Detailed Description
The SXEPolicyManager class provides a management interface for Qt Extended Safe Execution Environment policies
In order for Qtopia Safe Execution Environment (SXE) programs to function, they must request services and other functionality from other components of Qtopia. However, to provide a level of security for the SXE, requests must only be actioned for those programs which are authorised.
The SXEPolicyManager provides an interface to the Qt Extended system policy files, which record which programs are authorised for which service requests.
In the context of SXE Policy, the term service request is intended to be more general than Qt Extended Services. Policy does cover these services, but it is also designed to work with any type of inter-process communication that may be described by a string name.
In the context of SXE Policy, a program is a number of (at least one) binary executable files, and support files that are installed onto the storage media available to the Qt Extended device. Any binary installed with the program or executing on its behalf is identified by that program's unique Program Identity, a number between 1 and 255 inclusive. Program Identity 0 is reserved for the Qt Extended server.
SXE Policies provide a list of profile names for each Program Identity. Each profile name stands for a list of service request names. Some examples of service request names are:
- openURL(QString url)
- removeEvent(PimEvent)
- mtabChanged()
The profile names are documented in the SXE Documentation, but as an example the openURL(QString) request is in the web profile, the removeEvent(PimEvent) request is in the admin profile, and the mtabChanged() request is in the comm profile.
Profiles serve as a level of indirection to lessen the impact of changes in the service names or structures.
To use the SXEPolicyManager class, first obtain the Program Identity, then call findPolicy() to get a list of the profile names authorized for the program. When deciding whether to action a request, these profile names may be used in application program logic:
    QStringList profs = SXEPolicyManager::getInstance()->findPolicy( progId );
    if ( profs.contains( "web" ))
        processWebRequest();
To find out whether a particular service request name is allowed, call findRequest() to see if a profile authorizes that request.
A program may be authorized under zero, one or more than one profile. A request will generally be only included in one profile, but there is nothing to prevent it being present in more than one.
See also QPackageRegistry.
Member Function Documentation
SXEPolicyManager::~SXEPolicyManager ()
Destroys this SXEPolicyManager.
QStringList SXEPolicyManager::findPolicy ( unsigned char progId )
Given the progId, return a list of the profile names which that program is authorised to access. The information is read from the Qt Extended SXE policy file [qt_prefix]/etc/sxe.policy. A caching algorithm is used to lessen the number of file accesses required for recurring lookups. The cache is checked for freshness against this file's last modification time, as the Qt Extended installer may have changed it since it was last accessed.
Given a request return the profile name containing that request. If the request exists in multiple profiles, this method will return a random profile name which contains that request. If the request is not found, a null string is returned.
If the list prof is non-empty, just those profiles are searched, and a profile name from amongst them returned if the request is found. If the prof list is empty (the default) all profiles are searched.
The meaning of not found (null string return) is defined by the caller. For a secure system not found equals deny.
Note that in the worst case, i.e. no prof is provided and the message's request is not found, this method will first check its internal cache and then scan the entire file on storage before determining the not found result. For this reason the profile lists should be carefully chosen so that common messages do not cause a worst case.
To avoid worst cases two synthetic profiles "allow" and "deny" should be used to white-list and black-list common service requests.
The search order is:
item searched        | conditions
---------------------|----------------------------------------------------------------------
cache                | if in cache AND either prof is empty, OR prof contains the cached result (counting "deny" or "allow" as listed in prof)
prof                 | if non-empty
"deny"               | if exists
"allow"              | if exists
sxe.profile on disk  | always on fall-through
Note that a cache freshness check is not performed since the sxe.profiles file is not altered during run-time.
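The lookup and decision logic described above (findPolicy() profiles, the findRequest() search order with the synthetic "deny" and "allow" profiles, and not-found-equals-deny), as an added stand-alone C++ example that is not Qt Extended code: the profile table, the program-to-profile map, the omission of the cache step, and the rule that "deny" and "allow" take precedence over a program's own profiles are all constructed assumptions, and the on-disk file is replaced by an in-memory table.

```cpp
#include <algorithm>
#include <initializer_list>
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for the parsed sxe.policy: profile name -> service request names.
// The on-disk format is not documented here, so the example starts from the parsed result.
using ProfileTable = std::map<std::string, std::set<std::string>>;
const ProfileTable kProfiles = {
    {"web",   {"openURL(QString)"}},
    {"admin", {"removeEvent(PimEvent)"}},
    {"comm",  {"mtabChanged()"}},
    {"deny",  {"removeEvent(PimEvent)"}},   // synthetic black-list of common requests
    {"allow", {"mtabChanged()"}},           // synthetic white-list of common requests
};

// Constructed stand-in for findPolicy(): Program Identity -> authorised profile names.
const std::map<unsigned char, std::vector<std::string>> kPolicy = {
    {1, {"web", "comm"}},
    {2, {"admin"}},
};

bool profileHas(const ProfileTable& t, const std::string& profile, const std::string& req) {
    auto it = t.find(profile);
    return it != t.end() && it->second.count(req) > 0;
}

// Mirrors the documented search order (cache omitted): the caller's prof list, then "deny",
// then "allow", then fall through to every profile (the full scan). "" means not found.
std::string findRequest(const std::string& req, const std::vector<std::string>& prof,
                        const ProfileTable& t = kProfiles) {
    for (const auto& p : prof) if (profileHas(t, p, req)) return p;
    for (const char* synthetic : {"deny", "allow"}) if (profileHas(t, synthetic, req)) return synthetic;
    for (const auto& kv : t) if (kv.second.count(req) > 0) return kv.first;
    return "";
}

// Policy decision for one program (assumption: synthetic profiles take precedence). "deny" wins,
// "allow" passes, otherwise the request must sit in a profile the program is authorised for.
bool isAllowed(unsigned char progId, const std::string& req, const ProfileTable& t = kProfiles) {
    auto pit = kPolicy.find(progId);
    if (pit == kPolicy.end()) return false;               // unknown program: deny
    if (profileHas(t, "deny", req)) return false;
    if (profileHas(t, "allow", req)) return true;
    std::string prof = findRequest(req, pit->second, t);  // "" (not found) is denied below
    return !prof.empty() && std::find(pit->second.begin(), pit->second.end(), prof) != pit->second.end();
}
```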
SXEPolicyManager * SXEPolicyManager::getInstance () [static]
Return a pointer to this process's SXEPolicyManager instance.
void SXEPolicyManager::policyCheck ( QTransportAuth::Data & d, const QString & req ) [slot]
This slot is for receiving signals from a QTransportAuth object signalling the presence of an incoming message for authentication against policy. The QTransportAuth should already have taken care of confirming the identity of the message originator and the validity of the message transport.
Note that any number of authorisers can connect to this slot. If any one of them sets the permit Status bits to Deny, then the request will be denied regardless of other authorisers. In other words all must either provide Allow status (or leave the status unchanged) for the request to pass.
The QTransportAuth::Data item d is the connection data representing the source of the req.
void SXEPolicyManager::resetDateCheck () [slot]
Receive a time-out signal to reset the checkDate flag. This flag prevents the date check mechanism from DoS'ing the out-of-date code.