Category Archives: Maemo

D-Bus Loadable security module support

December 23, 2011 11:25Leave a Comment

While I was thinking about LSM mediations of the D-Bus messages, I found out a nice work that is being developed by the Ubuntu sec team in order to support the AppArmor mediation on D-Bus message exchange and service acquisition.

Having a chat with John Johansen (from Unbuntu sec team), he said that he was missing a loadable module support on the D-Bus. Allowing the support of different Linux Security Modules mediation without messing up the D-Bus daemon code, which does make sense.

I started to implement a little PoC about this loadable support, which consists in the following: the LSM modules can be dynamically loadable at the d-bus daemon startup. By copying a D-Bus LMS module to a given directory (which can be specified at the d-bus configuration) it will be loaded and registered.

The idea is to have independent modules, if possible use only the D-Bus functions provided by libdbus, however, of course, if needed symbols can be copied from libdbus-internal.a.

Despite the fact that the modules can be independent of the D-Bus internals, they must have at least one known function, this function should be named as “pre_init“, and receives the pointer to the D-Bus internal function “register_security“. The “register_security” function should be called by the module if it is loaded successfully. The “pre_init” function must return a “dbus_bool_t“: true if everything goes right or false if not. Note that audit can be also initialized by this function.

The function “register_security” receives as parameter a pointer to the structure “security_validations” that is part of dbus-security.h. The structure is illustrated bellow:

struct security_validations
{
 char *name;
 dbus_bool_t (*bus_security_allows_send) (DBusConnection *,
                                         DBusConnection*,
                                         const char *,
                                         const char *,
                                         const char *,
                                         const char *,
                                         const char *,
                                         const char *,
                                         const char *,
                                         DBusError *);
 dbus_bool_t (*bus_security_allows_acquire_service) (DBusConnection *,
                                                    const char *,
                                                    const char *,
                                                    DBusError *);
 dbus_bool_t (*shutdown) (void);
};

The structure “security_validations” defines the hooks and the name of the security module and also the function to shutdown the mediation. Two main hooks were needed, the first is the one responsible to mediate the message exchanges and the second is the responsible to avoid unauthorized process to acquire some service. The shutdown hook is not less important, but less used. Shutdown is only called when the D-Bus daemon is hanging out.

The current implementation of SELinux mediation needs more hooks to work than what I am offering in this PoC. Since the SELinux implementation has some performance improvements by doing caching, it will be necessary to create new hooks to gather some information before deciding whether some message is ok to go or not, but this may be a later discussion.

The patched D-Bus code is available at:

http://cgit.collabora.com/git/user/zimmerle/dbus-lsm.git/

And there is a dummy module at:

http://cgit.collabora.com/git/user/zimmerle/dbus-dummy-lsm.git/

Posted in: AppArmor, Collabora, D-Bus, Maemo, MeeGo, Security, UbuntuTagged: , , ,

4×4 inclinometer

January 18, 2010 11:11Leave a Comment

For those who are interested in knowing how steep is your N900, or the object that supports it. Meet the 4×4 inclinometer.

I developed it to use in my car, hence the name 4×4 inclinometer. Using this application I can know the slope of the obstacles or the ground below my car.

According to the manual of the car, it can be in an angle of heel of 45 degrees with no problem, something higher than this is at my own risk. When I read this information, just imagined the software for the N900)

The current version depends on Qt 4.6 with the animation framework. The animation is used to rotate the images of the car, smoothing the movement. I am not an expert in gimp, so forgive me for the images poorly done. Next version I will put a simple support for themes.

The intallation files are already in extras-devel, so you just need to apt-get it. And the sources are available at:

http://git.zimmerle.org/?p=inclinometer.git;a=summary

The car image and the application background are Trademark of Troller Veiculos Especias S/A, http://www.troller.com.br

Posted in: Maemo, MeeGo, Qt, TrollerTagged: , , ,

tcpdump && lipcap on extras-devel

January 1, 2010 11:11Leave a Comment

For those who are playing with Maemo and network, now are available at Maemo extras-devel {fremantle|diablo} the tcpdump package and its dependency (libpcap) working like a charm.

Posted in: Maemo, Network, SecurityTagged: , ,

iptables on extras devel

January 1, 2010 11:11Leave a Comment

The iptables package is on maemo extras devel. There is no support for connection state on the device Kernel consequently the NAT is not working. I tried to compile the modules, but I found myself in trouble trying to load them at the device. If you want to flash a kernel with support for connection state there is one available at my personal repository (read: mWall :: netfilter + ui for maemo for more information). Antoher discussion about that modules can be found: here.

screenshot05

Posted in: Maemo, SecurityTagged: ,

mWall :: netfilter + ui for maemo

December 21, 2009 11:11Leave a Comment

Something that certainly bothers me is the fact that i am always online independent of the network. I walk with my n900 in the pocket and sometimes I am using 3g, sometimes using wifi. I am jumping from trusted to untrusted wifi spots, and I have the strange feeling that maybe once (or more…) I will be part of a honeypot, malicious network or something like that.

As part of this type of network my device can be easily identified as an N900. (e.g. MAC address). Once the device is identified a person or a malicious software can start to guess passwords (rootme?) and can try to exploit softwares that are under development.

Avoiding been hacked on that situation I decided to write a small firewall UI for the n900 (netfilter/iptables back end), that allows me to block any incoming connection that is not authorized.

screenshot021

This is just a very first version of the firewall, a lot to be done yet. To install it on your device, check for mWall at my personal repository.

You can install my repository by clicking here: zimmerle’s repo.

I also provide in my repository: the iptables package and a kernel with support to iptables state match. The iptables binary was marked with the suid bit, allowing its execution by users without super powers. But this should be fixed in the next release.

Let me advise you that the firewall rules are not permanent, I mean, you need to run the firewall in every boot. It is under development.

The code is available at: http://git.zimmerle.org

Posted in: Maemo, Qt, SecurityTagged: ,