summaryrefslogtreecommitdiffstats
path: root/security-blueprint/part-5/1-MAC.md
diff options
context:
space:
mode:
Diffstat (limited to 'security-blueprint/part-5/1-MAC.md')
-rw-r--r--security-blueprint/part-5/1-MAC.md136
1 files changed, 136 insertions, 0 deletions
diff --git a/security-blueprint/part-5/1-MAC.md b/security-blueprint/part-5/1-MAC.md
new file mode 100644
index 0000000..9cfc150
--- /dev/null
+++ b/security-blueprint/part-5/1-MAC.md
@@ -0,0 +1,136 @@
+# Mandatory Access Control
+
+<!-- note -->
+
+We decided to put the **MAC** protection on the platform part despite the fact
+that it applies to the kernel too, since its use will be mainly at the platform
+level (except floor part).
+
+<!-- endnote -->
+
+**M**andatory **A**ccess **C**ontrol (**MAC**) is a protection provided by the
+Linux kernel that requires a **L**inux **S**ecurity **M**odule (**LSM**). AGL
+uses an **LSM** called **S**implified **M**andatory **A**ccess **C**ontrol
+**K**ernel (**SMACK**). This protection involves the creation of **SMACK**
+labels as part of the extended attributes **SMACK** labels to the file extended
+attributes. And a policy is also created to define the behaviour of each label.
+
+The kernel access controls is based on these labels and this policy. If there
+is no rule, no access will be granted and as a consequence, what is not
+explicitly authorized is forbidden.
+
+There are two types of **SMACK** labels:
+
+- **Execution SMACK** (Attached to the process): Defines how files are
+ _accessed_ and _created_ by that process.
+- **File Access SMACK** (Written to the extended attribute of the file): Defines
+ _which_ process can access the file.
+
+By default a process executes with its File Access **SMACK** label unless an
+Execution **SMACK** label is defined.
+
+AGL's **SMACK** scheme is based on the _Tizen 3 Q2/2015_. It divides the System
+into the following domains:
+
+- Floor.
+- System.
+- Applications, Services and User.
+
+See [AGL security framework review](http://iot.bzh/download/public/2017/AMMQ1Tokyo/AGL-security-framework-review.pdf) and [Smack White Paper](http://schaufler-ca.com/yahoo_site_admin/assets/docs/SmackWhitePaper.257153003.pdf)
+for more information.
+
+--------------------------------------------------------------------------------
+
+<!-- pagebreak -->
+
+## Floor
+
+The _floor_ domain includes the base system services and any associated data and
+libraries. This data remains unchanged at runtime. Writing to floor files or
+directories is allowed only in development mode or during software installation
+or upgrade.
+
+The following table details the _floor_ domain:
+
+Label | Name | Execution **SMACK** | File Access **SMACK**
+----- | ----- | ------------------- | ---------------------------------------
+`-` | Floor | `r-x` for all | Only kernel and internal kernel thread.
+`^` | Hat | `---` for all | `rx` on all domains.
+`*` | Star | `rwx` for all | None
+
+<!-- note -->
+
+- The Hat label is Only for privileged system services (currently only
+ systemd-journal). Useful for backup or virus scans. No file with this label
+ should exist except in the debug log.
+
+- The Star label is used for device files or `/tmp` Access restriction managed
+ via **DAC**. Individual files remain protected by their **SMACK** label.
+
+<!-- endnote --> <!-- config -->
+
+Domain | `Label` name | Recommendations
+------------------ | ------------ | -----------------------------------------------------------
+Kernel-MAC-Floor-1 | `^` | Only for privileged system services.
+Kernel-MAC-Floor-2 | `*` | Used for device files or `/tmp` Access restriction via DAC.
+
+<!-- endconfig -->
+
+--------------------------------------------------------------------------------
+
+<!-- pagebreak -->
+
+## System
+
+The _system_ domain includes a reduced set of core system services of the OS and
+any associated data. This data may change at runtime.
+
+The following table details the _system_ domain:
+
+Label | Name | Execution **SMACK** | File Access **SMACK**
+---------------- | --------- | ----------------------------------------------- | ---------------------
+`System` | System | None | Privileged processes
+`System::Run` | Run | `rwxatl` for User and System label | None
+`System::Shared` | Shared | `rwxatl` for system domain `r-x` for User label | None
+`System::Log` | Log | `rwa` for System label `xa` for user label | None
+`System::Sub` | SubSystem | Subsystem Config files | SubSystem only
+
+<!-- config -->
+
+Domain | `Label` name | Recommendations
+------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------
+Kernel-MAC-System-1 | `System` | Process should write only to file with transmute attribute.
+Kernel-MAC-System-2 | `System::run` | Files are created with the directory label from user and system domain (transmute) Lock is implicit with `w`.
+Kernel-MAC-System-3 | `System::Shared` | Files are created with the directory label from system domain (transmute) User domain has locked privilege.
+Kernel-MAC-System-4 | `System::Log` | Some limitation may impose to add `w` to enable append.
+Kernel-MAC-System-5 | `System::Sub` | Isolation of risky Subsystem.
+
+<!-- endconfig -->
+
+--------------------------------------------------------------------------------
+
+<!-- pagebreak -->
+
+## Applications, Services and User
+
+The _application_, _services_ and _user_ domain includes code that provides
+services to the system and user, as well as any associated data. All code
+running on this domain is under _Cynara_ control.
+
+The following table details the _application_, _services_ and _user_ domain:
+
+Label | Name | Execution **SMACK** | File Access **SMACK**
+------------------- | ------ | --------------------------------------------------------------------------- | ---------------------------
+`User::Pkg::$AppID` | AppID | `rwx` (for files created by the App). `rx` for files installed by **AppFw** | $App runtime executing $App
+`User::Home` | Home | `rwx-t` from System label `r-x-l` from App | None
+`User::App-Shared` | Shared | `rwxat` from System and User domains label of $User | None
+
+<!-- config -->
+
+Domain | `Label` name | Recommendations
+------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------
+Kernel-MAC-System-1 | `User::Pkg::$AppID` | Only one Label is allowed per App. A data directory is created by the AppFw in `rwx` mode.
+Kernel-MAC-System-2 | `User::Home` | AppFw needs to create a directory in `/home/$USER/App-Shared` at first launch if not present with label app-data access is `User::App-Shared` without transmute.
+Kernel-MAC-System-3 | `User::App-Shared` | Shared space between all App running for a given user.
+
+<!-- endconfig -->