Security

QNX SDP8.0Migrating to QNX OS 8.0Developer

Cryptography

OpenSSL 3.0 is the LTS version shipped with QNX SDP 8.0. The corresponding QNX Cryptography Library (qcrypto) plugin qcrypto-openssl-3.so is available.

For more information, see the QNX Cryptography Library in the QNX OS System Security guide.

For more information about migration to OpenSSL 3.0, go to https://www.openssl.org/docs/man3.0/man7/migration_guide.html.

Security policies

QNX strongly recommends that you use security policies to set the privileges of all processes on a system. Security policies provide the following benefits over manually setting process abilities using procmgr_ability():

  • The location in the path space where a process can attach can only be restricted using a security policy.
  • A security policy can control a process's ability to perform a ConnectAttach() on a public channel of another process.
  • If a process uses procmgr_ability() to set its own permissions independent of an individual system, the developer needs to predict what permissions will be required or use command-line options to discover them. To solve this issue, developers may assign abilities that are too permissive or not needed, which makes the system less secure. Using security policies allows the system integrator to set only the abilities that the process needs for the specific system.
  • The secpolgenerate utility that generates and updates security policies can determine which privileges processes require without needing to know what an individual process does.
  • A system integrator might not be able to examine the arguments to every procmgr_ability() call because he or she does not have access to source code, making it hard to audit a system. Security policies centralize permissions and can be easily audited by the system administrator, even without access to the source code, and
  • Although a system integrator can view the abilities assigned to a process using pidin, he or she only sees the abilities of running processes. A security policy allows the system integrator to view the abilities assigned to all process, including those that are not currently running.
  • Security policies can be extended with other classes as needed.
  • Using centralized security policies means that a resource manager does not have to predict which privileges are needed to operate in an individual system or how those privileges might change over time.

QNX provides the secpolgenerate utility to assist developers in the creation and maintenance of the security policy. It is a convenient way to apply and remove security constraints during development.

For more information, go to the Security Policies chapter of the QNX OS System Security guide.

resmgr_attach()

The new API secpol_resmgr_attach() should replace resmgr_attach() in all drivers. It allows full control of the user and group ID, mode, and ACLs on nodes created by a resource manager directly from the security policy without the need to recompile driver code or provide alternative ways to control behavior. Using secpol_resmgr_attach() avoids the race condition that is produced in system startup when you use waitfor, chmod, chown, and setfacl on driver nodes to set appropriate permissions after the resource manager has already started listening.

On systems that don't use security policies, secpol_resmgr_attach() behaves the same way as resmgr_attach().

For more information, see secpol_resmgr_attach() in the The libsecpol API (secpol.h) section of the QNX OS System Security guide.

interruptevent

The security policies interruptevent ability (and PROCMGR_AID_INTERRUPTEVENT constant) is discontinued. Processes only need the interrupt ability to attach to interrupts. Policy generation tools automatically use interrupt instead.

For more information, go to the Security Policies chapter of the QNX OS System Security guide.

Sandbox

The sandbox feature (and the sandbox ability) is discontinued. Use POSIX permissions and ACLs to achieve similar capabilities.

For more information, go to the Chroot (change root) and Access control sections of the QNX OS System Security guide.

Fortified functions

CAUTION:
Compared to QNX SDP 7.1, a greater number of libc, kernel, and libsocket functions in QNX SDP 8.0 have fortified implementations. Compiling source code with the use of fortified functions enabled might result in changes in program behavior. Misuse of these API functions is more likely to be detected at compile time, runtime, or both.

Setting the _FORTIFY_SOURCE feature test macro to 2 now disables the n conversion specifier for formatted I/O functions (e.g., %n in fprint(), scanf(), etc.).

For more information, see the Fortified System Functions chapter in the QNX OS System Security guide.

Entropy sources for random

The entropy from interrupts that the random service uses is now automatically gathered from the kernel. The following options have been removed:
  • -i (specified interrupts as a source for entropy)
  • -p (polled system information from /proc for entropy)

The functionality of devr-drng.so has been integrated into the random executable. Therefore, no additional module is required.

For more information, see the entry for random in the QNX OS Utilities Reference.

Page updated: