SP Project 4 New SMACK Rules - Tizen Wiki · Linux kernel development Project 0 Tizen porting to...
SP Project 4 New SMACK Rules
Tizen project flow
• Tizen dev. environment build
• Tizen application development
• Tizen security: SMACK
• Tizen platform development
• Linux kernel development
Project 0 Tizen porting to Odroid-U3
Project 1 Tizen web application development
Project 2 Basic SMACK features
Project 3 SMACK security rule modify
Project 4 New SMACK rules
Overview
File in the hole: a file is opened, and after 3 seconds… Bomb!
Overview
Part 1. Tizen platform development • Platform provides the SMACK interface
Part 2. Linux kernel development • Kernel provides the basic SMACK operations
Layers, top to bottom: User, Tizen platform, Linux kernel
Part 1. Tizen Platform Development
Objective
Create a new “vi” command, “smackvi”
$ smackvi File.txt
• Read File.txt like “vi”: clear the console, show the contents of File.txt, input ‘q’ to quit
$ chsmack -a "(@)" File.txt
• Update the smack label of File.txt; “(@)” is a pre-defined label string
$ smackvi File.txt
• Read File.txt like “vi”: smackvi checks whether the label is “(@)”, counts down… and kills itself
Demo
$ smackvi File.txt
Hints
1. Get into the “smack” directory in the Tizen platform
2. Modify “smack/utils/Makefile.am”
3. vi smack/utils/smackvi.c
   • Your own source code
   • Refer to the other utils such as chsmack.c and smackctl.c
4. GBS build and transmit the generated rpm files to the Odroid
   • Review the “How to port, Project 1” section
5. Install the rpm files
   • ~/GBS-ROOT/local/repos/tizen2.2/armv7l/RPMS
   • These are the rpm files you have compiled
   • “sdb push” and install smack-…armv7l.rpm
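The following is an added example, not the smackvi.c of the course nor any of the Tizen smack utilities: a minimal C program in the spirit of smackvi that reads a file's Smack label from the security.SMACK64 extended attribute (the attribute that chsmack -a writes), validates it against the label syntax the kernel's smk_parse_smack() accepts (1 to 255 printable non-space ASCII characters, none of / " \ ', not starting with '-'), and treats the course's pre-defined label “(@)” as the trigger. All function and macro names are my own; the vi-like viewer is reduced to printing the file. It also exposes the limitation that motivates Part 2: this check runs in user space, so any other program can open the same file and simply ignore the label.

```c
/* Added example (not from the Tizen project): a minimal smackvi-style
 * label check. Reads the Smack label of a file from the security.SMACK64
 * extended attribute, validates it, and reports whether it is the course's
 * pre-defined trigger label "(@)". The countdown-and-exit behaviour lives
 * in main() only, so the helper functions can be tested on their own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/xattr.h>

#define SMACK_XATTR   "security.SMACK64"  /* xattr carrying a file's Smack label */
#define SMK_LONGLABEL 256                 /* kernel limit: a label is shorter than 256 bytes */
#define TRIGGER_LABEL "(@)"               /* pre-defined label from the assignment */

/* Returns 1 if s is a syntactically valid Smack label, following the rules
 * the kernel's smk_parse_smack() enforces: 1..255 printable non-space ASCII
 * characters, none of / " \ ', and not starting with '-'. */
int smack_label_valid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n >= SMK_LONGLABEL || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c > '~' || c <= ' ' || c == '/' || c == '"' || c == '\\' || c == '\'')
            return 0;
    }
    return 1;
}

/* Returns 1 only when label is exactly the trigger label. A prefix match
 * such as "(@)x" must not count, so whole strings are compared. */
int label_is_trigger(const char *label)
{
    return smack_label_valid(label) && strcmp(label, TRIGGER_LABEL) == 0;
}

/* Reads the Smack label of path into buf (NUL-terminated).
 * Returns 0 on success, -1 with errno set otherwise (ENODATA when the file
 * carries no label, ENOTSUP when the filesystem has no xattr support). */
int read_smack_label(const char *path, char *buf, size_t buflen)
{
    ssize_t n = getxattr(path, SMACK_XATTR, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    char label[SMK_LONGLABEL];
    char line[512];

    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }

    /* Stand-in for the vi-like viewer: print the file contents. */
    FILE *f = fopen(argv[1], "r");
    if (f == NULL) {
        perror(argv[1]);
        return 1;
    }
    while (fgets(line, sizeof line, f) != NULL)
        fputs(line, stdout);
    fclose(f);

    /* Read the label; refuse to guess if the attribute is absent. */
    if (read_smack_label(argv[1], label, sizeof label) < 0) {
        fprintf(stderr, "%s: no Smack label readable (%s)\n", argv[1], strerror(errno));
        return 1;
    }

    if (label_is_trigger(label)) {
        for (int i = 3; i > 0; i--) {
            printf("%d...\n", i);
            sleep(1);
        }
        kill(getpid(), SIGKILL);   /* the assignment's "kill itself" step */
    }
    return 0;
}
```

Run it as `./smackvi File.txt` after `chsmack -a "(@)" File.txt`. If the file carries no label, getxattr() fails with ENODATA and the program reports that rather than treating the file as unlabelled-and-safe; on a filesystem without xattr support it fails with ENOTSUP.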
Requirement
smackvi.c source code
Part 2. Linux Kernel Development
Objective
Create a new rule that kills the running process
$ chsmack -a "#" File.txt
• Update the smack label of File.txt; “#” is a pre-defined label string
$ vi File.txt
• Open File.txt: you should be able to read the contents, then see the open file disappear after 3 seconds
$ chsmack -a "#" Image.jpg
• Update the smack label of Image.jpg; “#” is a pre-defined label string
Run “File manager” and open Image.jpg (using VU)
• Open Image.jpg: you should be able to see the picture, then see the open image disappear after 3 seconds
Demo
Label “#”
Implementation Overview
• User: opens a file through the file system
• SMACK: checks the label; if the label is “#”, starts a timer
• Timer: waits 3 seconds in the background, then runs the callback
• Signal: the callback kills the process that opened the file with label “#”
Hints
1. Get into the Linux kernel directory
2. Modify do_sys_open() in fs/open.c
   • Find the best spot to place the call to “security_file_permission()”
   • “security_file_permission()” is in “security/security.c”
3. Modify smack_file_permission() in security/smack/smack_lsm.c
   • Luckily, this function is not used by SMACK (it is a dummy function)
   • You should consider how to get a struct inode* from a struct file*
   • smk_of_inode(struct inode*) returns the object (file) label string
   • To set up a timer…
     − Include <linux/timer.h>
     − Declare a global struct timer_list variable
     − setup_timer() connects the timer to its callback function
     − mod_timer() starts the timer in the background; after the given time it executes the callback function
4. Write a callback function in “security/smack/smack_lsm.c”
   • This function will kill the process that opened the file
   • To kill the process…
     − Include <linux/signal.h>
     − Refer to sys_kill() in “kernel/signal.c” (defined with SYSCALL_DEFINE2)
     − Migrate the relevant part to your callback!
5. Compile the kernel and put zImage in the boot partition
   • Refer to the previous project (project 1)