Security/Tizen 3.X Security Manager


Security Manager

Introduction

Security-manager is a component for configuring security mechanisms, developed for Tizen 3.0.

The basic way to integrate with security-manager is to use its client library, libsecurity-manager-client. API calls are handled on an RPC basis, by sending requests to the privileged security-manager service.

A limited part of that API can also function in so-called “off-line” mode, when the service is not running (e.g. when a system image is being built). Off-line mode works automatically: the client library detects whether the service is running and, for supported operations, degrades itself to run off-line. This mode of operation requires the client process to run as root, because administrative operations need to be performed (e.g. setting Smack policy).

The operations that have off-line support can also be performed with the command-line tool security-manager-cmd. It is a helper program wrapping some of the libsecurity-manager-client APIs. Automatic off-line mode detection also works in this program, so it is always safe to use, whether the service is running or not.

Project Goals

security-manager provides an interface for managing the configuration of applications, users and their privileges. It translates configuration requests into settings of Smack, Cynara and (some) DAC policies. Every run-time change to Smack and Cynara policies should be made via security-manager.

Project History

The module is entirely new, as it was created specifically for Tizen 3.0. Previous versions of Tizen used the security-server module and the libprivilege-control library to set up all relevant security attributes for an application. However, with Tizen 3.0 the security model has changed; the most important difference is that application privileges are no longer connected with Smack rules. This required a new way of configuring applications, and resulted in a new module being created to handle that.

Contact information

Maintainers:

Rafał Krypa

Developers:

Łukasz Wojciechowski
Roman Kubiak
Zbigniew Jasiński
Zofia Abramowska

All discussion about security-manager should be held on the DEV mailing list (https://lists.tizen.org/listinfo/dev) at https://lists.tizen.org/

Security-manager is included in all Tizen images available at download.tizen.org.

Git repository for security-manager is available at: https://review.tizen.org/gerrit/gitweb?p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git;a=summary

To submit bugs please use the tizen.org JIRA.

Tizen Context

Any installer and/or package manager in Tizen should use security-manager to set security policies for newly installed applications and to clean up policy after application removal. Tizen uses many security policy mechanisms that need to be synchronized and set up for applications to operate normally. Without registering an application in security-manager, it will not be able to use Tizen services nor launch properly.

Features & API overview

The main feature of security-manager is configuring security policy for applications: at their install time and at runtime (changes in policy).


All public API interfaces are declared in the security-manager.h header; its complete documentation with examples is located at: https://wiki.tizen.org/wiki/Security/Tizen_3.X_Security_Manager/API

Application registration support (installation or uninstallation)

Application installation should be performed by a designated installer. It is the installer's job to parse the application manifest, unpack the files and register the application with the application framework. But security-manager should be called from the installer in order to register the application's privileges in the system. Without that, the application wouldn't get access to any privileges.

This interface is fully functional on-line and off-line (but the latter requires the client to run as root). A wrapper is also provided in security-manager-cmd. Security-manager supports both global and per-user application installation. Tizen 3 handles global applications using a special user account, tizenglobalapp (TZ_SYS_GLOBALAPP_USER in tizenplatform-config). Security-manager supports that by detecting which user performs the actual installation.

Application launching support

Launching the application is a job for the designated application launcher. Security-manager provides functions for the launcher to let it properly set up the security configuration of the application process. It should be integrated in the following manner:

  1. The application launcher needs to run with privileges that allow configuring the Smack label and supplementary groups. If it doesn't run as root, it must have the following capabilities: CAP_MAC_ADMIN, CAP_SETGID
  2. Whenever the launcher wants to spawn an application, it should fork the application process
  3. Before running the actual application binary in the forked process, security-manager functions must be called (one or more of the functions described below)
  4. Security-manager provides functions for setting the Smack label, setting supplementary groups and dropping capabilities
  5. However, there is no support for changing the uid. If the launcher runs with a different uid than the application should have, it's the launcher's job to call setuid() after calling security-manager
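Steps 1 to 5 leave one piece to the launcher itself: the uid change. The following is an added example, not code from this wiki page or from the security-manager project, showing a launcher skeleton that performs that step with return-code checks, verifies that the identity switch actually stuck, and refuses to exec the application if anything fails. It deliberately does not link against libsecurity-manager-client so that it builds and runs outside Tizen; the point at which security_manager_prepare_app() is called on a device is marked in a comment. The function names drop_to_user, launch_app and run_app are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Switch the calling process to (uid, gid) and verify that the switch
 * actually happened. Returns 0 on success, -1 with errno set on failure.
 * The caller must treat -1 as fatal and must not exec the application. */
int drop_to_user(uid_t uid, gid_t gid)
{
    /* gid first: once the uid is unprivileged, setgid() is refused. */
    if (setgid(gid) != 0)
        return -1;
    /* Do NOT call setgroups() here: on Tizen the supplementary groups were
     * already installed by security_manager_prepare_app() (step 4 above). */
    if (setuid(uid) != 0)
        return -1;
    /* Re-read the ids: an unprivileged setuid() may change only the
     * effective id, which would leave the real id switchable back. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Launcher side of steps 2-5: fork, configure the child, switch identity,
 * exec. Returns the child's pid to the parent (or -1 if fork() failed);
 * the child never returns from this function. */
pid_t launch_app(const char *path, uid_t app_uid, gid_t app_gid)
{
    char *const argv[] = { (char *)path, NULL };
    pid_t pid = fork();
    if (pid != 0)
        return pid;           /* parent, or fork() failure (pid == -1) */

    /* Child. On Tizen the security-manager call goes first, before any
     * identity change, and its failure must also end in _exit():
     *   if (security_manager_prepare_app(app_id) != SECURITY_MANAGER_SUCCESS)
     *       _exit(127);
     * (the call is not made in this stand-alone example). */
    if (drop_to_user(app_uid, app_gid) != 0) {
        fprintf(stderr, "launcher: identity switch failed: %s\n",
                strerror(errno));
        _exit(127);           /* never exec with the launcher's identity */
    }
    execv(path, argv);
    _exit(127);               /* exec failed; report it like a shell would */
}

/* Parent-side helper: launch the application and wait for it. Returns the
 * application's exit status, 127 if it could not be started, or -1 if the
 * launcher itself failed (fork or waitpid). */
int run_app(const char *path, uid_t app_uid, gid_t app_gid)
{
    int status;
    pid_t pid = launch_app(path, app_uid, app_gid);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Stand-alone demo: launch /bin/true as the current user. */
    int rc = run_app("/bin/true", getuid(), getgid());
    printf("application exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as an unprivileged user the demo switches to its own ids (which is always permitted) and reports status 0; a real launcher passes the target application's uid and gid instead, and the ordering (security-manager call, then drop_to_user, then execv) is what matters.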

User management support

Multi-user is a core feature of Tizen 3 and security-manager fully supports it. Users should be managed by a designated application. In Tizen 3, there is a special daemon for basic user account operations called gumd. Because management of user accounts is gumd's job, security-manager doesn't handle that. Instead it provides the means for gumd to inform security-manager about created and removed users. This is needed to configure per-user policy.

When a user is created, it is assigned to one of four types: guest, normal, admin and system. Each user type defines a default set of privileges that can be used by a user of that type. These profiles are managed by security-manager. Currently this functionality is configured for testing to allow all user types the full set of documented Tizen 3 privileges. When a user is removed, all per-user policy is removed from the Cynara database.

This interface is fully functional on-line and off-line (but the latter requires the client to run as root). A wrapper is also provided in security-manager-cmd.

Privilege management support – privacy-manager and user admin

Privilege management support in security-manager is a flexible interface for handling fine-grained policy configuration for applications, users and privileges. It was designed with two basic use-cases in mind:

  1. privilege checker, a.k.a. privacy-manager, for per-user restriction of application privileges
  2. user manager, allowing a privileged user to manage the privileges of other users

The above use-cases are handled as two simultaneous sets of settings. A user can use the privacy-manager only to limit privileges for applications, never to elevate them. At the same time, an administrator can set their own settings to give additional privileges to the user or to limit them further.

Examples

(Note: return-code checks are omitted from the examples for readability.)

Registering new application

#include <security-manager.h>

/* app_id, pkg_id, app_data_path and app_code_path come from the parsed manifest */
app_inst_req *p_req;

security_manager_app_inst_req_new(&p_req);
security_manager_app_inst_req_set_app_id(p_req, app_id);
security_manager_app_inst_req_set_pkg_id(p_req, pkg_id);
/* application's private data directory: writable by the application */
security_manager_app_inst_req_add_path(p_req, app_data_path, SECURITY_MANAGER_PATH_RW);
/* application code: readable but not writable by the application */
security_manager_app_inst_req_add_path(p_req, app_code_path, SECURITY_MANAGER_PATH_RO);
security_manager_app_inst_req_add_privilege(p_req, "http://tizen.org/privilege/alarm.set");
security_manager_app_inst_req_add_privilege(p_req, "http://tizen.org/privilege/notification");
security_manager_app_install(p_req);
security_manager_app_inst_req_free(p_req);

Launcher running as root, spawning applications for the user app (uid APP_UID)

#include <sys/types.h>
#include <unistd.h>
#include <security-manager.h>

pid_t pid = fork();
if (pid == 0) {
    /* child: set Smack label and supplementary groups, drop capabilities */
    security_manager_prepare_app(app_id);
    /* security-manager never changes the uid; the launcher does it itself */
    setuid(APP_UID);
    // execute the actual application, e.g. with execv()
}

User updating their own policy (privacy-manager)

#include <security-manager.h>

policy_update_req *policy_update_request;
policy_entry *entry1;
policy_entry *entry2;
policy_entry *entry3;

security_manager_policy_update_req_new(&policy_update_request);
security_manager_policy_entry_new(&entry1);
security_manager_policy_entry_new(&entry2);
security_manager_policy_entry_new(&entry3);

/* The entries carry no explicit user: this is the privacy-manager case,
 * where the caller restricts privileges of his own applications. */
security_manager_policy_entry_set_application(entry1, "MyApp1");
security_manager_policy_entry_set_privilege(entry1, "http://tizen.org/privilege/systemsettings");
security_manager_policy_entry_set_level(entry1, "Deny");
security_manager_policy_entry_set_application(entry2, "MyApp2");
security_manager_policy_entry_set_privilege(entry2, "http://tizen.org/privilege/systemsettings");
security_manager_policy_entry_set_level(entry2, "Deny");
security_manager_policy_entry_set_application(entry3, "MyApp3");
security_manager_policy_entry_set_privilege(entry3, "http://tizen.org/privilege/nfc");
security_manager_policy_entry_set_level(entry3, "Deny");

security_manager_policy_update_req_add_entry(policy_update_request, entry1);
security_manager_policy_update_req_add_entry(policy_update_request, entry2);
security_manager_policy_update_req_add_entry(policy_update_request, entry3);
/* do not change entry1, entry2 or entry3 after adding them to the request! */
security_manager_policy_update_send(policy_update_request);

/* entries are freed separately from the request that referenced them */
security_manager_policy_entry_free(entry1);
security_manager_policy_entry_free(entry2);
security_manager_policy_entry_free(entry3);
security_manager_policy_update_req_free(policy_update_request);

Project packages

  1. libsecurity-manager-client - client libraries
  2. libsecurity-manager-client-devel - client library headers and development files
  3. libsecurity-server-client - server libraries
  4. libsecurity-server-client-devel - server library headers and development files
  5. security-manager - security manager binary and related files
  6. security-manager-policy - default security manager policy

Running the project

security-manager is started and managed by systemd. systemd configuration files for security-manager are located at:

/usr/lib/systemd/system/security-manager.service - this file describes the security-manager service and process
/usr/lib/systemd/system/security-manager.socket - this file configures the security-manager socket

Important configuration locations for security-manager are:

  1. /etc/smack/accesses.d - this directory contains the Smack rules for installed applications and packages
  2. TZ_SYS_DB/.security-manager.db (TZ_SYS_DB is /usr/dbspace) - location of the security-manager database file (sqlite3 format)
  3. All logs are managed by systemd and can be accessed via the journal subsystem of systemd (journalctl)
  4. To connect to security-manager, use the socket located at /run/security-manager.socket; this socket is managed by systemd

High Level Architecture

The main security-manager process is the only process that needs to be running for the service to work.
There is a single database, located at TZ_SYS_DB/.security-manager.db.
List of branches for security-manager: https://review.tizen.org/gerrit/#/admin/projects/platform/core/security/security-manager,branches
Database schema is located in the security-manager source repository and can be viewed in plain text format at: https://review.tizen.org/gerrit/gitweb?p=platform/core/security/security-manager.git;a=blob;f=db/db.sql;h=fd3e084a908c3ae83941ae9e2d57b3523a1e3d0f;hb=refs/heads/tizen
All tests for security-manager are kept in the security-tests repository, available at: https://review.tizen.org/gerrit/#/admin/projects/platform/core/test/security-tests