diff options
Diffstat (limited to 'security-blueprint/part-5')
| -rw-r--r-- | security-blueprint/part-5/0_Abstract.md | 4 | ||||
| -rw-r--r-- | security-blueprint/part-5/1-MAC.md | 18 | ||||
| -rw-r--r-- | security-blueprint/part-5/2-SystemD.md | 4 | ||||
| -rw-r--r-- | security-blueprint/part-5/3-SystemBus.md | 4 | ||||
| -rw-r--r-- | security-blueprint/part-5/4-Services.md | 8 | ||||
| -rw-r--r-- | security-blueprint/part-5/5-AppFw.md | 12 | ||||
| -rw-r--r-- | security-blueprint/part-5/6-Utilities.md | 10 | ||||
| -rw-r--r-- | security-blueprint/part-5/7-Users.md | 12 |
8 files changed, 36 insertions, 36 deletions
diff --git a/security-blueprint/part-5/0_Abstract.md b/security-blueprint/part-5/0_Abstract.md index 4cbd17a..e724321 100644 --- a/security-blueprint/part-5/0_Abstract.md +++ b/security-blueprint/part-5/0_Abstract.md @@ -15,12 +15,12 @@ to deal with, we must: - Manage user capabilities (_Users_ part). - Manage application permissions and policies (_AGLFw_ part). -<!-- note --> +<!-- section-note --> The tools and concepts used to meet these needs are only examples. Any other tool that meets the need can be used. -<!-- endnote --> +<!-- end-section-note --> In AGL, as in many other embedded systems, different security mechanisms settle in the core layers to ensure isolation and data privacy. While the Mandatory diff --git a/security-blueprint/part-5/1-MAC.md b/security-blueprint/part-5/1-MAC.md index 9cfc150..02a0e37 100644 --- a/security-blueprint/part-5/1-MAC.md +++ b/security-blueprint/part-5/1-MAC.md @@ -1,12 +1,12 @@ # Mandatory Access Control -<!-- note --> +<!-- section-note --> We decided to put the **MAC** protection on the platform part despite the fact that it applies to the kernel too, since its use will be mainly at the platform level (except floor part). -<!-- endnote --> +<!-- end-section-note --> **M**andatory **A**ccess **C**ontrol (**MAC**) is a protection provided by the Linux kernel that requires a **L**inux **S**ecurity **M**odule (**LSM**). AGL @@ -58,7 +58,7 @@ Label | Name | Execution **SMACK** | File Access **SMACK** `^` | Hat | `---` for all | `rx` on all domains. `*` | Star | `rwx` for all | None -<!-- note --> +<!-- section-note --> - The Hat label is Only for privileged system services (currently only systemd-journal). Useful for backup or virus scans. No file with this label @@ -67,14 +67,14 @@ Label | Name | Execution **SMACK** | File Access **SMACK** - The Star label is used for device files or `/tmp` Access restriction managed via **DAC**. Individual files remain protected by their **SMACK** label. -<!-- endnote --> <!-- config --> +<!-- end-section-note --> <!-- section-config --> Domain | `Label` name | Recommendations ------------------ | ------------ | ----------------------------------------------------------- Kernel-MAC-Floor-1 | `^` | Only for privileged system services. Kernel-MAC-Floor-2 | `*` | Used for device files or `/tmp` Access restriction via DAC. -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -95,7 +95,7 @@ Label | Name | Execution **SMACK** | `System::Log` | Log | `rwa` for System label `xa` for user label | None `System::Sub` | SubSystem | Subsystem Config files | SubSystem only -<!-- config --> +<!-- section-config --> Domain | `Label` name | Recommendations ------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------- @@ -105,7 +105,7 @@ Kernel-MAC-System-3 | `System::Shared` | Files are created with the directory la Kernel-MAC-System-4 | `System::Log` | Some limitation may impose to add `w` to enable append. Kernel-MAC-System-5 | `System::Sub` | Isolation of risky Subsystem. -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -125,7 +125,7 @@ Label | Name | Execution **SMACK** `User::Home` | Home | `rwx-t` from System label `r-x-l` from App | None `User::App-Shared` | Shared | `rwxat` from System and User domains label of $User | None -<!-- config --> +<!-- section-config --> Domain | `Label` name | Recommendations ------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -133,4 +133,4 @@ Kernel-MAC-System-1 | `User::Pkg::$AppID` | Only one Label is allowed per App. A Kernel-MAC-System-2 | `User::Home` | AppFw needs to create a directory in `/home/$USER/App-Shared` at first launch if not present with label app-data access is `User::App-Shared` without transmute. Kernel-MAC-System-3 | `User::App-Shared` | Shared space between all App running for a given user. -<!-- endconfig --> +<!-- end-section-config --> diff --git a/security-blueprint/part-5/2-SystemD.md b/security-blueprint/part-5/2-SystemD.md index 903df11..35abe16 100644 --- a/security-blueprint/part-5/2-SystemD.md +++ b/security-blueprint/part-5/2-SystemD.md @@ -6,14 +6,14 @@ - Setup applications and services (_CGroups_, _namespaces_, autostart, permissions). - Use of `libsystemd` for its programs (event management, **D-Bus** interface). -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations ------------------ | -------------- | ------------------------------------ Platform-SystemD-1 | Security model | Use Namespaces for containerization. Platform-SystemD-2 | Security model | Use CGroups to organise processes. -<!-- endconfig --> +<!-- end-section-config --> See [systemd integration and user management](http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf) for more information. diff --git a/security-blueprint/part-5/3-SystemBus.md b/security-blueprint/part-5/3-SystemBus.md index 2a98124..e2af387 100644 --- a/security-blueprint/part-5/3-SystemBus.md +++ b/security-blueprint/part-5/3-SystemBus.md @@ -14,11 +14,11 @@ It is important to protect against this type of attack to keep the system more stable. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations --------------- | -------------- | ------------------------------------ Platform-DBus-1 | Security model | Use D-Bus as IPC. Platform-DBus-2 | Security model | Apply D-BUS security patches: [D-Bus CVE](https://www.cvedetails.com/vulnerability-list/vendor_id-13442/D-bus-Project.html) -<!-- endconfig -->
\ No newline at end of file +<!-- end-section-config --> diff --git a/security-blueprint/part-5/4-Services.md b/security-blueprint/part-5/4-Services.md index 18f56ec..013f693 100644 --- a/security-blueprint/part-5/4-Services.md +++ b/security-blueprint/part-5/4-Services.md @@ -1,13 +1,13 @@ # System services and daemons -<!-- todo --> +<!-- section-todo --> Domain | Improvement ------------------- | ----------- Platform-Services-1 | SystemD ? Platform-Services-2 | Secure daemon ? -<!-- endtodo --> +<!-- end-section-todo --> ## Tools @@ -25,7 +25,7 @@ Platform-Services-2 | Secure daemon ? - **alsa** is a software framework and part of the Linux kernel that provides an **API** for sound card device drivers. -<!-- config --> +<!-- section-config --> Domain | `Tool` name | _State_ -------------------- | ----------- | ------- @@ -34,4 +34,4 @@ Platform-Utilities-2 | `bluez` | _Used_ as a Bluetooth manager. Platform-Utilities-3 | `gstreamer` | _Used_ to manage multimedia file format. Platform-Utilities-4 | `alsa` | _Used_ to provides an API for sound card device drivers. -<!-- endconfig --> +<!-- end-section-config --> diff --git a/security-blueprint/part-5/5-AppFw.md b/security-blueprint/part-5/5-AppFw.md index 9f67b16..923c591 100644 --- a/security-blueprint/part-5/5-AppFw.md +++ b/security-blueprint/part-5/5-AppFw.md @@ -8,7 +8,7 @@ The application framework manages: - Privileges granting and checking. - API for interaction with applications. -<!-- note --> +<!-- section-note --> - The **security model** refers to the security model used to ensure security and to the tools that are provided for implementing that model. It's an @@ -20,19 +20,19 @@ The application framework manages: ensure security and privacy. It also includes features of reporting using audit features and by managing logs and alerts. -<!-- endnote --> +<!-- end-section-note --> The **AppFw** uses the security model to ensure the security and the privacy of the applications that it manages. It must be compliant with the underlying security model. But it should hide it to the applications. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations ---------------------- | -------------- | -------------------------------- Platform-AGLFw-AppFw-1 | Security model | Use the AppFw as Security model. -<!-- endconfig --> +<!-- end-section-config --> See [AGL AppFw Privileges Management](http://docs.automotivelinux.org/docs/devguides/en/dev/reference/iotbzh2016/appfw/03-AGL-AppFW-Privileges-Management.pdf) and [AGL - Application Framework Documentation](http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf) for more information. @@ -50,13 +50,13 @@ permissions: Currently in AGL, this task depends on a policy-checker service Cynara interact with **D-Bus** in order to deliver this information. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations ----------------------- | ----------- | ------------------------------------- Platform-AGLFw-Cynara-1 | Permissions | Use Cynara as policy-checker service. -<!-- endconfig --> +<!-- end-section-config --> ### Policies diff --git a/security-blueprint/part-5/6-Utilities.md b/security-blueprint/part-5/6-Utilities.md index d723c10..309cbc4 100644 --- a/security-blueprint/part-5/6-Utilities.md +++ b/security-blueprint/part-5/6-Utilities.md @@ -5,13 +5,13 @@ version of **busybox** in order to avoid all the tools useful only in development mode. -<!-- config --> +<!-- section-config --> Domain | `Tool` name | _State_ -------------------- | ----------- | ---------------------------------------------------------------------- Platform-Utilities-1 | `busybox` | _Used_ to provide a number of tools. Do not compile development tools. -<!-- endconfig --> +<!-- end-section-config --> ## Functionalities to exclude in production mode @@ -21,7 +21,7 @@ thus complicate the fault finding process. The tools used only in development mode are marked by an '**agl-devel**' feature. When building in production mode, these tools will not be compiled. -<!-- config --> +<!-- section-config --> Domain | `Utility` name and normal `path` | _State_ --------------------- | ---------------------------------------------------- | ---------- @@ -69,10 +69,10 @@ Platform-Utilities-41 | `tail` (busybox) | _ Platform-Utilities-42 | `tee` (busybox) | _Enabled_ Platform-Utilities-43 | `test` (busybox) | _Enabled_ -<!-- endconfig --> <!-- note --> +<!-- end-section-config --> <!-- section-note --> The _Enabled_ Unix/Linux utilities above shall be permitted as they are often used in the start-up scripts and for USB logging. If any of these utilities are not required by the device then those should be removed. -<!-- endnote --> +<!-- end-section-note --> diff --git a/security-blueprint/part-5/7-Users.md b/security-blueprint/part-5/7-Users.md index 9fc7a65..af5a686 100644 --- a/security-blueprint/part-5/7-Users.md +++ b/security-blueprint/part-5/7-Users.md @@ -24,18 +24,18 @@ provided by the system's drivers can be shared this way. The other advantage of this approach is that multiple applications can share the same resources at the same time. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations --------------------- | ---------------- | ----------------------------------------------------- Platform-Users-root-1 | Main application | Should not execute as root. Platform-Users-root-2 | UI | Should run in a context on a user with no capability. -<!-- endconfig --> +<!-- end-section-config --> Root access should not be allowed for the following utilities: -<!-- config --> +<!-- section-config --> Domain | `Utility` name | _State_ --------------------- | -------------- | ------------- @@ -45,7 +45,7 @@ Platform-Users-root-5 | `ssh` | _Not allowed_ Platform-Users-root-6 | `scp` | _Not allowed_ Platform-Users-root-7 | `sftp` | _Not allowed_ -<!-- endconfig --> +<!-- end-section-config --> Root access should not be allowed for the console device. The development environment should allow users to login with pre-created user accounts. @@ -59,14 +59,14 @@ via `sudo`. ## Capabilities -<!-- todo --> +<!-- section-todo --> Domain | Improvement ----------------------------- | ------------------------ Platform-Users-Capabilities-1 | Kernel or Platform-user? Platform-Users-Capabilities-2 | Add config note. -<!-- endtodo --> +<!-- end-section-todo --> The goal is to restrict functionality that will not be useful in **AGL**. They are integrated into the **LSM**. Each privileged transaction is associated with |