[Dev] SMACK in Tizen

Vyacheslav Barinov v.barinov at samsung.com
Thu Oct 30 05:25:21 GMT 2014


Philippe Coval <philippe.coval at open.eurogiciel.org> writes:

> On Wed, Oct 29, 2014 at 11:09 AM, Vyacheslav Barinov
> <v.barinov at samsung.com> wrote:
>> Hello,
>> José Bollo <jose.bollo at open.eurogiciel.org> writes:
>>> Le mercredi 29 octobre 2014 à 10:08 +0300, Vyacheslav Barinov a écrit :
>>>> Hello,
>>>>  What is current SMACK state in Tizen:Common builds?
>>> Hi Vyacheslav,
>>> Tizen:Common is a work in progress implementation of the Security model
>>> of tizen 3 described by this wiki page:
>>> https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel
>>>>  I see smack-related packages installed into firmware but there are neither rules in
>>>>  /etc/smack/accesses.d nor security labels on binaries in latest snapshot firmware.
>>> It is not true. What did you inspected? Which image?
>> I've just tested tizen-common_20141028.4_common-x11-2parts-armv7l.tar.gz image from
>> https://download.tizen.org/snapshots/tizen/common/latest/images/arm-x11/common-x11-2parts-armv7l/
> hi,
> What kernel are you using with this rootfs ?  and what device ?
> default one is vexpress but only for QEmu then you need some adapation
> to other boards like renesas one :
> https://dockr.eurogiciel.fr/blogs/embedded/tizen-arm-images-to-renesas/
> But make sure your kernel has SMACK support to support full Tizen security model
> note X11 is not in best shape AFAIK I invite you to check wayland
> image if you can
> And if you use odroid board
> there are some WIP image to be released soon at :
> http://download.tizen.org/snapshots/tizen/common/latest/repos/arm-wayland/

I'm using kernel from kernel-common RPM package and Arndale board as a hardware.
And yes, kernel supports SMACK, I can set labels, I see rules loaded in /sys/fs/smack and so on.

Actually my question was more about organization and rules, than about technical issues: I'm working
now on AArch64 port and trying to reproduce all the functionality from armv7l Tizen. 

I've built a kernel from linaro master branch switching on SMACK there.
Technically it also works (at least in qemu and FastModels, waiting for hardware shipment to test)
but I saw Tizen of version 2 and there was pretty interesting system — every application owned its own
domain and every file in /usr/apps/org.tizen.calculator/, for instance, has been marked with
access="org.tizen.calculator" xattr. And there was a really huge ruleset to manage all interactions
between domains.

Now I see there is a rather simple new security model. Thanks to José Bollo: that domain model
description was the thing I've been looking for.

And the only question left — is there a possibility to get a SMACK access denial in a snapshot
firmware boot? Just for testing purposes.

Best Regards,
Vyacheslav Barinov

More information about the Dev mailing list