Tizen which whom AGL share most of the the security model has released a new version 4.0. Having a look at the correction and improvement done in particular in the security FW would be valuable.
The vision of Samsung for Tizen 4 is mainly that (see 1, 2, 3):
So the security model of Tizen 4 is mainly unchanged.
After reviewing of content, packages and differences (see below) between Tizen and AGL, here are our observations.
There no evolution in the security model of Tizen between version 3 and version 4. However, Tizen is an alive project and even if the model didn't changed, the implementation evolved: bug fixes, enhanced coverage and tuning of functionalities. Consequently, this work checks differences between actual states of Tizen and AGL.
AGL implements the same security model than Tizen. But the application framework differs. Consequently, the set of rules applied to the security model differs at some points without changing the model.
One big difference is that AGL leverage systemd as launcher of applications. Without this mechanism, Tizen needs many services that are otherwise available with systemd: a launcher, a nss library for "initgroups" setting depending on privileges, a mounting/namespace service. This difference makes parts of security-manager useless.
An other difference, is the use by AGL of the "binder". The integration of this "binder" component is, after review, beneficial. At least 2 reasons lead to that good conclusion: the binder integrates cynara checks and provides connection and transport framework.
These differences make that using Tizen's component inside AGL can be difficult. But this is not always the case: Tizen's sources include integration of OPTEE, the open source trusted execution environment within the TrustZone of ARM, that implements key secure key storage. This probably can be used directly.
Upgrade Tizen's components used: dbus, security-manager, cynara.
Use Smack's "onlycap" to restrict CAP_MAC_ADMIN uses. The definition of security basis in platform/core/security/default-ac-domains includes the definition of onlycap values. This has to be done for AGL. Also, platform/core/security/default-ac-domains defines some new Smack labels. These new labels are not actually needed by AGL.
Integrate network enforcement (possibly with platform/core/security/nether). The package platform/core/security/nether uses netlink + netfilter to filter network accesses depending on cynara rules. It can probably be used with little adaptation because it doesn't depend on Tizen's libraries except cynara.
Document and manage permissions (see platform/core/security/privilege-checker). The AGL permissions have to be explained. At the end, the user will not enter in details but the possibility to show details is a legal obligation in some cases. This is a database of knowledge and translation. Procedure to be defined. Extraction possible of Tizen's database.
Add watchdog for applications using the binder (checks the binder aliveness). It will be very simple, with sd_event_set_watchdog, to add to the binder the ability to send watchdog events to systemd -if systemd requires it-. It will allow to detect event loop errors in the binder, that was a common root cause of issues.
Integration of TrustZone or TPM key management (see whether linux keyctl can transparently provide it)
Fault handling, Crash report and system report (see platform/core/system/crash-worker and platform/core/system/faultd but also look at coredumpctl of systemd framework). Fault handling means recovery in case of errors. Obviously to improve everywhere!
Factory reset (see platform/core/system/factory-reset). This is more a platform feature than a framework feature. However, ensuring that factory reset does what is intended to do is a security topic (computer forensics).
Encryption of user data or storage (LUKS). This is a requested feature to sell cars to people that wants to ensure privacy of their data. This is already enforced by the security framework. The issue here is to protect data against super users.
The content of Tizen 4 can be analyzed by looking in the build system of Tizen 5.
This build system shows only the flavours "Base" and "Unified" Tizen 4 (where Tizen 3 shows "Base", "Common", "IVI", "Mobile", "TV", "Wearable"). This results from an effort to provide Tizen as a common basis for all subsystems (see 1).
The build project 6 leads to the repository 7 that contains the binaries and their metadata.
AGL imports very few components of Tizen: Cynara, Security-manager and DBus with cynara patches.
Not checked for all flavour:
This is are old kernel. Actually EEL version of AGL runs the kernel 4.9 for R-CAR.
The AGL version of DBUS is sticked on 1.8.18 (2015-05-14) while Tizen upgraded it to the version 1.10.6 (2015-12-01)
The current stable upstream version is 1.11.6 (see 8)
The version used by AGL tends to be old because their integration layer, 'meta-intel-iot-security', removed these components. So upgrading efforts made at the beginning for AGL was no more possible and AGL stuck to oldest version of 'meta-intel-iot-security' that included it (See SPEC-511).
This is the annotated list of a selection repositories of Tizen:
The work consisted to review the content of these repositories (about 16K files, 371M bytes).
platform/core/csapi/tizenfx
- dot.net export of Tizen native API (capi)
platform/core/account/account-common
platform/core/account/account-manager
platform/core/account/account-parser
- handle accounts
- DBus service but encode calls to cynara
platform/core/account/fido-asm
platform/core/account/fido-client
platform/core/account/fido-syspopup
- fido framework
platform/core/account/liboauth2
- OAuth2 facility with embedded EFL webview
- TODO: check the redirection
platform/core/account/sync-manager
- queueing of jobs (sync or not)
- DBus service but encode calls to cynara
platform/core/api/*
- Tizen common native API (capi)
platform/core/convergence/*
- Convergence service (see https://wiki.tizen.org/Convergence)
- Similar to Identity Manager
- collaboration of apps across devices through convergence
platform/core/security/askuser
- ask user for permission consent
- include the privacy privilege manager
platform/core/security/audit-trail
- a daemon which is for trailing security logs of auditing
platform/core/security/auth-fw
- manage user passwords
platform/core/security/ca-certificates
- root certificates and update scripts
platform/core/security/ca-certificates-tizen
- Tizen specific certificates
platform/core/security/cert-svc
- Manage certificates (wifi, vpn, email, system, disabled)
platform/core/security/device-certificate-manager
- certificate management
platform/core/security/cynara
- cynara framework
platform/core/security/default-ac-domains
- definition of the common basis smack policy
- include integration of signal/append
- include System::Privileged for "onlycap" features
- include User::Shell for sdb (the adb equivalent of Tizen)
- here is the basis
System System::Log rwxa
System System::Privileged rwxat
System System::Run rwxat
System System::Shared rwxat
System User rwxa
System User::App::Shared rwxat
System User::Home rwxat
System User::Shell rwxat
System _ rwxa
System ^ rwxa
System::Privileged System rwxat
System::Privileged System::Log rwxa
System::Privileged System::Run rwxat
System::Privileged System::Shared rwxat
System::Privileged User rwxa
System::Privileged User::App::Shared rwxat
System::Privileged User::Home rwxat
System::Privileged User::Shell rwxat
System::Privileged _ rwxa
System::Privileged ^ rwxa
User System wx
User System::Log rwxa
User System::Privileged wx
User System::Run rwxat
User System::Shared rxl
User User::App::Shared rwxat
User User::Home rwxat
User User::Shell rwxat
User::Shell System wx
User::Shell System::Log w
User::Shell System::Run rxl
User::Shell System::Shared rxl
User::Shell User wx
User::Shell User::App::Shared rwxat
User::Shell User::Home rxl
_ System wx
_ System::Privileged wx
_ System::Run rwxat
^ System rwxa
^ System::Log rwxa
^ System::Privileged rwxa
^ System::Run rwxat
platform/core/security/device-policy-client
- client library for accessing the device policy manager
platform/core/security/device-policy-manager
- the device policy manager
platform/core/security/dpm-application
platform/core/security/dpm-auth
platform/core/security/dpm-bluetooth
platform/core/security/dpm-browser
platform/core/security/dpm-email
platform/core/security/dpm-location
platform/core/security/dpm-media
platform/core/security/dpm-security
platform/core/security/dpm-storage
platform/core/security/dpm-telephony
platform/core/security/dpm-usb
platform/core/security/dpm-wifi
platform/core/security/dpm-zone
- same as device-policy-client but splitted
platform/core/security/drm-service-core-tizen
- decrypt of apps with licensing data
platform/core/security/hash-signer
- tool for signing widgets off-line
platform/core/security/key-manager
- key and cert service client of trust zone
platform/core/security/klay
- library of general use for C++
platform/core/security/krate
platform/core/security/libkrate
- execution of application in separate user context (krate)
- encrypted file-system per user
- client library inside the krate
- DRAFT
platform/core/security/libcryptsvc
- crypt wrapper above openssl for drm-service-core-tizen
platform/core/security/libwebappenc
- service for (de)crypt data per application
platform/core/security/nether
- service for enforcing network (netlink + netfilter)
platform/core/security/nice-lad
- DRAFT analysis of audit and logs
platform/core/security/ode
platform/core/security/ode-ui
- encryption/decryption of storage
platform/core/security/privacy-guard
- client/server for permission management
platform/core/security/privilege-checker
- manage privileges (definition and translations database)
platform/core/security/privilege-info
- display name and explanation of privileges
platform/core/security/pubkey-pinning
- deprecated
platform/core/security/security-config
- setting of security
platform/core/security/security-manager
- database of application/package/user/...
- smack rules template
- service for (de)installing app
- service for shared buffers
- nss for initialization of supplementary groups
- manage of digital license
platform/core/security/tef-dummy
platform/core/security/tef-optee_client
- trust zone environment client library
platform/core/security/tef-optee_os
- trust zone environment for rpi3
platform/core/security/tef-simulator
- trust zone environment simulator
platform/core/security/trust-anchor
- manage certificates of applications
platform/core/security/trusted
- key manager in ARM trust zone
platform/core/security/yaca
- yet another crypto api
platform/core/system/argos_watchdog
- wrapper above systemd watchdog
platform/core/system/buxton2
- storage subsystem
platform/core/system/crash-worker
- various binaries for dumping system/state/core/stack
platform/core/system/deviced
- service for hardware device control
- use device-node
platform/core/system/dlog
- logging utility
platform/core/system/dockzen-launcher
- docker integration service
platform/core/system/factory-reset
- restore factory settings
platform/core/system/faultd
- collect faults (audit, systemd, startup) and react to it
platform/core/system/feedbackd
- vibration feedback
platform/core/system/initrd
platform/core/system/initrd-fota
platform/core/system/initrd-recovery
- initial ramdisk
platform/core/system/libdbuspolicy
- library for querying dbus policy (and cynara)
platform/core/system/libdevice-node
- manage device
platform/core/system/libstorage
- library for storage management
platform/core/system/libsvi
- sound and vibration feedback library
platform/core/system/libtota
- FOTA with delta files
platform/core/system/libtracker
- obscure tracking system for download, media, network, location, sensor, iot
platform/core/system/memps
- dump of memory use
platform/core/system/pass
- power aware system service
- use device-node
platform/core/system/peripheral-bus
- gpio, i2c, spi, uart, pwm handling
platform/core/system/resourced
platform/core/system/resourced-headless
- daemon that manages resources (with headless version)
platform/core/system/sensord
- library for accessing sensors
platform/core/system/session-utils
- utilities for session control in user environment
platform/core/system/storaged
- daemon for storage management
platform/core/system/tizen-platform-config
platform/core/system/tizen-platform-config-meta
- setting of directories
platform/core/system/tlm
- Tizen login manager