|
1 <?xml version="1.0" encoding="utf-8"?> |
|
2 <!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. --> |
|
3 <!-- This component and the accompanying materials are made available under the terms of the License |
|
4 "Eclipse Public License v1.0" which accompanies this distribution, |
|
5 and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". --> |
|
6 <!-- Initial Contributors: |
|
7 Nokia Corporation - initial contribution. |
|
8 Contributors: |
|
9 --> |
|
10 <!DOCTYPE concept |
|
11 PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
|
12 <concept id="GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03" xml:lang="en"><title>Security |
|
13 issues</title><shortdesc>This topic explains the security issues while performing a publish |
|
14 and subscribe.</shortdesc><prolog><metadata><keywords/></metadata></prolog><conbody> |
|
15 <ul> |
|
16 <li id="GUID-4BF55D37-742E-527F-9148-57C12164DA1C"><p> <xref href="GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03.dita#GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03/GUID-D2D0BDDF-28A4-5168-B1C5-685E1964C730">Who can define a property?</xref> </p> </li> |
|
17 <li id="GUID-A06C7B43-30B8-5606-B22C-EBB18DBA7554"><p> <xref href="GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03.dita#GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03/GUID-839C5063-3BA1-52E6-BFFE-CF3E18E605EC">Read and write access rights</xref> </p> </li> |
|
18 <li id="GUID-EC225F1D-0B9D-537F-BFC7-10EFBD6B44AE"><p> <xref href="GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03.dita#GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03/GUID-65107093-7C73-5117-88F7-CFB585455CE3">Deletion rights</xref> </p> </li> |
|
19 </ul> |
|
20 <section id="GUID-D2D0BDDF-28A4-5168-B1C5-685E1964C730"><title>Who can define |
|
21 a property?</title> <p>One of the most important attributes of a property |
|
22 is the category to which it belongs. A category is represented by a UID value. </p> <p>The |
|
23 general rule is that the (category) UID must be the same as the Security ID |
|
24 (the SID) of the process in which the code that is performing the define operation |
|
25 is running. In effect, this forms a data cage, preventing a process from defining, |
|
26 or "occupying", another process's property. </p> <p>You define a property |
|
27 using the overload of <codeph>RProperty::Define()</codeph> with the signature: </p> <codeblock id="GUID-B33CDB93-7EB1-5276-B260-AEAB28227FA7" xml:space="preserve">static TInt Define(TUint aKey, TInt aAttr, const TSecurityPolicy& aReadPolicy, const TSecurityPolicy& aWritePolicy, TInt aPreallocate);</codeblock> <p>This function was introduced in V9.1 of Symbian platform, and it does <i>not</i> allow |
|
28 you to explicitly specify the category. Indeed, Symbian platform takes the |
|
29 category to be the value of the process SID. </p> <ul> |
|
30 <li id="GUID-B4257761-359B-5027-93A0-9122EA0D5F21"><p> <xref href="GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03.dita#GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03/GUID-3EBCF236-E88A-5A50-A94E-37FABCD89633">The situation before Version 9.1</xref> </p> </li> |
|
31 <li id="GUID-56A0BBD6-F844-5C5B-8789-A3DF806E7D26"><p> <xref href="GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03.dita#GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03/GUID-05EB14D2-6BA2-5199-A97A-9368AA581922">Migration issues</xref> </p> </li> |
|
32 <li id="GUID-DF9B3F9D-C0A2-536D-BBAA-86FE218A4F21"><p> <xref href="GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03.dita#GUID-DAF86036-CC40-5F26-9F15-2F2093F59C03/GUID-D4FAE1D0-4610-5AAD-802B-62535C6C11BB">Notes</xref> </p> </li> |
|
33 </ul> <p id="GUID-3EBCF236-E88A-5A50-A94E-37FABCD89633"><b>The situation before Version |
|
34 9.1</b> </p> <p>Before version 9.1 of Symbian platform, you had to explicitly |
|
35 define a category using the overload of <codeph>RProperty::Define()</codeph> with |
|
36 the signature: </p> <codeblock id="GUID-0D193896-AB7B-5787-A92C-2CB214C16496" xml:space="preserve">static TInt RProperty::Define(TUid aCategory, TUint aKey, TInt aAttr, const TSecurityPolicy& aReadPolicy, const TSecurityPolicy& aWritePolicy, TInt aPreallocate)</codeblock> <p>This function was introduced in V9.0 of Symbian platform. </p> <p>It |
|
37 was also possible to specify a category, known as the system category, which |
|
38 was reserved for system services. This category was identified by the <xref href="GUID-A85740BD-BC85-345E-B24A-92F68EA56270.dita"><apiname>KUidSystemCategoryValue</apiname></xref> UID; |
|
39 a process required the <i>WriteDeviceData</i> capability, (<xref href="GUID-C607209F-6FC5-31DE-8034-E5B799B857A8.dita"><apiname>ECapabilityWriteDeviceData</apiname></xref>), |
|
40 to use it. </p> <p>This overload is still available, but from V9.1 there are |
|
41 restrictions that govern its use, and it is recommended that, if possible, |
|
42 users of Property & Subscribe services should migrate to using the version |
|
43 of <codeph>RProperty::Define()</codeph> that does not require the category |
|
44 to be specified. </p> <p id="GUID-05EB14D2-6BA2-5199-A97A-9368AA581922"><b>Migration issues</b> </p> <p>Processes |
|
45 that use the 9.0 version of <codeph>RProperty::Define()</codeph> must now |
|
46 have the <i>WriteDeviceData</i> capability to define a property with an explicitly |
|
47 specified category (including the system category), <i>provided that the SID |
|
48 of the process is less than the value</i> <xref href="GUID-4A67D011-CBB6-396F-8104-7B3BECB84460.dita"><apiname>KUidSecurityThresholdCategoryValue</apiname></xref>. </p> <p>A |
|
49 process that has a SID value <i>greater</i> than <xref href="GUID-4A67D011-CBB6-396F-8104-7B3BECB84460.dita"><apiname>KUidSecurityThresholdCategoryValue</apiname></xref> <i>cannot |
|
50 explicitly specify a category</i>. This is an absolute rule that cannot be |
|
51 overridden regardless of the capabilities assigned to that process. </p> <p>The |
|
52 logic here is that all new <filepath>.exe</filepath> s require a SID to be |
|
53 assigned, and that this value will be greater than <xref href="GUID-4A67D011-CBB6-396F-8104-7B3BECB84460.dita"><apiname>KUidSecurityThresholdCategoryValue</apiname></xref>. |
|
54 This means that an associated process is forced to define properties with |
|
55 category values that are the same as the process SID. Older <filepath>.exe</filepath> s |
|
56 are expected to have SID values that are less than <xref href="GUID-4A67D011-CBB6-396F-8104-7B3BECB84460.dita"><apiname>KUidSecurityThresholdCategoryValue</apiname></xref>, |
|
57 and means that an associated process can continue to explicitly specify a |
|
58 category, using the 9.0 version of <codeph>Define()</codeph>, but must have |
|
59 the <i>WriteDeviceData</i> capability. </p> <p>Ideally, all older <filepath>.exe</filepath> s |
|
60 should be migrated to use the 9.1 version of <codeph>Define()</codeph>. </p> <p>The |
|
61 following diagram shows the "category space". </p> <fig id="GUID-ADCDE30C-7D9C-588D-9058-E5491AB626F3"> |
|
62 <image href="GUID-442D216B-117E-538C-A51F-0775BF37673E_d0e248057_href.png" placement="inline"/> |
|
63 </fig> <p>The <xref href="GUID-4A67D011-CBB6-396F-8104-7B3BECB84460.dita"><apiname>KUidSecurityThresholdCategoryValue</apiname></xref> value |
|
64 effectively forms a <i>threshold</i> value. Processes with a SID value below |
|
65 this threshold can define a category that is different from their SID, provided |
|
66 they have the <i>WriteDeviceData</i> capability. Processes with a SID value |
|
67 above this threshold value can only define a category that is the same as |
|
68 the SID - regardless of capability. </p> <p id="GUID-D4FAE1D0-4610-5AAD-802B-62535C6C11BB"><b>Notes</b> </p> <p>When we |
|
69 refer to the SID of the process, we also mean the SID value assigned to the |
|
70 associated <filepath>.exe</filepath> installed on the device. By older or |
|
71 younger processes, we are referring to the age of the associated executables. </p> </section> |
|
72 <section id="GUID-839C5063-3BA1-52E6-BFFE-CF3E18E605EC"><title>Read and write |
|
73 access rights</title> <p>Access rights to a property are set when the property |
|
74 is defined. </p> <p>The process defining the property can specify the rights |
|
75 of access to that property. In particular, it can specify a security policy |
|
76 to control read access (i.e. retrieval of the property) and a separate security |
|
77 policy to control write access (i.e. publication of the property). </p> <p>Access |
|
78 to a property is governed by a pair of security policies, instances of <xref href="GUID-81A285F6-3F87-3E77-9426-61BB16BC7109.dita"><apiname>TSecurityPolicy</apiname></xref> objects. |
|
79 These define the combination of capabilities and/or vendor Id and/or Secure |
|
80 Id that a process must possess before being allowed to write to, or read from, |
|
81 a property. Any attempt to access a property by a thread whose owning process |
|
82 does not have sufficient capability, will fail with <codeph>KErrPermissionDenied</codeph>. </p> <p>The |
|
83 security policies are passed to the <xref href="GUID-C4776034-D190-3FC4-AF45-C7F195093AC3.dita#GUID-C4776034-D190-3FC4-AF45-C7F195093AC3/GUID-58C54D2A-91E0-359B-AA31-69C6C4050173"><apiname>RProperty::Define()</apiname></xref> function |
|
84 when the property is defined. </p> </section> |
|
85 <section id="GUID-65107093-7C73-5117-88F7-CFB585455CE3"><title>Deletion rights</title> <p>Only |
|
86 the owning process, i.e. the process that defined the property, is allowed |
|
87 to delete that property. </p> </section> |
|
88 </conbody></concept> |