Home · All Namespaces · All Classes · Grouped Classes · Modules · Functions |
In general programs may access services, which in the context of the SXE, can mean low level graphical display services provided by QWS to high level Application Services. Service access is achieved by sending IPC calls to the Qt Extended system, for example via QCop messages. Application level policy refers to policy which dictates what services a program may and may not access.
In the current implementation of Qt Embedded the IPC calls are in the form of streamed data sent through a Unix Domain Socket (UDS). Currently the entire graphics subsystem is implemented via a system of QWSCommands over this socket, combined with reads/writes to a piece of shared memory.
Because a program requires access to the well known path to the Unix Domain Socket for the QCop system in order to send low-level requests to the Qt Extended windowing system, it is not practical to use MAC file system rules to control access to services.
Control of access to services involves two important steps:
Now the terms program and request require definition.
A downloaded application package may be thought of as containing one program such as a game, or an image manager.
That application may however be made up of a number of binaries, and other files. In some cases a single binary may make up the totality of the package but sometimes the picture is more complex than that.
For example, a game may have a level editor, the main game binary, and a daemon process. While the game itself and the level editor may also be thought of separate applications, both are considered to be part of the same program.
The SXE system applies policy rules to each program component by associating a progId with all the components of that application. The progId has a one to one relationship with the domain the application operates under, therefore all untrusted applications have the same progId while all trusted applications have another.
When a program wants to access functionality available via Qt Extended in general it must use the QWSCommand system, or send a QCop message or otherwise ask for an application service. Generally these accesses can be expressed as a string for example in the case of a QCop message requesting a wait indicator to be displayed: QPE/System/notBusy()
Such an access for a service, and the string representing it, is referred to as a request.
The procedure for authentication and authorization is presented in the following steps:
In the authorization procedure described above it states that the authentication may be done simply if the message transport is trusted.
If the message transport is trusted four assumptions must be fulfilled. The table below lists these assumptions and how, or if, they hold in the Qt Extended Base module.
Assumption | Comments |
---|---|
The transport cannot be intercepted for example, as in a man-in-the-middle attack or traffic-sniffing scenario. | Unix domain socket traffic cannot be sniffed or rewritten on a standard Linux kernel. However, the following can be sniffed/intercepted:
|
The transport end-points cannot be spoofed or subjected to a symlink attack. |
|
The transport is reliable and well-behaved as determined by the platforms kernel and/or network stack |
|
The client program cannot be compromised for example by an LD_PRELOAD attack or by directly accessing the binary image file on disk |
|
Note: Current QCop messaging (which is used for almost all service requests in Qt Extended) uses Unix Domain Sockets.
Summarizing the above table
If the assumptions hold - the kernel and MAC controls can be relied upon to prevent a range of security risks - a simple password-based mechanism can be used at connection setup time to authenticate the connection, or Unix Domain Socket ancillary data can be used.
The second option is more complex than the password method, and carries a portability warning. However if the Unix Domain Sockets rights methods are required for passing file handles that method can be used.
In several scenarios where one or two of these assumptions are not valid the password based mechanism can be simply expanded to HMAC-MD5 message authentication.
Copyright © 2009 Nokia | Trademarks | Qt Extended 4.4.3 |