MokSec - The Security Framework
mcrane03 at harris.com
Mon Jul 14 16:57:26 CEST 2008
I would think on a phone the primary concern is protecting the user
E.g. sms, contacts, history.
If somebody was able to malicously install software on the phone, your
pretty much already $%@#'ed. Not letting it call out helps, but it's
already defeated. I'm assuming we're not installing a lot of new
unknowns on a secure device, and anything trying to make network
connections is evol.
I've been picturing running an encrypted rootfs image off an SD card.
There could be multiple encrypted rootfs images, only one would be the
real one, or they all could be used for different reasons.
Once the system boots it's up to the user to unlock the keys to the
encrypted image to be used and that gets booted from the already running
From: community-bounces at lists.openmoko.org
[mailto:community-bounces at lists.openmoko.org] On Behalf Of Tilman
Sent: Monday, July 14, 2008 10:38 AM
To: List for Openmoko community discussion
Subject: Re: MokSec - The Security Framework
Kalle Happonen wrote:
> However, later on an easily configurable firewall would be almost
> essential imho. Connecting to the phone (any port) over the wifi
> (almost?)never be allowed as default. Even if the point with the phone
> is that users can do what they want, it doesn't mean that the apps
> install shouldn't be protected. And a firewall is almost the only
> way. There's no easy way of making all the apps listen to just one
> interface, and while host.allow/deny is more lightweight than a
> firewall, those don't allow distinguishing of interface.
SELinux comes to mind. Or at least the capabilites framework.
This way i could choose to allow a app to open sockets. (Little bit like
As far as i know we could even have a popup asking for permission.
And to give my 2 Eurocents to the everything as root discusion.
Running user apps as root must end, better soon.
If apps need things only root can do (not much comes to my mind) we
could use sudo wrapper or SELinux rules.
Drucken Sie diese Mail bitte nur auf Recyclingpapier aus.
Please print this mail only on recycled paper.
Openmoko community mailing list
community at lists.openmoko.org
More information about the community