Tizen, with which AGL shares most of its security model, has released a new version, 4.0. Having a look at the corrections and improvements made, in particular in the security framework, is valuable.
Samsung's vision for Tizen 4 is mainly the following (see 1, 2, 3):
So the security model of Tizen 4 is mainly unchanged.
After reviewing the content, packages and differences (see below) between Tizen and AGL, here are our observations.
There is no evolution of the security model of Tizen between version 3 and version 4. However, Tizen is a live project, and even if the model did not change, the implementation evolved: bug fixes, enhanced coverage and tuning of functionalities. Consequently, this work checks the differences between the current states of Tizen and AGL.
AGL implements the same security model as Tizen. But the application framework differs. Consequently, the set of rules applied to the security model differs at some points without changing the model.
One big difference is that AGL leverages systemd as the launcher of applications. Without this mechanism, Tizen needs many services that systemd otherwise provides: a launcher, an NSS library for setting "initgroups" depending on privileges, and a mounting/namespace service. This difference makes parts of security-manager useless.
Another difference is the use by AGL of the "binder". The integration of this "binder" component is, after review, beneficial. At least two reasons lead to that conclusion: the binder integrates cynara checks and provides a connection and transport framework.
These differences mean that using Tizen's components inside AGL can be difficult. But this is not always the case: Tizen's sources include the integration of OP-TEE, the open source trusted execution environment within ARM's TrustZone, which implements secure key storage. This can probably be used directly.
Upgrade the Tizen components in use: dbus, security-manager, cynara.
Use Smack's "onlycap" to restrict the use of CAP_MAC_ADMIN. The definition of the security basis in platform/core/security/default-ac-domains includes the definition of the onlycap values. This has to be done for AGL. platform/core/security/default-ac-domains also defines some new Smack labels; these new labels are not currently needed by AGL.
Integrate network enforcement (possibly with platform/core/security/nether). The package platform/core/security/nether uses netlink + netfilter to filter network accesses depending on cynara rules. It can probably be used with little adaptation because it does not depend on Tizen's libraries except cynara.
Document and manage permissions (see platform/core/security/privilege-checker). The AGL permissions have to be explained. In the end, the user will not go into the details, but the possibility of showing the details is a legal obligation in some cases. This is a database of knowledge and translations. The procedure is to be defined. Extraction of Tizen's database is possible.
Add a watchdog for applications using the binder (checks the binder's aliveness). It will be very simple, with sd_event_set_watchdog, to add to the binder the ability to send watchdog events to systemd (if systemd requires it). It will allow detecting event loop errors in the binder, which were a common root cause of issues.
Integration of TrustZone or TPM key management (see whether Linux keyctl can transparently provide it).
Fault handling, crash report and system report (see platform/core/system/crash-worker and platform/core/system/faultd, but also look at coredumpctl of the systemd framework). Fault handling means recovery in case of errors. Obviously to be improved everywhere!
Factory reset (see platform/core/system/factory-reset). This is more a platform feature than a framework feature. However, ensuring that factory reset does what it is intended to do is a security topic (computer forensics).
Encryption of user data or storage (LUKS). This is a requested feature to sell cars to people who want to ensure the privacy of their data. This is already enforced by the security framework. The issue here is to protect data against super users.
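The watchdog recommendation above relies on the notification exchange that sd_event_set_watchdog automates between a service and systemd. The following is an added example, not the binder's code: it simulates both sides of that exchange in-process (a constructed socket path stands in for NOTIFY_SOCKET) so that the "alive" and "stalled event loop" outcomes can be observed offline.

```python
# Added example (not the binder's or systemd's code): the notification exchange
# that sd_event_set_watchdog() automates, simulated in-process.
# With WatchdogSec= in a unit, systemd exports WATCHDOG_USEC and NOTIFY_SOCKET
# to the service; a service whose event loop keeps turning sends "WATCHDOG=1"
# datagrams to that socket at least every WATCHDOG_USEC/2, and systemd kills
# the service (SIGABRT by default) when no datagram arrives within the timeout.
import os
import select
import socket
import tempfile


def make_notify_socket():
    """systemd side: bind the AF_UNIX datagram socket NOTIFY_SOCKET points at."""
    path = os.path.join(tempfile.mkdtemp(), "notify")  # constructed path
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock, path


def watchdog_ping(notify_path):
    """Service side: the datagram sd_event_set_watchdog() sends each half-period."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(b"WATCHDOG=1\n", notify_path)


def watchdog_state(sock, watchdog_usec):
    """systemd side: 'alive' if a WATCHDOG=1 ping arrives within the timeout,
    'stalled' otherwise (a stuck event loop never pings, so it gets killed)."""
    ready, _, _ = select.select([sock], [], [], watchdog_usec / 1e6)
    if not ready:
        return "stalled"
    data = sock.recv(4096)
    fields = dict(ln.split(b"=", 1) for ln in data.split(b"\n") if b"=" in ln)
    return "alive" if fields.get(b"WATCHDOG") == b"1" else "stalled"


def supervise(sock, notify_path, watchdog_usec, loop_ok):
    """One watchdog period: a healthy loop (loop_ok=True) pings, a stuck loop
    does not; returns systemd's verdict for that period."""
    if loop_ok:
        watchdog_ping(notify_path)
    return watchdog_state(sock, watchdog_usec)


if __name__ == "__main__":
    sock, path = make_notify_socket()
    print("healthy loop:", supervise(sock, path, 200000, loop_ok=True))
    print("stuck loop:  ", supervise(sock, path, 200000, loop_ok=False))
    sock.close()
```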
The content of Tizen 4 can be analyzed by looking at the build system of Tizen 5.
This build system shows only the flavours "Base" and "Unified" for Tizen 4 (where Tizen 3 shows "Base", "Common", "IVI", "Mobile", "TV", "Wearable"). This results from an effort to provide Tizen as a common basis for all subsystems (see 1).
The build project 6 leads to the repository 7 that contains the binaries and their metadata.
AGL imports very few components of Tizen: Cynara, Security-manager and DBus with cynara patches.
Not checked for all flavours:
These are old kernels. Currently the EEL version of AGL runs kernel 4.9 for R-CAR.
The AGL version of DBus is stuck at 1.8.18 (2015-05-14) while Tizen upgraded it to version 1.10.6 (2015-12-01).
The current stable upstream version is 1.11.6 (see 8).
The version used by AGL tends to be old because its integration layer, 'meta-intel-iot-security', removed these components. So the upgrading efforts made at the beginning for AGL were no longer possible, and AGL stuck to the old version of 'meta-intel-iot-security' that still included them (see SPEC-511).
This is the annotated list of a selection of Tizen repositories:
The work consisted of reviewing the content of these repositories (about 16K files, 371 MB).
platform/core/csapi/tizenfx - .NET export of the Tizen native API (capi)
platform/core/account/account-common
platform/core/account/account-manager
platform/core/account/account-parser - handle accounts - DBus service but encodes calls to cynara
platform/core/account/fido-asm
platform/core/account/fido-client
platform/core/account/fido-syspopup - FIDO framework
platform/core/account/liboauth2 - OAuth2 facility with embedded EFL webview - TODO: check the redirection
platform/core/account/sync-manager - queueing of jobs (sync or not) - DBus service but encodes calls to cynara
platform/core/api/* - Tizen common native API (capi)
platform/core/convergence/* - Convergence service (see https://wiki.tizen.org/Convergence) - similar to Identity Manager - collaboration of apps across devices through convergence
platform/core/security/askuser - ask the user for permission consent - includes the privacy privilege manager
platform/core/security/audit-trail - a daemon for trailing security audit logs
platform/core/security/auth-fw - manage user passwords
platform/core/security/ca-certificates - root certificates and update scripts
platform/core/security/ca-certificates-tizen - Tizen specific certificates
platform/core/security/cert-svc - manage certificates (wifi, vpn, email, system, disabled)
platform/core/security/device-certificate-manager - certificate management
platform/core/security/cynara - cynara framework
platform/core/security/default-ac-domains - definition of the common basis Smack policy - includes integration of signal/append - includes System::Privileged for the "onlycap" feature - includes User::Shell for sdb (the adb equivalent of Tizen) - here is the basis (one rule per line: subject, object, access):
  System System::Log rwxa
  System System::Privileged rwxat
  System System::Run rwxat
  System System::Shared rwxat
  System User rwxa
  System User::App::Shared rwxat
  System User::Home rwxat
  System User::Shell rwxat
  System _ rwxa
  System ^ rwxa
  System::Privileged System rwxat
  System::Privileged System::Log rwxa
  System::Privileged System::Run rwxat
  System::Privileged System::Shared rwxat
  System::Privileged User rwxa
  System::Privileged User::App::Shared rwxat
  System::Privileged User::Home rwxat
  System::Privileged User::Shell rwxat
  System::Privileged _ rwxa
  System::Privileged ^ rwxa
  User System wx
  User System::Log rwxa
  User System::Privileged wx
  User System::Run rwxat
  User System::Shared rxl
  User User::App::Shared rwxat
  User User::Home rwxat
  User User::Shell rwxat
  User::Shell System wx
  User::Shell System::Log w
  User::Shell System::Run rxl
  User::Shell System::Shared rxl
  User::Shell User wx
  User::Shell User::App::Shared rwxat
  User::Shell User::Home rxl
  _ System wx
  _ System::Privileged wx
  _ System::Run rwxat
  ^ System rwxa
  ^ System::Log rwxa
  ^ System::Privileged rwxa
  ^ System::Run rwxat
platform/core/security/device-policy-client - client library for accessing the device policy manager
platform/core/security/device-policy-manager - the device policy manager
platform/core/security/dpm-application
platform/core/security/dpm-auth
platform/core/security/dpm-bluetooth
platform/core/security/dpm-browser
platform/core/security/dpm-email
platform/core/security/dpm-location
platform/core/security/dpm-media
platform/core/security/dpm-security
platform/core/security/dpm-storage
platform/core/security/dpm-telephony
platform/core/security/dpm-usb
platform/core/security/dpm-wifi
platform/core/security/dpm-zone - same as device-policy-client but split
platform/core/security/drm-service-core-tizen - decryption of apps with licensing data
platform/core/security/hash-signer - tool for signing widgets off-line
platform/core/security/key-manager - key and certificate service, client of the trust zone
platform/core/security/klay - library of general use for C++
platform/core/security/krate
platform/core/security/libkrate - execution of applications in a separate user context (krate) - encrypted file-system per user - client library inside the krate - DRAFT
platform/core/security/libcryptsvc - crypto wrapper above openssl for drm-service-core-tizen
platform/core/security/libwebappenc - service for (de)crypting data per application
platform/core/security/nether - service for enforcing network access (netlink + netfilter)
platform/core/security/nice-lad - DRAFT analysis of audit and logs
platform/core/security/ode
platform/core/security/ode-ui - encryption/decryption of storage
platform/core/security/privacy-guard - client/server for permission management
platform/core/security/privilege-checker - manage privileges (definition and translations database)
platform/core/security/privilege-info - display name and explanation of privileges
platform/core/security/pubkey-pinning - deprecated
platform/core/security/security-config - security settings
platform/core/security/security-manager - database of application/package/user/... - Smack rules template - service for (de)installing apps - service for shared buffers - NSS for initialization of supplementary groups - management of digital licenses
platform/core/security/tef-dummy
platform/core/security/tef-optee_client - trust zone environment client library
platform/core/security/tef-optee_os - trust zone environment for rpi3
platform/core/security/tef-simulator - trust zone environment simulator
platform/core/security/trust-anchor - manage certificates of applications
platform/core/security/trusted - key manager in ARM trust zone
platform/core/security/yaca - yet another crypto API
platform/core/system/argos_watchdog - wrapper above the systemd watchdog
platform/core/system/buxton2 - storage subsystem
platform/core/system/crash-worker - various binaries for dumping system/state/core/stack
platform/core/system/deviced - service for hardware device control - uses device-node
platform/core/system/dlog - logging utility
platform/core/system/dockzen-launcher - docker integration service
platform/core/system/factory-reset - restore factory settings
platform/core/system/faultd - collects faults (audit, systemd, startup) and reacts to them
platform/core/system/feedbackd - vibration feedback
platform/core/system/initrd
platform/core/system/initrd-fota
platform/core/system/initrd-recovery - initial ramdisk
platform/core/system/libdbuspolicy - library for querying dbus policy (and cynara)
platform/core/system/libdevice-node - manage devices
platform/core/system/libstorage - library for storage management
platform/core/system/libsvi - sound and vibration feedback library
platform/core/system/libtota - FOTA with delta files
platform/core/system/libtracker - obscure tracking system for download, media, network, location, sensor, iot
platform/core/system/memps - dump of memory usage
platform/core/system/pass - power aware system service - uses device-node
platform/core/system/peripheral-bus - gpio, i2c, spi, uart, pwm handling
platform/core/system/resourced
platform/core/system/resourced-headless - daemon that manages resources (with headless version)
platform/core/system/sensord - library for accessing sensors
platform/core/system/session-utils - utilities for session control in the user environment
platform/core/system/storaged - daemon for storage management
platform/core/system/tizen-platform-config
platform/core/system/tizen-platform-config-meta - setting of directories
platform/core/system/tlm - Tizen login manager
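To read the default-ac-domains basis above (and the onlycap/label recommendation in the list of actions), it helps to see how Smack combines its built-in label rules with the explicit rule table. The following is an added example, not Tizen's or AGL's code: it evaluates access decisions over a subset of the rules quoted above, applying the kernel's hardcoded rules for "*", "^" and "_" (from Documentation/admin-guide/LSM/Smack.rst) before consulting the explicit table, in the same order the kernel does.

```python
# Added example (not Tizen's or AGL's code): Smack access decisions over a
# subset of the default-ac-domains basis listed on this page.

# Subset of the basis rules quoted above: "subject object access" per line.
DEFAULT_AC_DOMAINS = """
System System::Privileged rwxat
System User rwxa
System _ rwxa
User System wx
User System::Privileged wx
User System::Log rwxa
User::Shell System wx
User::Shell System::Log w
User::Shell User::Home rxl
_ System wx
^ System rwxa
^ System::Privileged rwxa
"""

CHECKED_MODES = set("rwxal")   # 't' (transmute) is inheritance, not an access check


def parse_rules(text):
    """Map (subject, object) -> set of granted mode letters ('-' means none)."""
    rules = {}
    for line in text.strip().splitlines():
        subject, obj, access = line.split()
        rules[(subject, obj)] = set(access) & CHECKED_MODES
    return rules


def smack_access(rules, subject, obj, request):
    """True if every mode letter in `request` is granted to subject on obj."""
    request = set(request)
    if subject == "*":                       # star subject: always denied
        return False
    if obj == "*" or subject == obj:         # star object / same label: allowed
        return True
    if (subject == "^" or obj == "_") and request <= {"r", "x"}:
        return True                          # hat subject / floor object: r, x
    granted = rules.get((subject, obj), set())   # explicit rule required
    if "w" in granted:                       # kernel: MAY_WRITE implies MAY_LOCK
        granted = granted | {"l"}
    return request <= granted


if __name__ == "__main__":
    rules = parse_rules(DEFAULT_AC_DOMAINS)
    print("User can read System?", smack_access(rules, "User", "System", "r"))
    print("User can exec System?", smack_access(rules, "User", "System", "x"))
    print("User::Shell can read System::Log?", smack_access(rules, "User::Shell", "System::Log", "r"))
```

The same evaluation shows why the page treats onlycap and the System::Privileged label together: only subjects with an explicit rwxat rule (or CAP_MAC_OVERRIDE) reach System::Privileged objects, so limiting CAP_MAC_ADMIN to that label keeps the rule table itself out of reach of User and User::Shell.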