What is the metabase?

Why do you care?

This might be interesting to you if

- you've ever wondered why people change security policy 4119

- you've ever developed a CeRapiInvoke DLL

- you've ever wondered why DMProcessConfigXML behaves differently for an untrusted process vs. a trusted process

- you're curious about the deep inner workings of Windows Mobile security

 

What is the metabase?

The metabase is a big role-based access control database that lives in mxip_system.vol and mxip_lang.vol. The underlying operating system (Windows CE) doesn't use the metabase, but all XML that is processed by the Configuration Manager is checked against the metabase during processing. There are also a few other places in the system where the metabase is used - most RAPI calls check their arguments against the metabase, and the file explorer on the device also checks most write operations against the metabase before allowing them to proceed. The metabase can be managed and queried via a CSP, like most things on the device.

What is it for?

The metabase handles all security access checks for any XML that goes through the Configuration Manager. It also contains some of the strings and localization info for the control panels on Smartphone.

 

Security Roles

Here are the most common security roles. The full list is here.

SECROLE_MANAGER (8) - Manager is the Windows Mobile equivalent of root or administrator. Manager can read and write any setting on the device. Manager role is held by different entities for different devices - it might be the end user, the mobile operator, or a corporate IT department.

SECROLE_USERAUTH (16) - This is the end user after they have entered a PIN/password to get into the device (hence "User Authenticated"). When RAPI is running in restricted mode (the default), all RAPI commands use this role. That is why you can't necessarily modify system files over RAPI. The permissions granted to this role are very similar to the set of permissions that an untrusted application has. This role can't modify system files or write to the protected registry keys.

SECROLE_USER_UNAUTH (64) - This is a very low-privilege role, primarily used to install unsigned themes and homescreens. This role only has permissions to write to the files necessary for a theme.

SECROLE_CARRIER_TPS (128) - This role is assigned to the mobile operator's trusted provisioning server. On a typical Smartphone device, this role is used when the mobile operator sends provisioning commands to the device over the air.

How does the metabase affect you?

The Grant Manager policy can change the behavior of a role. If the Grant Manager policy contains SECROLE_USERAUTH, for instance, then the User Auth role is effectively manager of the device. This means that all RAPI calls in Restricted mode would succeed (since they will be processed as Manager). This is what is happening when someone recommends "Change policy 4119 to 16".

The DMProcessConfigXML API changes its behavior depending on the trust level of the caller. For a "Normal" application, the XML will be processed under SECROLE_USERAUTH. For a Trusted application, the XML is processed with SECROLE_MANAGER. If the Grant Manager policy contains SECROLE_USERAUTH, then a DMProcessConfigXML from a "Normal" application can change any setting on the device.

When a signed CAB is installed, the role for the install XML is assigned by the Role on the associated certificate in the SPC store. For the M2M Unprivileged certs, this role is SECROLE_USERAUTH. For the M2M Privileged certs, the role is SECROLE_MANAGER.

In RAPI Restricted mode (the default), all RAPI calls are checked using SECROLE_USERAUTH. To use a RapiInvoke DLL, you will need to add a metabase entry for the DLL at install time.
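The effect of the Grant Manager policy on each entry point described above can be modeled in a few lines. This is an added example, not code from the original post or from the Windows Mobile SDK: the `ROLE_*` names, the channel table and the sample policy values are constructed here from the role values and behaviors listed in this post.

```c
#include <stdio.h>

/* Role bit values as listed in the post (a model, not the SDK header). */
enum { ROLE_MANAGER = 8, ROLE_USERAUTH = 16, ROLE_USER_UNAUTH = 64, ROLE_CARRIER_TPS = 128 };

/* Entry points described in the post and the role each is processed under. */
static const struct { const char *name; unsigned role; } CHANNELS[] = {
    { "RAPI call, restricted mode",              ROLE_USERAUTH },
    { "DMProcessConfigXML, normal application",  ROLE_USERAUTH },
    { "DMProcessConfigXML, trusted application", ROLE_MANAGER },
    { "Signed CAB, M2M unprivileged cert",       ROLE_USERAUTH },
    { "Signed CAB, M2M privileged cert",         ROLE_MANAGER },
    { "OTA provisioning from operator TPS",      ROLE_CARRIER_TPS },
};
#define N_CHANNELS (sizeof CHANNELS / sizeof CHANNELS[0])

/* A role present in the Grant Manager mask (policy 4119) is treated as Manager. */
unsigned effective_role(unsigned assigned, unsigned grant_manager)
{
    return (assigned & grant_manager) ? ROLE_MANAGER : assigned;
}

/* Count (and optionally print) channels that are not Manager by assignment
 * but are evaluated as Manager under the given policy 4119 value. */
int escalated_channels(unsigned grant_manager, int verbose)
{
    int n = 0;
    for (size_t i = 0; i < N_CHANNELS; i++) {
        unsigned a = CHANNELS[i].role;
        if (a != ROLE_MANAGER && effective_role(a, grant_manager) == ROLE_MANAGER) {
            n++;
            if (verbose)
                printf("  manager-equivalent: %s\n", CHANNELS[i].name);
        }
    }
    return n;
}

int main(void)
{
    const unsigned values[] = { 8, 16, 144 };  /* constructed sample policy values */
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        printf("policy 4119 = %u\n", values[i]);
        printf("  %d channel(s) escalated\n", escalated_channels(values[i], 1));
    }
    return 0;
}
```

With the policy set to 16, every path that normally runs as SECROLE_USERAUTH (restricted RAPI, normal applications, unprivileged signed CABs) is evaluated as Manager, which is the exposure to weigh before applying that change to a device.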

Comments

  • Anonymous
    October 31, 2006
    Scott, Does the Status and Notification Broker work with the MetaBase? i.e. Can I get notified if a particular node in the Metabase has changed? Thanks!

  • Anonymous
    October 31, 2006
    Good question. I don't know of any way to do that at the moment. Why do you want to listen for a metabase change?

  • Anonymous
    November 16, 2006
    Hi Scott, Function DMProcessConfigXML() gives access to the Configuration Manager. Is there any API to invoke Configuration Manager2?? My issue is that DMProcessConfigXML() accepts WAP-XML and when trying to use any of the new CSP's, the corresponding OMA XML fails. I couldn't find any exposed API to make use of these CSPs locally from the device. THX GG

  • Anonymous
    December 18, 2006
    Nope, there's no API to access ConfigManager2.

  • Anonymous
    September 27, 2007
    Dear Scott, I have a problem while trying to create a key and registry values in the key through OMA OTA. The following is the OMA OTA XML file:

        <wap-provisioningdoc>
          <characteristic type="Registry">
            <characteristic type="HKLMSoftwareMMSProfiles">
              <parm name="Profile" value="MMS" datatype="string"/>
            </characteristic>
          </characteristic>
        </wap-provisioningdoc>

    After receiving the OTA, the creation operation failed. Should I change the metabase setting of the registry key "HKLMSoftwareOEMMMSProfiles"? If yes, could you please tell me how to modify the metabase so that I can create the registry through OTA? Thank you.

  • Anonymous
    October 22, 2007
    Hi Chris, As far as I know, it's not possible to add your own arbitrary nodes to the tree. Some of the CSPs support that inside their own tree but you wouldn't be able to just add them anywhere.

  • Anonymous
    October 31, 2007
    Can we add/edit entries in the metabase (mxip_lang.vol, mxip_system.vol)? Any suggested tools?

  • Anonymous
    November 01, 2007
    At runtime, you can use the Metabase CSP and DMProcessConfigXML to query and modify the metabase rules. It's documented in MSDN and requires manager role to access.