[Meego-architecture] [MeeGo-dev] MSSF manifests in RPM
Alexander Bokovoy
ab at samba.org
Mon May 2 07:41:26 PDT 2011
Hi Alberto,
On Mon, May 2, 2011 at 17:12, Alberto Mardegan
<mardy at users.sourceforge.net> wrote:
> (moving thread to meego-architecture)
>
> On 05/02/2011 04:53 PM, Arjan van de Ven wrote:
>>
>> On 5/2/2011 5:39 AM, Alberto Mardegan wrote:
>>>
>>> Hi all,
>>> what is the current state of MSSF manifest files in MeeGo?
>>
>> the current state is that MSSF is not part of, or integrated into,
>> MeeGo... and
>> won't be.
>
> Mmm... but I think we all agree that a security framework is needed. What
> will it be, then?
>
> In your mail from March 7th, you announced that the long-term focus for the
> MeeGo security would be end-user privacy. To me, that also means having the
> means for a process which "owns" some of the user data to establish the
> identity of another process which requests access to the said data. IMHO,
> this is something that MSSF is doing very well in Harmattan, so I hope that
> this possibility will also come to MeeGo.
>
> Without this, you basically cannot give different access rights to
> applications which are coming from a trusted origin (such as the device
> manufacturer or an approved application store) and applications coming from
> the community.
Security policies in many security frameworks are properties of the
platform rather than of the applications themselves. Take, for example, SE
Linux. Applications don't need to request resources explicitly marked;
rather, a correct security policy configuration (confinement) defines
how the system thinks this application should be confined.
In very rare cases the application itself needs to be aware of such
policies. This, for example, is required when an application is knowingly
switching between different contexts and wants to know in which
context it is (though this behaviour is far from being trusted).
In the end, such policy definitions become centralized -- either per
repository as in MSSF and Aegis or per system as with other
approaches. This is largely a system design task rather than an application
developer task.
I would argue that most likely MeeGo will end up using some of the
existing Linux upstream security frameworks -- either SE Linux,
TOMOYO, or SMACK. SMACK is what lies at the core of MSSF. All three
are about policies and the ability to set them by the administrator (and
confine others to limit such activity). In the case of mobile devices "the
administrator" is a more complex entity than just a user, of course, so
you need to deploy some dynamically adoptable infrastructure to it.
It is the infrastructure that is actually missing here.
As an example, here is a 2009 presentation on how the CE Linux consortium
tried to use SMACK for the same purpose in TV environments:
http://www.celinuxforum.org/CelfPubWiki/ELCEurope2009Presentations?action=AttachFile&do=get&target=Buzov-SMACK.pdf
--
/ Alexander Bokovoy
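As an added illustration of the point made above (confinement is decided by a centralized platform policy that the application never requests), here is a small Python evaluator for SMACK-style access rules. It is example code written for this page, not part of MSSF, Aegis, MeeGo or the SMACK kernel module; the labels "Store", "Community", "System" and "UserData" are constructed, and the distinction between a trusted-origin and a community application is simply the label the platform assigns at packaging or repository time.

```python
# Minimal evaluator for SMACK-style access rules. Rule lines follow the SMACK
# "subject object access" format; the labels below are constructed for this
# example and are not taken from any real MeeGo or Harmattan policy.

SMACK_RULES = """
Store     UserData  r
Community UserData  -
System    UserData  rwx
"""

def parse_rules(text):
    """Parse 'subject object access' lines into {(subject, object): set(modes)}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                        # skip blank or malformed lines
        subject, obj, access = parts
        rules[(subject, obj)] = set(access) - {"-"}   # "-" means no access
    return rules

def smack_allowed(rules, subject, obj, mode):
    """Return True if a process labelled `subject` may access an object
    labelled `obj` with `mode` ('r', 'w', 'x', 'a' or 't'), applying SMACK's
    built-in rules first and the explicitly loaded rule table last."""
    if subject == "*":                      # star subject is always denied
        return False
    if subject == obj or obj == "*":        # same label or star object: allowed
        return True
    if obj == "_" and mode in "rx":         # floor object: read/exec for all
        return True
    if subject == "^" and mode in "rx":     # hat subject: read/exec anything
        return True
    return mode in rules.get((subject, obj), set())

def access_matrix(rules, subjects, obj):
    """Show which subject labels may read/write/exec `obj` under the policy."""
    return {s: "".join(m for m in "rwx" if smack_allowed(rules, s, obj, m))
            for s in subjects}

if __name__ == "__main__":
    policy = parse_rules(SMACK_RULES)
    labels = ["Store", "Community", "System", "UserData"]
    # The application code is identical for every label; only the platform's
    # rule table and the label it assigned decide what each one can touch.
    print(access_matrix(policy, labels, "UserData"))
```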