Security/Tizen 6.X Security Manager/Security configurations


privilege-group.list

  • Path :
/usr/share/security-manager/policy/privilege-group.list
  • This configuration file is installed by the security-manager-policy package. It defines the mapping between privileges and groups.
  • Format :
 <PRIVILEGE> <GROUP>
Each line of this file describes a single mapping between a privilege and a group, separated by white space.
Lines starting with '#' are ignored.
  • Example :
 http://tizen.org/privilege/camera priv_camera
If a process has the "http://tizen.org/privilege/camera" privilege, it is given the "priv_camera" group.
In Tizen, daemon processes have all privileges, so they are given all groups, except the groups for privileges listed in "privilege-managed-by-systemd-for-daemons.list".

privilege-managed-by-systemd-for-daemons.list

  • Path :
/usr/share/security-manager/policy/privilege-managed-by-systemd-for-daemons.list
  • This configuration file is installed by the security-manager-policy package and contains only a list of privileges.
It lists the privileges that are also used for inter-daemon access control. GIDs associated with the privileges in this configuration will not be given by the nss plugin.
This means daemons cannot have those GIDs by default.
  • Example :
 In privilege-group.list :
   http://tizen.org/privilege/internal/livecoredump priv_livecoredump
 In privilege-managed-by-systemd-for-daemons.list :
   http://tizen.org/privilege/internal/livecoredump
 If "privilege-group.list" and "privilege-managed-by-systemd-for-daemons.list" are specified as above, daemons cannot have "priv_livecoredump".
To have "priv_livecoredump":
Systemd daemons : It should be specified in the systemd unit as SupplementaryGroups.
Applications : It should have the http://tizen.org/privilege/internal/livecoredump privilege.

group-id.list

  • Path :
/usr/share/security-manager/policy/group-id.list
  • This configuration is automatically generated from "privilege-group.list" and "privilege-managed-by-systemd-for-daemons.list" when an image is created ("update_group_id_list.sh" is run).
  • It is used to get GIDs when security-manager loads group information.
NOTE: Do not modify this configuration manually.
  • Format :
 <OPTION ("common" or "systemd_managed")> <GID>
common : All GIDs in "privilege-group.list" that are not specified in "privilege-managed-by-systemd-for-daemons.list". System daemons can have all GIDs in this category by default.
systemd_managed : GIDs associated with privileges in "privilege-managed-by-systemd-for-daemons.list" that are also specified in "privilege-group.list". To have these GIDs, refer to the description of "privilege-managed-by-systemd-for-daemons.list".
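
The split between "common" and "systemd_managed" described above can be reproduced offline to audit which groups daemons receive by default. This is an added example, not the project's "update_group_id_list.sh"; it works on group names rather than GIDs (resolving GIDs needs the image's group database), the sample file contents are constructed, and the "both" check is an assumption about a case the page does not define.

```python
# Added example: derive the "common" / "systemd_managed" split from the two lists.
# Both samples are constructed; ".../example/unmapped" is not a real Tizen privilege.
PRIVILEGE_GROUP_LIST = """\
# <PRIVILEGE> <GROUP>
http://tizen.org/privilege/camera priv_camera
http://tizen.org/privilege/internal/livecoredump   priv_livecoredump
"""

SYSTEMD_MANAGED_LIST = """\
http://tizen.org/privilege/internal/livecoredump
http://tizen.org/privilege/example/unmapped
"""


def fields(text):
    """Yield (line_number, whitespace-split fields), skipping blanks and '#' lines."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield number, line.split()


def classify(priv_group_text, managed_text):
    """Return group names per category, plus findings worth a manual look."""
    managed = {f[0] for _, f in fields(managed_text)}
    common, systemd_managed, malformed = set(), set(), []
    mapped_privileges = set()
    for number, f in fields(priv_group_text):
        if len(f) != 2:                      # format is exactly <PRIVILEGE> <GROUP>
            malformed.append(number)
            continue
        privilege, group = f
        mapped_privileges.add(privilege)
        (systemd_managed if privilege in managed else common).add(group)
    return {
        "common": common,                    # daemons hold these by default
        "systemd_managed": systemd_managed,  # need SupplementaryGroups= or the privilege
        "unmapped": managed - mapped_privileges,  # managed entry with no group mapping
        "both": common & systemd_managed,    # page does not define this case: review
        "malformed": malformed,
    }


if __name__ == "__main__":
    for name, value in classify(PRIVILEGE_GROUP_LIST, SYSTEMD_MANAGED_LIST).items():
        print(f"{name}: {sorted(value)}")
```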

privilege-mount.list

  • Path :
/usr/share/security-manager/policy/privilege-mount.list
  • This configuration is installed by security-manager-policy package.
Additional entries are automatically generated by "/usr/share/security-config/update_privacy_mount_list.sh" when an image is created.
Also, "/usr/share/security-config/additional_mount_list", which is installed by security-config-profile_[profile], is used for additional entries.
  • Format :
 <PRIVILEGE> <MOUNT_POINT> <ALLOW_SRC> <DENY_SRC>
<PRIVILEGE>: name of enforced privilege
<MOUNT_POINT>: mount point location
<ALLOW_SRC>: source directory to bind mount when privilege is allowed (Generally not used. Just set it to "-")
<DENY_SRC>: source directory to bind mount when privilege is denied (One of "/usr/share/security-manager/dummy" or "/opt/share/security-config/dummy_file")
These lists are used for run-time permission control.
  • Example :
If the entry below is included:
 http://tizen.org/privilege/mediastorage    /opt/usr/media  - /usr/share/security-manager/dummy
then it works as follows:
  • If an application does not have the "http://tizen.org/privilege/mediastorage" privilege, it cannot access "/opt/usr/media". ("/usr/share/security-manager/dummy" is bind-mounted to "/opt/usr/media")
  • If an application has the "http://tizen.org/privilege/mediastorage" privilege, it can access "/opt/usr/media". ("/usr/share/security-manager/dummy" is unmounted from "/opt/usr/media")
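
The format and run-time behaviour described above can be checked against a list before it ships. This is an added example, not security-manager code: it validates each entry and computes which source ends up bind-mounted over each mount point for a given privilege set. The second sample entry is constructed to trigger a finding, and skipping '#' lines in this file is an assumption.

```python
from collections import namedtuple

# DENY_SRC values the page names as valid.
ALLOWED_DENY_SRC = {
    "/usr/share/security-manager/dummy",
    "/opt/share/security-config/dummy_file",
}

# Constructed sample: line 2 is the page's example, line 3 is a made-up bad entry.
PRIVILEGE_MOUNT_LIST = """\
# <PRIVILEGE> <MOUNT_POINT> <ALLOW_SRC> <DENY_SRC>
http://tizen.org/privilege/mediastorage    /opt/usr/media  - /usr/share/security-manager/dummy
http://tizen.org/privilege/example/constructed /opt/usr/example - /tmp/not-a-dummy
"""

Entry = namedtuple("Entry", "privilege mount_point allow_src deny_src")


def parse_mount_list(text):
    """Return (entries, problems); problems are (line_number, message) tuples."""
    entries, problems = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        parts = line.split()
        if len(parts) != 4:
            problems.append((number, "expected 4 fields"))
            continue
        entry = Entry(*parts)
        if not entry.mount_point.startswith("/"):
            problems.append((number, "mount point is not an absolute path"))
        if entry.deny_src not in ALLOWED_DENY_SRC:
            problems.append((number, "DENY_SRC is not one of the dummy sources"))
        entries.append(entry)
    return entries, problems


def effective_mounts(entries, app_privileges):
    """Map mount point -> source bind-mounted over it for this privilege set."""
    mounts = {}
    for e in entries:
        if e.privilege not in app_privileges:
            mounts[e.mount_point] = e.deny_src      # denied: dummy hides the real tree
        elif e.allow_src != "-":
            mounts[e.mount_point] = e.allow_src     # allowed with an explicit source
    return mounts
```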

privilege-smack.list

  • Path :
/usr/share/security-manager/policy/privilege-smack.list
  • This configuration is installed by security-manager-policy package.
When an application is launched, additional SMACK rules are added based on this configuration.
  • Format :
 <PRIVILEGE> <SMACK LABEL> <SMACK RULES TEMPLATE>
<PRIVILEGE>: name of enforced privilege
<SMACK LABEL>: unique Smack label mapped to given privilege
<SMACK RULES TEMPLATE>: full filename of an existing template file in the security-manager policy configuration dir (usually /usr/share/security-manager/policy/privilege-mapping/), which will be used to generate Smack rules. If it is set to "default", then "priv-rules-default-template.smack" is used.
  • Example :
If the entry below is included:
 http://tizen.org/privilege/internet System::Privilege::Internet default
it refers to "priv-rules-default-template.smack":
 ~PROCESS~ ~PRIVILEGE~ w
 ~PRIVILEGE~ ~PROCESS~ w
If an application whose SMACK process label is "User:Pkg::test" has the "http://tizen.org/privilege/internet" privilege, then the rules below are added.
 User:Pkg::test http://tizen.org/privilege/internet w
 http://tizen.org/privilege/internet User:Pkg::test w