SXE - Framework Overview

The implementation of the SXE logically categorizes all applications into two domains or profiles: trusted or untrusted. Trusted applications have no restrictions enforced upon them and all applications pre-installed on the Qt Extended image are considered trusted while untrusted applications are limited to those capabilities outlined in the SXE - Aims and Limitations.

Downloaded applications can be either untrusted or trusted however the packagemanager would generally be configured to only install untrusted packages, which are subject to sandbox conditions. Downloading trusted packages are usually for development purposes only.

The restrictions of the capabilities and privileges of an application are enforced through two sets of rules:

1. The operating-system level MAC rules (which can be divided into file system and capability rules)
2. The application level Qt Extended rules.

These are summarized in the table below:

The function of the MAC-enabled Linux kernel is to prevent processes from accessing some parts of the system, for example:

• /dev entries
• binary libraries
• configuration files.

The MAC rule-set can, if needed, allow such access under read-only provisions or deny access altogether. The MAC can also prevent certain system calls via kernel capabilities, such as CAP_SYSADMIN and CAP_RAWIO.

The SXE employs the sandbox MAC rule set which inverts the usual system of allow, unless specifically denied to instead be deny, unless specifically allowed. The sandboxing provided by the MAC kernel patches and its rule-set provides a broad low-level degree of protection against system-level risks from flawed or malicious programs attempting to access system resources. For example, any alteration of data or password files, harvesting of user information, and installation of root-kits is prevented.

At the application level, SXE acts like a firewall to prevent programs making unauthorized access to sensitive system services. Requests received by the phone server are first checked to see if the originating program has the correct security domain awarded to allow the sending of such messages.

During the package download process, the user is presented with a confirmation dialog with an easily understood description of the domain under which the package will operate. If approved, the Qt Extended package installation facility is responsible for applying the appropriate rules to a package.

If an application violates policy such as making a service request or opening a file that it is not allowed to, the application is of course denied that access. The security monitor process known as SxeMonitor then acts to terminate the application and notify the user.