#1
09-20-2011, 11:32 PM
javispedro
Senior Member
Join Date: Feb 2010
Posts: 264
Thanked: 839 times
Nokia and Aegis

So, beta2 Harmattan firmware was released.

I've generally liked it (especially now that the RSS viewer app's http:// links open in new browser windows, the first feature request I filed at developer.nokia.com!).

However, one of the things I wanted to check was what was going to happen to the develsh application, because in the beta1 release, this application was granted so many privileges that one could use it to even disable Aegis itself, therefore enabling development of stuff that Aegis would otherwise prohibit, like qole's easy debian, the insertion of kernel modules, or running random binaries without having to care about packaging them previously, a thing developers usually like to do.

I wanted to check what happened to develsh because I published one method of disabling Aegis "using" the privileges granted by develsh. Despite what many people thought, this does not "crack" Aegis, but rather uses privileges that were granted to us. I avoided using the word "hole" while describing the method because I thought it was not a security hole: rather, this had to be an allowed, premeditated thing. A kind of "yes, Aegis is there for the average user, but you install develsh and you still have the hackable device you've come to love from earlier incarnations".

Oh, how wrong I was!

Nokia has now greatly reduced the amount of privileges granted to develsh in beta2. To the point that you now CANNOT even issue a dead simple dmesg command to _read_ the kernel log.

Is this a reaction from Nokia because the above method allowed you to disable Aegis? Is this the first move from Nokia in the cat and mouse game that is going to be played starting now -- the same game Apple likes to play with jailbreakers?

I don't know. I would like a clear answer here.

Because I am going to play for another turn in this cat and mouse game. I've found yet another "security hole" -- this time, I'm slightly more confident to use the "hole" word, which is _really_ sad -- in Aegis, and thus, I'm again running the device the way I intended, loading kernel modules and running arbitrary binaries. Which is also the way many other developers would like to run their devices.

But, if this new "Aegis hole" is fixed, I am not playing any more turns. That's it for me at least. What I do afterwards, I don't know, but it surely doesn't include the word Harmattan.


Some clarifications:
- To slightly increase the chances of not having the hole "fixed" by the next firmware release, I'm not telling publicly this time.
- I am NOT against Aegis per se. Aegis could eventually turn into a wonderful per-app permissions system that rivals Android's in features, all while still allowing you to use a normal GNU libc instead of some crap Java layer. I am _completely_ against not having control of Aegis.
- _If_ the answer includes something that mentions "open mode", my next question will be: Where is the promised open mode? _No one_ has found it.
Now, as I am told, you _can_ run real MeeGo on the N9/50, and since that doesn't have Aegis, well, it's as good as open mode. But you _lose_ Harmattan in the process. We were told Open Mode would mean we'd lose a few things, some DRM'd apps, potentially Ovi Music, and god knows what. But I at least was SURELY not told I'd lose THE ENTIRE OPERATING SYSTEM AND THAT I'D HAVE TO INSTALL MY OWN IF I WANTED TO GO OPEN MODE!
- I still don't know exactly what the point of Aegis on the N9/N950 is. It is clearly not finished. The level of granularity that has been reached with the current set of tokens is nowhere near being ideal for a per-app permissions system (an app could silently turn on the microphone on the device, record _everything_, and send it all via the Internet to a random host in North Korea, all without needing a SINGLE Aegis token!).

So, why are you _pissing off_ developers by not allowing at least ONE clear, official, approved way to disable Aegis _without_ losing the operating system?

Last edited by javispedro; 09-20-2011 at 11:40 PM.

#2
09-20-2011, 11:43 PM
joergrw
Member
Join Date: Jul 2010
Posts: 68
Thanked: 280 times
Re: Nokia and Aegis

Many thanks, javispedro, for this very clear explanation of the whole Aegis situation. I couldn't have put it better, and I second every word you wrote.

/j

Last edited by joergrw; 09-21-2011 at 12:07 AM.

#3
09-21-2011, 01:48 AM
hawaii
Member
Join Date: Aug 2010
Location: Toronto, Canada
Posts: 83
Thanked: 108 times
Re: Nokia and Aegis

I completely and whole-heartedly agree. This clearly alienates both power users and developers on the platform, which is the only driving force behind the upcoming N9 -- which is the reason, as I see it, for the N950 to have been distributed to us.

It seems completely backwards to put in stoppers that "we" have to waste time circumventing in order to do things that, essentially, provide a positive increase in awareness for the platform and devices.

#4
09-21-2011, 06:13 AM
djszapi
Member
Join Date: Sep 2010
Posts: 30
Thanked: 76 times
Re: Nokia and Aegis

Quote:
So, beta2 Harmattan firmware was released.

I've generally liked it (especially now that the RSS viewer app's http:// links open in new browser windows, the first feature request I filed at developer.nokia.com!).

However, one of the things I wanted to check was what was going to happen to the develsh application, because in the beta1 release, this application was granted so many privileges that one could use it to even disable Aegis itself, therefore enabling development of stuff that Aegis would otherwise prohibit, like qole's easy debian, the insertion of kernel modules
As I said several times on IRC, kernel module injection is a fundamental principle in many security models out there. I can explain the reasons later if you do not understand that. What SELinux does in that sense is a bit different from what is designed in other models; SELinux and mainline thinking about it in general is a bit different, and more tolerant (which might not be the best for an industrial product, where you would like to make the safest platform ever).

Quote:
or running random binaries without having to care about packaging them previously, a thing developers usually like to do.
As I said several times on IRC, it might be a not properly tested regression as well. I think if there is such a situation, you do not need to think the worst about the platform developers, ever, as a starting point. As I said, I started asking the relevant people about it internally. However, I think it is again something that will come down to the general POSIX capability set from mainline not being fine-grained enough. That would need investigation in aegis-enabler either way.

Quote:
I wanted to check what happened to develsh because I published one method of disabling Aegis "using" the privileges granted by develsh. Despite what many people thought, this does not "crack" Aegis, but rather uses privileges that were granted to us. I avoided using the word "hole" while describing the method because I thought it was not a security hole: rather, this had to be an allowed, premeditated thing. A kind of "yes, Aegis is there for the average user, but you install develsh and you still have the hackable device you've come to love from earlier incarnations".

Oh, how wrong I was!
As I said several times on IRC, develsh is supposed to help development for OVI, not for everything. What you could use from OVI, you can do from develsh. develsh properly represents /all/ the OVI needs. You can even use the developer tools (valgrind, gdb, strace, ptrace and others) with those credentials.

Quote:
Nokia has now greatly reduced the amount of privileges granted to develsh in beta2. To the point that you now CANNOT even issue a dead simple dmesg command to _read_ the kernel log.
As I said several times on IRC, but for bookkeeping:
According to my testing, dmesg worked previously because of the DAC_OVERRIDE credential. My understanding is the following: that credential is a very powerful one, and it can be abused in many different ways. Since you can read syslog, and that does read dmesg, it is not really a big loss (yes, I know there is no 1:1 equivalent for dmesg -n X), but I am afraid that is how upstream worked. Feel free to prove me wrong, and point me to a simple credential that we can pass into OVI and develsh so that dmesg still works (given that we will not have that very powerful credential anymore). If that is not the case, I would say that is what we got from upstream, and we had no real manpower to confine it down. It needs investigation either way before saying anything about it.

Reading syslog instead of dmesg and avoiding a huge security hole is more than welcome in my opinion.

Quote:
Because I am going to play for another turn in this cat and mouse game. I've found yet another "security hole" -- this time, I'm slightly more confident to use the "hole" word, which is _really_ sad -- in Aegis, and thus, I'm again running the device the way I intended, loading kernel modules and running arbitrary binaries. Which is also the way many other developers would like to run their devices.
As I said several times on IRC, see my first sentences. I told you a way on IRC several times, how you can do your own kernel. You can check the log. It was a very simple kernel modification, but that needs more thorough testing to make sure userspace is completely working. I have spent a couple of days with that, and it was not desperate in my experience.

Quote:
- I am NOT against Aegis per se. Aegis could eventually turn into a wonderful per-app permissions system that rivals Android's in features,
[snip]
As I said several times on IRC, we should post our IRC conversations on the forum more often for bookkeeping (or at least share them on some wiki pages).

Aegis actually provides more fine-grained opportunities for platform application developers than Android does, in fact. Android credential management is/was rather static, but nowadays they are changing their way towards the Aegis way in the dynamic sense.

What you are actually complaining about is the application policies, which are made by application developers. If they do not use what Aegis ships (more fine-grained than Android), it is not an Aegis issue.

Quote:
- _If_ the answer includes something that mentions "open mode", my next question will be: Where is the promised open mode? _No one_ has found it.
Now, as I am told, you _can_ run real MeeGo on the N9/50, and since that doesn't have Aegis, well, it's as good as open mode. But you _lose_ Harmattan in the process. We were told Open Mode would mean we'd lose a few things, some DRM'd apps, potentially Ovi Music, and god knows what. But I at least was SURELY not told I'd lose THE ENTIRE OPERATING SYSTEM AND THAT I'D HAVE TO INSTALL MY OWN IF I WANTED TO GO OPEN MODE!
As I said several times on IRC (see my previous sentences here and on IRC), you have been told several times how to modify the validator.

Quote:
- I still don't know exactly what the point of Aegis on the N9/N950 is. It is clearly not finished. The level of granularity that has been reached with the current set of tokens is nowhere near being ideal for a per-app permissions system (an app could silently turn on the microphone on the device, record _everything_, and send it all via the Internet to a random host in North Korea, all without needing a SINGLE Aegis token!).
As I said several times on IRC, same answer as about the Android/Aegis fine granularity. Aegis ships a much more flexible system (I have even heard that from relevant Android developers).

Quote:
So, why are you _pissing off_ developers by not allowing at least ONE clear, official, approved way to disable Aegis _without_ losing the operating system?
As I said several times on IRC, Harmattan is Harmattan. It contains Aegis. If you do not want the platform, you can flash any custom kernel, which Nokia does not guarantee for any users. It is not Harmattan specific; it happens on other mobile platforms too: if you (can) disable it, you are going to lose the warranty.

PS: I am sorry for starting every answer with "As I said several times on IRC", but I think it is unfair not to share those answers with the public, just the questions...

Last edited by djszapi; 09-21-2011 at 07:18 AM.

#5
09-21-2011, 10:31 AM
javispedro
Senior Member
Join Date: Feb 2010
Posts: 264
Thanked: 839 times
Re: Nokia and Aegis

Quote: Originally Posted by djszapi
As I said several times on IRC, kernel module injection is a fundamental principle in many security models out there.
Obviously. But EXACTLY whom are you trying to prevent from loading modules? Me? Are you trying to prevent _me_ from loading modules? What's so bad about giving out sys_module to develsh again? Who's going to die? Whose device is going to break?

Quote: Originally Posted by djszapi
As I said several times on IRC, it might be a not properly tested regression as well.
The problem is that for --relaxed-exec, you need, for obvious reasons, the tcb token. Which would bring us back to day 1.

Quote: Originally Posted by djszapi
As I said several times on IRC, develsh is supposed to help development for OVI, not for everything. What you could use from OVI, you can do from develsh. develsh properly represents /all/ the OVI needs. You can even use the developer tools (valgrind, gdb, strace, ptrace and others) with those credentials.
You cannot strace a system process, dbus-monitor whatever you'd want to, or _replace_ a system library to debug one of the many bugs in for example Qt itself. Stuff that we used to do and that I _at least_ still expect to be able to do on this platform!


Quote: Originally Posted by djszapi
As I said several times on IRC, but for bookkeeping:
According to my testing, dmesg worked previously because of the DAC_OVERRIDE credential. My understanding is the following: that credential is a very powerful one, and it can be abused in many different ways.
Again, WHAT'S THE PROBLEM? Whose device is going to break?

Quote: Originally Posted by djszapi
As I said several times on IRC, see my first sentences. I told you a way on IRC several times, how you can do your own kernel. You can check the log. It was a very simple kernel modification, but that needs more thorough testing to make sure userspace is completely working.
I am _yet_ to be able to boot any other kernel than the stock one. Even with the same config.
They tell me there's a bug in beta1 that prevents this, and I cannot test on beta2 because we are missing the kernel source, but, after the reduced develsh fiasco, I am starting to doubt it will ever work.

Plus, that's not the definition of open mode. If that ever succeeds, what you'll boot into is more like security hole mode. Aegis will still believe it's in normal mode, and MALF if you change any of the "magic list" of system files.

As seen in the Aegis source, open mode can only be truly entered with either
A) a rootfs that does not call validator-ini (aka MeeGo CE), or
B) the R&D certificate.

And we're not going to get B for reasons unknown.

Quote: Originally Posted by djszapi
Aegis actually provides more fine-grained opportunities for platform application developers than Android does, in fact. Android credential management is/was rather static, but nowadays they are changing their way towards the Aegis way in the dynamic sense.

What you are actually complaining about is the application policies, which are made by application developers. If they do not use what Aegis ships (more fine-grained than Android), it is not an Aegis issue.
As said on IRC _and in this very post_, I don't have anything against Aegis itself but rather its incomplete implementation on Harmattan, where the user doesn't have control of it AND the set of tokens is clearly INADEQUATE.

_EVEN_ in Android the user is more in control of the security system than on this half-assed implementation. Remember the "This application wants to do -Audio Recording -Network access" dialogs that you _CAN_ get on Android but _NOT_ on Harmattan?

So don't come saying to me that the Android one is better. Aegis could be made better, but it currently is surely worse. As it stands now, _I STILL DON'T KNOW WHAT IT PROTECTS ANYONE FROM_. The policy has so many holes it is virtually useless for any real security and the only thing it does is to annoy developers.

Quote: Originally Posted by djszapi
As I said several times on IRC, Harmattan is Harmattan. It contains Aegis. If you do not want the platform, you can flash any custom kernel, which Nokia does not guarantee for any users. It is not Harmattan specific; it happens on other mobile platforms too: if you (can) disable it, you are going to lose the warranty.
Well, I'm going to say that I need an answer from somebody else. Your opinion here has been heard so many times. It's just so completely different from previous devices that, to put it plainly, I don't believe it. Nothing against you. I'm maybe being naive. I just want to hear it from someone else.

Because if it were true, if Nokia is now really against hacking, then it's true that the last Maemo device was the N900.

But I really hope that's not the case.

Last edited by javispedro; 09-21-2011 at 03:19 PM.

#6
09-21-2011, 11:42 AM
mja
Senior Member
Join Date: May 2010
Location: UK, Manchester
Posts: 319
Thanked: 177 times
Re: Nokia and Aegis

Let's all take a deep breath..

#7
09-21-2011, 12:35 PM
wicket
Junior Member
Join Date: Feb 2011
Posts: 25
Thanked: 87 times
Re: Nokia and Aegis

I'd like to echo everything Javi has said. Nokia has been very quiet about Aegis and the difficulties it poses to developers. For example, I still haven't seen any official documentation on --relaxed-exec.

Quote: Originally Posted by javispedro
But, if this new "Aegis hole" is fixed, I am not playing any more turns. That's it for me at least. What I do afterwards, I don't know, but it surely doesn't include the word Harmattan.
It's pretty clear that at this moment in time Javi is the most significant community contributor to Harmattan. He has obviously spent a lot of his own time pushing the hardware to its limits, contributing stuff to help/enable developers, fixing the platform's shortcomings, etc. To be quite honest, many of his contributions should probably have been implemented by Nokia themselves. It would be a huge blow to the community to lose him.

Nokia, please start giving some answers or watch this platform die as your small developer base rapidly disappears.

Last edited by wicket; 09-21-2011 at 01:06 PM.

#8
09-21-2011, 03:29 PM
javispedro
Senior Member
Join Date: Feb 2010
Posts: 264
Thanked: 839 times
Re: Nokia and Aegis

Quote: Originally Posted by wicket
It's pretty clear that at this moment in time Javi is the most significant community contributor to Harmattan.
Well, it's quite an honor to hear that, but I have to disagree. There are far more significant contributors around. But most are, in one way or another, bitten in some way by Aegis.

To the point that I've heard someone complain that we _swear_ too much when talking about Aegis in #harmattan. That's how bad the situation is.

#9
09-21-2011, 04:12 PM
almehdi
Senior Member
Join Date: Apr 2010
Posts: 188
Thanked: 120 times
Re: Nokia and Aegis

Aegis has deprecated a lot of stuff... not just dmesg, which is bad. Sure, syslog can be used instead, but it is a lot more bloated. How am I supposed to do a simple find? Aegis has made it a complete nightmare to do stuff. Is this the plan? Is Elop behind this move?

I have been living Maemo/MeeGo ever since I got my hands on my first N900... this is killing me. It scares the **** out of me if javis, MAG, qole or any other of the crucial contributors leave us.

Last edited by almehdi; 09-21-2011 at 04:18 PM.

#10
09-21-2011, 04:25 PM
djszapi
Member
Join Date: Sep 2010
Posts: 30
Thanked: 76 times
Re: Nokia and Aegis

Quote: Originally Posted by javispedro
Obviously. But EXACTLY whom are you trying to prevent from loading modules? Me? Are you trying to prevent _me_ from loading modules? What's so bad about giving out sys_module to develsh again? Who's going to die? Whose device is going to break?
It can hurt anybody where develsh is somehow run. Then again, you got everything you need for developing an application for the OVI store.

Quote:
The problem is that for --relaxed-exec, you need, for obvious reasons, the tcb token. Which would bring us back to day 1.
It does not require the "tcb" token; dac_override is more than enough.

Quote:
You cannot strace a system process, dbus-monitor whatever you'd want to, or _replace_ a system library to debug one of the many bugs in for example Qt itself. Stuff that we used to do and that I _at least_ still expect to be able to do on this platform!

Again, WHAT'S THE PROBLEM? Whose device is going to break?
Then again, if you want to change the platform, use a custom kernel.

Quote:
I am _yet_ to be able to boot any other kernel than the stock one. Even with the same config.
They tell me there's a bug in beta1 that prevents this, and I cannot test on beta2 because we are missing the kernel source, but, after the reduced develsh fiasco, I am starting to doubt it will ever work.
Beta1 is called that way for a reason; it can contain bugs. It is quite normal in product management. A custom kernel has nothing to do with develsh in that close sense.

Quote:
Plus, that's not the definition of open mode. If that ever succeeds, what you'll boot into is more like security hole mode. Aegis will still believe it's in normal mode, and MALF if you change any of the "magic list" of system files.
Open mode is open mode; you can do whatever you would like to do in open mode. Either just make small modifications, or modify userspace components. You can even replace the whole system with a completely different kernel, like MeeGo CE.

Quote:
As seen in the Aegis source, open mode can only be truly entered with either
A) a rootfs that does not call validator-ini (aka MeeGo CE), or
B) the R&D certificate.

And we're not going to get B for reasons unknown.
R&D is only for platform development, but I think you know that well; we cannot talk about that too much under NDA. I am not even sure what you would call a "truly open mode". If it means without any Aegis, then I am afraid that claim is not true for R&D, but we cannot talk about that too much.

Quote:
As said on IRC _and in this very post_, I don't have anything against Aegis itself but rather its incomplete implementation on Harmattan, where the user doesn't have control of it AND the set of tokens is clearly INADEQUATE.

_EVEN_ in Android the user is more in control of the security system than on this half-assed implementation. Remember the "This application wants to do -Audio Recording -Network access" dialogs that you _CAN_ get on Android but _NOT_ on Harmattan?
I would appreciate it if you read what was written several times. Aegis is not just half implemented, but better than for "Android users". Again, it is application policy. It is not Aegis itself. It is like not using valgrind (or basically anything) properly and then blaming the valgrind (or basically anything) tool as such.

Quote:
So don't come saying to me that the Android one is better. Aegis could be made better, but it currently is surely worse. As it stands now, _I STILL DON'T KNOW WHAT IT PROTECTS ANYONE FROM_.

The policy has so many holes it is virtually useless for any real security and the only thing it does is to annoy developers.
I can make a package for the N900. I guess you would not like to install that. It cannot be abused on the N950/N9 with Aegis, and I can enumerate a lot of attack surfaces on other platforms, like Maemo 5, if you cannot really imagine it yourself.

Quote:
Well, I'm going to say that I need an answer from somebody else. Your opinion here has been heard so many times. It's just so completely different from previous devices that, to put it plainly, I don't believe it. Nothing against you. I'm maybe being naive. I just want to hear it from someone else.

Because if it were true, if Nokia is now really against hacking, then it's true that the last Maemo device was the N900.

But I really hope that's not the case.
Once, there were ideas about a developer signing opportunity where the credentials could be set separately, as happens for the OVI store. I am not sure whether I am allowed to talk about the circumstances of those ideas, implementations, design and outcome. Hence I am skipping the explanation of that for now.

You can send your device back if you do not enjoy the hardware and/or software. There is no obligation for you to ship an application if you do not have the time and sake to do it anymore. I know many people out there waiting for this device. At least when I showed it to them, they were happy, and I mentioned the general complaints.

Do not take offense, please, but it might be that it is the platform you do not enjoy, and it would be better to give it to those people who would die for one in its current state.

Last edited by djszapi; 09-21-2011 at 05:04 PM.
