Home · All Classes · Grouped Classes · Annotated · Functions

SXE - Mandatory Access Control

The core of the security framework is implemented by two sets of rules:

The operating-system level MAC rules (which can be divided into file system and capability rules)
The application level Qtopia rules.

These are summarized in the table below:

Policy Rule Set	Enforced by	Items controlled	Examples
Mandatory Access Control (MAC) file system	The MAC enabled Linux kernel	entities on the file system	`/dev/ttyS0` (a device), `/tmp/qt-embedded-0` (a Unix Domain Socket) or `/etc/passwd` (a plain file)
Mandatory Access Control (MAC) capabilities	The MAC enabled Linux kernel	system capabilities	`CAP_NET_RAW` - write raw socket data, `CAP_SYS_ADMIN` - range of actions incl forging the PID on a Unix Domain Socket
Application rule-sets	the Qtopia Safe Execution Environment system	requests for service	`QCop` messages: transmit sms, dial number shared memory, for example, dictionary `QDawg` or `QWS` buffer sound server and other applications

Both rule-sets are maintained by Qtopia's package installation facility. When a package, for example a downloaded game, is installed, a unique program identity is associated with the installed binaries, scripts and other package executables, and the identity is recorded in an installation table.

The program identity is used to index into the above rule-sets to decide what controls to apply.

Trademarks

Qtopia 4.2.5