Security/WebApps and Smack

From Tizen Wiki

This page describes how the WebApps of Tizen are secured by Smack.

CAUTION: This description was written on February 21st, 2014 and reflects what is done in Tizen Mobile 2.2.

Application model

The Application model of Tizen is documented here. It describes the Web Application Packages and the Hybrid Application Packages.

The applications are managed by the application package manager and installed by the WRT-installer as shown below:

application_package_manager.png

The installer uses the content of the manifest file (see Manifest below) to set the security context of the installed application.

The installer also uses the signature file, if present (see here). That file contains the hash of the files and may include a certificate (RFC 5280). If present, that certificate is used to create a trusted context between applications that have the same certificate.

Smack labels, smack rules

The component libprivilege-control is used by WRT-installer to handle the Smack security database.

Using libprivilege-control, the WRT-installer will:

  • create the smack label for the application: the smack label is the package id of the application;
  • compute the shared and shared trusted smack labels (the latter only if the application has a certificate);
  • tag the files and directories installed with the appropriate smack labels;
  • compute the accesses required by the requested privileges;
  • update the database of the application's smack rules (in /opt/dbspace/.rules-db.db3);
  • update the current smack set of rules with the new one.

After installation, the installation directories receive the smack labels listed in the table below:

DESIGNATION             PATH                                 SMACK LABEL
PackageInstallationDir  /opt/usr/apps/pkgid                  _
UserDataRootDir         /opt/usr/apps/pkgid                  _
Resources               /opt/usr/apps/pkgid/res              _ (to access icons)
PrivateStorageDir       /opt/usr/apps/pkgid/data             pkgid
PrivateTempStorageDir   /opt/usr/apps/pkgid/tmp              pkgid
BinaryDir               /opt/usr/apps/pkgid/bin              pkgid
SharedRootDir           /opt/usr/apps/pkgid/shared
SharedResourceDir       /opt/usr/apps/pkgid/shared/res       _
SharedTrustedDir        /opt/usr/apps/pkgid/shared/trusted   sha(cert)
SharedDataDir           /opt/usr/apps/pkgid/shared/data      crypt($1$pkgid,path)

Where:

  • _ is the floor label;
  • pkgid is the package ID;
  • sha(cert) is a SHA derived from the certificate (could be improved);
  • crypt($1$pkgid,path) is derived from the package ID and the directory path.

At runtime, the Web app will run with the Smack Context Label pkgid.

Sharing

The Tizen WebRuntime Framework provides a specific MessagePort API that allows applications signed with the same certificate to communicate with one another in a trusted way.

Setting manifest

Manifest for WebApps

In the WebApps case, the application is installed in the file system as shown below:

web_app_directory_structure.png

When packaging the application, the developer fills in the application's manifest, the file config.xml, generally using the IDE.

The content of the manifest is described here and also here.

The application package id is given by the tizen:application element, as described here.

Example: Annex application, file 33CFo0eFJe/res/wgt/config.xml

<?xml version="1.0" encoding="UTF-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" xmlns:tizen="http://tizen.org/ns/widgets" id="https://github.com/01org/webapps-annex" version="1.0" width="512" height="300">
  <icon src="annex-icon.png"/>
  <content src="index.html"/>
  <name>annex</name>
  <tizen:application id="33CFo0eFJe.annex" package="33CFo0eFJe" required_version="1.0"/>
  <tizen:setting screen-orientation="portrait" contextmenu="enable"/>
</widget>
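The following is an added example, not code from the Tizen project or from this page: it takes the package id from the tizen:application element of config.xml and checks observed directory labels against the fixed entries of the label table above. The function names are hypothetical, and the derived labels (sha(cert), crypt(...)) and SharedRootDir are left out because the page does not give exact values for them.

```python
import os
import xml.etree.ElementTree as ET

TIZEN_NS = "http://tizen.org/ns/widgets"
FLOOR = "_"  # Smack floor label

# Constructed sample: a trimmed copy of the Annex config.xml shown above.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" xmlns:tizen="http://tizen.org/ns/widgets" version="1.0">
  <tizen:application id="33CFo0eFJe.annex" package="33CFo0eFJe" required_version="1.0"/>
</widget>"""

def package_id(config_xml):
    """Return the package attribute of <tizen:application>; it is the app's Smack label."""
    app = ET.fromstring(config_xml).find("{%s}application" % TIZEN_NS)
    if app is None or not app.get("package"):
        raise ValueError("config.xml has no tizen:application package id")
    return app.get("package")

def expected_labels(pkgid, base="/opt/usr/apps"):
    """Fixed rows of the page's table; derived labels are not modelled here."""
    root = "%s/%s" % (base, pkgid)
    return {
        root: FLOOR,
        root + "/res": FLOOR,
        root + "/data": pkgid,
        root + "/tmp": pkgid,
        root + "/bin": pkgid,
        root + "/shared/res": FLOOR,
    }

def read_label(path):
    """On a device: read the Smack label from the security.SMACK64 xattr (Linux only)."""
    return os.getxattr(path, "security.SMACK64").decode().rstrip("\0")

def audit(pkgid, observed):
    """Return sorted (path, expected, observed) tuples for every mismatch."""
    findings = []
    for path, want in expected_labels(pkgid).items():
        got = observed.get(path)  # None: label missing or unreadable
        if got != want:
            findings.append((path, want, got))
    return sorted(findings)

if __name__ == "__main__":
    pkg = package_id(SAMPLE_CONFIG)
    observed = dict(expected_labels(pkg))
    observed["/opt/usr/apps/%s/data" % pkg] = FLOOR  # constructed fault
    for finding in audit(pkg, observed):
        print("label mismatch: %s expected=%s observed=%s" % finding)
```

A private directory left at the floor label is the case worth catching: Smack lets every subject read objects labelled _, so the application's private data would no longer be confined to pkgid.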

Manifest for HybridApps

In the hybrid case, the application is installed in the file system as shown below:

hybrid_app_package_manager.png

When packaging the application, the developer fills in the application's manifest, the file manifest.xml, generally using the IDE.

The content of the manifest is described ???WHERE???

Example 2: Camera application, file hdufar9ycj/info/manifest.xml

 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <Manifest xmlns="http://schemas.tizen.org/2012/12/manifest">
   <Id>hdufar9ycj</Id>
   <Version>1.0.0</Version>
   <Type>C++App</Type>
   <Requirements>
       <Feature Name="http://tizen.org/feature/platform.core.cpu.arch.x86">true</Feature>
       <Feature Name="http://tizen.org/feature/platform.core.fpu.arch.vfpv3">true</Feature>
   </Requirements>
   <Apps>
       <ApiVersion>2.2</ApiVersion>
       <Privileges>
           <Privilege>http://tizen.org/privilege/content.read</Privilege>
           <Privilege>http://tizen.org/privilege/location</Privilege>
           <Privilege>http://tizen.org/privilege/videorecorder</Privilege>
           <Privilege>http://tizen.org/privilege/alarm</Privilege>
           <Privilege>http://tizen.org/privilege/application.launch</Privilege>
           <Privilege>http://tizen.org/privilege/camera</Privilege>
           <Privilege>http://tizen.org/privilege/power</Privilege>
           <Privilege>http://tizen.org/privilege/content.write</Privilege>
           <Privilege>http://tizen.org/privilege/telephonymanager</Privilege>
           <Privilege>http://tizen.org/privilege/systeminfo</Privilege>
       </Privileges>
       <UiApp HwAcceleration="On" LaunchingHistoryVisible="True" Main="True" MenuIconVisible="True" Name="Camera" SubMode="True">
           <UiScalability BaseScreenSize="Normal" CoordinateSystem="Logical" LogicalCoordinate="720"/>
           <UiTheme SystemTheme="White"/>
           <DisplayNames>
               <DisplayName Locale="eng-PH">Camera</DisplayName>
               ...
           </DisplayNames>
           <Icons>
               <Icon Section="MainMenu" Type="Xhigh">mainmenu.png</Icon>
           </Icons>
           <AppControls>
               <AppControl>
                   <MimeType>image/jpg</MimeType>
                   <MimeType>video/3gp</MimeType>
                   <MimeType>video/3gpp</MimeType>
                   <Operation>http://tizen.org/appcontrol/operation/create_content</Operation>
               </AppControl>
           </AppControls>
           <LaunchConditions/>
           <Notifications>
               <Notification Name="Ticker">On</Notification>
               <Notification Name="Sound">On</Notification>
               <Notification Name="Contents">Off</Notification>
               <Notification Name="Badge">On</Notification>
           </Notifications>
       </UiApp>
   </Apps>
 </Manifest>