1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
|
AGL framework, proposal of IoT.bzh
==================================
version: 1
Date: 29 february 2016
Author: José Bollo
Foreword
--------
This document describes what we intend to do. It may happen that our
current implementation and the content of this document differ.
In case of differences, it is assumed that this document is right
and the implementation is wrong.
Introduction
------------
During the first works in having the security model of Tizen
integrated in AGL (Automotive Grade Linux) distribution, it became
quickly obvious that the count of components specific to Tizen
to integrate was huge.
Here is a minimal list of what was needed:
- platform/appfw/app-installers
- platform/core/security/cert-svc
- platform/core/appfw/ail
- platform/core/appfw/aul-1
- platform/core/appfw/libslp-db-util
- platform/core/appfw/pkgmgr-info
- platform/core/appfw/slp-pkgmgr
But this list is complete because many dependencies are hidden.
Those hidden dependencies are including some common libraries but also many
tizen specific sub-components (iniparser, bundle, dlog, libtzplatform-config,
db-util, vconf-buxton, ...).
This is an issue because AGL is not expected to be Tizen. Taking it would
either need to patch it for removing unwanted components or to take all
of them.
However, a careful study of the core components of the security framework
of Tizen showed that their dependencies to Tizen are light (and since some
of our work, there is no more dependency to tizen).
Those components are **cynara**, **security-manager**, **D-Bus aware of cynara**.
Luckyly, these core security components of Tizen are provided
by [meta-intel-iot-security][meta-intel], a set of yocto layers.
These layers were created by Intel to isolate Tizen specific security
components from the initial port of Tizen to Yocto.
The 3 layers are providing components for:
* Implementing Smack LSM
* Implementing Integrity Measurement Architecture
* Implementing Tizen Security Framework
The figure below shows the history of these layers.
2014 2015
Tizen OBS ----------+--------------------------->
\
\
Tizen Yocto +---------+-------------->
\
\
meta-intel-iot-security +----------->
We took the decision to use these security layers that provides the
basis of the Tizen security, the security framework.
For the components of the application framework, built top of
the security framework, instead of pulling the huge set of packages
from Tizen, we decided to refit it by developping a tiny set of
components that would implement the same behaviour but without all
the dependencies and with minor architectural improvements for AGL.
These components are **afm-system-daemon** and **afm-user-daemon**.
They provides infrastructure for installing, uninstalling,
launching, terminating, stopping and resuming applications in
a multi user secure environment.
A third component exists in the framework, the binder **afb-daemon**.
The binder provides the easiest way to provide secured API for
any tier. Currently, the use of the binder is not absolutely mandatory.
This documentation explains the framework created by IoT.bzh
by rewriting the Tizen Application Framework. Be aware of the
previous foreword.
Overview
--------
The figure below shows the major components of the framework
and their interactions going through the following scenario:
APPLICATION installs an other application and then launch it.
+-----------------------------------------------------------------------+
| User |
| ................................ |
| : Smack isolation context : |
| : : ........................... |
| : +-----------------------+ : : Smack isolation context : |
| : | | : : : |
| : | APPLICATION | : : OTHER application : |
| : | | : :.........................: |
| : +-----------+-----------+ : ^ |
| : | : | |
| : |(1),(7) : |(13) |
| : | : | |
| : +-----------v-----------+ : +---------+---------------+ |
| : | binder afb-daemon | : | | |
| : +-----------------------+ : | afm-user-daemon | |
| : | afm-main-plugin | : | | |
| : +-----+--------------+--+ : +------^-------+------+---+ |
| :........|..............|......: | | : |
| |(2) |(8) |(10) | : |
| | | | | : |
| | +----v--------------------+---+ | : |
| | | D-Bus session | |(11) :(12) |
| | +-------------------------+---+ | : |
| | | | : |
| | |(9) | : |
| | | | : |
:===========|===================================|=======|======:========:
| | | | : |
| | +---v-------v--+ : |
| +------v-------------+ (3) | | : |
| | D-Bus system +-----------------> CYNARA | : |
| +------+-------------+ | | : |
| | +------^-------+ : |
| |(4) | : |
| | |(6) v |
| +------v--------------+ +---------+---------------+ |
| | | (5) | | |
| | afm-system-daemon +-------------> SECURITY-MANAGER | |
| | | | | |
| +---------------------+ +-------------------------+ |
| |
| System |
+-----------------------------------------------------------------------+
Let follow the sequence of calls:
1. APPLICATION calls its **binder** to install the OTHER application.
2. The plugin **afm-main-plugin** of the **binder** calls, through
**D-Bus** system, the system daemon to install the OTHER application.
3. The system **D-Bus** checks wether APPLICATION has the permission
or not to install applications by calling **CYNARA**.
4. The system **D-Bus** transmits the request to **afm-system-daemon**.
**afm-system-daemon** checks the application to install, its
signatures and rights and install it.
5. **afm-system-daemon** calls **SECURITY-MANAGER** for fullfilling
security context of the installed application.
6. **SECURITY-MANAGER** calls **CYNARA** to install initial permissions
for the application.
7. APPLICATION call its binder to start the nearly installed OTHER application.
8. The plugin **afm-main-plugin** of the **binder** calls, through
**D-Bus** session, the user daemon to launch the OTHER application.
9. The session **D-Bus** checks wether APPLICATION has the permission
or not to start an application by calling **CYNARA**.
10. The session **D-Bus** transmits the request to **afm-user-daemon**.
11. **afm-user-daemon** checks wether APPLICATION has the permission
or not to start the OTHER application **CYNARA**.
12. **afm-user-daemon** uses **SECURITY-MANAGER** features to set
the seciruty context for the OTHER application.
13. **afm-user-daemon** launches the OTHER application.
This scenario does not cover all the features of the frameworks.
Shortly because details will be revealed in the next chapters,
the components are:
* ***SECURITY-MANAGER***: in charge of setting Smack contexts and rules,
of setting groups, and, of creating initial content of *CYNARA* rules
for applications.
* ***CYNARA***: in charge of handling API access permissions by users and by
applications.
* ***D-Bus***: in charge of checking security of messaging. The usual D-Bus
security rules are enhanced by *CYNARA* checking rules.
* ***afm-system-daemon***: in charge of installing and uninstalling applications.
* ***afm-user-daemon***: in charge of listing applications, querying application details,
starting, terminating, stopping, resuming applications and their instances
for a given user context.
* ***afb-binder***: in charge of serving resources and features through an
HTTP interface.
* ***afm-main-plugin***: This plugin allows applications to use the API
of the AGL framework.
Links between the "Security framework" and the "Application framework"
----------------------------------------------------------------------
The security framework refers to the security model used to ensure
security and to the tools that are provided for implementing that model.
The security model refers to how DAC (Discretionnary Access Control),
MAC (Mandatory Access Control) and Capabilities are used by the system
to ensure security and privacy. It also includes features of reporting
using audit features and by managing logs and alerts.
The application framework manages the applications:
installing, uninstalling, starting, stopping, listing ...
The application framework uses the security model/framework
to ensure the security and the privacy of the applications that
it manages.
The application framework must be compliant with the underlyiong
security model/framework. But it should hide it to the applications.
The security framework
----------------------
The implemented security model is the security model of Tizen 3.
This model is described [here][tizen-secu-3].
The security framework then comes from Tizen 3 but through
the [meta-intel].
It includes: **Security-Manager**, **Cynara**
and **D-Bus** compliant to Cynara.
Two patches are applied to the security-manager. These patches are removing
dependencies to packages specific of Tizen but that are not needed by AGL.
None of these patches adds or removes any behaviour.
**Theoritically, the security framework/model is an implementation details
that should not impact the layers above the application framework**.
The security framework of Tizen provides "nice lad" a valuable component to
scan log files and analyse auditing. This component is still in developement.
The application framework
-------------------------
The application framework on top of the security framework
provides the compoenents to install and uninstall applications
and to run it in a secured environment.
The goal is to manage applications and to hide the details of
the security framework to the applications.
For the reasons explained in introduction, we did not used the
application framework of Tizen as is but used an adaptation of it.
The basis is kept identical: the applications are distributed
in a digitally signed container that must match the specifications
of widgets (web applications). This is described by the technical
recomendations [widgets] and [widgets-digsig] of the W3 consortium.
This model allows the distribution of HTML, QML and binary applications.
The management of signatures of the widget packages
This basis is not meant as being rigid and it can be extended in the
futur to include for example incremental delivery.
The widgets
-----------
### signature of the
The application framework
This is the original part of our work here
### directory where are stored applications
Applications can be installed in few places: on the system itself or on an extension device.
For my phone, for example, it is the sd card.
This translates to:
- /usr/applications: for system wide applications
- /opt/applications: for removable applications
In the remaining of the document, these places are writen "APPDIR".
Organisation of directory of applications
=========================================
The main path for applivcations are: APPDIR/PKGID/VER.
Where:
- APPDIR is as defined above
- PKGID is a directory whose name is the package identifier
- VER is the version of the package MAJOR.MINOR
This organisation has the advantage to allow several versions to leave together.
This is needed for some good reasons (rolling back) and also for less good reasons (user habits).
Identity of installed files
---------------------------
All the files are installed as the user "userapp" and group "userapp".
All files have rw(x) for user and r-(x) for group and others.
This allows any user to read the files.
Labelling the directories of applications
-----------------------------------------
Organisation of data
====================
The data of a user are in its directory and are labelled using the labels of the application
Setting Smack rules for the application
=======================================
For Tizen, the following rules are set by the security manager for each application.
System ~APP~ rwx
System ~PKG~ rwxat
System ~PKG~::RO rwxat
~APP~ System wx
~APP~ System::Shared rxl
~APP~ System::Run rwxat
~APP~ System::Log rwxa
~APP~ _ l
User ~APP~ rwx
User ~PKG~ rwxat
User ~PKG~::RO rwxat
~APP~ User wx
~APP~ User::Home rxl
~APP~ User::App::Shared rwxat
~APP~ ~PKG~ rwxat
~APP~ ~PKG~::RO rxl
Here, ~PKG~ is the identifier of the package and ~APP~ is the identifier of the application.
What user can run an application?
=================================
Not all user are able to run all applications.
How to manage that?
API of the framework
====================
Data handled
------------
=== description of an application
the JSON object: APPDESC
{
"appid": string, the application id for the framework
"id": string, the application intrinsic id
"version": string, the version of the application
"path": string, the path of the directory of the application
"width": integer, requested width of the application
"height": integer, resqueted height of the application
"name": string, the name of the application
"description": string, the description of the application
"shortname": string, the short name of the application
"author": string, the author of the application
}
The base of the path is FWKAPI = /api/fwk
request FWKAPI/runnables
-- get the list of applications
=> [ APPDESC... ]
request FWKAPI/detail?id=APPID
subject to languages tuning
=> { "id": "APPID", "name": "name", "description": "description", "license": "license", "author": "author" }
/*
request FWKAPI/icon?id=APPID
subject to languages tuning
=> the icon image
*/
request FWKAPI/run?id=APPID
=> { "status": "done/error", "data": { "runid": "RUNID" } }
request FWKAPI/running
=> [ { "id": "RUNID", "appid": "APPID", "state": ... }... ]
request FWKAPI/state?id=RUNID
=> { "id": "RUNID", "appid": "APPID", "state": ... }
request FWKAPI/stop?id=RUNID
=> { "error": "message" ou "done": "RUNID" }
request FWKAPI/suspend?id=RUNID
=> { "error": "message" ou "done": "RUNID" }
request FWKAPI/resume?id=RUNID
=> { "error": "message" ou "done": "RUNID" }
/*
request FWKAPI/features
=> returns the features of the current application
request FWKAPI/preferences
=> returns the features of the current application
*/
API of the store
================
The base of the path is STORAPI = /api/store
request STORAPI/search[?q=...]
subject to languages tuning
=> [ { "id": "APPID", "name": "name", "description": "description", "license": "license", "author": "author", "icon": "url" }... ]
/*
request STORAPI/icon?id=APPID
subject to languages tuning
=> the icon image
*/
request STORAPI/detail?id=APPID
=> { "id": "APPID", "name": "name", "description": "description", "license": "license", "author": "author", "icon": "url", "permissions": [ "perm"... ] }
request STORAPI/install?id=APPID&permissions
=> { "transaction": "XXX", "desc"= { see above } } or error
[meta-intel]: https://github.com/01org/meta-intel-iot-security "A collection of layers providing security technologies"
[widgets]: http://www.w3.org/TR/widgets "Packaged Web Apps"
[widgets-digsig]: http://www.w3.org/TR/widgets-digsig "XML Digital Signatures for Widgets"
[libxml2]: http://xmlsoft.org/html/index.html "libxml2"
[openssl]: https://www.openssl.org "OpenSSL"
[xmlsec]: https://www.aleksey.com/xmlsec "XMLSec"
[json-c]: https://github.com/json-c/json-c "JSON-c"
[d-bus]: http://www.freedesktop.org/wiki/Software/dbus "D-Bus"
[libzip]: http://www.nih.at/libzip "libzip"
[cmake]: https://cmake.org "CMake"
[security-manager]: https://wiki.tizen.org/wiki/Security/Tizen_3.X_Security_Manager "Security-Manager"
[app-manifest]: http://www.w3.org/TR/appmanifest "Web App Manifest"
[tizen-security]: https://wiki.tizen.org/wiki/Security "Tizen security home page"
[tizen-secu-3]: https://wiki.tizen.org/wiki/Security/Tizen_3.X_Overview "Tizen 3 security overview"
|