Security/Tizen 3.X Denial messages

From Tizen Wiki

Smack denial message

Description

  • Smack is the MAC (mandatory access control) mechanism. Access is controlled by Smack rules, each of which consists of a subject label, an object label, and the permitted accesses.
  • When no rule grants the requested access, Smack denies the access and emits a denial message.
  • The message format depends on the system call (the Smack LSM hook) that performed the check; the hook name is shown in the fn field of the denial message.

How to see

  • The message is printed to the kernel log; you can see it with the following command.
 $ dmesg | grep SMACK

Example (need to add more examples)

 lsm=SMACK fn=smack_inode_permission action=denied subject="test" object="User::Home" requested=x pid=4279 comm="bash" name="owner" dev="mmcblk0p25" ino=59
  • fn : name of the Smack hook (system call) that raised the denial
  • action : result of the Smack rule check
  • subject : Smack label of the subject (the process requesting access)
  • object : Smack label of the object being accessed
  • requested : access that the subject requested on the object
  • pid : pid of the subject process
  • comm : command name of the subject process
  • name : file or directory name of the object
  • dev : device on which the object is located
  • ino : inode number of the object
Which fields appear depends on fn (the system call used).
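The denial line above is a flat list of key=value fields, some quoted and some bare, so triage usually starts by parsing it and grouping denials by the (subject, object, requested) triple that a Smack rule is made of. The following is an added example, not code from the Tizen wiki or from Smack itself; the dmesg sample is constructed (only the first line is the wiki's own example, the others are made up in the same format), and the grouping is for review by a person, since the page is explicit that rules must not be added just because a denial appeared.

```python
import re
from collections import Counter

# Constructed sample of `dmesg` output. Line 1 is the wiki's example; the other
# SMACK lines are made-up denials in the same format, and the USB line shows
# that unrelated kernel messages are skipped.
SAMPLE_DMESG = """\
[   12.345678] lsm=SMACK fn=smack_inode_permission action=denied subject="test" object="User::Home" requested=x pid=4279 comm="bash" name="owner" dev="mmcblk0p25" ino=59
[   12.350000] lsm=SMACK fn=smack_inode_permission action=denied subject="test" object="User::Home" requested=x pid=4280 comm="bash" name="owner" dev="mmcblk0p25" ino=59
[   13.000000] lsm=SMACK fn=smack_inode_getattr action=denied subject="User::Pkg::example.app" object="System" requested=r pid=5001 comm="example" name="config" dev="mmcblk0p25" ino=1234
[   14.000000] usb 1-1: new high-speed USB device number 2
"""

# One key=value token: the value is either a double-quoted string (group 3)
# or a bare word such as x or 59 (group 2).
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_smack_line(line):
    """Return the fields of one Smack denial line as a dict, or None when the
    line is not a Smack denial (other kernel messages, or a non-denied action)."""
    if "lsm=SMACK" not in line:
        return None
    fields = {}
    for m in _TOKEN.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    if fields.get("action") != "denied":
        return None
    return fields


def parse_dmesg(text):
    """Parse every Smack denial in a block of dmesg output."""
    return [f for f in (parse_smack_line(l) for l in text.splitlines()) if f]


def summarize(denials):
    """Group denials by the (subject, object, requested) triple, the three
    parts of a Smack rule, counting occurrences and recording which hooks
    (fn) raised them. The result is meant to be reviewed, not loaded as rules."""
    counts = Counter()
    fns = {}
    for d in denials:
        key = (d["subject"], d["object"], d["requested"])
        counts[key] += 1
        fns.setdefault(key, set()).add(d["fn"])
    return {k: {"count": n, "fn": sorted(fns[k])} for k, n in counts.items()}


if __name__ == "__main__":
    for (subject, obj, requested), info in summarize(parse_dmesg(SAMPLE_DMESG)).items():
        print(f"{subject} -> {obj} [{requested}] x{info['count']} via {', '.join(info['fn'])}")
```

In practice the input is `dmesg | grep SMACK` piped into the script; the summary tells you which subject/object pairs are being denied and how often, which is the information you need before deciding whether the module is doing something it should not, or whether the security part needs to look at a missing rule.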

How to resolve

  • The request was denied because there is no "subject object requested" rule. The denial message disappears if that rule is added, but Smack rules must not be added arbitrarily.
  • If the necessary rule does not exist, it may be a timing issue. Ask the security part.
  • It is natural for a denial to occur on an unauthorized action, so modify the module so that it does not perform such actions.
  • Note that a Smack denial means the operation was 'denied'; it is not an 'error'.

Cynara denial message

Description

  • Cynara checks whether the app has the required privilege; if it does not, Cynara returns a permission-denied error and the access is denied.

How to see

  • The message is printed to dlog; you can see it with the following command.
 $ dlogutil CYNARA

Example (need to add more examples)

 CYNARA AUDIT MESSAGE=User::Pkg::org.tizen.msg-manager;5001;http://tizen.org/privilege/camera => DENY
  • User::Pkg::$pkg_id : Smack label of the client (here User::Pkg::org.tizen.msg-manager)
  • 5001 : uid of the client
  • http://tizen.org/privilege/camera : name of the privilege that was checked
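The audit line is a single `label;uid;privilege => DECISION` record, so the first step in resolving a Cynara denial is to collect the denied privileges per client and compare them with what the app declares. The following is an added example, not code from the Tizen wiki or from Cynara; the dlog sample is constructed (only the first line is the wiki's own example), the declared-privilege set stands in for the app's manifest, and the "ALLOW" decision string is assumed to be the counterpart of the "DENY" shown on the page.

```python
import re
from collections import defaultdict

# Constructed sample of `dlogutil CYNARA` output. Line 1 is the wiki's example;
# the remaining lines are made up in the same format.
SAMPLE_DLOG = """\
CYNARA AUDIT MESSAGE=User::Pkg::org.tizen.msg-manager;5001;http://tizen.org/privilege/camera => DENY
CYNARA AUDIT MESSAGE=User::Pkg::org.tizen.msg-manager;5001;http://tizen.org/privilege/telephony => ALLOW
CYNARA AUDIT MESSAGE=User::Pkg::org.tizen.msg-manager;5001;http://tizen.org/privilege/location => DENY
CYNARA AUDIT MESSAGE=User::Pkg::example.app;5002;http://tizen.org/privilege/internet => DENY
D/OTHER: some unrelated dlog line
"""

# label;uid;privilege => DECISION, tolerant of any dlog prefix before MESSAGE=.
_AUDIT = re.compile(r"MESSAGE=([^;]+);(\d+);(\S+)\s*=>\s*(ALLOW|DENY)")
PKG_PREFIX = "User::Pkg::"


def parse_cynara_line(line):
    """Return one audit record as a dict, or None if the line is not a Cynara
    audit message. pkg_id is derived from a User::Pkg::<pkg_id> label."""
    m = _AUDIT.search(line)
    if not m:
        return None
    label, uid, privilege, decision = m.groups()
    pkg_id = label[len(PKG_PREFIX):] if label.startswith(PKG_PREFIX) else None
    return {"label": label, "pkg_id": pkg_id, "uid": int(uid),
            "privilege": privilege, "decision": decision}


def denied_privileges(text):
    """Map (label, uid) to the sorted list of privileges Cynara denied."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_cynara_line(line)
        if rec and rec["decision"] == "DENY":
            out[(rec["label"], rec["uid"])].add(rec["privilege"])
    return {k: sorted(v) for k, v in out.items()}


def classify(denied, declared):
    """Split denied privileges by whether the app declares them (`declared` is
    a set standing in for the manifest). Undeclared ones mean the app lacks the
    privilege; declared-but-denied ones are the cases to look at next, such as
    an 'ask' policy with the privacy feature enabled or a mapping-only check."""
    undeclared = sorted(p for p in denied if p not in declared)
    declared_denied = sorted(p for p in denied if p in declared)
    return undeclared, declared_denied


if __name__ == "__main__":
    # Constructed manifest: the client declares camera but not location.
    manifest = {"http://tizen.org/privilege/camera"}
    for (label, uid), privs in denied_privileges(SAMPLE_DLOG).items():
        missing, check = classify(privs, manifest)
        print(f"{label} (uid {uid}): undeclared={missing} declared_but_denied={check}")
```

Feed it `dlogutil CYNARA` output and a set built from the app's manifest; anything in the undeclared list is a genuine missing privilege, while the declared-but-denied list is where the 'ask' policy and mapping cases from the next section apply.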

How to resolve

  • Check whether the application actually has that privilege.
  • When the privacy feature is enabled, a policy stored as the 'ask' type is returned as DENY by Cynara. In this case, obtain user consent through the PPM API or handle it through the whitelist.
  • In some cases DENY is returned for a privilege the app does not actually hold, as a result of the privilege-gid mapping or privilege-mount mapping checks. Such denial messages can be ignored.