Symbian
Symbian Developer Library

SYMBIAN OS V9.4

Feedback

[Index] [Previous] [Next]


Symbian OS Changes for Platform Security

This page provides details of the API and functional changes from 7.0s as a result of platform security. Also, see this table of new file locations for Symbian OS v9.0 and beyond.

Note: This page contains references to engineering documents that are available on Symbian OS DevKits, but not on public SDKs.

It includes sections for:

[Top]


Application engines

This section describes the changes that must be made to the Application Engines following the introduction of Platform Security. It describes:


Configuration macros

The Application engines APIs must be configured with these macros:


Agenda model

The APIs that expose the underlying stream stores are no longer supported. You must access the agenda model (Agnmodel) indirectly, through the agenda server. Consequently, the following functions are not supported:

The following functions are new:

The filename of an agenda file must now be a combination of a drive letter and a filename, without a full path; for example: c:agenda. This affects the functions: CAgnEntryModel::OpenL() and CAgnIndexedModel::OpenL().


Contacts model

This section describes the following aspects of the Contacts Model (Cntmodel):

New asynchronous functions for opening a contact database

Two new functions introduced with Platform Security use the new CContactOpenOperation active object class to open a contact database asynchronously:

Use these functions when you expect the database to open slowly, for example, when it has been corrupted.

The client must store the CContactOpenOperation object pointer. The TRequestStatus passed to these functions typically belongs to an active object. When the CContactDatabase::Open() completes or fails, the active object is scheduled to run. If the result is KErrNone, the client can take ownership of the opened database with the function:

CContactDatabase* CContactOpenOperation::TakeDatabase()

The CContactOpenOperation object should then be deleted. If it is deleted before CContactOpenOperation::TakeDatabase() succeeds, the Open() is cancelled. If it is deleted after the Open() has completed, the database is closed.

Working with device backup and restore

Contact databases cannot be written to during device Backup or used during device Restore. At these times most applications are closed on the device by the User Interface framework, but some clients of the Contact Model use system services which continue running during Backup and Restore. On Symbian OS up to v8.0 the correct behaviour of these is to get the database filename and observe backup and restore operations affecting that file.

Getting the contact database name and registering for backup/restore notification uses code like this:

class CXyz {
    ...
    CBaBackupSessionWrapper* iBackup;
    TFilename iDatabaseName;
    ...
    }

CContactDatabase::GetDefaultNameL(iDatabaseName);
iBackup = CBaBackupSessionWrapper::NewL();
iBackup->RegisterFileL(iDatabaseName, *this);

Before a Backup or Restore starts, you must close the CContactDatabase. You can re-open it when the operation is complete. New Backup & Restore behaviour was introduced in Symbian OS v8.1 for the Contact Model, and from v9.0 the CContactDatabase::FindContactFile() function is deprecated and you should use CContactDatabase::GetDefaultNameL() instead. The CContactDatabase can be kept during Backup and Restore, but the following new notifications, (in TContactDbObserverEventType), must be acted upon:


Data caging

This section describes the Platform Security data caging used to secure the Agenda and Contacts data files and any plugins used by them.

Capability Level

Under Platform Security, all executables and DLLs have a capability level, which defines their trustworthiness and prevents malicious or badly implemented binaries from using Symbian-provided servers.

Note: The total capability of a process is equal to that of the sub-component with the lowest capability.

Accessing agenda data files

Agenda data files are created and stored on the secure platform in the agenda server’s private directory, which can be on any drive. Only the agenda server can access these private files. Several APIs are used to create, list and delete files in the private directory.

The user capabilities ReadUserData and WriteUserData are required to add, modify and delete agenda and to-do items.

Accessing contacts data files

The default contacts data file (Contacts.cdb) is managed by the Syslibs DBMS component. On the secure platform, this file is stored in the DBMS server’s private directory, which can be on any drive. Contacts databases cannot be created or stored outside this directory. Several APIs are used to create, list and delete files in the private directory.

The CntModel.ini file contains several settings used by the contacts lock server, such as the drive that holds the default database. On the secure platform, CntModel.ini is stored in the contacts lock server’s private directory on the C: drive.

The user capabilities ReadUserData and WriteUserData are required to add, modify and delete contact items, and to create, modify and delete contact views.

Contact database functions affected by platform security

In the data caged environment most applications cannot determine which contact databases exist. Applications with the All Files capability should not assume specific file locations, as these may change. As with the Agenda Model, database filenames passed to the Contact Model no longer contain pathnames.

This affects the following functions:

Several new functions assist clients:

There already is a corresponding delete function for the default database: void CContactDatabase::DeleteDefaultFileL().

In the non-data-caged environment of Symbian OS v8.1, these functions dealt with full pathnames and the ListDatabasesL() functions search for contact databases in any directory on the device.

Note: Owing to data caging, the behaviour of the void CContactDatabase::GetDefaultNameL(TDes &aDes) function may no longer be what you expect.

The TBool CContactDatabase::FindContactFile(TDes &aFileName) function was removed in Symbian OS v9.0. Known callers should use GetDefaultNameL() instead.

Data files used by the App-Engines subsystem

Description

Component

File Name

Location in un-secured platform

Location in secured platform

Agenda data files

Agnmodel

Any name

Anywhere

C:\Private\10003A5B\ (agenda server’s private directory)

Contact database

Cntmodel

Contacts.cdb

C:\System\Data

C:\Private\100012a5\ (DBMS server’s private directory)

Contact lock server INI file

Cntmodel

Cntmodel.ini

C:\System\Data

C:\Private\10003A73 (contact lock server’s private directory)

Contact model resource file

Cntmodel

Cntmodel.rsc

Z:\System\Data

Z:\Resource\Cntmodel

Sheet engine resource file

Sheng

Sheng.rsc

Z:\System\Apps\Sheet

Z:\Resource\Sheng

Backup and restore

To ensure that they are backed-up, Agenda and Contacts data files have corresponding backup registration files (backup_registration.xml) in their private data areas (which are automatically protected). These registration files contain details of the files to be backed up, and the backup/restore mode that is supported (in this case it is passive mode).

In addition, Contacts uses the new, configurable notification mechanism, involving the Publish & Subscribe API, to handle file access during a Backup/Restore. This ensures that views behave safely, and makes Contacts more robust.

Capabilities granted to DLLs and executables

The following App-Engines DLLs have the Platform Security capability All – TCB:

AGNMODEL.DLL

AGNVERSIT.DLL

CALINTERIMAPI.DLL

CHART.DLL

CNTPHONE.DLL

CNTVCARD.DLL

CNTVIEW.DLL

CNTMODEL.DLL

TXTWORD.CNV

DAMODL.DLL

SHENG.DLL

WPENG.DLL

This means that all files are visible, except those under /sys and /resource, and that extra write access is granted to files under /private. These DLLs have a high capability so that most applications can link to them.

The capabilities for subsystem executables are as follows:

Component

Executable

Capabilities

Rationale

Agnmodel

Agsvexe.exe

Protserv ReadUserData WriteUserData WriteDeviceData

ReadUserData, WriteUserData and WriteDeviceData capabilities are required because the agenda server adds and removes alarms using the alarm server.

Agsvexe.exe statically links to agnmodel.dll; which links to alarmclient.dll. AlarmServer.exe prevents access to clients without ReadUserData, WriteDeviceData and WriteUserData capabilities, so AlarmClient.dll must have these capabilities. Therefore, the agenda server must also have ReadUserData/WriteUserData capabilities.

Cntmodel

Cntsrv.exe

Protserv ReadUserData WriteUserData

ReadUserData and WriteUserData capabilities are required to read and write SIM card entries.

Cntsrv.exe links to cntmodel.dll, which dynamically loads Phbksyncplugin.DLL, which uses RPhoneBookSession. RPhoneBookSession prevents access to clients without ReadUserData and WriteUserData capabilities. Therefore, cntsrv.exe needs these capabilities.

Plugin security

Agnmodel and Cntmodel provide several plugins for modularity and licensee extension. On the secure platform, these plugins have all been migrated to the ECOM framework, which uses a file registry rather than a loading process to scan the file system.

A summary of the status of each plugin is given below:

Component

Plugin Name

Framework type, unsecure platform

API classification

Implementation impacted

Agnmodel

Agenda Observer

Custom

Published All

Licensee, Third party

Agnmodel

Connectivity Filter

Custom

Published Partner

Symbian, Licensee, Third Party

Agnmodel

vCalendar converter (Agnversit)

Custom

Published Partner

Symbian, Licensee

Cntmodel

vCard import/export (Cntvcard)

Custom

Published Partner

Symbian

Cntmodel

Phone parser

Custom

Published Partner

Symbian

Cntmodel

Phonebook Synchronisation (implemented by Telephony/Phbksync)

Custom

Published Partner

Symbian

Cntmodel

Contact view find configuration

ECOM

Published All

Licensee

[Top]


Application framework

The application framework in previous releases supported many types of plugin, including GUI applications, that were implemented as polymorphic DLLs. Under platform security, this simple use of polymorphic DLLs is avoided, as:

Details of changes for particular frameworks are given below:


Application architecture and Uikon

Details of API breaks are:

CEikApplication::OpenAppInfoFileLC; CApaApplication::OpenAppInfoFileL; CApaApplication::OpenAppInfoFileLC; CApaAppInfoFileReader

Users should migrate to RApaLsSession's inquiry APIs.

CApaCommandLine::New; CApaCommandLine::NewL; CApaCommandLine::NewLC; CApaCommandLine::SetFullCommandLine; CApaCommandLine::SetFullCommandLineL; CApaCommandLine::FullCommandLine

The equivalent to the old New[L[C]] functions taking a descriptor parameter (which would previously have been passed the descriptor returned by RProcess::CommandLine or User::CommandLine) is CApaCommandLine::GetCommandLineFromProcessEnvironment(). Similarly, the new equivalent of FullCommandLine (and passing this descriptor into the second parameter of RProcess::Create) is to call CApaCommandLine::SetProcessEnvironmentL().

CApaCommandLine::SetLibraryNameL; CApaCommandLine::LibraryName

Users should instead use the equivalent CApaCommandLine::ExecutableName functions.

CApaScanningControlFinder

Users of this class should migrate to RApaLsSession::GetFilteredApps(TApaAppCapability::EControlPanelItem, TApaAppCapability::EControlPanelItem,...).

CApaScanningAppFinder

Users of this class should migrate to RApaLsSession::GetAllApps or GetFilteredApps or GetEmbeddableApps.

CApaSystemControlList::NewL

The three-parameter overload is obsolete. Use the one-parameter version.

CApaProcess::NewL; CApaProcess::AddNewDocumentL; CApaProcess::TempFilePath; CApaProcess::CApaProcess

Users of the obsolete overloads of NewL, AddNewDocumentL and the obsolete constructor, should migrate to the corresponding non-obsolete overloads. Users of TempFilePath should migrate to RFs::PrivatePath(), etc.

CCoeAppUiBase; CCoeAppUiSimple

Users of these classes should migrate to CCoeAppUi.

CCoeEnv::FileNamesOfAvailableFepsL; CCoeEnv::InstallFepL; CCoeEnv::NameOfInstalledFepL; CCoeEnv::ExecuteFepSettingsDialogL

Users of the file name overloads of InstallFepL and ExecuteFepSettingsDialogL should migrate to the uid-based overloads. Users of FileNamesOfAvailableFepsL and NameOfInstalledFepL should migrate to CCoeEnv::AvailableFepsL and CCoeEnv::FepUid respectively.

EikDll::StartDocL; EikDll::StartExeL; EikDll::StartAppL; EikDll::RunAppInsideThread

Users of StartExeL should migrate to using RProcess directly. Users of StartAppL should migrate to RApaLsSession::StartApp(). Users of StartDocL should migrate to RApaLsSession::StartDocument(). Users of RunAppInsideThread should migrate to EikStart::RunApplication().

EikStart::RunApplication

The overload with the command-line buffer parameter is obsolete (this overload was only ever to be called from the WinsMain of an exedll in WINS/EKA1.)

CEikonEnv::ConstructAppFromCommandLineL

The one-parameter overload is obsolete. TApaApplicationFactory is typically created by passing the address of the function that an app used to export when it was a DLL.

CApaAppInfoFileWriter; CApaProcess::AppFinder; CApaScanningFileRecognizer::SetRecognizersFromListL; CApaScanningFileRecognizer::SetRecognizerL; CApaScanningDataRecognizer::SetRecognizersFromListL; CApaScanningDataRecognizer::SetRecognizersFromList; CApaScanningDataRecognizer::SetRecognizerL; AppInfoFileUtils; CEikonEnv::StartAppL; KAppFileExtension; KAppInfoFileExtension; KSystemControlFileExtension; KApaCaptionFileSuffix; KApparcExtraLengthOfCaptionFileName; KAppDllSearchPath; KAppDllSearchAnyFile; KAppDllSearchString; KUidAppInfoFile; KUidAppInfoFile8; KUidAppInfoFile16; KUidAppInfoFileVersion2; TAifVersion; EAifVersionOriginal; EAifVersionAddsDataType; EAifVersionAddsViewData; EAifVersionAddsFileOwnershipInfo

These functions have been withdrawn without replacement. For further migration information, see "How to" porting guides .

CApaCommandLine::SetReserveLengthL

This function was previously there to enable other leaving functions to be able to be called without leaving. This can no longer be guaranteed.


Converter architecture

A new base class CConverterBase2, derived from CConverterBase, is provided for implementing converters as ECom plugins.

Users of the CCnaConvInfoFileReader class should migrate to using CCnaConvInfoFileReader2.

CCnaConvInfoFileWriter and CCnaConverter are withdrawn without replacement.


Control panel plugins

common\generic\app-framework\Documentation\How to port guide - control panel plug-ins.doc describes how to convert control panel plugins into applications.


FEPs

In the previous scheme, CONE searches for available FEPs and loads or unloads on the basis of their file names. In the secure platform, each FEP is an ECom plugin, and CONE queries ECom to get the system's available FEPs.

ECom resource file

Each FEP should be having a ECom resource file. This file contains the information about the interface UID, implementation UID, etc. Each FEP should be using the ECom interface ID {0x1020233F}. If the FEP does not use this ID in the ECom resource file, that particular FEP will not be loaded by CONE.

#include <RegistryInfo.rh>

RESOURCE REGISTRY_INFO theInfo
  {
  dll_uid = 0x102024D0; // UID3 of the DLL
  interfaces = 
    {
    INTERFACE_INFO
      {
      interface_uid = 0x1020233F; // Same for every FEP
      implementations = 
        {
        IMPLEMENTATION_INFO
          {
          implementation_uid = 0x102024D0;
          version_no = 1;
          display_name = "FEPNAME";
          default_data = "";
          opaque_data = "";
          }
        };
      }
    };
  }

Project file

The .mmp file will need modifying as follows:

Example:

target tfep1plugin.dll
targettype plugin
uid       0x10009D8D 0x102024D0

sourcepath    ..\source
source      TFEP1.CPP TFEP1PlugIn.cpp
systeminclude ..\include \epoc32\include \epoc32\include\techview \epoc32\include\ecom

library     EUSER.LIB EFSRV.LIB ESTOR.LIB GDI.LIB ETEXT.LIB FBSCLI.LIB BITGDI.LIB WS32.LIB FORM.LIB CONE.LIB FEPBASE.LIB BAFL.LIB EIKDLG.LIB EIKCOCTL.LIB EIKCTL.LIB
library     ECOM.LIB

lang      01 10

start resource 102024d0.rss
#ifdef SYMBIAN_SECURE_ECOM
target tfep1plugin.rsc
#endif
END

ECom interface

Previously, FEPs had two exported functions, NewFepL and SynchronouslyExecuteSettingsDialogL. These are moved to a C class CCoeFepPlugIn defined in fepplugin.h:

class CCoeFepPlugIn : public CBase
  {
public:
  inline static CCoeFepPlugIn* NewL(TUid aFepUid);
  virtual ~CCoeFepPlugIn();
public:
  virtual CCoeFep* NewFepL(CCoeEnv& aConeEnvironment, const CCoeFepParameters& aFepParameters) = 0;
  virtual void SynchronouslyExecuteSettingsDialogL(CCoeEnv& aConeEnvironment) = 0;

The function SynchronouslyExecuteSettingsDialogL has been redefined and it no longer takes the argument const TDesC& aFullFileNameOfDll. This function should now be providing implementation for locating, loading and unloading the resource files needed for executing the settings dialog.

Each FEP should now:

For example:

// Standard ECom factory code
const TInt KTstFepPlugInImplementationValue = 0x102024D0;
const TImplementationProxy ImplementationTable[] = 
  {
  IMPLEMENTATION_PROXY_ENTRY(KTstFepPlugInImplementationValue, CTstFepPlugIn::NewL )
  };

EXPORT_C const TImplementationProxy* ImplementationGroupProxy(TInt& aTableCount)
  {
  aTableCount = sizeof(ImplementationTable) / sizeof(TImplementationProxy);
  return ImplementationTable;
  }

// Implement class derived from CCoeFepPlugIn
CTstFepPlugIn* CTstFepPlugIn::NewL()
  { // static
  return new(ELeave) CTstFepPlugIn;
  }

CCoeFep* CTstFepPlugIn::NewFepL(CCoeEnv& aConeEnvironment, const CCoeFepParameters& aFepParameters)
  {
  CTstFep* const fep=new(ELeave) CTstFep(aConeEnvironment);
  CleanupStack::PushL(fep);
  fep->ConstructL(aFepParameters);
  CleanupStack::Pop(fep);
  return fep;
  }

void CTstFepPlugIn::SynchronouslyExecuteSettingsDialogL(CCoeEnv& aConeEnvironment)
  {
  _LIT(KLitResourceFileName,"TFEP1PlugIn.rsc");
  
  TFileName* resourceFileName=new(ELeave) TFileName;
  CleanupStack::PushL(resourceFileName);
  Dll::FileName(*resourceFileName); // Get the drive letter

  TParse* parse=new(ELeave) TParse;
  CleanupStack::PushL(parse);
  User::LeaveIfError(parse->SetNoWild(KLitResourceFileName, &KTestFepResFilePath, resourceFileName));
  resourceFileName->Copy(parse->FullName());
  CleanupStack::PopAndDestroy(parse);
  
  BaflUtils::NearestLanguageFile(aConeEnvironment.FsSession(), *resourceFileName);
  TTstResourceFileId resourceFileId(aConeEnvironment, aConeEnvironment.AddResourceFileL(*resourceFileName)); // object must not be an anonymous temporary passed into CleanupStack::PushL, as its lifetime would be too short
  CleanupStack::PopAndDestroy(resourceFileName);
  CleanupStack::PushL(resourceFileId);
  (new(ELeave) CTstSettingsDialog)->ExecuteLD(R_TFP_SETTINGS_DIALOG);
  CleanupStack::PopAndDestroy(&resourceFileId);
  }

Notifiers

The page How To Port Guide: Notifiers describes how to convert notifiers into ECom plugins.


Recognisers

[Top]


Application services


General

The changes are summarised in section 5 Security, in common\generic\app-services\documentation\App-Services_Architectural_Description.doc.


Help files (hlpmodel)

For information on changes to help files as a result of platform security, see common\generic\app-services\documentation\How to make help files upgradeable on the secure platform.doc


Worldserver

The following functions expose the file system and are not supported:

The location of the read-only world server data file, WLD_DATA.DBZ has changed from either Z:\System\Data\, if in ROM, or C:\System\Localization\ if in RAM, to Z:\Resource\worldserver\ or C:\Resource\worldserver\.

The location of the writable file containing user changes to the world server data file, WLD_DATA.DBW has changed from C:\System\Data\ to a directory private to the World Server.

The writable file containing the user's home city, wldsvr.dat, has also been moved to the World Server's private directory.

[Top]


Base


General Base

The document at cedar\generic\base\documentation\Base_Platform_Security_APIs.zip is a zip file that contains a reference of new APIs in Symbian OS that are directly involved with platform security.

The mechanisms available for configuring platform security properties within Symbian OS are described in cedar\generic\base\documentation\Base_How_To_Configure_Platform_Security_Settings.doc.


User library

Symbian OS changes due to platform security: User library (E32) provides details of the API and functional changes as a result of platform security for the User Library.

The Client/Server framework has a revised API that provides a more securable interface. There is a cook-book type guide to migration from the Version 1 to the Version 2 API setdocument at cedar\generic\base\documentation\Base_How_To_Migrate_To_Client-Server_V2_APIs.doc.

In addition, a policy server framework is provided built on top of this Version 2 API. This is designed to make migration to a secure server framework as easy as possible, and is the recommended framework to use for servers from v9. The framework is described in detail in the API reference for CPolicyServer.


File server

Symbian OS changes due to platform security: File Server (F32) provides details of the API and functional changes to Symbian OS as a result of platform security for the File Server.


Device drivers

Platform security migration for device drivers is described in the "Platform security issues" section of the Device Driver Kit documentation.

[Top]


Bluetooth

The publish and subscribe values defined by the Bluetooth stack were changed to secure the usage of the publish and subscribe framework. For details, see common\generic\bluetooth\latest\documentation\Bluetooth_Release_Note.doc.

[Top]


Comms infrastructure

Note new functionality in this subsystem is configured using the SYMBIAN_NETWORKING_PLATSEC macro.


Communications Database (CommDb)

The communications database, commonly called CommDb, provides system-wide storage for communications-related settings. It holds information about Internet Access Providers (IAPs), Internet Service Providers (ISPs), GPRS, modems, locations, charge-cards, proxies, and WAP settings. Information is held in tables. The tables group together related information items.

Reading data

Your applications need the ReadDeviceData capability to read from the Chargecard table.

You do not need any capabilities to read data from other tables.

Writing data

Your applications need the WriteDeviceData capability to write to the tables.

You need both the WriteDeviceData and NetworkControl capabilities to modify the CommDb schema and to create new CommDb databases.

Database file

The database files (previously \system\data\cdbv3.dat; \system\data\defaultcdbv3.dat) are data caged, and moved to \private\100012A5\dbs_<AccessPolicy-UID>_<filename>.<ext>. Test code that accesses the files will need AllFiles capability.

System Agent properties

The following properties are now published through Publish and Subscribe rather than through the System Agent: KUidCommDbSMSReceiveModeChange; KUidCommDbGPRSAttachModeChange; KUidCommDbModemTsyNameChange; KUidCommDbModemDataAndFaxChange; KUidCommDbModemPhoneServicesAndSMSChange; KUidCommDbGPRSDefaultParamsChange; KUidCommDbModemRecordChange; KUidCommDbProxiesRecordChange.

In the CCommsDatabaseBase class, the protected members iSystemAgentNotifier and iSystemAgent are removed, and iNotifications is changed. This is a BC break. Source code should be changed to not use the data members iSystemAgentNotifier and iSystemAgent and instead use the Publish and Subscribe mechanism.

Migration is described in the Developer Library topic Symbian OS guide\System libraries\Using System Agent\Migrating to Publish And Subscribe.


MBufMgr

Three methods of RMBufChain have become virtual. The change is configured using the SYMBIAN_MBUFMGR_API_V2 macro. This change is not related to platform security, but is to avoid a possible memory leak.

In classes deriving from RMBufChain or RMBufPacketBase, make the following methods virtual: Free(), TrimStart() and TrimEnd().


NIFMAN


Sockets server (ESock)

Transferring sockets

There are new rules regarding the transfer of sockets. RSocket::Transfer() allows the transfer of a socket from one ESOCK session to another.

Cloning connections

There are new rules regarding the cloning of connections. They are similar to the new rules for transferring sockets, described above.

RConnection::Open() creates a new RConnection instance. It can create a completely new connection, or it can create another instance of an existing RConnection connection. This second technique is called "cloning a connection". After the operation has completed, the cloned RConnection instance can be used to manage the same underlying interface as that of the original RConnection instance.

Socket clients miscellaneous

In addition to the transfer of sockets and cloning of connections, the following socket client functions have changed:

Socket server protocol (PRT) modules

Initialisation files

Socket protocol initialisation files, including .esk and .ini files are moved from \system\data\ to the private socket server directory \private\101F7989\ESock\.


Rootserver

Note these change are configured using the SYMBIAN_C32ROOT_API_V2 macro.

[Top]


Connectivity


Connectivity rearchitected

v9.0 introduced a new approach to back-up and restore of phone data. This is described in common\generic\connectivity\documentation\.

Developers of all components that own data files will need to make changes to enable these files to be backed up. The steps are described in How-To Write Backup-aware Software.

Capabilities and data caging for the connectivity components are described in PC_Connectivity_Architectural_Description.doc.


Secure backup engine

The OS component, the secure backup engine, that manages backup/restore operations has an API that can be used by phone developers. This is described in PC_Connectivity_How-To_Use_The_Secure_Backup_Engine.doc.

[Top]


J2ME

The following list is a summary of the changes made to the J2ME subsystem to implement Platform Security:

[Top]


Messaging

Platform security changes impact several different types of user of the messaging APIs:

Messaging changes are configured using the __MESSAGING_API_V2__ macro, except for watcher changes which are configured using the __WATCHER_API_V2__ macro.

Details of migration steps to take are at common\generic\messaging\documentation\Messaging_Platsec_migration.doc. The Architectural Description and Functional Specification documents in the same folder were updated for v9.0.

!!!!! make the above an xref !!!!!

[Top]


Multimedia

The changes for Platform Security are:

For information on capabilities needed for Multimedia see section 5 of common\generic\Multimedia\Documentation\designs\Use_Cases\Multimedia_Architectural_Description.doc

[Top]


Networking


DND initialisation files moved

DND initialisation files are moved from \system\data\ to the private directory \private\10000882\.


Generic agent removed

The generic agent, RGenericAgent, deprecated in v7.0s, is removed. Clients should use RConnection.


Secure sockets class hierarchy changed

CSecureSocket is no longer derived from MSecureSocket, and its virtual functions are now non-virtual. This is to future proof the API for future changes, and is not related to platform security.


Networking protocols and sockets

Capabilities are required to open and use sockets. The capabilities depend upon the protocol: for instance, your applications require one range of capabilities to use a Bluetooth socket and another range to use a TCP/IP socket.

The following sections show the capabilities needed for the various protocols. Unless otherwise stated, no capabilities are needed for functions and options that aren't listed:

Two topics that apply to all protocols, described in Comms infrastructure:

The sockets implementation is described in Using Sockets Server (ESOCK).


TCPIP

These are the capabilities needed for the tcpip6.prt protocol module. See Using TCP/IP (INSOCK) for more information about TCP/IP on Symbian OS.

Method Capabilities

RSocket::Open()

TCP and UDP require NetworkServices.

IP and ICMP require NetworkControl.

RSocket::SetOpt()

See the options below.

RSocket::Ioctl()

Depends upon the I/O control operation.

RSocket::Transfer()

TCP and UDP require NetworkServices. IP and ICMP require NetworkControl.

RHostResolver::Open()

NetworkServices

RHostResolver::SetHostName()

NetworkControl

RConnection::Open()

Different for normal opening and cloning; see Cloning connections below.

RConnection::Start()

NetworkServices

RConnection::Stop()

NetworkControl

RConnection::GetIntSetting()

If reading from CommDb's Chargecard table then you need ReadDeviceData. Otherwise no capabilities are needed.

RConnection::GetBoolSetting()

As for RConnection::GetIntSetting()

RConnection::GetDesSetting()

As for RConnection::GetIntSetting()

RConnection::GetLongDesSetting()

As for RConnection::GetIntSetting()

RConnection::Ioctl()

Depends upon the I/O control operation.

RConnection::Control()

Depends upon control operation.

RConnection::GetOpt()

Depends upon option.

RConnection::SetOpt()

Depends upon option.

RConnection::Attach()

NetworkServices

Calls to RSocket::SetOpt()

The KSolInetIfCtrl option level

These capabilities are needed to set options in the KSolInetIfCtrl option level. Set options by calling RSocket::SetOpt().

No capabilities are needed when reading KSolInetIfCtrl options with RSocket::GetOpt().

Option Capabilities

KSoInetEnumInterfaces

none

KSoInetNextInterface

none

KSoInetConfigInterface

NetworkControl

KSoInetDeleteInterface

NetworkControl

KSoInetChangeInterface

NetworkControl

KSoInetResetInterface

NetworkControl

KSoInetStartInterface

NetworkControl

KSoIpv4LinkLocal

NetworkControl

The KSolInetIfQuery option level

These capabilities are needed to set options in the KSolInetIfQuery option level. Set options by calling RSocket::SetOpt().

No capabilities are needed when reading KSolInetIfQuery options with RSocket::GetOpt().

Option Capabilities

KSoInetIfQueryByDstAddr

NetworkControl

KSoInetIfQueryBySrcAddr

NetworkControl

KSoInetIfQueryByIndex

NetworkControl

KSoInetIfQueryByName

NetworkControl

KSoInetInterfaceInfo

NetworkControl

KSoInetAddressInfo

NetworkControl

KSoInetRouteInfo

NetworkControl

The KSolInetRtCtrl option level

These capabilities are needed to set options in the KSolInetIfQuery option level. Set options by calling RSocket::SetOpt().

No capabilities are needed when reading KSolInetRtCtrl options with RSocket::GetOpt().

Option Capabilities

KSoInetEnumRoutes

none

KSoInetNextRoute

none

KSoInetAddRoute

NetworkControl

KSoInetDeleteRoute

NetworkControl

KSoInetChangeRoute

NetworkControl

Other option levels

No capabilities are needed to get or set options in other options levels. These include KSOLSocket, KSolInetTcp, KSolInetIp and KSolInetUdp.


SMS on GSM/WCDMA networks

These are the capabilities needed for the smsprot.prt protocol module:

Method Capabilities

CSmsProvider::SetLocalName()

NetworkServices, WriteUserData and ReadUserData

CSmsProvider::Write()

WriteUserData

CWapSmsProvider::SetLocalName()

NetworkServices, WriteUserData and ReadUserData

CWapSmsProvider::SetOption()

ReadUserData and WriteUserData

CWapSmsProvider::Write()

NetworkServices and WriteUserData

Calls to RSocket::SetOpt()

These capabilities are needed to make calls to RSocket::SetOpt() when using a SMS socket on GSM/WCDMA networks. All these options are in the KLevelIrlap option level, and they all need the LocalServices and NetworkControl capabilities:


SMS on CDMA networks

These are the capabilities for the cdmasms.prt protocol module. See CDMA SMS for more information.

Calls to RSocket::Ioctl()

These capabilities are needed to make calls to RSocket::Ioctl() when using a CDMA SMS socket; see SMS Stack User Guide for CDMA Networks.

Option Capabilities

KIoctlDeleteSmsMessage

WriteUserData

KIoctlEnumerateSmsMessages

ReadUserData

KIoctlReadMessageSucceeded

ReadUserData

KIoctlReadMessageFailed

ReadUserData

KIoctlSendSmsMessage

WriteUserData & NetworkServices

KIoctlWriteSmsMessage

WriteUserData

KIoctlGetMsgId

NetworkServices

KIoctlGetLastSendError

NetworkServices

Calls to RSocket::Bind()

For ECdmaSmsAddrLocalOperation address family, you need the ReadUserData and WriteUserData capabilties.

For all other address types, you need ReadUserData, WriteUserData and NetworkServices.

RSmsSocketWriteStream

Calls to RSmsSocketWriteStream()'s << operator (stream operation to the socket) require WriteUserData.


WAP over SMS on CDMA networks

These are the capabilities are needed for the cdmawapprot.prt protocol module. See CDMA WDP SMS for more information about the WAP over SMS implementation.

Method Capabilities

RSocket::SetOpt()

ReadUserData and WriteUserData

RSocket::Ioctl()

ReadUserData is needed for KSOGetLength.

RSocket::Bind()

ReadUserData, WriteUserData and NetworkServices

RSocket::SendTo() (stream operation to the socket)

WriteUserData and NetworkServices


Bluetooth

These are the capabilities needed for the bt.prt protocol module. See Bluetooth for more information about Symbian's Bluetooth implementation.

Method Capabilities

RSocket::Open()

LocalServices.

RSocket::SetOpt()

LocalServices and NetworkControl are needed to set the EBBBeginRaw option in the KSolBtLMProxyoption level.

RSocket::Ioctl()

LocalServices and NetworkControl are needed for KHCIWaitForVendorSpecificDebugEventIoctl and KHCIWriteVendorSpecificFrameIoctl.

RSocket::Transfer()

LocalServices

RSocket::Shutdown()

LocalServices and NetworkControl

RHostResolver::Open()

LocalServices


Infrared

These are the capabilities needed for the irda.prt protocol module. See Infrared for more information about Symbian's infrared implementation.

Method Capabilities

RSocket::Open()

LocalServices

RSocket::SetOpt()

See the options below.

RSocket::Ioctl()

LocalService and NetworkControl are needed for the KExclusiveModeIoctl, KIrlapResetRequestIoctl and KIrlapDisconnectRequestIoctl.

RSocket::Transfer()

LocalServices

RHostResolver::Open()

LocalServices

RNetDatabase::Open()

LocalServices

Calls to RSocket::Ioctl()

These capabilities are needed to set options with RSocket::Ioctl() when using an infrared socket:

Option Capabilities

KIoctlDeleteSmsMessage

WriteUserData

KIoctlEnumerateSmsMessages

ReadUserData

KIoctlReadMessageSucceeded

ReadUserData

KIoctlReadMessageFailed

ReadUserData

KIoctlSendSmsMessage

WriteUserData & NetworkServices

KIoctlWriteSmsMessage

WriteUserData

KIoctlGetMsgId

NetworkServices

KIoctlGetLastSendError

NetworkServices

[Top]


Security

The Security subsystem components that have been updated, replaced, or redesigned for Platform Security include the Content Access Framework (CAF), Certificate Management, Software Installation, and SIS/package file formats.

The following subsections outline the new published functionality.


Content Access Framework

  1. Addition of a new pure virtual function in CAgentFactory.

    Licensees need to implement virtual CAgentConsumer* CreateConsumerL(RFile& aFile) or undefine SYMBIAN_SECURITY_CAF_RFILE_HANDLE in the variant.hrh

  2. Changes to CAF to support reading from file handles instead of supplying only a file name.

    • ContentAccess::CContent::NewLC(RFile& aFile) - constructs a new CContent object with an open file handle

    • ContentAccess::CContent::NewL(RFile& aFile) - constructs a new CContent object with an open file handle

    • ContentAccess::CAgentFactory::CreateConsumerL(RFile& aFile) = 0 - factory function that creates a consumer object

    • ContentAccess::CAgentManager::IsRecognizedL(RFile& aFile) = 0 - identifies whether or not the given file handle is to be handled by the agent.


Certificate Management

  1. Additional functions have been added to the certificate store interfaces to allow clients to get and set capabilities associated with certificates and a "mandatory for software install" setting. These additional functions are necessary to support software install for platform security.

    Implementers of these interfaces will have to provide implementations of the new functions. Callers of the MCTWritableCertStore interface will need to recompile their code.

    • virtual void MCertStore::Capabilities(const CCTCertInfo& aCertInfo, TUint& aCapbilitiesOut, RequestStatus& aStatus) = 0

    • virtual void MCertStore::CancelCapabilities() = 0

    • virtual void MCertStore::IsMandatory(const CCTCertInfo& aCertInfo, TBool& aMandatoryOut, RequestStatus& aStatus) = 0

    • virtual void MCertStore::CancelIsMandatory() = 0

  2. The implementation of class TCertificateAppInfo has been moved from certstore.dll to ctframework.dll [Plaform: cedar only, v8.1b and onwards]. This is necessary to support platform security. The TCB software install server makes use of the file tokens client, fstokencli, and this uses the TCertificateAppInfo class. This class is currently implemented in certstore.dll, but this library depends on ecom.dll, which is not trusted for use by TCB. Therefore, it is necessary to move the implementation of this class to a DLL that is trusted.

    The def file for certstore.dll has been refrozen. This is an SC break for clients of the moved EXPORTs - they should link against ctframework. This is a BC break for all clients of certstore.dll - they should recompile.

    • TCertificateAppInfo::TCertificateAppInfo(const TUid& aUid, const TName& aName)

    • TCertificateAppInfo& TCertificateAppInfo::operator = (const TCertificateAppInfo& aClient)

    • TCertificateAppInfo::TCertificateAppInfo()

    • const TUid& TCertificateAppInfo::Id() const

    • const TName& TCertificateAppInfo::Name() const

    • void TCertificateAppInfo::ExternalizeL(RWriteStream& aStream) const

    • void TCertificateAppInfo::InternalizeL(RReadStream& aStream)

  3. The following functions have been removed from CUnifiedKeyStore. These are present in v8.0 and v7.0s and marked deprecated. Callers of the removed functions should change to use their non-deprecated overloads.

    • void CUnifiedKeyStore::ExportKey(TCTTokenObjectHandle aHandle, TDes8& aKey, TRequestStatus& aStatus)

    • void CUnifiedKeyStore::ExportEncryptedKey(TCTTokenObjectHandle aHandle, HBufC8*& aKey, TRequestStatus& aStatus)

    • void CUnifiedKeyStore::ExportEncryptedKey(TCTTokenObjectHandle aHandle), TDes8& aKey, TRequestStatus& aStatus)

    • void CUnifiedKeyStore::ImportKey(TInt aKeyStoreIndex, const TDesC8& aKeyData, TBool aIsEncrypted, TKeyUsagePKCS15 aUsage, TUint aSize, const TDesC& aLabel, CCTKeyInfo::EKeyAlgorithm aAlgorithm, TInt aAccessType, TTime aStartDate, TTime aEndDate, CCTKeyInfo*& aKeyInfoOut, TRequestStatus& aStatus)

  4. Removal of deprecated functions in the certificate store interfaces. These have been present since v7.0 and were deprecated in v8.0. Redundant EXPORTs and virtuals in CUnifiedCertStore have been changed.

    The following deprecated functions have been removed. This is an SC break for clients that implement MCTWritableCertStore - they should update their code to use the other version of the function. This is an SC break for callers of the deprecated version of MCTWritableCertStore::SetApplicability() and CUnifiedCertStore::SetApplicability() - they should update to use the non-deprecated overload. This is a BC break for clients of certstore.dll - they should recompile.

    • virtual void MCTWritableCertStore::SetApplicability(const CCTCertInfo& aCertInfo, RArray* aApplications, TRequestStatus &aStatus) = 0

    • virtual void CUnifiedCertStore::SetApplicability(const CCTCertInfo& aCertInfo, RArray* aApplications, TRequestStatus& aStatus)

    The following virtual functions in CUnifiedCertStore will no longer be EXPORTed (this is uncessesary, as they are virtual). This is a BC break for clients of certstore.dll - they should recompile.

    • virtual void CUnifiedCertStore::List(RMPointerArray& aCertInfos, const CCertAttributeFilter& aFilter, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelList()

    • virtual void CUnifiedCertStore::GetCert(CCTCertInfo*& aCertInfo, const TCTTokenObjectHandle& aHandle, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelGetCert()

    • virtual void CUnifiedCertStore::Applications(const CCTCertInfo& aCertInfo, RArray& aApplications, TRequestStatus &aStatus)

    • virtual void CUnifiedCertStore::CancelApplications()

    • virtual void CUnifiedCertStore::IsApplicable(const CCTCertInfo& aCertInfo, TUid aApplication, TBool& aIsApplicable, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelIsApplicable()

    • virtual void CUnifiedCertStore::Trusted(const CCTCertInfo& aCertInfo, TBool& aTrusted, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelTrusted()

    • virtual void CUnifiedCertStore::Retrieve(const CCTCertInfo& aCertInfo, TDes8& aEncodedCert, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelRetrieve()

    The following EXPORTed functions in CUnifedCertStore will no longer be declared as virtual (this is uncessary, as they are EXPORTed). This is a BC break for clients of certstore.dll - they should recompile.

    • virtual void CUnifiedCertStore::Remove(const CCTCertInfo& aCertInfo, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelRemove()

    • virtual void CUnifiedCertStore::SetApplicability(const CCTCertInfo& aCertInfo, RArray* aApplications, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelSetApplicability()

    • virtual void CUnifiedCertStore::SetTrust(const CCTCertInfo& aCertInfo, TBool aTrusted, TRequestStatus& aStatus)

    • virtual void CUnifiedCertStore::CancelSetTrust()

  5. The keystore APIs have been changed to allow the policy for key use and key management operations to be specified in terms of capability, secure id and vendor id.

    The first release of the key store restricted key use with a scheme of key owners and key users. This was the best approach at the time, given that platform security was not available. Now this has arrived there have been new requirements raised to police the keystore APIs in terms of capability, secure id and vendor id.

    The following API-items have been removed/replaced. This is an SC break for callers of the removed functions. They must update their code to call the new APIs.

    • inline TUid CKeyInfoBase::Owner()

    • const inline const RArray& CKeyInfoBase::Users()

    • const CKeyInfoBase::CKeyInfoBase(TKeyIdentifier aID, TKeyUsagePKCS15 aUsage, TUint aSize, HBufC* aLabel, TInt aHandle, TUid aOwner, const RArray& aUsers, EKeyAlgorithm aAlgorithm, TInt aAccessType, TBool aNative, TTime aStartDate, TTime aEndDate, HBufC8* aPKCS8AttributeSet)

    • static CCTKeyInfo* CCTKeyInfo::NewL(TKeyIdentifier aID, TKeyUsagePKCS15 aUsage, TUint aSize, MCTAuthenticationObject* aProtector, HBufC* aLabel, MCTToken& aToken, TInt aHandle, TUid aOwner, const RArray& aUsers, EKeyAlgorithm aAlgorithm, TInt aAccessType, TBool aNative, TTime aStartDate, TTime aEndDate, HBufC8* aPKCS8AttributeSet = NULL)

    • TCTKeyAttributeFilter::iOwner

    • const TUid KAnyUsableKey

    • const TUid KAnyKeyIncludingUnusable

    • virtual void MCTKeystoreManager::SetUsers(TCTTokenObjectHandle aHandle, const RArray aUsers, TRequestStatus& aStatus) = 0

    • virtual void MCTKeystoreManager::CancelSetUsers() = 0

    • void CUnifiedKeyStore::SetUsers(TCTTokenObjectHandle aHandle, const RArray aUsers, TRequestStatus& aStatus) = 0

    • void CUnifiedKeyStore::CancelSetUsers() = 0

  6. Use of CPtrCArray class in x509 module has been replaced with RArray, removing the dependency on bafl. This is to support platform security - bafl is not trusted with the TCB capability, but x509 is used by TCB software install.

    Callers of the following functions should change their code to make use of the new return type, RArray.

    • CX509RFC822NameSubtree::Rep()

    • CX509DNSNameSubtree::Rep()

  7. Other additional functions:

    • CX509CertPolicyInfo::NewL(RReadStream& aStream) - creates a new CX509CertPolicyInfo object from a stream

    • CX509CertPolicyInfo::NewLC(RReadStream& aStream) - creates a new CX509CertPolicyInfo object from a stream

    • CX509CertPolicyInfo::ExternalizeL(RWriteStream& aStream) - Externalises a CX509CertPolicyInfo object to a write stream

    • CX509CertPolicyInfo::InternalizeL(RReadStream& aStream) - Internalises a CX509CertPolicyInfo object to a read stream

    • CX509RFC822NameSubtree::Rep() - gets a reference to the array of pointer descriptors representing the subdomains of the RFC 822 email address.


Crypto Token Framework

The def files for ctframework and certstore have been refrozen. This is a BC break for clients of ctframework.dll and certstore.dll - they should recompile.

The implementation of class TCertificateAppInfo has been moved from certstore.dll to ctframework.dll [Plaform: cedar only, v8.1b and onwards] (see Certificate Management above).


Software Installation

  1. Interface has been changed from internal to published to allow installation of Java MIDlets in v9.x. The following classes are published and MIDlet installation is now achieved through these interfaces.

    • CJavaInstaller

    • CJavaRemover

    • MJavaInstallerUI

    • MJavaRemoverUI

    • MJarDownloaderUI

    The security/appinst component has been deprecated.

  2. Includes install and uninstall functionality.

    • Swi::Launcher::Install(MUiHandler& aUiHandler, > RFile& aFileHandle, const CInstallPrefs& aInstallPrefs) - starts software installation with package data provided by means of IPC

    • Swi::Launcher::Uninstall(MUiHandler& aUiHandler, > const CSisRegistryPackage& aPackage) - uninstalls a specific package

    • Swi::TSignatureValidationResult.EMandatorySignatureMissing - a Software Install signature validation result: a signature resolving to one of the mandatory certificates cannot be found

    • Swi::TErrorDialog.EUiMissingBasePackage - Software Install error dialog type for SISX files: a base package missing when installing an augmentation or a partial upgrade

    • MInstallerUiHandler::DisplayMissingDependencyL( const CAppInfo& aAppInfo, const TDesC& aDependencyName, TVersion aWantedVersionFrom, TVersion aWantedVersionTo, TVersion aInstalledVersion) = 0 - informs the user of a missing dependency needed to install the current package.

SIS and package files

SIS and package files have both changed, as described below:

8.X to 9.X SIS file changes

The SIS file format has significantly changed:

Package (.pkg) file enhancements

There are three new directives and some new package-type options. The new directives are specified with the .pkg characters '%', ':' and '=':

For example:

; This is a comment
; Specify the languages - as previously supported
&EN,FR

; List of localised vendor names - one per language. At least one must be provided  (English [EN]). 
; List must correspond to list of languages specified elsewhere in the .pkg
%{"Vendor-EN", "Vendor-FR"}

; The non-localised, globally unique vendor name (mandatory)
:"Symbian Software Ltd"

; Optional Logofile - display logofile of given type mimetype; if targetname is supplied, 
; install file to that location
; <logofile>,<mimetype>[,<targetname>]
="file\mylogo.jpg","image/jpeg","\public\logos\mylogo.jpg"

Three new package types (as specified in the package header) exist. Two of these apply to read-only (RO) media, and one to standard SIS-based applications.

Pre-installed package types

Applications can be delivered in a pre-installed form on media cards. The application is delivered outside a SIS file, so the SIS file itself just needs to contain metadata describing the application. SWI uses this data to validate an application that it hasn't seen before. The OS loader will not load an application from removable media unless SWI has validated it.

Two package types are use to identify these packages: either

Developers therefore generate SIS information with these special types when creating packages designed for end-user deployment on read-only media.

These types should not be used when creating standard SIS archives for deployment over the web, from a PC, etc. Similarly, pre-installed SIS controller information should not be compressed.

Partial upgrade package type

Existing types SA, and SP continue to be supported, but are joined by a new package type: PU.

PU now exists for situations where a partial upgrade is intended. It incorporates default (SA) behaviour, but also indicates to the software installer that the developer is only supplying the new or changed files, and not the whole set. The type means that a large package does not have to be sent again to upgrade, perhaps, just a single file.

Without this type specified, software install assumes that the files that were specified in the original install package, but which are not specified in the new version of the package, are to be removed.

SIS controller files

A SIS controller file is a record file that is designed to exist in ROM. It provides information about the applications or components that are pre-installed on the device and is used, for example, in circumstances where new packages depend on certain OS functionality being present, and it is desirable for installation to fail if certain criteria (e.g. version dependencies) are not met.

A SIS controller file contains only metadata. Such files are usually exported into a controller directory as part of the OS build process. They are built by invoking MakeSIS with the -s option.

There are currently no constraints relating to which package-types are valid in a .pkg file when creating a ROM-based SIS Controller. The SA type is recommended as (a) ROM is not removable in the same way that pre-installed media is and (b) this is consistent with SIS controllers in previous releases.

Installing to private directories

Because of data caging, a package cannot generally install a file into another program's private directory area. To allow for cases where it is desirable to do this, however, a package can install files in or below directories named import in another program's private directory (i.e. \private\<SID>\import\).

Note that the following possible issues concerned with uninstallation:

Example 1:

Example 2:

Note: if App X moves YTheme.dat to a public area of the file system, and App X is uninstalled. YTheme.dat is orphaned.

[Top]


Serial Comms

Applications access serial ports with the serial communications server, commonly called C32. This provides a standard interface for all applications. In turn, the serial communications server uses serial protocol modules (commonly called CSYs) to access serial ports. A CSY may control any number of serial ports. See Serial Comms Overview for more information about this system. See also common\generic\ser-comms\c32\documentation\C32_Design_Document.doc for implementation details.

As an example, a phone could use a CSY to access a USB connection to a PC, and another CSY to send and receive serial data from phone calls. Alternatively, a single CSY may provide multiple ports to read and write from both a PC and phone calls. An application calls RComm::Open() or RComm::OpenWhenAvailable() to choose a CSY and to open a port on that CSY.

Applications need capabilities to open ports. Each port requires different capabilities. When an application asks the serial communications server to open a serial port, the server asks the CSY for the port's required capabilities. The server compares these with the application's capabilities: an application must have all necessary capabilities to use the port. Otherwise the application is returned KErrAccessDenied.

The server calls the CSY's CSerial::PortPlatSecCapability() function to read the capabilities required by a port. The server passes the port as a parameter. This returns a TSecurityPolicy containing the capabilities. The capabilities are normally hard-coded into the CSY, but this is the choice of the CSY implementer.

Additions to the serial comms APIs are configured using the __SECURE_TELEPHONY__ macro. No functions are deprecated.

This process is summarised in the diagram:


What do I need to do?

As a CSY implementer:

Implement CSerial::PortPlatSecCapability() in your CSY. You should choose suitable capabilities for each port and return them in a TSecurityPolicy. Typically, ports should require LocalServices to use personal area networks such as Bluetooth and infra-red. Require NetworkServices for serial ports that stream data to and from phone networks.

When you have chosen capabilities, make sure you inform anyone who needs to know these capabilities. This includes application writers who use your serial ports.

As a serial port user:

You do not need to write any special code for platform security. However, your application must have the necessary capabilities to use each port.

The implementer of the CSY can tell you the capabilities needed for the port. Typically, you will need LocalServices to use personal area networks such as Bluetooth and infra-red, and you will need NetworkServices for serial ports that stream data to and from phone networks. However, this may not apply on your phone.

Alternatively, run your application on the emulator and check the debug output. Look for platform security error messages by searching for the string 'PlatSec'. These messages tell you when function calls fail because the application did not have the necessary capabilities.

[Top]


SyncML

Section 5 of common\generic\SyncML\DataSync\Documentation\Data_Synchronisation_Architectural_Description.doc describes the changes to data synchronisation caused by platform security.

Section 5 of common\generic\SyncML\DevMan\design\documents\Device_Management_Architectural_Description.doc describes the changes to device management caused by platform security.

[Top]


System libraries


Charconv

Charconv plugins must be migrated to the ECom plugin framework. This is described in common\generic\syslibs\charconv\ongoing\group\Charconv_Plugin_Migration_Howto.doc.

!!!! make the above an xref !!!!


Central Repository

Support for specifying access control to repository settings is added to the Central Repository text files used to provision a repository. Access policies:

Repository and range policies are set in a [platsec] section of the file. For example:

[platsec]
# default capabilities for this repository
cap_rd=ReadDeviceData cap_wr = WriteDeviceData

# capabilities defined per range of indexes
0x100 0x200 cap_rd=ReadDeviceData cap_wr=NetworkServices

# or mask
# All zeros in the mask indicate a wild card state to use same semantics as in individual settings
0x0000003 mask=000fffff

This requires clients to have the ReadDeviceData capability to read from the repository, or WriteDeviceData to write to it. However, this default is overridden for settings with identifiers in the range 0x100 to 0x200, which require NetworkServices capability to be written to.

The definitions of individual settings can also specify access policies. If a [platsec] section has been specified, this section must be named [main]. For example:

[main]
6 int 12 0xf cap_rd=NetworkServices
8 real 1.5 1 sid_rd=0x10658945 sid_wr=0x10658945 cap_wr=CommDD,WriteDeviceData

says that the setting 6 requires the NetworkServices capability to be read; while setting 8 requires the client process to have a secure ID of 0x10658945 to read or write, and additionally to have CommDD and WriteDeviceData capabilities for writing.


DBMS

Functions that take the deprecated CSecurityDecryptBase and CSecurityEncryptBase classes as arguments are removed. The affected functions are RDbDatabase::ChangeSecurity(); RDbNamedDatabase::Create(); RDbNamedDatabase::Replace(); RDbNamedDatabase::Open(); RDbStoreDatabase::CreateL(); RDbStoreDatabase::OpenL(). New versions of the same functions that don't use the removed classes are available. The change is configured with the SYMBIAN_REMOVE_TRIVIAL_ENCRYPTION macro.

With this exception, all pre-existing DBMS functionality continues to function as before. However, some additional measures are offered to assist clients wishing to share their databases with other applications in a secure manner. This functionality is described in common\generic\syslibs\documentation\syslibs_functional_specification.doc. It is configured using the SYMBIAN_SECURE_DBMS macro.


ECom

Note for a high level view of ECom, including platform security functionality, see common\generic\syslibs\documentation\syslibs_functional_specification.doc.

Clients:

There is one source compatibility break that requires a change in all clients that create and destroy ECom plugins. Such code is now required to call REComSession::FinalClose() when all implementations that the client has created have been destroyed, and the client is finished using ECom. The function may be called one or more times but only does final cleanup when it detects all plugins have been destroyed. Note that:

Clients should also note that the same security capability rules apply to loading an ECom plugin as loading any other DLL: i.e. the plugin must have equal or greater capabilities than the loading process.

Plugin providers

Changes required for ECom plugin providers all relate to data caging, to relocate binary and ECom registration resource files. ECOM plugin DLLs are now installed in the \sys\bin folder, and the RSC files are installed in the read-only \resource\plugins\ folder where they will be discovered by the ECOM Server.

The build tools have been changed to handle these changes, so developers only need to make small changes to their mmp and (for ROM-based plugins) .iby files:

mmp file:

iby file:

Remove the file= and data= lines that correspond to ECom plugins. For each ECom plugin, add a line as follows:

ECOM_PLUGIN(<filename>.dll,<uid3filename>.rsc)

This macro is conditionally defined so that the correct entries are made for all OS versions.


System agent

The system agent (SA) is withdrawn, and all clients should migrate to using the base Publish and Subscribe (P & S) API. Migration is described in the Developer Library topic Symbian OS guide\System libraries\Using System Agent\Migrating to Publish And Subscribe.


Task scheduler

The task scheduler has changed in the following areas:

[Top]


Telephony

Additions to the telephony APIs are configured using the __SECURE_TELEPHONY__ macro. No functions are deprecated.

Applications will need certain capabilities to call telephony functions. Read the list of capabilities below. It may be obvious which capabilities your application needs.

Read the list of capabilities below. It may be obvious which capabilities your application needs. If not, you can run your application on the emulator and check the debug output. Look for platform security error messages by searching for the string 'PlatSec'. These messages tell you when function calls fail because the application did not have the necessary capabilities.

TSY implementers will need to read the platform security section of common\generic\telephony\documentation\How_to_write_a_TSY.doc.

Capabilities needed to use Telephony APIs

The following capabilities are needed by some Telephony APIs:

NetworkService

Grants access to the network/operator services. An application with this capability can dial numbers, send messages etc.

ReadUserData

Grants read access to user data. An application with this capability can read the user data stored on the phone/ICC, such as phonebook entries or SMS messages.

WriteUserData

Grants write access to user data. An application with this capability can write the user data stored on the phone/ICC, such as phonebook entries or SMS messages.

ReadDeviceData

Grants read access to sensitive system data. An application with this capability can read the settings stored on the phone/ICC (such as obtaining the service provider name from the ICC) or the network (such as interrogating the status of the supplementary services).

WriteDeviceData

Grants write access to phone settings. An application with this capability can write the settings stored on the phone/ICC (such as setting lock settings) or the network (such as setting the password for supplementary services).

NetworkControl

Grants access to read or write to network protocol controls. Any requests that are too sensitive to be granted the above capabilities require this capability.

Telephony APIs that need capabilities

Some functions in the following classes need one or more of capabilities. See the description of individual functions for to find out the exact capabilities needed:

ETel telephony server

RTelServer RPhone RLine RCall RFax

ETelMM mobile telephony services

RMobileCall RMobileConferenceCall RMobileSmsMessaging RMobileBroadcastMessaging RMobileUssdMessaging RMobilePhone RMobilePhoneStore RMobileONStore RMobileNamStore RMobilePhoneBookStore CAsyncRetrieveVariableLengthBuffer CAsyncRetrievePhoneList CRetrieveMobilePhoneDetectedNetworks CRetrieveMobilePhoneCFList CRetrieveMobilePhoneCBList CRetrieveMobilePhoneCWList CRetrieveMobilePhoneCcbsList CRetrieveMobilePhoneSmspList CRetrieveMobilePhoneBroadcastIdList CRetrieveMobilePhoneNamList CRetrieveMobilePhonePreferredNetworks

ETelPckt packet-switched telephony services

RPacketContext RPacketService RPacketQoS

ETelSat SIM application toolkit services

RSat

PhBkSync phone book synchroniser

RPhoneBookSession

Fax

CFaxTransfer

ETelISV simple telephony API for third parties

CTelephony

ETelCDMA telephony for CDMA networks

RCdmaMobilePhone CRetrieveMobilePhonePreferredLanguages RCdmaMobilePhone RCdmaMobileCall

[Top]


Tools


Emulator and ROM building settings

There are a number of settings relating to platform security that can be configured when building a ROM or running the Emulator:

The settings mechanism is described in cedar\generic\base\documentation\Base_How_To_Configure_Platform_Security_Settings.doc.


MMP files

Many projects will require updates to their mmp files in order to build. The changes include the new keywords capability and vendorid. See cedar\generic\base\documentation\Base_How_To_Configure_Platform_Security_Settings.doc.

Many types of project, including GUI applications, will need to alter their targettype and change from using resource and systemresource to using start resource. For details, see the documents listed under Application framework.


Test tools

The Capability Management tools are available for anyone involved in assigning or managing capabilities for Symbian OS ROM images and applications.