Platform Security Considerations

Symbian platform v9.1 introduced Platform Security (the concept of Capabilities, Signing and Data Caging) to protect a phone against malicious code. Granting a program certain capabilities enables it to use protected operating system functionality, and signing an installation file enables it to be installed onto different phones.

A program using the P.I.P.S. libraries may need certain capabilities in order to use protected functionality to be available. The capabilities required are listed in the program's makefile (or an MMP file on the Symbian platform). For example, the following line added to a Symbian MMP file will grant network access to a program.

CAPABILITY     NetworkServices

Each Symbian program has access to a private area of storage in a /private/<secureid>/ directory where secureid is an identifier specified in the MMP file. If a secureid is not specified in the MMP file, the secureid is set from the program's third UID (Unique Identifier). Some extra capabilities are required if the program wishes to have access to another program's private area. Also it is worth noting that P.I.P.S. does not allow file descriptors in private directories to be inherited.

Capabilities supported for P.I.P.S. APIs

The following table provides details of the P.I.P.S. APIs and the capabilities that may need to be added.

P.I.P.S. API

Capabilities required

lstat(), stat(), tmpnam(), tempnam(), wstat()

None if the path is not in the protected /sys/ or /private/ directory.

AllFiles if the path contains the protected /sys/ directory.

AllFiles if the path contains the protected /private/ directory using another program's Secure Identifier.

open(), wfopen()

None if the path is not in the protected /sys/ or /private/ directory.

AllFiles if the path contains the protected /sys/ directory and read mode is specified.

TCB if the path contains the protected /sys/ directory and write mode is specified. P.I.P.S. libraries do not have the TCB capability, and so it is not possible to write to this directory.

AllFiles if the path contains the protected /private/ directory using another program's Secure Identifier.

access(), chdir(), chmod(), creat(), fchmod(), ftok(), mkdir(), mkfifo(), rename(), rmdir(), utimes(), waccess(), wchdir(), wcreat(), wmkdir(), wrmdir(), wunlink(), unlink(), utime()

None if the path is not in the protected /sys/, /resource/ or /private/ directory.

TCB if the path contains the protected /sys/ or /resource/ directory. P.I.P.S. libraries do not have the TCB capability, and so it is not possible to write to this directory.

AllFiles if the path contains the protected /private/ directory using another program's Secure Identifier.

accept(), bind(), connect(), ioctl(), recv(), recvfrom(), send(), sendto(), recvmsg(), sendmsg()

None if the descriptor does not refer to a socket.

NetworkServices if the descriptor is a socket.

A P.I.P.S. platform security example

The following code illustrates how P.I.P.S. conforms to Data Caging rules while creating a file with and without capabilities.

#include <stdio.h>

int main(int argc, char *argv[])
{
   FILE* file;
   
   //Create the file in another program's private directory
   file = fopen("/private/10004902/out.file", "w");
   if (file == NULL)
   {
      int I = errno;
   
      //Error occurred
      printf("\nError creating file, error=%d", errno);    
      return EXIT_FAILURE;
   }
   else
   {
      //File created
      fprintf(file, "Sample File Output");
      fclose(file);
      
      printf("\nFile created");    
   }

   return EXIT_SUCCESS;
}

If no capabilities are provided, the code will print out an error message due to the attempted use of fopen() on another program's /private/ directory. The error code displayed will be EACCESS, showing a security error.

If, however, the AllFiles capability is listed in the program's MMP file, the file will be generated successfully.

Note: Here, AllFiles represents a system capability and is not something your application should require or use, in most of the cases.