Safe Execution Environment (SXE) is designed to enable Qtopia to allow downloading, installing and running third party native applications. It provides a level of security that addresses the risk of compromising the operation of the device, or its data, so as to allow such applications to be run with confidence.
Application level policy
A Qtopia program generally requires access to the well-known path of the QWS socket, in order to send low-level requests to the Qtopia windowing system and so display its interface to the user.
However, the same QWS socket also carries QCop requests for telephony and messaging.
Downloaded programs are therefore controlled by application-level policies, which allow some requests, such as those to the windowing system, while disallowing potentially costly ones such as those that place phone calls or access the network.
Application-level policy is implemented via a set of Domains, each associated with a set of request strings. Installed programs are allocated a Program Id, and the sxe.policy file records which Program Ids have which Domains, and thus which requests each program is allowed to issue. A request outside a program's Domains is refused; a program with no entry has no Domains at all.
This prevents an unauthorized program from issuing a request for a web page to be loaded or an SMS to be sent, for example.
The Qtopia programs that ship as part of the Qtopia Phone or PDA editions, such as qtmail or the calendar program, must also be controlled by SXE policy. Otherwise a downloaded program could gain unauthorized access indirectly, by exploiting a trusted Qtopia program into issuing requests on its behalf.
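The following is an added example, not Qtopia's own code, of the Domain and Program Id checking just described together with the plain-English Domain description the package manager shows (see the Safe Execution Package Manager section). The request strings, domain names, descriptions and the "program id followed by domains" policy syntax are all assumptions made for illustration; the real sxe.policy format and request strings are not shown on this page.

```python
# Added example (not Qtopia's own code): a minimal evaluator for SXE-style
# application-level policy, where Domains map to request strings and an
# sxe.policy-like file maps Program Ids to Domains. Request strings, domain
# names, descriptions and the policy file syntax are assumptions.

# Domain -> request strings a member of that domain may send over the QWS socket.
DOMAIN_REQUESTS = {
    "base":      {"QWS/createWindow", "QWS/paint", "QWS/keyEvent"},
    "phonecomm": {"QCop/Telephony::dial", "QCop/Telephony::hangup"},
    "sms":       {"QCop/Messaging::sendSms"},
    "net":       {"QCop/Network::connect"},
}

# Plain-English text a package manager can show for each domain (assumed).
DOMAIN_DESCRIPTIONS = {
    "base":      "display windows and receive input",
    "phonecomm": "make and end phone calls (may cost money)",
    "sms":       "send SMS messages (may cost money)",
    "net":       "open network connections",
}

# Constructed sxe.policy-style content: "<program id> <domain> [<domain> ...]".
SAMPLE_POLICY = """\
# program-id  domains
1 base phonecomm sms      # qtmail-like trusted program
2 base                    # downloaded game: windowing only
3 base net                # downloaded browser-like program
"""


def parse_policy(text):
    """Parse the assumed policy syntax into {program_id: set(domains)}.

    Unknown domain names are rejected rather than silently ignored, so a typo
    in the policy file cannot turn into an accidental grant or denial."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pid = int(fields[0])
        domains = set(fields[1:])
        unknown = domains - set(DOMAIN_REQUESTS)
        if unknown:
            raise ValueError(f"sxe.policy line {lineno}: unknown domain(s) {sorted(unknown)}")
        if pid in policy:
            raise ValueError(f"sxe.policy line {lineno}: duplicate program id {pid}")
        policy[pid] = domains
    return policy


def allowed_requests(policy, program_id):
    """All request strings a program may issue: the union of its domains."""
    requests = set()
    for domain in policy.get(program_id, ()):
        requests |= DOMAIN_REQUESTS[domain]
    return requests


def is_allowed(policy, program_id, request):
    """Decide one request. Deny by default: a program id missing from the
    policy, or a request outside its domains, is refused."""
    return request in allowed_requests(policy, program_id)


def describe_domains(domains):
    """Plain-English summary for the user before installation."""
    return [DOMAIN_DESCRIPTIONS[d] for d in sorted(domains)]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for pid, req in [(1, "QCop/Telephony::dial"), (2, "QCop/Telephony::dial"),
                     (3, "QCop/Network::connect"), (99, "QWS/paint")]:
        print(pid, req, "ALLOW" if is_allowed(policy, pid, req) else "DENY")
    print("program 3 may:", describe_domains(policy[3]))
```

The check is a set membership test, so the whole security argument rests on the policy file being correct and unwritable by the programs it governs; that is exactly why the MAC layer in the next section has to protect sxe.policy itself.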
Mandatory Access Control (MAC) Linux kernel and Rule-sets
Downloaded programs must also be controlled at the file-system level, to prevent them from accessing sensitive system files, such as the sxe.policy file itself. This is achieved for SXE by a Mandatory Access Control (MAC) system.
The MAC system for SXE is LIDS (Linux Intrusion Detection System). The Linux kernel patches required to enable LIDS are available at http://lids.org
MAC policy can prevent a program from accessing the network or the modem device directly. Programs must therefore route such requests via the application policy framework described in the previous section, where they are subject to the Domain checks.
While the SXE system will run without MAC, it requires MAC to provide any guarantee of security: without it the modem, the policy files, and other sensitive system resources are not protected, and a downloaded program could bypass the application-level policy by using them directly.
The MAC system also provides System Hardening by means of the MAC bounding set. The bounding set comprises global MAC rules which apply to all programs, unless specifically excepted. System hardening makes it much more difficult for a flawed or malicious downloaded program to compromise the device.
Refer to the System Integrator's guide and the Qtopia VirtualTargetEnvironment for building the MAC system for a device or platform. The VirtualTargetEnvironment provides a desktop environment for running a MAC-enabled kernel and file-systems, as well as a sample policy setup.
Sand-boxing
Untrusted applications run under a sandbox MAC rule set which inverts the usual policy of allow unless specifically denied into deny unless specifically allowed. A downloaded application can therefore only reach the resources explicitly granted to it; anything not listed, including a resource nobody thought to write a deny rule for, is refused.
Under 2.4 series kernels the LIDS system provides a specific LIDS_SANDBOX rule for this purpose. This feature is to be ported to 2.6 kernels, but in the interim the sandbox is implemented by specifying all the DENY rules manually.
Apart from this, the features described in the previous section apply.
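To make the difference between the two rule-set styles concrete, here is an added example (not LIDS or Qtopia code) that evaluates file-path rules in both modes: the default-allow bounding set from the previous section and the default-deny sandbox described here. The rule notation, the paths, the operation names and the /opt/sandbox and /tmp/qtembedded-0 locations are assumptions chosen for illustration, not lidsconf syntax or real Qtopia paths.

```python
# Added example (not LIDS or Qtopia code): evaluating a file-path rule set in
# the two modes the text contrasts, the default-allow bounding set (global
# hardening rules that apply to every program) and the default-deny sandbox
# that an untrusted application runs under. Rule notation, paths and
# operation names are assumptions for illustration, not lidsconf syntax.

READ, WRITE = "read", "write"

# A rule is (path prefix, operations permitted under it). The most specific
# (longest) matching prefix decides; an empty set means DENY.
# Bounding set: everything permitted except the listed exceptions.
BOUNDING_SET = [
    ("/",                  {READ, WRITE}),  # default: allow
    ("/etc/sxe.policy",    set()),          # policy file: no access
    ("/dev/modem",         set()),          # modem: only via the policy framework
    ("/usr/bin",           {READ}),         # system binaries: read-only
]

# Sandbox: nothing permitted except the listed grants. This is the "deny unless
# specifically allowed" inversion; on a kernel without LIDS_SANDBOX it is what
# writing out the DENY rules by hand has to reproduce.
SANDBOX = [
    ("/",                  set()),          # default: deny
    ("/usr/lib",           {READ}),         # shared libraries the app needs
    ("/opt/sandbox/app",   {READ, WRITE}),  # the app's own install dir (assumed path)
    ("/tmp/qtembedded-0",  {READ, WRITE}),  # QWS socket directory (assumed path)
]


def _covers(prefix, path):
    """True if `path` is `prefix` itself or lies below it (no partial-name matches)."""
    if prefix == "/":
        return path.startswith("/")
    return path == prefix or path.startswith(prefix + "/")


def check(rules, path, op):
    """Return True if `op` on `path` is permitted by `rules` (longest prefix wins).
    A path matched by no rule at all is denied."""
    best = None
    for prefix, perms in rules:
        if _covers(prefix, path) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, perms)
    return best is not None and op in best[1]


def unlisted_resource(path="/dev/ttyS1", op=WRITE):
    """The failure mode the sandbox exists to close: a device nobody wrote a
    DENY rule for. Returns (bounding-set verdict, sandbox verdict)."""
    return check(BOUNDING_SET, path, op), check(SANDBOX, path, op)


if __name__ == "__main__":
    for path, op in [("/etc/sxe.policy", READ), ("/dev/modem", WRITE),
                     ("/usr/bin/qtmail", WRITE), ("/usr/lib/libqt.so", READ),
                     ("/opt/sandbox/app/data", WRITE), ("/dev/ttyS1", WRITE)]:
        print(f"{op:5} {path:24} bounding={check(BOUNDING_SET, path, op)!s:5} "
              f"sandbox={check(SANDBOX, path, op)}")
```

The interesting row is the unlisted device: the bounding set permits a write to /dev/ttyS1 because no rule mentions it, while the sandbox refuses it for the same reason. That asymmetry is why an untrusted program is given the inverted rule set rather than just a longer list of exceptions, and why a hand-written 2.6 sandbox has to start from a deny-everything rule rather than from individual DENY entries.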
Safe Execution Package Manager
The Safe Execution Package Manager provides the features required for downloading and installing Qtopia 4 Safe Execution packages.
It fetches the package list from a remote server via HTTP, then displays package information, in particular a plain-English description of the SXE security Domains the package requests, so the user can judge what the program will be allowed to do before agreeing to install it. Once a package has been selected from the list, the package manager downloads, uncompresses and installs it.