author: Sebastien Douheret <sebastien.douheret@iot.bzh> 2018-07-10 12:22:23 +0200
committer: ronan [iot.bzh] <ronan.lemartret@iot.bzh> 2018-07-12 13:33:16 +0200
commit: 65e5842f843aa67395fce171c8ce602c085d0c11 (patch)
tree: 9e58ab8293478064bc9df116aa55411f6e06dcca /sec-blueprint/06-application-security.md
parent: e0df0544ae03e4b5021a4264c608d481659a4be2 (diff)
Removed old Security Blueprint chapter: SPEC-1502
As announced on the AGL mailing list and knowing that all sections and info of old Security Blueprint have been included into 'new' Security Blueprint, the 'old' Sec Blueprint part can be removed from documentation.

Signed-off-by: Sebastien Douheret <sebastien.douheret@iot.bzh>
Diffstat (limited to 'sec-blueprint/06-application-security.md')
-rw-r--r-- sec-blueprint/06-application-security.md 67
1 files changed, 0 insertions, 67 deletions
diff --git a/sec-blueprint/06-application-security.md b/sec-blueprint/06-application-security.md
deleted file mode 100644
index 44a4622..0000000
--- a/sec-blueprint/06-application-security.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-
-title : Application Security
-date : 2017-07-07
-categories: architecture, automotive
-tags: architecture, automotive, linux
-layout: techdoc
-
----
-
-**Table of Content**
-
-1. TOC
-{:toc}
-
-This section describes how the Automotive Grade Linux (AGL) platform
-applies some of the previously described security concepts to
-implement application security
-
-# Application Definition
-The term of Application (App) has a very wide definition in AGL.
-Almost anything which is not in the core Operating System (OS) is an Application.
-Applications can be included in the base software package (image) or
-can be added at run-time.
-
-# Application Installation
-Applications are installed under the control of the Application Framework (AppFw).
-Applications can be delivered and installed with the base image using a
-special offline-mode provided by the Application Framework. Apps can also be installed
-at runtime.
-
-**Note** In early release, default Apps are installed on the image at first boot.
-
-# Application Containment
-Application containment is achieved using the following protections:
-
-* **Linux Native protection**
- * Mandatory Access Control (SMACK)
-* **AGL Platform protections**
- * Origin Tracking and Validation
- * Application Privilege Management and Enforcement via Cynara
- * Authenticated Transport via D-Bus
-
-## Mandatory Access Control
-Mandatory Access Control (MAC) is a protection provided
-by the Linux kernel that requires a Linux Security Module (LSM).
-AGL uses an LSM called Simplified Mandatory Access Control Kernel (SMACK).
-This protection requires writing SMACK *labels* to the extended attributes of the file
-and then writing a policy to define the behavior of each label.
-The kernel controls access based on these labels
-and this policy.
-For more details on SMACK scheme in AGL, please refer to the
-security platform security document in the security blueprint.
-
-## Origin Tracking and Validation
-Currently, AGL applications are tracked and verified at installation
-time by the application and security framework using SMACK labels.
-For more details, please refer to the application framework documentation.
-
-## Privilege Management and Enforcement
-Application priveleges are managed by Cynara and the security manager
-in the application framework.
-For more details, please refer to the application framework documentation.
-
-## Autenticated Message Transport
-Currently AGL uses the D-Bus interface for transport, using the security
-inherent in this interface.
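
Review bot: The commit message should name the chapter of the 'new' Security Blueprint that now carries this material, because the removed text under "# Application Containment" is the only place in this file that ties SMACK, Cynara and D-Bus together as the containment model, and a reader following an old link has no pointer to the replacement. Before merging, please confirm that each removed subsection ("Mandatory Access Control", "Origin Tracking and Validation", "Privilege Management and Enforcement", "Autenticated Message Transport") has a counterpart in the new document, and that no table of contents or cross-reference elsewhere in the docs still points at sec-blueprint/06-application-security.md. The diffstat shown here is limited to this one file, so those references cannot be checked from this view.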