Raindrop

From PlugWiki


"Raindrop" is an API to use standard Linux or BSD capabilities as a means to track and isolate programs that can be added to the Plug Computer after distribution.


Software Modules for the Masses (Windows and Linux Developers)

The Plug Computer is designed as a cost-effective hardware development platform for everybody! The relatively high-performance ARM SoC by Marvell, Inc. is affordable for everyone. To that end, we needed methods that give any software developer from any platform the ability to add software to the Plug Computer. One does not need to be a Linux or FreeBSD expert.

What Raindrop is Not!

Why Include a Software Distribution Method with Raindrop?

Although Raindrop does include a modified version of AppSnap [1], an alternate means of finding, downloading, tracking and installing 3rd party applications, Raindrop is not trying to replace the excellent software distribution methods in each Linux version. The Raindrop API should work with normal Linux distribution methods (e.g., RPM accompanied by Yum) or with OSGi for the Java community. The use of AppSnap is a demonstration of how to make mandatory access controls (MACs) inside Linux and FreeBSD more accessible to non-security experts, so that they can isolate installed software developed outside the core flash OS distributions (i.e., on a USB thumb drive perhaps).

SELinux on the SheevaPlug

The Raindrop framework requires some form of Mandatory Access Controls (MACs), and for the first prototypes, SELinux is used. To support JFFS2 and UBIFS, SELinux requires a custom kernel and some other utilities.

SELinux on UBIFS

The UBI file system (UBIFS) can be used on the Sheeva Plug platform. However, this requires a custom kernel and typically some changes to the core SELinux policy modules on any of the distributions.

The following changes are needed on the Ubuntu Jaunty distribution for armel:

  1. UBIFS extended attributes must be turned on
  2. The UBIFS must be recognized by the core policy filesystem.te file
  3. The SELinux support must allow u-boot

UBIFS Kernel Support with Extended Attributes

Patches to Most Distributions' Standard Policy

The use of SELinux on UBIFS has been discussed before on the NSA SELinux mailing list.

The core policy needs to recognize and support UBIFS, as discussed on the NSA SELinux mailing list. For Ubuntu Jaunty, there is a package available that supplies an updated version of selinux-policy-ubuntu.
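
One way to check the first two items in the list of required changes (UBIFS extended attributes in the kernel, and UBIFS recognized by filesystem.te) before enabling SELinux on a UBIFS root. This is an added example, not code from the Raindrop project; the kernel option name CONFIG_UBIFS_FS_XATTR, the fs_use_xattr rule form, the function names and the sample files are assumptions, and the u-boot item is not covered.

```shell
#!/bin/sh
# Added example: checks the first two UBIFS prerequisites from the list above.
# Assumed names (not from the page): CONFIG_UBIFS_FS_XATTR as the kernel option
# and an fs_use_xattr statement in filesystem.te as the policy change.

# Succeeds if the kernel config enables UBIFS with extended attributes.
check_kernel_xattr() {
    grep -Eq '^CONFIG_UBIFS_FS=(y|m)$' "$1" &&
        grep -q '^CONFIG_UBIFS_FS_XATTR=y$' "$1"
}

# Succeeds if filesystem.te has an uncommented xattr labeling rule for ubifs.
check_policy_ubifs() {
    grep -Eq '^[[:space:]]*fs_use_xattr[[:space:]]+ubifs[[:space:]]' "$1"
}

# Prints one line per prerequisite; exit status is the number missing (0-2).
check_ubifs_selinux() {
    missing=0
    if check_kernel_xattr "$1"; then echo "ok: UBIFS xattr support in kernel"
    else echo "MISSING: UBIFS xattr support in kernel"; missing=$((missing + 1)); fi
    if check_policy_ubifs "$2"; then echo "ok: ubifs known to filesystem.te"
    else echo "MISSING: ubifs rule in filesystem.te"; missing=$((missing + 1)); fi
    return "$missing"
}

# Constructed sample inputs, written to directory $1 (not from a real system).
write_samples() {
    printf '%s\n' 'CONFIG_UBIFS_FS=y' 'CONFIG_UBIFS_FS_XATTR=y' > "$1/config.good"
    printf '%s\n' 'CONFIG_UBIFS_FS=y' '# CONFIG_UBIFS_FS_XATTR is not set' > "$1/config.bad"
    printf '%s\n' 'fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);' \
        'fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);' > "$1/fs.good.te"
    printf '%s\n' 'fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);' \
        '# fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);' > "$1/fs.bad.te"
}

# Demo: a kernel without xattr support paired with a patched policy.
tmp=$(mktemp -d)
write_samples "$tmp"
check_ubifs_selinux "$tmp/config.bad" "$tmp/fs.good.te" || echo "prerequisites missing: $?"
rm -rf "$tmp"
```

On a real build, pass the kernel's .config as the first argument and the policy source's filesystem.te as the second.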

SELinux on JFFS2

Using SELinux for Raindrop

Raindrop does not require SELinux but rather makes the distribution of third-party software more robust since the additional software was probably unknown to the original product distributor.
