Mandatory Access Control

We decided to put the MAC protection on the platform part despite the fact that it applies to the kernel too, since its use will be mainly at the platform level (except floor part).

Mandatory Access Control (MAC) is a protection provided by the Linux kernel that requires a Linux Security Module (LSM). AGL uses an LSM called Simplified Mandatory Access Control Kernel (SMACK). This protection involves attaching SMACK labels to files as extended attributes, together with a policy that defines the behaviour of each label.

The kernel's access control is based on these labels and this policy. If there is no rule, no access is granted; as a consequence, what is not explicitly authorized is forbidden.

There are two types of SMACK labels:

  • Execution SMACK (Attached to the process): Defines how files are accessed and created by that process.
  • File Access SMACK (Written to the extended attribute of the file): Defines which process can access the file.

By default a process executes with its File Access SMACK label unless an Execution SMACK label is defined.

AGL's SMACK scheme is based on that of Tizen 3 (Q2/2015). It divides the system into the following domains:

  • Floor.
  • System.
  • Applications, Services and User.

See AGL security framework review and Smack White Paper for more information.


Floor

The floor domain includes the base system services and any associated data and libraries. This data remains unchanged at runtime. Writing to floor files or directories is allowed only in development mode or during software installation or upgrade.

The following table details the floor domain:

| Label | Name | Execution SMACK | File Access SMACK |
|---|---|---|---|
| - | Floor | r-x for all | Only kernel and internal kernel threads. |
| ^ | Hat | --- for all | rx on all domains. |
| * | Star | rwx for all | None |

  • The Hat label is only for privileged system services (currently only systemd-journal). It is useful for backup or virus scans. No file with this label should exist except in the debug log.

  • The Star label is used for device files or /tmp. Access restriction is managed via DAC. Individual files remain protected by their SMACK label.

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-Floor-1 | ^ | Only for privileged system services. |
| Kernel-MAC-Floor-2 | * | Used for device files or /tmp; access restriction via DAC. |

System

The system domain includes a reduced set of core system services of the OS and any associated data. This data may change at runtime.

The following table details the system domain:

| Label | Name | Execution SMACK | File Access SMACK |
|---|---|---|---|
| System | System | None | Privileged processes |
| System::Run | Run | rwxatl for User and System label | None |
| System::Shared | Shared | rwxatl for System domain; r-x for User label | None |
| System::Log | Log | rwa for System label; xa for User label | None |
| System::Sub | SubSystem | Subsystem config files | SubSystem only |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | System | Processes should write only to files with the transmute attribute. |
| Kernel-MAC-System-2 | System::Run | Files are created with the directory label from the User and System domains (transmute). Lock is implicit with w. |
| Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from the System domain (transmute). The User domain has the lock privilege. |
| Kernel-MAC-System-4 | System::Log | Some limitations may require adding w to enable append. |
| Kernel-MAC-System-5 | System::Sub | Isolation of risky subsystems. |

Applications, Services and User

The application, services and user domain includes code that provides services to the system and user, as well as any associated data. All code running on this domain is under Cynara control.

The following table details the application, services and user domain:

| Label | Name | Execution SMACK | File Access SMACK |
|---|---|---|---|
| User::Pkg::$AppID | AppID | rwx for files created by the App; rx for files installed by AppFw | $App runtime executing $App |
| User::Home | Home | rwx-t from System label; r-x-l from App | None |
| User::App-Shared | Shared | rwxat from System and User domains; label of $User | None |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | User::Pkg::$AppID | Only one label is allowed per App. A data directory is created by the AppFw in rwx mode. |
| Kernel-MAC-System-2 | User::Home | AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present, with label app-data; access is User::App-Shared without transmute. |
| Kernel-MAC-System-3 | User::App-Shared | Shared space between all Apps running for a given user. |
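The following block is an added example, not code from AGL or the kernel: a small offline simulator of the SMACK decision rules, so that the "no rule means no access" behaviour described at the top of this page and the transmute behaviour in the System and User recommendation tables can be checked without a SMACK-enabled kernel. Rules are written in the same "subject object access" syntax that AGL keeps under /etc/smack/accesses.d and that the kernel accepts on /sys/fs/smackfs/load2. The rule set below is constructed from the tables on this page; the exact AGL policy, the application label User::Pkg::app1, and the "-" placeholders inside the access field are assumptions. The floor label is written as the kernel spells it (`_`), whereas the Floor table above shows it as "-".

```python
"""Added example: offline simulator of SMACK access decisions (not AGL code).

Re-implements the fixed decision order of the Smack LSM plus rule lookup so a
policy in /etc/smack/accesses.d syntax can be evaluated on any machine.
"""

# Access letters accepted in a rule: r w x a(ppend) t(ransmute) l(ock) b(ringup)
ACCESS_LETTERS = frozenset("rwxatlb")

# Kernel spellings of the predefined labels (the page's Floor table writes "-")
FLOOR, HAT, STAR = "_", "^", "*"

# Constructed policy in accesses.d / smackfs "load2" syntax, derived from the
# tables on this page (assumption: AGL's real rule set differs in detail).
# A "-" in the access field is a placeholder meaning "not granted".
SAMPLE_RULES = """
# System domain
System            System::Run      rwxatl
User              System::Run      rwxatl
System            System::Shared   rwxatl
User              System::Shared   r-x--l
System            System::Log      rwa---
User              System::Log      -x-a--
# User domain: System may write/transmute into User::Home, an app may read it
System            User::Home       rwx-t-
User::Pkg::app1   User::Home       r-x--l
"""


def parse_rules(text):
    """Parse rule lines into {(subject, object): frozenset(access letters)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        subject, obj, access = line.split()
        rules[(subject, obj)] = frozenset(c for c in access if c in ACCESS_LETTERS)
    return rules


def check_access(rules, subject, obj, wanted):
    """Decide whether a task labelled `subject` may perform every access in
    `wanted` (e.g. "rw") on an object labelled `obj`.  The fixed checks come
    first, as the kernel applies them; then the loaded rules; and anything
    not explicitly granted is denied."""
    want = frozenset(wanted)
    if subject == STAR:                          # a "*" task is denied everything
        return False
    if obj == STAR:                              # a "*" object is open to everyone
        return True
    if subject == obj:                           # same label: always permitted
        return True
    if obj == FLOOR and want <= {"r", "x"}:      # floor objects: read/exec for all
        return True
    if subject == HAT and want <= {"r", "x"}:    # hat task: read/exec everything
        return True
    return want <= rules.get((subject, obj), frozenset())   # default deny


def label_for_new_file(rules, task_label, dir_label, dir_has_transmute):
    """Label given to a file that `task_label` creates in a directory labelled
    `dir_label`.  If the directory carries the SMACK64TRANSMUTE attribute and
    a rule grants the task 't' on the directory label, the new file takes the
    directory label; otherwise it takes the creating task's label."""
    if not check_access(rules, task_label, dir_label, "w"):
        raise PermissionError(f"{task_label} cannot create files in {dir_label}")
    if dir_has_transmute and check_access(rules, task_label, dir_label, "t"):
        return dir_label
    return task_label


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for subj, obj, acc in [("User", "System::Run", "rw"),
                           ("User", "System::Shared", "w"),
                           ("User", "System::Log", "a"),
                           ("User", "System::Log", "r"),
                           ("^", "System::Log", "r"),
                           ("User::Pkg::app1", "_", "rx"),
                           ("User::Pkg::app1", "System", "r")]:
        verdict = "allow" if check_access(rules, subj, obj, acc) else "deny"
        print(f"{subj:18} -> {obj:16} {acc:3} {verdict}")
    print("file created by System in a transmute User::Home dir:",
          label_for_new_file(rules, "System", "User::Home", True))
```

On a real AGL image the three inputs to this decision live in file extended attributes rather than in Python: `security.SMACK64` holds the File Access label, `security.SMACK64EXEC` the Execution label, and `security.SMACK64TRANSMUTE` (set to TRUE on a directory) the transmute flag used by `label_for_new_file`. The last line of the demo shows why the recommendation tables insist on transmute: a System process writing into a User::Home directory leaves behind a User::Home file, not a System-labelled one that the user's applications could never read.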