<?xml version="1.0" encoding="utf-8"?>

<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->

<!-- This component and the accompanying materials are made available under the terms of the License 

"Eclipse Public License v1.0" which accompanies this distribution, 

and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->

<!-- Initial Contributors:

    Nokia Corporation - initial contribution.

Contributors: 

-->

<!DOCTYPE concept

  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">

<concept id="GUID-A4179FF3-4541-44B8-A8F3-52C1318159B3" xml:lang="en"><title>Platform

Security</title><shortdesc>This document discusses how device drivers should implement platform

security.</shortdesc><prolog><metadata><keywords/></metadata></prolog><conbody>

<p>Device drivers must follow the Symbian platform security guidelines. As

a part of platform security, drivers must be given the necessary platform

security capabilities. A driver can also check the capabilities of a process

opening a channel on the device, in order to restrict access to the device. </p>

<section id="GUID-74BFFE9A-2904-4EFC-952A-581844A9095B"><p><b>Driver-side

definition</b> </p> <p>Because drivers are loaded by the Kernel, both LDDs

and PDDs must have the same level of trust and capability as the Kernel. This

means that platform security capabilities must be set to <codeph>ALL</codeph> in

the LDD and PDD <filepath>.mmp</filepath> files. </p> <codeblock id="GUID-91D17A93-4DFE-58DB-A071-F82399B7D9CE" xml:space="preserve">// LDD: mmp file

...

CAPABILITY     ALL</codeblock> <codeblock id="GUID-68471C34-7E9A-5CE7-BED3-1F3C6AEB08BF" xml:space="preserve">// PDD: mmp file

...

CAPABILITY     ALL</codeblock> <p>The user program must have the necessary

capability set in its <filepath>.mmp</filepath> file to open and access the

driver API. The reference documentation for the API should say what capabilities

are required. Usually, they are the same as the minimum capability that is

required to load the drivers. </p> <codeblock id="GUID-18BF036F-1A2E-59AA-BF8E-05D80B7916B5" xml:space="preserve">// Test application: mmp file

...

CAPABILITY    CommDD ReadDeviceData PowerMgmt</codeblock></section>

<section id="GUID-7177D7FD-088C-432F-BABC-4E5DAA0E07D4"><p><b>User-side verification</b> </p> <p>A

device driver must check the capability of the process that is accessing it.

This is typically done during channel creation and, if required, for specific

requests to the LDD. The Kernel provides the <xref href="GUID-C6946ECB-775F-3EC2-A56F-78F25B9FBE3D.dita#GUID-C6946ECB-775F-3EC2-A56F-78F25B9FBE3D/GUID-E34E27F2-921A-3F78-9DE3-C5B16F37CF8B"><apiname>Kern::CurrentThreadHasCapability()</apiname></xref> API

to check the capability of the calling process. It can check for more than

one capability. </p> <p>The following shows how the example driver checks

during channel creation that the user has the <xref href="GUID-460F2258-02FB-316E-8044-4649E4488486.dita"><apiname>ECapabilityCommD</apiname></xref> capability: </p> <codeblock id="GUID-79B4EB40-14C8-5BDA-9FC9-A82DF87C83A7" xml:space="preserve">TInt DExDriverLogicalChannel::DoCreate(TInt /*aUnit*/, const TDesC8* 

/*anInfo*/, const TVersion& aVer)

    {

    // Capability check - CommDD

    if (!Kern::CurrentThreadHasCapability (ECapabilityCommDD,

    __PLATSEC_DIAGNOSTIC_STRING("Checked by Tutorial Driver")))

        return KErrPermissionDenied;    

    ...

    }</codeblock></section>

<section id="GUID-7B302793-1A00-40D6-8E9A-BA694541D0D4"><p><b>Data caging </b> </p> <p>Symbian

platform security requires that all DLLs and EXEs are placed in the folder <filepath>/sys/bin</filepath>.

Drivers and test application binaries must be placed in the <filepath>/sys/bin</filepath> folder

by their ROM <filepath>.iby</filepath> file. </p> <codeblock id="GUID-42FE3528-37BB-5DD2-B565-4DB527EBC596" xml:space="preserve">// iby file

device[VARID]=KERNEL_DIR\DEBUG_DIR\exdriver_ldd.ldd     \Sys\Bin\exdriver_ldd.ldd

device[VARID]=KERNEL_DIR\DEBUG_DIR\exdriver_pdd.pdd     \Sys\Bin\exdriver_pdd.pdd

file=ABI_DIR\BUILD_DIR\exdriver_test.exe                \Sys\Bin\exdriver_test.exe

</codeblock></section>

</conbody><related-links>

<link href="GUID-EA20E614-C911-4EE9-92B5-C8F9B657D59E.dita"><linktext>Platform

security architecture</linktext></link>