Brussels / 30 & 31 January 2016


Tizen 3.0 platform security model

Security framework for constraining applications' privileges

The most important design goal of the Tizen 3.0 security framework is to separate applications from users' private data and from fragile parts of the operating system. Another important aspect is a security policy that is easy to configure. To meet these requirements, we combined the widely known DAC with one of the simplest Linux Security Modules, Smack. The talk will also cover the set of tools used to control access to abstract resources (Cynara) and the tools used to configure all needed policy mechanisms (Security-Manager). Finally, a new module for controlling multi-container virtual environments (Vasum), which is also part of the Tizen 3.0 security framework, will be presented. The described security model is open source, with repositories publicly available both on and GitHub. It is successfully implemented and used on the Tizen 3.0 platform, with increasing interest from other Linux distributions.

The presentation will introduce the design of the security framework created for a Linux-based system, Tizen, in version 3.0. The framework's main goal is to separate third-party applications running in the user's context from the user's private data and from privileged resources (such as devices, sockets and services that provide access to sensitive resources). We have chosen to combine DAC and MAC, for the latter choosing the Linux Security Module Smack, which is easy to configure and easy to understand. Smack is mainly used to protect data that can be mapped to system resources: files, sockets, databases.

Some resources are more abstract, so they need a different kind of protection. Assuming that such resources are provided by privileged services, each service is encouraged to check access permissions through the access control tool provided by the system. During our research we discovered that existing tools did not meet all of our requirements (Polkit proved to be inefficient), so we created our own access control tool, Cynara. Its main purpose is to store the system policy and to provide interfaces for policy changes and permission checks. The policy is keyed on the identifier of the (possibly unprivileged) application, the user in whose context the application is running, and the privilege, an abstract sensitive system resource. To expand the types of supported policies, Cynara supports custom plugins, which can declare any type of policy. As an example we created the AskUser plugin, which produces a policy based on the user's decision, taken through pop-up windows.

The Security Manager service was created for creating and maintaining the system policy. It configures and enforces the system policy through actions taken during application installation and launch: during installation the application declares the privileges it uses, and the corresponding system policy is created to allow such usage. The user is allowed to change the system policy configuration for each application, granting or denying access to each declared privilege, even after the application is installed. Finally, a new module for controlling multi-container virtual environments will be presented. It enables the creation of containers that separate processes and graphical environments.
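A toy model of the install-time and check-time flow the abstract describes: Security Manager writes policy when an application is installed, Cynara answers permission checks keyed on application, user and privilege, and a plugin resolves a custom AskUser-style policy type. This is added illustrative code, not Cynara's or Security Manager's real API; the class and method names, the policy-type strings, and the application id, user and privilege values are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Tuple

# Policy results. ALLOW/DENY are built in; ASK_USER stands for a plugin-declared type.
ALLOW, DENY, ASK_USER = "ALLOW", "DENY", "ASK_USER"
Key = Tuple[str, str, str]  # (application id, user, privilege), as in the abstract


@dataclass
class Cynara:
    """Stores the policy and answers checks; a triple with no entry is denied."""
    policy: Dict[Key, str] = field(default_factory=dict)
    plugins: Dict[str, Callable[[Key], str]] = field(default_factory=dict)

    def set_policy(self, app: str, user: str, privilege: str, result: str) -> None:
        self.policy[(app, user, privilege)] = result

    def check(self, app: str, user: str, privilege: str) -> str:
        key = (app, user, privilege)
        result = self.policy.get(key, DENY)           # default deny
        if result in (ALLOW, DENY):
            return result
        resolver = self.plugins.get(result)           # custom type: ask its plugin
        return resolver(key) if resolver else DENY    # unknown type: fail closed


class SecurityManager:
    """Install-time hook: each privilege declared in the manifest becomes an ALLOW entry."""
    def __init__(self, cynara: Cynara) -> None:
        self.cynara = cynara

    def install(self, app: str, user: str, declared: Iterable[str]) -> None:
        for privilege in declared:
            self.cynara.set_policy(app, user, privilege, ALLOW)

    def user_override(self, app: str, user: str, privilege: str, result: str) -> None:
        self.cynara.set_policy(app, user, privilege, result)  # post-install grant/deny


def demo() -> Dict[str, str]:
    app, user = "org.example.app", "5001"                   # constructed sample values
    loc, cam, contacts = "privilege/location", "privilege/camera", "privilege/contacts"
    cynara = Cynara()
    # AskUser-style plugin; a fixed answer stands in for the user's pop-up decision.
    cynara.plugins[ASK_USER] = lambda key: ALLOW if key[2] == cam else DENY
    sm = SecurityManager(cynara)
    sm.install(app, user, [loc, cam])                        # manifest declares two privileges
    sm.user_override(app, user, loc, DENY)                   # user revokes location later
    sm.user_override(app, user, cam, ASK_USER)               # camera now decided per request
    return {"location": cynara.check(app, user, loc),       # DENY
            "camera": cynara.check(app, user, cam),         # ASK_USER -> plugin -> ALLOW
            "contacts": cynara.check(app, user, contacts)}  # DENY: never declared
```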


Aleksander Zdyb