is bounded to a process and does not generate multiple cookie for a single process, so it performs garbage collection to synchronize with process status.

Object label, access permission

Service daemon should define the granularity of the access control (such as read/write), and need to arrange corresponding privileges for those granularity, then map to corresponding Smack label which is not assigned to any file.

For example, suppose contact-service has 2 privileges that are contact data reading and writing, then we can arrange them as below:

Privilege SMACK rule API security-server params
contact.read privilege <app_label> contact-service::read r contact read APIs client identifier, "contact-service::read", "r"
contact.write privilege <app_label> contact-service::write w contact write APIs client identifier, "contact-service::write", "w"

Please note that Smack labels contact-service::read, and contact-service::write is not assigned to any file.

API

We have multiple APIs for each client identifier type.




int security_server_check_privilege_by_cookie( const char *cookie, const char *object, const char *access_rights );

  • Description
This API may be used by middleware process to ask the client application has privilege for the given object. When Security Server receives this request, it searches cookie database and check the cookie is there. If there is matching cookie, then it checks the cookie has the privilege.
  • Parameter
param[in] : cookie Received cookie value from client application
param[in] : cookie Received cookie value from client application
  • Return
Privilege confirm or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-cookie-check w



int security_server_check_privilege_by_sockfd( int sockfd, const char *object, const char *access_rights );

  • Description
This function allows middleware to check privileges of process with specified socket. Service is able to check process access to the specified object label with specified access rights.
  • Parameter
param[in] : SOCKFD socket file descriptor to be checked
param[in] : SMACK object label
param[in] : SMACK access rights to be checked
  • Return
Privilege confirm or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-privilege-by-pid w



int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights);

  • Description
This function allows middleware to check privileges of process with specified PID. Service is able to check process access to the specified object label with specified access rights.
  • Parameter
param[in] : PID id of process to be checked
param[in] : SMACK object label
param[in] : SMACK access rights to be checked
  • Return
Privilege confirm or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-privilege-by-pid w

security-server denial log

libsmack does not print any log about user-space access check therefore security-server prints denial log in /var/log/audit/audit-smack{random number}.log. Log contains subject label, object label, access type and access checking result. If client identifier is pid or socket fd, pid and path of client application are also printed as example below.

[cookie.cpp:332] privilegeByCookieRequest(): SS_SMACK:  subject=native-tc, object=nfc-manager::tag, access=r, result=0

[privilege-by-pid.cpp:118] processOne(): SS_SMACK: caller_pid=2263, subject=org.tizen.volume, object=e17::notification, access=w, result=0, 
                           caller_path=/usr/bin/launchpad_preloading_preinitializing_daemon

Result denotes the check result of libsmack API.

  • 0: "SMACK DENIED"
  • 1: "SMACK SUCCESS"
  • -1: "Fail to check SMACK"

To play with Smack rules, please refer to Smack section.

Enable/Disable app permissions

Security-server is possible to enable and disable privileges for a specified application. In Tizen 2.3, Privacy Manager uses these APIs.

API

There are just two APIs for enabling and disabling app permission :



int security_server_app_enable_permissions(const char *app_id, app_type_t app_type, const char **perm_list, int persistent);

  • Description
This function allows middleware to enable permissions for specified app_id.
  • Parameter
param[in] : Application ID
param[in] : Application type defined in enum at the beginning of this file
param[in] : Permissions list
param[in] : Persistent
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-app-permissions w



int security_server_app_disable_permissions(const char *app_id, app_type_t app_type, const char **perm_list);

  • Description
This function allows middleware to disable permissions for specified app_id.
  • Parameter
param[in] : Application ID
param[in] : Application type defined in enum at the beginning of this file
param[in] : Permissions list
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-app-permissions w

Password management

Security-server manages lockscreen password in Tizen 2.x. To check and set the password any application or service should call corresponding security-server APIs because accessing password database is not allowed to any subject other than security-server. In addition, to call password management APIs, the caller process should have proper Smack rules to perform the API.

Security-server. Password management.PNG

Password data type

Password data types of security-server are :

Password

  • String under 32 characters.
  • Security-server just checks a number of characters and not concern with password type like as PIN number, pattern.
  • SHA-256 hash is applied.

Password active

  • Flag that indicate whether password is existed or not.

Max attempt

  • Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.

Current attempt

  • Current number of attempts that user try to check the password untill now.
  • If current attempt is equal to max attempt, user can't check the password anymore.
  • Security-server will returns error code(=SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED).

Expire time

  • Number of days that this password is valid. 0 means infinity.
  • If current password is expired, user can't check the password anymore.
  • Security-server will returns error code(=SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED).

Password history

  • Password history that is used recent password list.

History size

  • The number of password history which should be maintained.
  • Maximum is currently 50.
  • Once this number set, user cannot reuse recent number of passwords which is described in this history value.
  • Security-server will returns error code(=SECURITY_SERVER_API_ERROR_PASSWORD_REUSED).

Retry timer

  • Timer that prevent password from reply attack.
  • If user checks or set password again within 0.5 sec, Security-server considers reply-attack and returns error code(= SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER).

Password file

Password files are :


Password file

  • /opt/data/security-server/password
  • attributes - current file version, max attempt, history size, expire time, password active, current password, password history
  • The password file is protected by DAC and Smack that the file is owned by root with 0600 permission, and labeled as "security-server".

Old version password file

  • /opt/data/security-server/password.pwd

Attempt file

  • /opt/data/security-server/attempt
  • attributes - current attempt

API




int security_server_is_pwd_valid(unsigned int *current_attempts, unsigned int *max_attempts,unsigned int *valid_secs);

  • Description
This API checks phone validity of password, to check existance, expiration, remaining attempts.
  • Parameter
param[out] : current_attempts Number of password check missed attempts.
param[out] : max_attempts Number of maximum attempts that the password locks. 0 means infinite.
param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-password-check w



int security_server_chk_pwd(const char *challenge, unsigned int *current_attempt, unsigned int *max_attempt, unsigned int *valid_secs);

  • Description
This API compares stored password with challenged input value.
  • Parameter
param[in] : challenge Null terminated challenged password string. It must not a NULL pointer.
param[out] : current_attempts Number of password check missed attempts.
param[out] : max_attempts Number of maximum attempts that the password locks. 0 means infinite.
param[out] : valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite.
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-password-check w



int security_server_set_pwd(const char *cur_pwd, const char *new_pwd, const unsigned int max_challenge, const unsigned int valid_period_in_days);

  • Description
This API sets password only if current password matches.
  • Parameter
param[in] cur_pwd Null terminated current password string or NULL pointer if there is no password set yet.
param[in] new_pwd Null terminated new password string or NULL.
param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity.
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-password-set w



int security_server_set_pwd_validity(const unsigned int valid_period_in_days);

  • Description
This API sets validity period for currently setup password.
  • Parameter
param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-password-set w



int security_server_set_pwd_max_challenge(const unsigned int max_challenge);

  • Description
This API sets maximum number of attempts for currently setup password.
  • Parameter
param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-password-set w



int security_server_set_pwd_history(int history_size);

  • Description
This API should be used only by dedicated process in the platform.
  • Parameter
param[in] : history_size Number of history to be checked when user tries to change password. Maximum is currently 50
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-password-set w



int security_server_reset_pwd(const char *new_pwd, const unsigned int max_challenge, const unsigned int valid_period_in_days);

  • Description
This API sets phone password without performing any checks connected with provided password. It should be used only if current password is invalid or user forgot the password.
  • Parameter
param[in] new_pwd Null terminated new password string. It must not a NULL pointer.
param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-password-reset w

Data control

Data control ......

Security-server. Data control.PNG

API



int security_server_open_for(const char *filename, int *fd);

  • Description
This function allows to create, if doesn't exist, or open existing file by Security Server on behalf of calling process in secured directory.
  • Parameter
param[in] : File name to create/open
param[out] : File descriptor
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
This function does not require any Smack rule.



int security_server_shared_file_open(const char *filename, const char *client_label, int *fd);

  • Description
This function allows to create, if doesn't exist, or open existing file by Security Server on behalf of calling process in secured directory.
  • Parameter
param[in] : File name to create
param[in] : Label of designated client
param[out] : File descriptor
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
This function does not require any Smack rule.



int security_server_shared_file_reopen(const char *filename, int *fd);

  • Description
This function allows to open existing file by Security Server on behalf of calling process in secured directory. Security Server checks smack label of calling process and if it's the same as file label access to file is granted.
  • Parameter
param[in] : File name to open
param[out] : File descriptor
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
<app_label> security-server::api-open-for-privileged w



int security_server_shared_file_delete(const char *filename);

  • Description
This function allows to delete existing file by Security Server on behalf of calling process in secured directory. Security Server checks smack label of calling process and if it's the same as file label access to file is granted.
  • Parameter
param[in] : File name to delete
  • Return
Success or error code
SECURITY_SERVER_API_SUCCESS or SECURITY_SERVER_API_ERROR_*
  • Access to this function requires SMACK rule
This function does not require any Smack rule.

Error codes

error code value comment
SECURITY_SERVER_API_ERROR_SOCKET -1 indicating the socket between client and Security Server has been failed
SECURITY_SERVER_API_ERROR_BAD_REQUEST -2 indicating the input parmas are malformed
SECURITY_SERVER_API_ERROR_BAD_RESPONSE -3 indicating the response from Security Server is malformed
SECURITY_SERVER_API_ERROR_SEND_FAILED -4 indicating the transmitting request has been failed (deprecated)
SECURITY_SERVER_API_ERROR_RECV_FAILED -5 indicating the receiving response has been failed (deprecated)
SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT -6 indicating requesting object is not exist
SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED -7 indicating the authentication between client and server has been failed
SECURITY_SERVER_API_ERROR_INPUT_PARAM -8 indicating the API's input parameter is malformed
SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL -9 indicating the output buffer size which is passed as parameter is too small
SECURITY_SERVER_API_ERROR_OUT_OF_MEMORY -10 indicating system is running out of memory state
SECURITY_SERVER_API_ERROR_ACCESS_DENIED -11 indicating the access has been denied by Security Server
SECURITY_SERVER_API_ERROR_SERVER_ERROR -12 indicating Security Server has been failed for some reason
SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE -13 indicating given cookie is not exist in the database
SECURITY_SERVER_API_ERROR_NO_PASSWORD -14 indicating there is no phone password set
SECURITY_SERVER_API_ERROR_PASSWORD_EXIST -15 indicating password exists in system
SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH -16 indicating password mismatch
SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER -17 indicating password retry timeout is not occurred yet
SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED -18 indicating password is failed to check more then max attempt
SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED -19 indicating password is expired
SECURITY_SERVER_API_ERROR_PASSWORD_REUSED -20 indicating password is reused
SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED -21 indicating getting smack label from socket failed
SECURITY_SERVER_API_ERROR_UNKNOWN -255 indicating the error with unknown reason

FAQ