Usage

Within an application, we can qualify our files according to several types:

default: no specific type, use default
conf: config files
data: data files
exec: executable files
http: http files
icon: icon file
id: basename app directory
lib: libraries files
plug: plugin files
public: public files

Moreover an application can have particular rights, for example for a CAN socket creation.

The first thing to do is to send all this information to the sec-lsm-manager so it can proceed with the installation.

Library

To start using the library, we will create an handler for information:

#include <sec-lsm-manager.h>
sec_lsm_manager_t *sec_lsm_manager = NULL;
sec_lsm_manager_create(&sec_lsm_manager, NULL);

Install

We need to define an id to identify our application:

sec_lsm_manager_set_id(sec_lsm_manager, "demo-app");

An id can only be composed of alpha numeric character, ‘-‘ and ‘_’. It must also be composed of at least two characters.

We will then qualify the different files of our application:

sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/", "id");

sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/bin/", "exec");
sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/bin/launcher.sh", "exec");

sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/data/", "data");
sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/data/db.sqlite", "data");
sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/data/info.json", "data");

sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/etc/", "conf");
sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/etc/file1.conf", "conf");
sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/etc/file2.config", "conf");

sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/www/", "http");
sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/www/index.html", "http");
sec_lsm_manager_add_path(sec_lsm_manager, "/opt/demo-app/www/style.css", "http");

A path must be composed of at least two characters.

You can then add permissions:

sec_lsm_manager_add_permission(sec_lsm_manager, "urn:AGL::partner:create-can-socket");

A permission must be composed of at least two characters.

For more information about permissions: Permissions

And finally we can install our application security context:

sec_lsm_manager_install(sec_lsm_manager);

Uninstall

To uninstall the application security context, you must define its id and the installed paths:

sec_lsm_manager_set_id(sec_lsm_manager, "demo-app");
sec_lsm_manager_add_path(....)...
sec_lsm_manager_uninstall(sec_lsm_manager);

Permissions will be automatically removed by just knowing the id.

Additional

It is possible to display the status of a handler with the display function:

sec_lsm_manager_display(sec_lsm_manager);

⚠️ If an error occurs, a flag is raised and it is impossible to continue without using the clear function

sec_lsm_manager_clear(sec_lsm_manager);

It is also necessary to free the handle created at the end:

sec_lsm_manager_destroy(sec_lsm_manager);

Command Line

It is possible to use the previous functions easily on the command line thanks to the binary: sec-lsm-manager-cmd.

$ sec-lsm-manager-cmd
>> initialization success
id demo-app
>> ok
path /opt/demo-app id
>> ok
permission urn:AGL::partner:create-can-socket
>> ok
display
################## SECURE APP ##################
id demo-app
path /opt/demo-app id
permission "urn:AGL::partner:create-can-socket"
################################################
>> ok
install
>> ok

Overview

redpesk OS releases

Security updates

Application Framework Manager

Application Framework Binder

APIs & Services

Security manager

Trusted Boot