Security policies
Security policies can make some aspects of security much easier for a developer.
Ideally, no process (except the system process, procnto) runs as root. Achieving this goal usually requires the configuration of process manager abilities (for a discussion of these abilities, go to Process manager abilities).
Although QNX OS allows a process to set which operations it is permitted to do using the procmgr_ability() function, a better option is to use the system's security policies functionality. Security policies provide many benefits over manually setting process abilities using procmgr_ability() (these benefits are listed at the start of the Security Policies chapter).
When security policies are in use, developers can use the API provided by libsecpol instead of manually configuring the specific privileges a process requires. When using libsecpol, developers only need to indicate when the process has completed initialization. Developers can leave it up to the security policy to ensure that processes have the right set of privileges to start up and the right, hopefully smaller, set for continued operation.
When a privileged process must spawn child processes with varying privilege requirements, libsecpol can make this easy without the need for the developer to know what the requirements are. In the case where all child processes can have the same privileges, the use of security policies can allow the common set to be configured without any action by the developer.
A server process may have to make security decisions as to whether or not a particular client should be allowed to perform a particular operation. This decision might be based on a previously established state (e.g., in a resource manager, whether the client had opened the device for write access), or the server could check whether the client has an ability (static or custom). The libsecpol API provides a third method of checking fine-grained capabilities for a client.
A process usually must work both when security policies are in use and when they aren't; when it uses libsecpol, it works under both circumstances without separate code for each case. The system is not as secure when security policies are not in use, but it is still functional.
For more information, go to Security Policies.