The security teams from Intel and Samsung held a face-to-face meeting in 
Vannes, France September 30 through October 2, 2014. This meeting was part of 
an ongoing effort to ensure mutual understanding of requirements, directions 
and concerns about Tizen security and security feature development. Over the 
three days there were 27 sessions, covering issues ranging from certificates to 
profiles. Here is a brief synopsis of each session.

Tizen 2.x security update
What is being done in Tizen 2?

Tizen 2.3 will support an EFL based native application runtime environment. The 
OSP native runtime environment has been deprecated and will not be included in 
Tizen 2.3. The Gear product line is using the new wearable profile. There will 
be a beta release of the 2.3 SDK near the end of September, a release of the 
system end of October and source by the end of the year. The first TV profile 
will be based on Tizen 2.2.1. The Tizen "Knox" facilities will be available 
sometime after 2.3. Cynara and Crosswalk will be added to the Tizen 2 line.

Tizen 3.0 security update
What is being done in Tizen 3?

Tizen 3 IVI is scheduled for release by the end of year. There are dependencies 
on security manager and the application runtime to resolve. There will be a 
solution for native applications based on native application support going into 
Tizen 2.3. Some of the communications facilities used in Tizen 3 have 
significant problems in a multi-user environment. Tizen 3 needs Cynara, 
security manager and user account management complete. Shared directory 
management is not fully defined and is a potential obstacle to bringing in new 
packages. The end of year objective is to install and update html5 and native 
applications. There are no native applications yet.

Replacing GPLv3 coreutils and cpio
Shall the current GPLv3 version of cpio be replaced with the latest GPLv2 
version? Shall the GPLv3 version of coreutils be replaced with the latest GPLv2 
(6.9) version, busybox or toybox? Who can do the work to make the replacement 
Smack aware?

Samsung has agreed to assign a developer to do the work to enhance ToyBox so 
that it can be used to replace the GPLv3 coreutils package. Intel will take 
care of the packaging work required to replace coreutils with ToyBox.

Profiles
IVI, Mobile, TV, Wearable. Is there security divergence?

The IVI profile has identified and unidentified users, the identity can be by 
device (phone, fob) or visual recognition, and the user can be privileged or 
not. Tizen TV has parental controls. Tablet may require multi-user. Yes, there 
will be profile divergence in how they treat the multi-user environment.

Application Privileges
Smack labels, UIDs, groups and what haven't we addressed yet?

Security manager (cynara) provides session management services. Device 
attributes are generally Smack="*", uid=root, gid=gp1,gp2,..., mode=660. The gid 
maps to the privilege; Smack+uid are used by services via security 
manager/cynara, and Smack+uid+gid are used on device files (native applications). 
There needs to be a GID associated with each privilege. If there are multiple 
applications in a package, each will get its own Smack label; however, they will 
be given mutual access, as "AppFirst AppSecond rwxa" and "AppSecond AppFirst rwxa".

Multiple Users
Single use devices, account creation, application sharing, gumd

There has been a question about how to create a user at image creation time. 
Samsung is providing an offline API to set up cynara data. Security manager 
offline interfaces are in progress. Today there are two sorts of users, 
privileged and not. Dominique expresses a strong opinion regarding support for 
arbitrary uninstall scripts. Gumd will integrate with security manager. 
Actually, it seems that security manager ought to invoke gumd. That should make 
the upstream integration of gumd easier.

Deviced
Bumjin will provide an introduction, describe how it is configured, and 
provide the schedule for its implementation

The new native "Core API" privilege model resembles the OSP model. For 2.3 Core 
API reuses OSP package format. In 2.3 privileges are implemented as Smack 
rules. There are five privilege categories. Privileges are intended to map to 
APIs. Currently the core API uses 58 privileges. Deviced is a dbus service to 
provide access to five specific simple devices. The Smack floor ("_") label 
semantics will be modified to include general lock ("l") access.

Device Sharing Control
Analysis, solutions. When a device like /dev/audio is shared between 
applications and users what are the security attributes (Smack, UID, GID, ACL 
...) assigned to it, and how are they managed?

There is a group ID related to each privilege. This is assigned to the device.
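The following Python model is an illustration added to this summary (it is not Tizen or kernel code) of the access checks sketched in the Application Privileges, Deviced and Device Sharing Control notes: each app in a package gets its own Smack label plus mutual rwxa rules, device nodes carry Smack="*", uid=root and a privilege group with mode 660, and the floor label grants lock ("l") access as the notes say it will. The Smack rule grammar and the floor/star shortcuts follow documented Smack semantics; the package, privilege-to-gid mapping and device objects are simplified stand-ins constructed for the example.

```python
# Added model of the Tizen access checks described in the meeting notes.
# Smack rule grammar ("subject object mode") and the floor/star shortcuts are
# real Smack behaviour; everything else is a constructed simplification.

from dataclasses import dataclass

FLOOR = "_"   # Smack floor label
STAR = "*"    # Smack star label

# The notes say floor semantics will be modified to include lock ("l") access.
FLOOR_GRANTS_LOCK = True


class SmackPolicy:
    """Holds explicit 'subject object mode' rules and answers access queries."""

    def __init__(self):
        self.rules = {}  # (subject_label, object_label) -> set of access letters

    def add_rule(self, line):
        subject, obj, mode = line.split()
        self.rules[(subject, obj)] = set(mode) - {"-"}

    def allowed(self, subject, obj, mode):
        """True if every access letter in `mode` is granted."""
        if subject == STAR:                 # a star subject is denied everything
            return False
        if obj == STAR or subject == obj:   # star object / same label: all access
            return True
        granted = set()
        if obj == FLOOR:                    # floor object: read/execute for everyone
            granted |= {"r", "x"}
            if FLOOR_GRANTS_LOCK:
                granted.add("l")
        granted |= self.rules.get((subject, obj), set())
        return set(mode) <= granted


def install_package(policy, app_labels):
    """Each app in a package keeps its own label but gets mutual rwxa access,
    i.e. 'AppFirst AppSecond rwxa' and 'AppSecond AppFirst rwxa'."""
    for a in app_labels:
        for b in app_labels:
            if a != b:
                policy.add_rule(f"{a} {b} rwxa")


@dataclass(frozen=True)
class Process:
    label: str
    uid: int
    gids: frozenset   # supplementary groups, one per granted privilege


@dataclass(frozen=True)
class Device:
    label: str = STAR                 # notes: device nodes carry Smack="*"
    uid: int = 0                      # owned by root
    gids: frozenset = frozenset()     # privilege group(s); more than one needs ACLs
    mode: int = 0o660


# Hypothetical privilege -> gid mapping, constructed for the example.
PRIVILEGE_GID = {"audio": 1001, "camera": 1002}


def dac_allows(proc, dev, mode):
    """Owner/group/other check for the r and w bits of a device node."""
    if proc.uid == dev.uid:
        bits = (dev.mode >> 6) & 7
    elif proc.gids & dev.gids:
        bits = (dev.mode >> 3) & 7
    else:
        bits = dev.mode & 7
    want = (4 if "r" in mode else 0) | (2 if "w" in mode else 0)
    return bits & want == want


def can_open_device(policy, proc, dev, mode):
    """Opening a device succeeds only if DAC and Smack both agree."""
    return dac_allows(proc, dev, mode) and policy.allowed(proc.label, dev.label, mode)


def demo():
    policy = SmackPolicy()
    install_package(policy, ["AppFirst", "AppSecond"])
    audio = Device(gids=frozenset({PRIVILEGE_GID["audio"]}))
    with_priv = Process("AppFirst", 5001, frozenset({PRIVILEGE_GID["audio"]}))
    without = Process("AppSecond", 5002, frozenset())
    return {
        "package_mutual": policy.allowed("AppFirst", "AppSecond", "rwxa")
                          and policy.allowed("AppSecond", "AppFirst", "rw"),
        "unrelated_app": policy.allowed("AppFirst", "Other", "r"),
        "floor_lock": policy.allowed("AppFirst", FLOOR, "rl"),
        "floor_write": policy.allowed("AppFirst", FLOOR, "w"),
        "audio_with_priv": can_open_device(policy, with_priv, audio, "rw"),
        "audio_without_priv": can_open_device(policy, without, audio, "rw"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point the model makes is that a device node labelled "*" puts the whole access decision on the DAC side: the privilege is enforced purely by group membership, so the security manager must hand the right supplementary groups to an application at launch, while Smack still separates applications from each other and from anything not labelled "*".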

Cynara
API development, Cynara service, updating services, dbus, Buxton

Cynara has demonstrated massively better performance than polkit or 
security-server. The 0.3.0 version was available 2014.09.05. The async API is 
in progress. The extension mechanism in progress. This will allow "ask user" 
and similar policies. There is an administration library for when no service is 
running, such as image creation time. Database integrity checks and recovery 
modes are in the works. Dominique pointed out that there is already a pop-up 
service available, so Cynara does not have to provide one.
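As an added sketch (constructed for this summary, not Cynara's own code or database format) of the question Cynara answers for a service, "may this client, acting for this user, use this privilege?", the following Python models a policy table keyed by (client, user, privilege) with a most-specific-match rule and an "ask user" result that is delegated to an external pop-up hook, as the extension mechanism described above would allow. The wildcard character, the ordering rule and the remembered-answer behaviour are assumptions of this model; the client labels and privilege names are sample values.

```python
# Added, simplified model of a Cynara-style policy check; not Cynara code.

ALLOW, DENY, ASK_USER = "ALLOW", "DENY", "ASK_USER"
ANY = "*"   # wildcard in this model (an assumption, not Cynara's syntax)


class PolicyDB:
    """Entries are (client, user, privilege, result); the entry with the most
    non-wildcard fields wins, and no match means DENY."""

    def __init__(self):
        self.entries = []

    def add(self, client, user, privilege, result):
        self.entries.append((client, user, privilege, result))

    @staticmethod
    def _matches(pattern, value):
        return pattern == ANY or pattern == value

    def lookup(self, client, user, privilege):
        best, best_score = DENY, -1
        for c, u, p, result in self.entries:
            if all(self._matches(x, y)
                   for x, y in ((c, client), (u, user), (p, privilege))):
                score = sum(x != ANY for x in (c, u, p))
                if score > best_score:
                    best, best_score = result, score
        return best


class Checker:
    """Front end a service (or the dbus daemon) would call. ASK_USER is
    delegated to a pop-up hook and the answer is remembered for that triple."""

    def __init__(self, db, ask_user):
        self.db = db
        self.ask_user = ask_user   # callable(client, user, privilege) -> bool
        self.remembered = {}

    def check(self, client, user, privilege):
        key = (client, user, privilege)
        if key in self.remembered:
            return self.remembered[key]
        verdict = self.db.lookup(*key)
        if verdict == ASK_USER:
            verdict = ALLOW if self.ask_user(*key) else DENY
            self.remembered[key] = verdict
        return verdict


def demo():
    # Sample policy: deny by default, internet for everyone, contacts for the
    # mail app only after asking, and a per-user override that denies it.
    db = PolicyDB()
    db.add(ANY, ANY, ANY, DENY)
    db.add(ANY, ANY, "privilege/internet", ALLOW)
    db.add("User::App::Mail", ANY, "privilege/contacts", ASK_USER)
    db.add("User::App::Mail", "5002", "privilege/contacts", DENY)

    prompts = []

    def popup(client, user, privilege):      # stands in for the pop-up service
        prompts.append((client, user, privilege))
        return True                          # the sample user clicks "allow"

    chk = Checker(db, popup)
    return {
        "internet_any": chk.check("User::App::Game", "5001", "privilege/internet"),
        "contacts_user5001": chk.check("User::App::Mail", "5001", "privilege/contacts"),
        "contacts_user5001_again": chk.check("User::App::Mail", "5001", "privilege/contacts"),
        "contacts_user5002": chk.check("User::App::Mail", "5002", "privilege/contacts"),
        "camera_default": chk.check("User::App::Game", "5001", "privilege/camera"),
        "prompt_count": len(prompts),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The user-specific deny beating the app-wide "ask" entry is the multi-user case the notes keep returning to: the same client label must be able to carry different verdicts per user, and a deny that an administrator set offline must not be overridden by an earlier interactive "allow".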

Security Manager
What is security manager? What is its scope and what services does it provide? 
Why is it becoming so important?

Security manager is a set of APIs and a service to manage security attributes 
and configure system policy. It understands the Tizen policies, where the 
underlying mechanisms may not. It provides an API to support application 
launching. Setting privilege on user session launchers has complexity. AMD is 
the native application launcher. TZlauncher configuration will be done using 
security manager. Privilege manager from Tizen 2.x allows the user to 
configure privileges on the fly. User manager allows updating the user profile. 
Containers (and name spaces) need to be supported and configured by the 
security manager.

Application Framework
Samsung would like to understand the relationship between Security Manager and 
the Application Framework. Overlap and duplication should be identified and 
addressed.

The commonality between a "guest" on a phone and a "guest" in a car was 
discussed at length.

Dbus
Cynara integration status

Cynara policy checks are being added in the dbus daemon. Services don't have to 
be changed to do the checks; however, configuration needs to be provided, as a 
check tag in the dbus daemon configuration. Dbus uses the Cynara async API. Testing includes 
python bindings. New tests are included in the common profile test framework. 
Upstream is already looking at allowing interactive authentication. 
Implementation is expected to be complete in late October. A new base version 
of dbus is required. Email to this effect should go to the dev list.

Buxton
Vconf conversion, Cynara integration

Buxton needs to get used or vconf needs to be changed for multi-user. The plan 
is to replace libvconf with libvconfbuxton, add Jose's patches to buxton. We 
will deal with the cases that don't work individually.

gSSO
Current integration plan

Everything looks like it is on track. All parties are communicating to mutual 
satisfaction.

Crosswalk
Application installer, Application launcher, Cynara issues, Application 
Signatures

There is structure for certificate management, but no enforcement. Crosswalk 
will need the pop-up cynara extension. Privacy manager could be useful for 
dropping application privilege. Tomasz asked about test cases. Terri reports 
that they are available on github.

Native Applications
APIs, runtime environment, sandboxing, cryptographic interfaces

There are still questions about the secure certificate and key storage. Samsung 
has a key manager repository. There has to be a documented native C/C++ API. 
Samsung requires that the key management be FIPS certifiable. Intel is still 
waiting to see the core API code on Tizen.org. Even native applications get 
launched. Native applications use the (TPK) directory structure. Namespace 
containers would be interesting. We will need a mechanism for privileged 
(system level privilege) native apps. Native apps can tell the window manager 
to do things that HTML5 apps can't (today), so services like the window 
managers and gstreamer may have some work to do.

AMD, TZlauncher and other application invocation mechanisms
What should we do about all of the non-standard mechanisms we have for 
launching applications?

Rafal proposed how to label the content of $HOME. There was much rejoicing.

OIC/CSF
Integration with the Tizen 3 security model. What we know about it so far.

OIC is the group providing guidance on the interfaces for the Internet of 
Things. The security team from Samsung is in the dark. The Intel team has been 
involved. Samsung has a message protocol, Intel a stream protocol.

CSF is the scanner infrastructure from McAfee. Samsung would like a server 
architecture in place of the library architecture. They would like to support 
more 3rd party checkers. McAfee does not seem to have made this a high priority.

Smack Bringup mode
How to use it

Going in 3.18. The patch is available for backport.

Kdbus
Status

Upstream project may be stalled. Tizen TV wants kdbus, so we need to track the 
progress. It should support Smack when it is accepted upstream.

Security Containers
Current design and status

There are two "domains" in the Samsung container-based solution. SCS spawns 
containers. It is libvirt/LXC based. It includes Smack namespaces. No release for the time 
being, but they want it on tizen.org.

Security Namespaces
Current design and status

Security namespaces, with a Smack base, are 2 months from being done. Then the 
kernel patches will be sent for LSM review. Then the fun begins.

Certificate Authority
Strategy and requirements for a Tizen CA infrastructure

The Tizen store has 3 root certificates. Samsung has one for Gear 2 and Gear S. 
All issued and managed by Samsung. Multiple chain support may be our best 
answer. We should ask about tizen.org chain. Platform development needs to have 
a certificate of its own.

Developer Authorization
Current design and status

Samsung wants to use Flora license. Intel says "no". No one is surprised.

Documentation
We got as far as an outline and stopped. How can we progress?

Casey will make preliminary assignments.

Security Features
Schedule, assignments, risks, fallback plans

Network: Content Security Policy. Smack use of secmark for IPTables needs to be 
investigated. The strategy for removable media still needs to be fleshed out. 
It will require the ExternalMedia privilege. On disk encryption for user data 
is required, but not yet available and raises issues for flash filesystems. 
Integrity controls, including key management are desired and available. Fast 
Boot is critical, security cannot be seen as a bottleneck. Update by image 
requires a mechanism to get the Smack configuration for the applications 
already installed.

End of 2014 Release
Schedule, assignments, risks, fallback plans

Security manager and Cynara are required and may be at risk for the IVI profile 
end of year release.

Final wrap up and action items
What is next?

The next security face to face is proposed for the middle of January in 
Hillsboro, Oregon USA. We will also consider returning to Vannes as a "warm 
weather" alternate.

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
