blob: ac6d40d22297a0d8702725a4ff98c6da9a344c5a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
Application framework
=====================
version: 1
Date: 15 March 2016
Author: José Bollo
Foreword
--------
This document describes what we intend to do. It may happen that our
current implementation and the content of this document differ.
In case of differences, it is assumed that this document is right
and the implementation is wrong.
Overview
--------
The application framework on top of the security framework
provides the components to install and uninstall applications
and to run it in a secured environment.
The goal is to manage applications and to hide the details of
the security framework to the applications.
For the reasons explained in introduction, we did not used the
application framework of Tizen as is but used an adaptation of it.
The basis is kept identical: the applications are distributed
in a digitally signed container that must match the specifications
of widgets (web applications). This is described by the technical
recomendations [widgets] and [widgets-digsig] of the W3 consortium.
This model allows the distribution of HTML, QML and binary applications.
The management of signatures of the widget packages
This basis is not meant as being rigid and it can be extended in the
futur to include for example incremental delivery.
Comparison to other frameworks
------------------------------
### Tizen framework
### xdg-app
### ostro
Organisation of directory of applications
=========================================
The main path for applivcations are: APPDIR/PKGID/VER.
Where:
- APPDIR is as defined above
- PKGID is a directory whose name is the package identifier
- VER is the version of the package MAJOR.MINOR
This organisation has the advantage to allow several versions to leave together.
This is needed for some good reasons (rolling back) and also for less good reasons (user habits).
Identity of installed files
---------------------------
All the files are installed as the user "userapp" and group "userapp".
All files have rw(x) for user and r-(x) for group and others.
This allows any user to read the files.
Labelling the directories of applications
-----------------------------------------
Organisation of data
====================
The data of a user are in its directory and are labelled using the labels of the application
Setting Smack rules for the application
=======================================
For Tizen, the following rules are set by the security manager for each application.
System ~APP~ rwx
System ~PKG~ rwxat
System ~PKG~::RO rwxat
~APP~ System wx
~APP~ System::Shared rxl
~APP~ System::Run rwxat
~APP~ System::Log rwxa
~APP~ _ l
User ~APP~ rwx
User ~PKG~ rwxat
User ~PKG~::RO rwxat
~APP~ User wx
~APP~ User::Home rxl
~APP~ User::App::Shared rwxat
~APP~ ~PKG~ rwxat
~APP~ ~PKG~::RO rxl
Here, ~PKG~ is the identifier of the package and ~APP~ is the identifier of the application.
What user can run an application?
=================================
Not all user are able to run all applications.
How to manage that?
[meta-intel]: https://github.com/01org/meta-intel-iot-security "A collection of layers providing security technologies"
[widgets]: http://www.w3.org/TR/widgets "Packaged Web Apps"
[widgets-digsig]: http://www.w3.org/TR/widgets-digsig "XML Digital Signatures for Widgets"
[libxml2]: http://xmlsoft.org/html/index.html "libxml2"
[openssl]: https://www.openssl.org "OpenSSL"
[xmlsec]: https://www.aleksey.com/xmlsec "XMLSec"
[json-c]: https://github.com/json-c/json-c "JSON-c"
[d-bus]: http://www.freedesktop.org/wiki/Software/dbus "D-Bus"
[libzip]: http://www.nih.at/libzip "libzip"
[cmake]: https://cmake.org "CMake"
[security-manager]: https://wiki.tizen.org/wiki/Security/Tizen_3.X_Security_Manager "Security-Manager"
[app-manifest]: http://www.w3.org/TR/appmanifest "Web App Manifest"
[tizen-security]: https://wiki.tizen.org/wiki/Security "Tizen security home page"
[tizen-secu-3]: https://wiki.tizen.org/wiki/Security/Tizen_3.X_Overview "Tizen 3 security overview"
|