
SXE - Customizing Domains

The following sections describe the methods to customize policy domains. The intended audience for this section is system integrators.

Introduction

An SXE domain is a keyword, made up of lower case a-z and the underscore character, for example "untrusted". The domain specifies allowed access rights, both of

Modifying application level policy

Application level policy is defined in a file called sxe.profiles. Each domain in it typically has the following format:

    [Domain]
    requests
    ...
    #

The SXE Discovery Mode can be used to determine what requests a particular application makes as it runs. In this mode all requests are allowed and logged, which has a severe impact on performance. To operate qpe in SXE Discovery Mode, ensure Qtopiacore is compiled in debug mode and that the SXE_DISCOVERY_MODE environment variable is exported. All requests are logged in /tmp/qtopia-0/sxe_discovery.log (where 0 is the session). The requests can then be compared with sxe.profiles to see whether the domain lacks requests used by the application.

Alternatively, run the application without SXE discovery mode. If it makes a request that is not in its declared domain, it will breach policy, and the qpe console output and/or security log can be viewed to see what request was needed.

If sxe.profiles needs to be updated, simply add any extra requests to the appropriate domain. Note that the wildcard * may be placed at the end of a request. This is useful where a family of requests sharing the same prefix can be added as one entry.
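The comparison of observed requests against sxe.profiles described above, including the trailing * wildcard, as an added example that is not part of the Qtopia documentation. It assumes the requests have already been extracted from the discovery log as one string each and that lines starting with # carry no request; the request names are constructed.

```python
def parse_profiles(text):
    """Parse sxe.profiles text into {domain: [request entries]}."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines hold no request
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            domains.setdefault(current, [])
        elif current is not None:
            domains[current].append(line)
    return domains

def allowed(request, patterns):
    """True if request equals an entry or matches the prefix of a trailing-'*' entry."""
    return any(request.startswith(p[:-1]) if p.endswith("*") else request == p
               for p in patterns)

def missing_requests(profiles_text, domain, observed):
    """Return observed requests (deduplicated, in order) the domain does not cover."""
    patterns = parse_profiles(profiles_text).get(domain, [])
    seen, missing = set(), []
    for req in observed:
        if req not in seen and not allowed(req, patterns):
            missing.append(req)
        seen.add(req)
    return missing

# Constructed sample data; every request name here is hypothetical.
SAMPLE_PROFILES = """\
[untrusted]
Example/Game/*
Example/Sound/play()
#
[trusted]
Example/*
#
"""
SAMPLE_OBSERVED = ["Example/Game/start()", "Example/Sound/play()",
                   "Example/Net/open()", "Example/Net/open()"]

if __name__ == "__main__":
    for req in missing_requests(SAMPLE_PROFILES, "untrusted", SAMPLE_OBSERVED):
        print("not in domain 'untrusted':", req)
```

Each reported request is a candidate entry for the domain; prefer the exact request over a wildcard unless the whole family under that prefix is meant to be allowed.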

Note: After changing policy, ensure that sxe.profiles in the image directory is up to date. If shadow building, most of the time copying <qtopia-root-dir>/etc/sxe.profiles to <image-dir>/etc/sxe.profiles is sufficient.

Modifying OS Level policy

OS Level policy is defined by scripts in the <qtopia-root-dir>/etc/sxe_domains directory. The script names consist of the domain name preceded by sxe_qtopia, e.g. sxe_qtopia_untrusted. The scripts run the lidsconf utility, which is used to apply a set of MAC rules. See also SXE - System Integration.

Troubleshooting

To troubleshoot SXE problems, try these ideas:

Domains

The SXE operates with the two domains listed below:

| SXE Profile name | Access Controls Effect | Information display | Risk level |
|---|---|---|---|
| untrusted | Restricts application privileges to that of games | requests minimal access privileges on your device | Low |
| trusted | Unlimited access to device filesystem and application level service requests | requests unrestricted access on your device | High |

(You may notice that there is a "qpe domain" in sxe.profiles. The qpe server needs to declare this for historical reasons, so it should not be removed, but for all other intents and purposes it can be ignored.)


Copyright © 2008 Nokia
Qtopia 4.3.3