Security/Tizen 6.X Internet Access Control
Internet Access Control Mechanisms
On Tizen 6.X there are multiple access control mechanisms that can be used to control a process's access to the Internet. The main differences between them are whether access can be changed at runtime (allowing/denying access while the application is running), multi-user support, IPv6 support, and the requirements for the mechanism to work.
GID based Internet access control
- kernel: patch netfilter: xt_owner: Add supplementary groups option
- iptables: patch extensions: libxt_owner: Add supplementary groups option
- security-manager since version 1.6.0 and security-manager-iptables RPM installed
- [optional] kernel older than 4.0: patch netfilter: xt_owner: A fix for backport of 'xt_owner: Add supplementary groups option'
This mechanism is based on the supplementary groups of the process and on the ability of iptables to filter outbound network traffic based on these groups. Security-manager provides a privilege-to-group mapping, which can be used for GID based Internet access control together with a proper iptables setup. The latter is provided by the security-manager-iptables.rules and security-manager-ip6tables.rules files from the security-manager-policy-iptables RPM package. When launching an application that is allowed to use the Internet, the security-manager mapping assigns it the Internet privilege group (priv_internet by default). This group is used directly by the provided iptables rules:
-A OUTPUT -m owner --gid-owner priv_internet --suppl-groups -j ACCEPT
This mechanism supports multi-user and IPv6, but allows control of outbound network traffic only.
GID based access control doesn't support runtime access control changes: the groups an application is launched with cannot be changed until the application is launched again.
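As an added illustration (not Tizen or security-manager code), the following Python models the decision the iptables rule above makes for a launched process, and why the supplementary-groups patch is needed. The priv_internet GID value and the OUTPUT chain's default DROP policy are constructed assumptions.

```python
"""Model of the GID based decision: added illustration, not Tizen or
security-manager code. Constructed values: the priv_internet GID and the
OUTPUT chain default policy (DROP is assumed so only the ACCEPT rule lets
traffic out)."""
from dataclasses import dataclass

PRIV_INTERNET_GID = 5001  # constructed GID for the priv_internet group


@dataclass(frozen=True)
class Process:
    pid: int
    gid: int            # primary group
    groups: frozenset   # supplementary groups, fixed at launch


def launch(pid, app_gid, internet_allowed):
    """security-manager adds priv_internet as a supplementary group
    (the primary GID stays the application's own) if the app holds the privilege."""
    suppl = {PRIV_INTERNET_GID} if internet_allowed else set()
    return Process(pid=pid, gid=app_gid, groups=frozenset(suppl))


def owner_gid_matches(proc, gid, suppl_groups):
    """'-m owner --gid-owner <gid>' checks the primary GID only; with the
    patched '--suppl-groups' option the supplementary groups count too."""
    if proc.gid == gid:
        return True
    return suppl_groups and gid in proc.groups


def output_verdict(proc, suppl_groups=True, policy="DROP"):
    """Walk the OUTPUT chain: the single ACCEPT rule, then the chain policy."""
    if owner_gid_matches(proc, PRIV_INTERNET_GID, suppl_groups):
        return "ACCEPT"
    return policy


if __name__ == "__main__":
    app = launch(1234, app_gid=5000, internet_allowed=True)
    print(output_verdict(app))                        # ACCEPT
    print(output_verdict(app, suppl_groups=False))    # DROP: unpatched owner match
    print(output_verdict(launch(1235, 5000, False)))  # DROP: no Internet privilege
    # Revoking the privilege in policy does not touch the running process;
    # only a relaunch picks up the new group set.
    print(output_verdict(launch(1234, 5000, False)))  # DROP after relaunch
```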
Nether based Internet access control
- kernel: patch netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT and its prerequisites, or an ugly fix: resolve DNS Packet drop issue. This isn't required on kernels since version 4.18.
- proper kernel configuration (see the nether page)
Nether is a standalone system service daemon based on netfilter-queue and Cynara; it is described on the nether page. It filters outbound network traffic based on the application's Cynara policy (the Internet access privilege).
This mechanism doesn't support IPv6 and allows control only of outbound network traffic.
Nether allows runtime access control changes and supports multi-user, because its access control is based on Cynara policy.
Smack based Internet access control
- security-manager since version 1.6.0
- Tizen running with a single user only (no multi-user support)
- CONFIG_SECURITY_SMACK_NETFILTER enabled in kernel
- netlabel and ipv6host configuration (see Smack documentation)
Using the security-manager privilege-to-Smack mapping mechanism, Internet access control can be expressed as a Smack label identifying the Internet connection (this requires proper configuration of Smack netlabel and ipv6host) plus a set of Smack template rules (see here for the template rules and an explanation of privilege-Smack mapping) that allow inbound and outbound traffic. These rules are applied for each launched application that is granted the Internet privilege.
For the connection between the application and the Internet, the default 'priv-rules-default-template.smack' Smack rules template can be used (provided by the security-manager-policy RPM package since 1.6.0).
Privilege-Smack mapping rules are based on the privilege Smack label and the application label. Because currently on Tizen the application label is derived only from the package id and the application id (it carries no information about the user context), the rules for different users running the same application with the same privilege are identical. Thus this mechanism currently cannot support multi-user.
This mechanism supports IPv6 and allows control of both outbound and inbound network traffic.
Privilege-Smack mapping allows runtime access control changes: when an application is allowed/denied the privilege, the corresponding Smack rules are applied to/removed from the system.
| Mechanism | Multi-user support | IPv6 support | Inbound network control | Outbound network control |
|---|---|---|---|---|
| GID based | yes | yes | no | yes |
| Nether | yes | no | no | yes |
| Smack based | no | yes | yes | yes |