
SXE - Framework Overview

The SXE implementation logically categorizes every application into one of two domains, or profiles: trusted or untrusted. Trusted applications have no restrictions enforced upon them, and all applications pre-installed on the Qtopia image are considered trusted. Untrusted applications are limited to the capabilities outlined in SXE - Aims and Limitations.

Downloaded applications can be either trusted or untrusted; however, the packagemanager would generally be configured to install only untrusted packages, which are subject to the sandbox conditions. Downloading trusted packages is usually done for development purposes only.

Restrictions on an application's capabilities and privileges are enforced through two sets of rules:

  1. The operating-system level MAC rules (which can be divided into file system and capability rules)
  2. The application level Qtopia rules.

These are summarized in the table below:

Policy rule set: Mandatory Access Control (MAC) file system rules
  Enforced by: the MAC-enabled Linux kernel
  Items controlled: entities on the file system
  Examples:
    • /dev/ttyS0 (a device),
    • /tmp/qt-embedded-0 (a Unix domain socket) or
    • /etc/passwd (a plain file)

Policy rule set: Mandatory Access Control (MAC) capability rules
  Enforced by: the MAC-enabled Linux kernel
  Items controlled: system capabilities
  Examples:
    • CAP_NET_RAW - write raw socket data,
    • CAP_SYS_ADMIN - a range of actions, including forging the PID on a Unix domain socket

Policy rule set: Application rule-sets
  Enforced by: the Qtopia Safe Execution Environment system
  Items controlled: requests for service
  Examples:
    • QCop messages: transmit SMS, dial number
    • sound server and other applications

The function of the MAC-enabled Linux kernel is to prevent processes from accessing some parts of the system, for example:

The MAC rule-set can, if needed, allow such access under read-only provisions or deny access altogether. The MAC can also prevent certain system calls via kernel capabilities, such as CAP_SYS_ADMIN and CAP_SYS_RAWIO.

The SXE employs a sandbox MAC rule set that inverts the usual policy of "allow, unless specifically denied" into "deny, unless specifically allowed". The sandboxing provided by the MAC kernel patches and their rule set gives broad, low-level protection against system-level risks from flawed or malicious programs attempting to access system resources: for example, alteration of data or password files, harvesting of user information, and installation of root-kits are prevented.

At the application level, SXE acts like a firewall, preventing programs from making unauthorized use of sensitive system services. Requests received by the Qtopia phone server are first checked to see whether the originating program has been awarded a security domain that permits sending such messages.

During the package download process, the user is presented with a confirmation dialog containing an easily understood description of the domain under which the package will operate. If the user approves, Qtopia's package installation facility is responsible for applying the appropriate rules to the package.

If an application violates policy, for example by making a service request or opening a file that it is not allowed to, that access is denied. The security monitor process, SxeMonitor, then terminates the application and notifies the user.
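The following is an added example, not Qtopia's own code, modelling the two points made above: the deny-unless-specifically-allowed MAC policy with its read-only provision (and the trusted/untrusted split from the start of the page), and the monitor's response to a violation. The domain names ("trusted", "untrusted"), the rule entries, the "qcop:dial" style resource strings and the class names SxePolicy/SxeMonitor are all constructed for illustration; the real SXE rule syntax and the real SxeMonitor interface are not shown here.

```cpp
// Added example, not Qtopia's own code: a small model of the SXE policy
// described above. Domain names, rule entries and request strings are
// constructed for illustration; the real SXE rule syntax is not shown.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// What a domain may do with a controlled item (file, device, socket,
// kernel capability or service request).
enum class Access { ReadOnly, ReadWrite };

struct Request {
    std::string domain;    // security domain of the originating program
    std::string resource;  // e.g. "/etc/passwd", "CAP_SYS_ADMIN", "qcop:dial"
    bool write;            // write / send / exercise (true) or read (false)
};

class SxePolicy {
public:
    // Trusted domains get no restrictions at all.
    void trust(const std::string& domain) { trusted_.insert(domain); }

    // Untrusted domains get only what a rule explicitly allows.
    void allow(const std::string& domain, const std::string& resource, Access a) {
        rules_[domain][resource] = a;
    }

    // Default deny: anything not covered by trust() or allow() is refused.
    bool isAllowed(const Request& r) const {
        if (trusted_.count(r.domain)) return true;
        auto d = rules_.find(r.domain);
        if (d == rules_.end()) return false;        // unknown domain: deny
        auto it = d->second.find(r.resource);
        if (it == d->second.end()) return false;    // no rule for the item: deny
        if (it->second == Access::ReadWrite) return true;
        return !r.write;                            // read-only provision
    }

private:
    std::set<std::string> trusted_;
    std::map<std::string, std::map<std::string, Access>> rules_;
};

// Record of what the monitor did about a violation.
struct Violation {
    std::string domain;
    std::string resource;
    bool terminated;    // the offending program was terminated
    bool userNotified;  // and the user was told why
};

// Models the monitor: a disallowed request is refused, the program is
// terminated and the user notified. Termination is recorded, not performed.
class SxeMonitor {
public:
    explicit SxeMonitor(const SxePolicy& p) : policy_(p) {}

    bool handle(const Request& r) {
        if (policy_.isAllowed(r)) return true;
        violations_.push_back({r.domain, r.resource, true, true});
        return false;
    }
    const std::vector<Violation>& violations() const { return violations_; }

private:
    const SxePolicy& policy_;
    std::vector<Violation> violations_;
};

// Constructed sample policy: pre-installed programs are trusted; a downloaded
// package in the hypothetical "untrusted" domain may read /etc/passwd but not
// write it, may use the Qtopia socket, and gets no capabilities and no
// QCop phone services.
SxePolicy samplePolicy() {
    SxePolicy p;
    p.trust("trusted");
    p.allow("untrusted", "/etc/passwd", Access::ReadOnly);
    p.allow("untrusted", "/tmp/qt-embedded-0", Access::ReadWrite);
    return p;
}

int main() {
    SxePolicy policy = samplePolicy();
    SxeMonitor monitor(policy);
    const Request samples[] = {
        {"untrusted", "/etc/passwd", false},
        {"untrusted", "/etc/passwd", true},
        {"untrusted", "CAP_SYS_ADMIN", true},
        {"untrusted", "qcop:dial", true},
        {"trusted", "qcop:dial", true},
    };
    for (const Request& r : samples) {
        std::cout << r.domain << ' ' << (r.write ? "write " : "read ") << r.resource << ": "
                  << (monitor.handle(r) ? "allowed" : "denied, program terminated") << '\n';
    }
    return 0;
}
```

The point to notice is the shape of isAllowed(): there is no "deny" rule anywhere, because under a deny-unless-allowed policy the absence of a rule is the denial. A read-only rule lets the untrusted domain read /etc/passwd but refuses the write, and a capability or QCop service that no rule mentions is refused outright; the trusted domain bypasses the lookup entirely, matching the page's statement that trusted applications have no restrictions.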


Copyright © 2008 Nokia Trademarks
Qtopia 4.3.3