smack-policy-generator skill

This skill generates SMACK policy files from app requirements to enforce process isolation and resource access in Tizen ecosystems.

npx playbooks add skill plurigrid/asi --skill smack-policy-generator

SKILL.md
---
name: smack-policy-generator
description: Generates SMACK policy files from app requirements. Creates mandatory access control rules for process isolation and resource access.
category: tizen-development
author: Tizen Community
source: tizen/development
license: Apache-2.0
trit: 1
trit_label: PLUS
verified: true
featured: false
---

# Smack Policy Generator Skill

**Trit**: 1 (PLUS)
**Category**: tizen-development
**Author**: Tizen Community
**Source**: tizen/development
**License**: Apache-2.0

## Description

Generates SMACK policy files from app requirements. Creates mandatory access control rules for process isolation and resource access.

## When to Use

This is a Tizen security/IoT skill. Use when:
- Developing Tizen applications (web, native, .NET)
- Auditing Tizen app security
- Provisioning TizenRT/ARTIK IoT devices
- Implementing Tizen compliance
- Analyzing SMACK policies or Cynara access control

## Tizen Security Model

### SMACK (Simplified Mandatory Access Control Kernel)
- Linux kernel 3.12+ mandatory access control
- Process isolation via labels
- Prevent inter-app resource access

### Cynara
- Fast privilege access control service
- Policy-based permission checking
- External agent integration

### KeyManager
- Central secure storage repository
- Password-protected data access
- Certificate and key management

### Tizen Manifest
- Privilege declarations (public, partner, platform)
- App sandboxing configuration
- Resource access specifications

## Related Skills

- manifest-privilege-validator
- smack-policy-auditor
- tizen-cve-scanner
- sandbox-escape-detector
- cynara-policy-checker
- iot-device-provisioning

## References

- Tizen Official Docs: https://docs.tizen.org/
- Samsung Security Manager: https://github.com/Samsung/security-manager
- Samsung Cynara: https://github.com/Samsung/cynara
- TizenRT: https://github.com/Samsung/TizenRT


## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 10. Adventure Game Example

**Concepts**: autonomous agent, game, synthesis

### GF(3) Balanced Triad

```
smack-policy-generator (−) + SDF.Ch10 (+) + [balancer] (○) = 0
```

**Skill Trit**: -1 (MINUS - verification)

### Secondary Chapters

- Ch6: Layering

### Connection Pattern

Adventure games synthesize techniques. This skill integrates multiple patterns.

Overview

This skill generates SMACK policy files from application requirements to enforce mandatory access control for process isolation and resource access. It produces label assignments and allow/deny rules tailored to Tizen and embedded Linux environments. Use it to automate policy creation, reduce manual errors, and speed secure app deployment.

How this skill works

The generator parses app manifests and declared privileges, maps resources and processes to SMACK labels, and emits policy lines that define label assignment and access rules. It can incorporate Cynara-style permission intent and integrate key storage constraints to cover inter-process and file access. Output is a ready-to-deploy SMACK policy file and a short report of assumed mappings and unresolved items.
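A minimal sketch of that pipeline follows. It is an added example, not the skill's own code. It assumes a constructed `App::{pkgid}` label template, constructed object labels and a constructed privilege table, and emits rules in the kernel's `subject object access` form together with the list of unresolved privileges.

```python
# Added example: label template, object labels and privilege table are constructed.
FORBIDDEN = set("/\\'\"")   # characters Smack does not allow inside a label
ACCESS_ORDER = "rwxatl"     # read, write, execute, append, transmute, lock

# Constructed privilege -> (object label, access) table; a real generator
# would load this from the device's own policy templates.
PRIVILEGE_MAP = {
    "http://tizen.org/privilege/camera": ("Dev::Camera", "rw"),
    "http://tizen.org/privilege/mediastorage": ("Data::Media", "r"),
    "http://tizen.org/privilege/content.write": ("Data::Media", "wa"),
}

def valid_label(label):
    """Smack label check: printable ASCII, no whitespace, no leading '-'."""
    return (0 < len(label) <= 255 and not label.startswith("-")
            and all(33 <= ord(c) <= 126 and c not in FORBIDDEN for c in label))

def generate(req, template="App::{pkgid}"):
    """Return (rule_lines, unresolved_privileges) for one app."""
    subject = template.format(pkgid=req["pkgid"])
    if not valid_label(subject):
        raise ValueError(f"invalid Smack label: {subject!r}")
    grants, unresolved = {}, []
    for priv in req["privileges"]:
        if priv not in PRIVILEGE_MAP:
            unresolved.append(priv)      # reported, never silently granted
            continue
        obj, access = PRIVILEGE_MAP[priv]
        grants.setdefault(obj, set()).update(access)   # merge per object
    # No rule is emitted for the app's own label: Smack always permits
    # access between a subject and an object carrying the same label.
    rules = []
    for obj in sorted(grants):
        access = "".join(c for c in ACCESS_ORDER if c in grants[obj])
        rules.append(f"{subject} {obj} {access}")
    return rules, unresolved

SAMPLE = {  # constructed app requirements
    "pkgid": "org.example.cam",
    "privileges": ["http://tizen.org/privilege/camera",
                   "http://tizen.org/privilege/mediastorage",
                   "http://tizen.org/privilege/content.write",
                   "http://tizen.org/privilege/internet"],
}

if __name__ == "__main__":
    rules, unresolved = generate(SAMPLE)
    print("\n".join(rules))
    print("unresolved:", unresolved)
```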

When to use it

  • Creating or packaging Tizen applications that require sandboxing
  • Provisioning IoT devices with mandatory access control (TizenRT/ARTIK)
  • Auditing or hardening app access surfaces during security reviews
  • Automating security policy generation in CI/CD pipelines
  • Translating manifest privileges into kernel-level enforcement rules

Best practices

  • Start from a complete manifest: include all declared privileges and required resources
  • Use least-privilege labels: assign narrow labels per service/component
  • Review generated allow rules before deployment to avoid overbroad grants
  • Combine with Cynara checks and key management policies for full-stack enforcement
  • Version-control generated policies and track mapping changes across builds
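
One way to automate the review step from the list above, as an added example that is not part of the skill: a pre-deployment check that reads generated rule lines and flags grants a reviewer should question. The `App::` prefix for per-app labels and the sample policy are constructed.

```python
import re

APP_PREFIX = "App::"   # constructed convention marking per-app labels
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([rwxatlb-]+)$")  # subject object access

def review(policy_text):
    """Return [(line_number, finding)] for rules a reviewer should question."""
    findings = []
    for n, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, "malformed rule"))
            continue
        subj, obj, access = m.groups()
        if obj == "_" and set(access) & set("wa"):
            # Every subject may read and execute floor-labelled objects,
            # so a writer to "_" affects the whole system.
            findings.append((n, "write access to floor label"))
        if (subj != obj and subj.startswith(APP_PREFIX)
                and obj.startswith(APP_PREFIX)):
            # One app label reaching another breaks inter-app isolation.
            findings.append((n, "cross-app access"))
    return findings

SAMPLE_POLICY = """\
App::org.example.cam Dev::Camera rw
App::org.example.cam _ rwx
App::org.example.cam App::org.example.mail r
App::org.example.cam Data::Media
"""

if __name__ == "__main__":
    for lineno, finding in review(SAMPLE_POLICY):
        print(f"line {lineno}: {finding}")
```

Run as a CI gate, a non-empty result can fail the build until the rule is justified or removed.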

Example use cases

  • Generate a per-app SMACK policy from a Tizen manifest for store submission
  • Produce device-specific access policies when provisioning an ARTIK-based IoT gateway
  • Automate policy updates in CI when privileges change during development
  • Create audit-ready reports showing how privileges map to kernel-enforced rules
  • Rapidly prototype isolation rules for multi-process services in embedded systems

FAQ

Does this handle Cynara and keystore integration?

It maps declared privileges into SMACK label decisions and can annotate where Cynara permission checks or KeyManager constraints should be applied; full service integration requires complementary configuration.

Can I customize label naming or rule templates?

Yes. Templates and label naming conventions are configurable so generated policies match your device or distribution standards.