Home · All Namespaces · All Classes · Grouped Classes · Modules · Functions

SXE - Customizing Domains

Introduction
Modifying application level policy
Modifying OS Level policy
Troubleshooting
Domains

The following sections describe the methods to customize policy domains. The intended audience for this section are system integrators.

Introduction

An SXE domain is a keyword, made up of lower case a-z and the underscore character, for example "untrusted". The domain specifies allowed access rights, both of

SXE applications level policy eg, sending qcop messages
LIDS OS level policy eg, access to devices or capabilities

Modifying application level policy

Application level policy is defined in a file called sxe.profiles. Domains typically follow the following format:

    [Domain]
    requests
    ...
    #

The SXE Discovery Mode can be used to determine what requests a particular application makes as it runs. In this mode all requests are allowed and logged, but doing this has a severe impact on performance. To operate qpe in SXE Discovery Mode, ensure Qt Embedded is compiled in debug mode and that and the SXE_DISCOVERY_MODE environment variable is exported. The requests will all be logged in /tmp/qtopia-0/sxe_discovery.log (where 0 is the session). The requests can be compared with sxe.profiles to see if the domain is lacking requests used by the application.

Alternatively, an application can run without SXE discovery mode and if there is a request made that is not in the application's declared domain then it will breach policy and the qpe console output and/or security log can be viewed to see what request was needed.

If sxe.profiles needs to be updated simply add any extra requests to the appropriate domain. It is helpful to note that the wildcard * maybe be placed at the end of a request. This is useful for situations where a family of requests, which share the same prefix, can be added as one entry.

Note: After changing policy, ensure that sxe.profiles in the image directory is up to date. If shadow building, most of the time copying <qt-extended-root-dir>/etc/sxe.profiles to <image-dir>/etc/sxe.profiles is sufficient.

Modifying OS Level policy

OS Level policy is defined by scripts in the <qt-extended-root-dir>/etc/sxe_domains directory. The script names consist of the domain name preceded by sxe_qtopia, eg sxe_qtopia_untrusted. The scripts run the lidsconf utility which is used to apply a set of MAC rules. See also SXE - System Integration.

Troubleshooting

To trouble-shoot SXE problems try these ideas:

run qbuild && qbuild image in the build root to ensure the image is up to date
flash the image onto your device to make sure the device is up to date
use the dumpsec.pl script. Without parameters it will show the program id associated with each registered binary, by providing a parameter of program name or program id, eg dumpsec.pl Camera or dumpsec.pl 32 a detailed listing with be shown for matching application/s.
check the applications qbuild.pro file to ensure the correct domain has been declared by the application
compile in debug mode and export SXE_DISCOVERY_MODE to see what requests an application is making.
turn on SXE logging in the log utility

Domains

The SXE operates with the two domains listed below:

SXE Profile name	Access Controls Effect	Information display	Risk level
untrusted	Restricts application privileges to that of games	requests minimal access privileges on your device	Low
trusted	Unlimited access to device filesystem and application level service requests	requests unrestricted access on your device	High

(You may notice that there is a "qpe domain" in sxe.profiles, the qpe server needs to declare this for historical reasons so it should not be removed, but for all other intents and purposes it can be ignored)

Trademarks

Qt Extended 4.4.3