Security/Tizen 2.X wrt-security

From Tizen Wiki

Introduction

Wrt-security manages API access control for web applications. An application's invocation of a security-sensitive API SHOULD be granted or denied based on the privileges that the application has.

Terms

Privilege

Please refer to the Privileges section.

Device Capability

Features that the target device provides.
Most device capabilities are mapped 1:1 to a privilege.
 - e.g. http://tizen.org/privilege/alarm (privilege) :: alarm (device capability)
Defined in the policy file (e.g. TizenPolicy.xml in the tizen-security-policy package, since 2013.12.5).
Device API plugins define privileges and the device capabilities needed by their APIs.

Policy

A collection of access control constraints.
Describes which web applications are permitted to access device capabilities.
Policy files were moved to the tizen-security-policy package (since 2013.12.5).

Subject

The web application itself, which requires access to device APIs.

ACE

Acronym for the Access Control Engine of wrt-security.


Privilege & device capability management at install time

1. Device API plugins (wrt-plugins-...) are installed, the very first time only.
2. The privilege :: device capability mapping information is registered in the WRT DB.
3. The web application is installed. This step is triggered when the user installs a specific web application.
   3-1. A privilege is permitted if its mapped device capabilities are permitted.
   3-2. If all privileges the web application needs are permitted, the web application is installed successfully.
4. The permitted privileges and the device capabilities mapped to them are registered in the ACE DB.

[Figure: Wrt security install time.PNG]


Privilege & device capability management at runtime

1. A device API is called from the web application.
2. An ACE check request is generated based on the privilege-device capability mapping information in each plugin's plugin_config file.
3. The ACE check is performed using the wrt-security client API.
   Check that the requested privileges were properly registered at install time.
   Check whether a cached result (in the ACE DB) exists for the request. If a cached result exists, return it.
   (4). If no cached result exists, connect to wrt-security-daemon via a socket.
   (5). Save the result in the cache (ACE DB) and go back to step 3.

[Figure: Wrt security run time.PNG]
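
The runtime steps above, modelled as an added C++ example (not code from wrt-security). The class, its members and the `contact.read` capability name are hypothetical, and the daemon is a callback standing in for the socket call to wrt-security-daemon:

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>

// Hypothetical model; these names are not the wrt-security client API.
enum class Verdict { Deny, Permit };

class AceClient {
public:
    using Registry = std::map<std::string, std::set<std::string>>;
    using Daemon = std::function<Verdict(const std::string&, const std::string&)>;
    AceClient(Registry registered, Daemon daemon)
        : registered_(std::move(registered)), daemon_(std::move(daemon)) {}
    // Step 3: ACE check of one device capability for one subject (app).
    Verdict check(const std::string& app, const std::string& cap) {
        // Must have been registered at install time. Denying here,
        // without caching, is an assumption of this sketch.
        auto reg = registered_.find(app);
        if (reg == registered_.end() || reg->second.count(cap) == 0)
            return Verdict::Deny;
        // A cached result in the ACE DB is returned without a daemon call.
        const auto key = std::make_pair(app, cap);
        auto hit = cache_.find(key);
        if (hit != cache_.end()) return hit->second;
        // (4) Cache miss: ask the daemon (a socket call on a real device).
        ++daemon_calls;
        const Verdict v = daemon_(app, cap);
        // (5) Save the result, then answer from the cache as step 3 would.
        cache_[key] = v;
        return cache_.at(key);
    }
    int daemon_calls = 0;  // exposed so the caching effect is observable
private:
    Registry registered_;  // ACE DB: install-time registrations
    std::map<std::pair<std::string, std::string>, Verdict> cache_;  // ACE DB cache
    Daemon daemon_;
};

int main() {
    AceClient::Registry reg;
    reg["app1"].insert("alarm");  // constructed sample data
    AceClient ace(reg, [](const std::string&, const std::string&) { return Verdict::Permit; });
    for (int i = 0; i < 3; ++i) ace.check("app1", "alarm");
    ace.check("app1", "contact.read");  // never registered: denied locally
    std::cout << "daemon calls: " << ace.daemon_calls << "\n";
}
```

Because the check answers from the cache first, a verdict in this model stays in effect until the cached entry is removed; the page does not describe how the ACE DB cache is invalidated.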


How to add device capability

  • Define the privilege and device capability mapping information in config.xml of the wrt-plugins-tizen package.

[Figure: WRT Security Plugin config.PNG]

  • Add the device capability to TizenPolicy.xml (in the tizen-security-policy package).
    • If the privilege level of the privilege mapped to the device capability is:
      • Platform level: the device capability has to be added in the Public-API level, Partner-API level and Platform-API level.
      • Partner level: the device capability has to be added in the Public-API level and Partner-API level.
      • Public level: the device capability has to be added only in the Public-API level.