Security:TizenPrivilegePolicy

From Tizen Wiki

Tizen Privilege

  • A privilege is a predefined collection of permissions that are required to call privileged APIs. Tizen provides API-level access control using privileges. If an app wants to use privileged APIs, it must declare the related privileges in its manifest file.
  • A privilege also serves to notify the user of the app permissions needed for the following:
    1. Requires charge
      eg. accesses the mobile network or so.
    2. Requires notice
      changes the device's usage scenario, causes high battery consumption, accesses the internet or so.
      eg. an API that sets the window priority can create the following scenario, which may require end user notification: a window with the highest priority is displayed topmost and other apps may not be shown.
    3. Accesses private information of the user
      eg. pedometer, schedule, contacts, capture screen, record sound or take a picture or so.
    4. Accesses information that can identify an individual
      eg. ID, phone number, IMEI or so.
    5. Changes system settings
      eg. turn on/off GPS, bluetooth, NFC, or so.
  • Privilege list
  • As C# (.NET) APIs are wrappers of native APIs, native privileges cover C# (.NET) as well.

Attributes/categories of privileges

  • app type
    • native privilege (used to describe OS system permissions for native & .NET app)
    • web privilege (used to describe OS system permissions for web app)
  • hierarchy (by certificate signing level)
    • public (minimum, at least) - can be used (in package manifest) by any 3rd party developers
    • partner - can be used (in package manifest) by certificate with signature for partner, 2nd party
    • platform (maximum) - can be used (in package manifest) by certificate with signature for vendor
  • provider
    • platform privilege (public Tizen platform supported privileges): uses prefix 'http://tizen.org/privilege/'
    • product privilege (product only privileges)
  • privacy
    • non-privacy related privileges: no user consent is required; the privilege is granted at installation time if the app has it in its manifest file and has the required certificate level.
    • privacy related privileges: the app must obtain user consent to use the resources protected by the privilege. To ask for it, the app can use the PPM APIs since Tizen platform version 4.0.
      • eg. For a privacy privilege (ex. http://tizen.org/privilege/calendar.read), the OS asks with a popup (ex. "Allow XYZ app to access your Calendar?"), and the end user can grant it or not. If the end user doesn't grant the privilege, the app cannot use the privacy privileged APIs even if it has the privilege in its manifest file.
  • blacklist
    • blacklisted privileges by MDM: those privileges are installed with the policy status DENY
    • blacklisted privileges by DPM: installation of the app with those privileges will fail

Note

Note: We avoid using the old terms 'blacklist' and 'whitelist', but we still have them in the APIs and interfaces, so please understand that we have no choice but to use them in this document until the old terms are removed from the entire source code.


Privilege Policies

Privilege verification on app installation time

Tizen version   Native                           Web
2.3             Check name, api-version, level   Check level
2.3.1           Check name, api-version, level   Mobile: Check level / Wearable: Check name, api-version, level
2.4 ~ 3.0       Check name, api-version, level   Check name, api-version, level
4.0 ~           Check level                      Check level

Privilege management

  1. Tizen version < 3.0
    1. on the basis of SMACK rules
    2. each privilege has a set of mapped smack rules, and the actual enforcement of the security policy is done at the smack policy level only
  2. 3.0 <= Tizen version
    1. on the basis of Cynara policy
      • Cynara
        • is a daemon managing privilege policy on the basis of core privileges
        • has a DB that maps apps to their declared privileges; this is the so-called Cynara policy
        • checks the policy when services ask whether to allow or deny a calling app's request to use privileged APIs
        • identifies an app by its smack label and validates it against the policies in its DB
    2. privilege-mapped smack rules are revised as core privileges
      • We introduced core privileges to have a granularity of privileges similar to what we have in the underlying Tizen OS.
      • Native and web privileges are now sets of core privileges instead of sets of smack rules. In the app fw layer, when an app of any type with privileges in its manifest file is being installed, the privileges are mapped to core privileges by privilege-checker and handled by the security fw.
      • By mapping native and web privileges to core privileges, Tizen provides backward compatibility to each type of app with privileges and guarantees a granularity similar to the previous privilege check system.
    3. each privilege has a mapped core privilege set and is loaded as Cynara policy
      • privilege policy load during app installation in detail
        1. app installer parses the app manifest file and gets the `privilege list` of the native/web/.NET app
        2. app installer passes the `privilege list` to privilege-checker for verification (verify whether the app can use the given privileges with the app's current certificate level)
        3. if privilege verification fails, app installation fails.
        4. else, app installer adds "http://tizen.org/privilege/internal/default/{public | partner | platform}" (according to the certificate level) to the `privilege list` and passes it to privilege-checker to get the `mapped privilege list`
        5. privilege-checker returns the `mapped privilege list` to app installer according to the mapping table (Native/.NET privilege mapping, Web privilege mapping)
        6. app installer passes the `mapped privilege list` to security-manager for policy load
        7. security-manager checks the privilege type by using `privilege_info_get_privilege_type()` of privilege-checker
        8. security-manager loads the cynara policy according to the received privilege type {normal | blacklisted | privacy} -> {allow | deny | ask user}
          • ALLOW policy → app can use the privileged APIs
          • DENY policy → app can't use the privileged APIs
          • ASK USER policy → app has to ask the user for permission by using the PPM APIs (until asked and granted, the Cynara default answer is treated as DENY)
    4. platform dev to check privilege
      • Native: use `cynara_check()` on the service side or use dbus configuration
      • Web: webapi-plugin does `cynara_check()` with the `mapped privilege list`
    5. security part (add extension privileges)
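The installation-time flow above, as an added worked model (this is not privilege-checker or security-manager code). It keeps what this page states: the public < partner < platform ordering for the level check, the internal/default privilege added per certificate level, and the {normal | blacklisted | privacy} -> {allow | deny | ask user} policy mapping. The mapping table rows, the required levels of the sample privileges and the core privilege names are constructed for illustration; only the verification and mapping logic is meant to be taken from it.

```c
/* Added model of the Tizen install-time privilege flow; constructed, not
 * the platform's own code. Sample table entries and core names are made up. */
#include <stdio.h>
#include <string.h>

enum cert_level { LEVEL_PUBLIC = 0, LEVEL_PARTNER = 1, LEVEL_PLATFORM = 2 };
enum priv_type  { TYPE_NORMAL, TYPE_BLACKLISTED, TYPE_PRIVACY };
enum policy     { POLICY_ALLOW = 0, POLICY_DENY = 1, POLICY_ASK_USER = 2 };

struct priv_entry {
    const char *name;          /* privilege as declared in the manifest */
    enum cert_level required;  /* minimum signature level to use it (constructed) */
    enum priv_type type;       /* what privilege_info_get_privilege_type() would report */
    const char *core;          /* hypothetical core privilege it maps to */
};

/* Constructed mapping table: illustrative rows, not the real mapping. */
static const struct priv_entry mapping_table[] = {
    { "http://tizen.org/privilege/internet",      LEVEL_PUBLIC,   TYPE_NORMAL,      "core/internet" },
    { "http://tizen.org/privilege/contact.read",  LEVEL_PUBLIC,   TYPE_PRIVACY,     "core/contact.read" },
    { "http://tizen.org/privilege/bookmark.read", LEVEL_PLATFORM, TYPE_NORMAL,      "core/bookmark.read" },
    { "http://tizen.org/privilege/example.mdm",   LEVEL_PUBLIC,   TYPE_BLACKLISTED, "core/example.mdm" },
};
#define TABLE_LEN (sizeof mapping_table / sizeof mapping_table[0])

static const char *const level_name[] = { "public", "partner", "platform" };

static const struct priv_entry *lookup(const char *name) {
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (strcmp(mapping_table[i].name, name) == 0)
            return &mapping_table[i];
    return NULL;
}

/* Steps 2-3: level verification (Tizen 4.0+ checks only the level).
 * Returns 0 when the certificate level is sufficient, -1 on
 * MISMATCHED_PRIVILEGE_LEVEL, the code seen in the dlog example below. */
int verify_privilege(const char *name, enum cert_level cert) {
    const struct priv_entry *e = lookup(name);
    if (!e)
        return -1;  /* not in the constructed table: treat as unverifiable */
    if (cert < e->required) {
        fprintf(stderr, "[MISMATCHED_PRIVILEGE_LEVEL] %s requires certificate level: %s "
                        "and current certificate level: %s\n",
                name, level_name[e->required], level_name[cert]);
        return -1;
    }
    return 0;
}

/* Step 4: the internal default privilege added for the certificate level. */
const char *default_privilege(enum cert_level cert) {
    static const char *const defaults[] = {
        "http://tizen.org/privilege/internal/default/public",
        "http://tizen.org/privilege/internal/default/partner",
        "http://tizen.org/privilege/internal/default/platform",
    };
    return defaults[cert];
}

/* Step 8: privilege type -> Cynara policy. */
enum policy policy_for_type(enum priv_type type) {
    switch (type) {
    case TYPE_NORMAL:      return POLICY_ALLOW;
    case TYPE_BLACKLISTED: return POLICY_DENY;
    case TYPE_PRIVACY:     return POLICY_ASK_USER;
    }
    return POLICY_DENY;  /* unknown type: fail closed */
}

/* Whole flow for one declared privilege: returns the policy that would be
 * loaded (as an int), or -1 when installation fails at verification.
 * core_out, if non-NULL, receives the mapped core privilege (step 5). */
int install_policy(const char *name, enum cert_level cert, const char **core_out) {
    if (verify_privilege(name, cert) != 0)
        return -1;
    const struct priv_entry *e = lookup(name);
    if (core_out)
        *core_out = e->core;
    return (int)policy_for_type(e->type);
}

int main(void) {
    const char *core = NULL;
    int p = install_policy("http://tizen.org/privilege/contact.read", LEVEL_PUBLIC, &core);
    printf("contact.read with public cert -> policy %d, core %s\n", p, core ? core : "(none)");
    printf("bookmark.read with public cert -> %d (install fails)\n",
           install_policy("http://tizen.org/privilege/bookmark.read", LEVEL_PUBLIC, NULL));
    return 0;
}
```

A privacy privilege ends up with policy 2 (ASK USER), which is why a correctly installed app can still get DENY at runtime until the PPM popup has been answered; a platform-level privilege declared by a public-signed package fails at step 3 and never reaches policy load.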

Privilege for developers

How to use app privilege

  • native
  • web
  • .NET
  • preloaded apps (.rpm): run tpk-backend -y {package id} --preload after installation

How to check privilege error logs

  1. app installation: check dlog
    • Example) Privilege requires a higher certificate signature level
      I/APP_INSTALLERS(10425): | INFO | Signature : step_check_signature.cc:185 : Privilege level: PUBLIC
      D/PRIVILEGE_MANAGER(10425): privilege_manager.c: privilege_manager_verify_privilege(280) > [MISMATCHED_PRIVILEGE_LEVEL] Web http://tizen.org/privilege/bookmark.read requires certificate level: platform and current certificate level: public. Use at least certificate with signature level platform.
      E/APP_INSTALLERS(10425): | ERROR | : certificate_validation.cc:375 : Error while verifing privilege level: Check config.xml| - Current required_version(=api version) = 5.0, | certificate signature level = public||[MISMATCHED_PRIVILEGE_LEVEL]| - http://tizen.org/privilege/bookmark.read%7C >> Use at least platform signatured certificate.|| <-7>
    • Example) Privilege does not exist (check deprecated since Tizen 4.0)
      Check tizen-manifest.xml| - Current api-version = 2.3.1, | certificate signature level = public||[NO_EXIST_PRIVILEGE]| - http://tizen.org/privilege/wrong.privilege.name%7C >> Check spelling or remove the privilege.||
    • Example) Deprecated privilege (deprecated since Tizen 4.0)
      Check config.xml| - Current required_version(=api version) = 2.4, | certificate signature level = public||[DEPRECATED_PRIVILEGE]| - http://tizen.org/privilege/websetting%7C >> Remove the privilege.||
    • Example) Privilege requires higher api-version (deprecated since Tizen 4.0)
      Check config.xml| - Current required_version(=api version) = 2.4, | certificate signature level = public||[NO_EXIST_PRIVILEGE]| - http://tizen.org/privilege/widget.viewer%7C >> Use at least api version 3 or remove the privilege.||
  2. app runtime
    • dlogutil CYNARA
    • The Cynara default log level is "error" and the default audit level is "deny". You can change them by modifying cynara.service.
      • Un-comment the following lines to see all cynara logs
        #Environment="CYNARA_LOG_LEVEL=LOG_DEBUG"
        #Environment="CYNARA_AUDIT_LEVEL=ALL"

Privacy

A privacy is a grouping of privacy-related privileges by purpose. Most privacy privileges are too fine-grained for it to make sense to ask the user about each one separately. With a privacy, permission is asked at once and given at once.

eg. The end user of a device would probably not want to give an app separate access to read and to write contacts. http://tizen.org/privilege/contact.read and http://tizen.org/privilege/contact.write are grouped as the Contacts privacy and asked as "permission to access Contacts". If the user allows, both privileges are allowed; otherwise both are denied.
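The grouping and the ASK USER behaviour described above, as an added worked model (not Cynara or PPM code from the platform). It records one decision per privacy and answers for every privilege in the group, and it treats an unanswered group as DENY, which is the default stated in the privilege management section. The Contacts group and calendar.read are named on this page; calendar.write is a hypothetical member used to fill the Calendar group, and the table itself is constructed.

```c
/* Added model of privacy groups; constructed, not the platform's own code. */
#include <stdio.h>
#include <string.h>

enum answer { ANSWER_DENY = 0, ANSWER_ALLOW = 1 };
enum state  { STATE_ASK = 0, STATE_ALLOWED = 1, STATE_DENIED = 2 };

#define MAX_GROUP_PRIVS 4

/* A privacy: one user decision covering every privilege in the group. */
struct privacy_group {
    const char *name;
    const char *privileges[MAX_GROUP_PRIVS];
    int count;
    enum state state;   /* ASK until the PPM popup has been answered */
};

/* Constructed group table; calendar.write is hypothetical. */
static struct privacy_group groups[] = {
    { "Contacts", { "http://tizen.org/privilege/contact.read",
                    "http://tizen.org/privilege/contact.write" }, 2, STATE_ASK },
    { "Calendar", { "http://tizen.org/privilege/calendar.read",
                    "http://tizen.org/privilege/calendar.write" }, 2, STATE_ASK },
};
#define NGROUPS (sizeof groups / sizeof groups[0])

static struct privacy_group *group_of(const char *privilege) {
    for (size_t g = 0; g < NGROUPS; g++)
        for (int i = 0; i < groups[g].count; i++)
            if (strcmp(groups[g].privileges[i], privilege) == 0)
                return &groups[g];
    return NULL;
}

/* Record the answer to the single popup for a privacy group.
 * Returns 0, or -1 if no such group exists. */
int set_privacy_decision(const char *group_name, enum answer a) {
    for (size_t g = 0; g < NGROUPS; g++) {
        if (strcmp(groups[g].name, group_name) == 0) {
            groups[g].state = (a == ANSWER_ALLOW) ? STATE_ALLOWED : STATE_DENIED;
            return 0;
        }
    }
    return -1;
}

/* Modelled answer for an ASK USER policy: DENY until the whole group has
 * been granted, ALLOW afterwards for every privilege in the group. */
enum answer check_privacy_privilege(const char *privilege) {
    const struct privacy_group *g = group_of(privilege);
    if (!g)
        return ANSWER_DENY;   /* not a privacy privilege in this model */
    return g->state == STATE_ALLOWED ? ANSWER_ALLOW : ANSWER_DENY;
}

/* Name of the privacy a privilege belongs to, for a Settings-style listing. */
const char *privacy_name_of(const char *privilege) {
    const struct privacy_group *g = group_of(privilege);
    return g ? g->name : NULL;
}

int main(void) {
    const char *rd = "http://tizen.org/privilege/contact.read";
    const char *wr = "http://tizen.org/privilege/contact.write";
    printf("before popup: read=%d write=%d\n",
           check_privacy_privilege(rd), check_privacy_privilege(wr));
    set_privacy_decision("Contacts", ANSWER_ALLOW);   /* user taps Allow once */
    printf("after allow:  read=%d write=%d\n",
           check_privacy_privilege(rd), check_privacy_privilege(wr));
    return 0;
}
```

Services that call `cynara_check()` see the same thing: nothing is granted until the user has answered for the whole privacy, and a later denial in Settings revokes every privilege in the group together.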

Privacy list

You can see the privacy-grouped privileges here; the following is the list of privacies.

Privacy name   Privacy ID   Includes privileges for access to
Account        0            User accounts
Bookmark       1            Internet bookmarks
Calendar       2            Calendar
Call           3            Make a call without further user confirmation
Camera         4            Take a picture
Contacts       5            User contacts
DUID           6            Device unique ID such as IMEI (since Tizen 5.5)
Location       7            User location
Message        8            SMS, MMS, or so
Microphone     9            Record sound or so
Sensor         10           Pedometer, heart rate monitor, or so
Storage        11           Media storage, external storage (since Tizen 4.0)
User history   12           App, media, web browser history or so

Privacy whitelist

  1. Some privacy privileges can be necessary for some preloaded apps
  2. Privacy privileges can have ALLOW status by default through the privacy whitelist
  3. The user can turn off whitelisted privileges in the Settings app if the privileges are configured as user-settable
  4. The Tizen platform whitelists all privacies except location for preloaded apps
  5. Configured for each profile (as each profile's app list differs)
  6. Managed in the privilege-checker package

Privilege update tool

  1. Provided by privilege-checker
  2. Use when creating image
  3. Run after installing `security-privilege-manager` and `security-manager-policy`
  4. Guide

Privilege APIs for Apps

  1. Settings - App permissions:
    • privilege_info.h (internal, package: security-privilege-manager)
      • privilege_info_foreach_privilege_group_list_by_pkgid
      • privilege_info_get_privilege_group_display_name
    • privilege_information.h (public, package: privilege-info)
      • privilege_info_get_display_name
      • privilege_info_get_description
  2. Settings - Privacy settings:
    • privilege_info.h (internal, package: security-privilege-manager)
      • privilege_info_get_privacy_display
    • privilege_package_info.h (internal, package: security-privilege-manager)
      • privilege_package_info_is_privacy_requestable
      • privilege_package_info_get_all_privacy_package_list
      • privilege_package_info_get_privacy_list_by_pkgid
      • privilege_package_info_get_privilege_list_by_pkgid_and_privacy
  3. Store client:
    • privilege_information.h (public, package: privilege-info)
      • privilege_info_get_display_name
      • privilege_info_get_description
  4. Common apps with privacy-related privileges: PPM APIs