SP Project 4 New SMACK Rules - Tizen Wiki · Linux kernel development Project 0 Tizen porting to...


SP Project 4 New SMACK Rules

Tizen project flow

• Tizen dev. environment build
• Tizen application development
• Tizen security: SMACK
• Tizen platform development
• Linux kernel development

• Project 0: Tizen porting to Odroid-U3
• Project 1: Tizen web application development
• Project 2: Basic SMACK features
• Project 3: SMACK security rule modify
• Project 4: New SMACK rules

Overview

File in the hole

[Figure: a file is opened; after 3 seconds… Bomb!]

Overview

Part 1. Tizen platform development
• Platform provides SMACK interface

Part 2. Linux kernel development
• Kernel provides basic SMACK operations

[Diagram: User, Tizen platform, Linux kernel]

Part 1. Tizen Platform Development

Objective

Create a new “vi” command, “smackvi”

$ smackvi File.txt
• Read File.txt like “vi”
  − Clear console
  − Show contents of File.txt
  − Input ‘q’ to quit

$ chsmack -a "(@)" File.txt
• Update SMACK label of File.txt
  − “(@)” is pre-defined label string

$ smackvi File.txt
• Read File.txt like “vi”
  − smackvi checks if the label is “(@)”
  − Count down…
  − Kill itself

Demo

$ smackvi File.txt

Hints

1. Get into “smack” directory in Tizen platform

2. Modify “smack/utils/Makefile.am”

3. vi smack/utils/smackvi.c
• Your own source code
• Refer to other utils such as chsmack.c, smackctl.c

4. GBS build and transmit generated rpm files to Odroid
• Review “How to port, Project 1” section

5. Install rpm files
• ~/GBS-ROOT/local/repos/tizen2.2/armv7l/RPMS
• The rpm files you have compiled are in this directory
• “sdb push” and install smack-…armv7l.rpm
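The label check and countdown that the Objective slide describes for smackvi, as an added example that is not part of the slides or the course's smackvi.c. It reads the `security.SMACK64` extended attribute directly rather than going through libsmack, and the function names (`normalize_label`, `read_smack_label`, `is_trigger_label`, `must_self_destruct`) are hypothetical.

```c
/* Added example, not the course's smackvi.c: label check via the raw xattr API. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SMACK_XATTR   "security.SMACK64" /* xattr holding a file's SMACK label */
#define TRIGGER_LABEL "(@)"              /* pre-defined label from the slides */

/* xattr values are raw bytes: drop stored trailing NULs, terminate, return length. */
ssize_t normalize_label(char *buf, ssize_t n)
{
    while (n > 0 && buf[n - 1] == '\0')
        n--;
    buf[n] = '\0';
    return n;
}

/* Label length for the file open(path) would reach, or -1 if none or unreadable. */
ssize_t read_smack_label(const char *path, char *out, size_t outsz)
{
    ssize_t n = getxattr(path, SMACK_XATTR, out, outsz - 1);
    return n < 0 ? -1 : normalize_label(out, n);
}

/* Exact match only: "(@)x" or "(@" must not trigger the countdown. */
int is_trigger_label(const char *label, ssize_t len)
{
    return (size_t)len == strlen(TRIGGER_LABEL) &&
           memcmp(label, TRIGGER_LABEL, (size_t)len) == 0;
}

/* Nonzero if the viewer should count down and kill itself after showing path. */
int must_self_destruct(const char *path)
{
    char label[256]; /* SMACK labels are at most 255 bytes */
    ssize_t n = read_smack_label(path, label, sizeof label);
    return n >= 0 && is_trigger_label(label, n);
}

int main(int argc, char **argv)
{
    if (argc != 2 || !must_self_destruct(argv[1]))
        return argc == 2 ? 0 : 2; /* nothing to do: 0, usage error: 2 */
    for (int s = 3; s > 0; s--, sleep(1))
        printf("%d...\n", s);
    return kill(getpid(), SIGKILL); /* "Kill itself", as on the Objective slide */
}
```

An unlabeled file, or a filesystem without extended attributes, makes `getxattr` fail, so the tool behaves like a plain viewer there.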

Requirement

smackvi.c source code

Part 2. Linux Kernel Development

Objective

Create a new rule that kills the running process

$ chsmack -a "#" File.txt
• Update SMACK label of File.txt
  − “#” is pre-defined label string

$ vi File.txt
• Open File.txt
  − You should be able to read the contents
  − See the open file disappear after 3 seconds

$ chsmack -a "#" Image.jpg
• Update SMACK label of Image.jpg
  − “#” is pre-defined label string

Run “File manager” and open Image.jpg (using VU)
• Open Image.jpg
  − You should be able to see the picture
  − See the open image disappear after 3 seconds

Demo

Label “#”

Implementation Overview

• User → File System: Open file
• SMACK: Check label
• If the label is “#” → Timer: Wait 3 sec in the background, then call back
• Signal: Kill the process that opened the file with label “#”

Hints

1. Get into Linux kernel directory

2. Modify do_sys_open() in fs/open.c
• Seek the best spot to place “security_file_permission()”
• “security_file_permission()” is in “security/security.c”

3. Modify smack_file_permission() in security/smack/smack_lsm.c
• Luckily, this function is not used by SMACK (dummy function)
• You should consider how to change struct file* to struct inode*
• smk_of_inode(struct inode*) returns the object (file) label string
• To set up a timer…
  − Include <linux/timer.h>
  − Declare a global struct timer_list variable
  − setup_timer() connects the timer and the callback function
  − mod_timer() runs the timer in the background and, after some time, executes the callback function

4. Create a callback function in “security/smack/smack_lsm.c”
• This function will kill the process that opened the file
• To kill the process…
  − Include <linux/signal.h>
  − Refer to sys_kill() in “kernel/signal.c” (SYSCALL_DEFINE2)
  − Migrate to your callback!

5. Compile kernel and put zImage in boot partition
• Refer to previous project (project 1)