
samsung / security-manager


Central Tizen service for configuration of security policy for applications and users. This component encapsulates logic for configuration of security mechanisms in Tizen. It is responsible for configuring proper policy to enforce privileges for applications and users.

Configured security mechanisms:
- Smack
- Cynara
- DAC (with respect to privilege enforcement)
- Network filtering (enforcement of network access privilege)

It supports multi-user, applications installed per user or globally and integrates with Vasum for setting security policy in multi-container environment.

License: Apache License 2.0

CMake 2.68% PLSQL 0.04% Shell 1.29% C++ 88.59% C 7.37% SQLPL 0.03%

security-manager's Introduction

README for security-manager project

The security manager is a project forked from security-server, from which
it inherits its main design: a division into two parts:
* system daemon (security-manager)
* library for communication with daemon (libsecurity-manager).

The implementation of the daemon part is divided into:
    manager part: responsible for thread and communication management,
    with no awareness of what information is being transferred. This part is
    implemented by the SocketManager class, which works with GenericSocketService
    as a generalization of the services that security-server provides.
and
    services part: implemented as classes derived from GenericSocketService,
    grouped in the src/server/service directory, that define the actions taken
    by security-manager after receiving certain requests from the client side.

The security-manager's manager part is fully inherited from security-server,
while the services are completely different.

The security-manager services are meant to gather information about security
permissions in the system and provide access to that data by means of
libsecurity-manager.

security-manager's People

Contributors

azdyb, dmichaluk, grzelewski, havner, jacquesburac, jancybulski, janekolszak, jfdong, jinkunjang, jkozerski, kd0228-kim, keehoyang, kjackiewicz, krzsas, lukaszwojciechowski, m-niesluchow, marcinlis, pb--, penszo, petersaw, phmccarty, pohly, rafal-krypa, rdkb, s-baik, seongwookchung, sunmlee, tomaszswierczek, yl33, zos


security-manager's Issues

Feature Request - Add/Remove "b" option for given APPID

We would like to add simple functionality to security manager regarding the smack-bringup mode "b" option. Let's say we have the following two functions:

enable_bringup_for_app(APPID)
disable_bringup_for_app(APPID)

The enable function will search for the given APPID and append the "b" rule

App Foo w  ->  wb

The disable function will search for the given APPID and remove the "b" rule if exists

App Foo wb  ->  w

This should be temporary until next reboot/restart or if disable function is called explicitly

security-manager has hardcoded constants from tizen-platform config TZ_

Would it be acceptable to change security-manager to have OS-unified prefixes for constants? So, instead of TZ_xyz have OS_xyz?

Otherwise we have to patch this internally and it is quite ugly. I can submit a patch on this, but it would also require a patch to tizen-platform-config (I can also do that, but there is no github repo).

security_manager_app_uninstall does not remove from .security-manager.db

I am using SecurityManager 1.0.2 (rev 860305a). To get familiar with the API, I wrote a test tool (available here: https://github.com/pohly/meta-intel-iot-security/blob/app-runas/meta-security-framework/recipes-test/app-runas/files/app-runas.cpp)

I noticed that uninstall did not remove the app entry in the sqlite3 DB. To reproduce with the tool (run as root):

adduser -D tester
app-runas -a appid -p pkgid -u `id -u tester` -i
app-runas -a appid -p pkgid -u `id -u tester` -d
sqlite3 /usr/dbspace/.security-manager.db "SELECT app_name FROM app_pkg_view"

Debug output from SecurityManager shows:

Sep 17 13:09:04 qemux86 security-manager[776]: [service_impl.cpp:287] appInstall(): Install parameters: appId: appid, pkgId: pkgid, uidstr 1000, app label: User::App::appid, pkg label: User::Pkg::pkgid
...
Sep 17 13:09:33 qemux86 security-manager[776]: [service_impl.cpp:374] appUninstall(): Uninstall parameters: appId: appid, pkgId: pkgid, uidstr *, generated smack label: User::App::appid

Note that the actual uidstr was replaced by *. When inserting that into QueryType::ERemoveApplication, "DELETE FROM app_pkg_view WHERE app_name=? AND uid=?" the WHERE clause does not match the existing entry with uid=1000 (in my case) and therefore nothing gets removed.

The logic in appInstall and appUninstall around uid is different. Is that intentional? Am I perhaps not using the API correctly?
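
The mismatch described in this issue can be reproduced offline. The following is an added example, not code from security-manager or from the issue author: it uses a plain in-memory SQLite table as a stand-in for app_pkg_view (the column layout and all helper names are assumptions), runs the DELETE statement quoted above with the uid values from the two log lines, and includes a hypothetical checked_uninstall that treats a delete matching no rows as an error instead of a silent success.

```python
import sqlite3

# Statement quoted in the issue (QueryType::ERemoveApplication).
REMOVE_APP = "DELETE FROM app_pkg_view WHERE app_name=? AND uid=?"


def open_db():
    """In-memory stand-in: a plain table named like the view in the issue.
    The column layout is an assumption made for this example."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE app_pkg_view (app_name TEXT, pkg_name TEXT, uid INTEGER)"
    )
    return db


def install(db, app, pkg, uid):
    db.execute("INSERT INTO app_pkg_view VALUES (?, ?, ?)", (app, pkg, uid))


def uninstall(db, app, uid):
    """Run the quoted DELETE and return the number of rows it removed."""
    return db.execute(REMOVE_APP, (app, uid)).rowcount


def remaining(db):
    return [row[0] for row in db.execute("SELECT app_name FROM app_pkg_view")]


def checked_uninstall(db, app, uid):
    """Hypothetical hardened variant: a delete that matched nothing is an error."""
    removed = uninstall(db, app, uid)
    if removed == 0:
        raise LookupError(f"no entry for app {app!r} with uid {uid!r}")
    return removed


def demo():
    db = open_db()
    install(db, "appid", "pkgid", 1000)      # uid as logged by appInstall()
    wildcard = uninstall(db, "appid", "*")   # uid as logged by appUninstall()
    left = remaining(db)                     # the entry is still present
    exact = uninstall(db, "appid", 1000)     # same uid as at install time
    return wildcard, left, exact, remaining(db)


if __name__ == "__main__":
    print(demo())
```

Checking the affected-row count after the delete is what turns a stale entry like this into a visible failure at uninstall time.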
