What is the metabase?

Why do you care?

This might be interesting to you if

- you've ever wondered why people change security policy 4119

- you've ever developed a CeRapiInvoke DLL

- you've ever wondered why DMProcessConfigXML behaves differently for an untrusted process vs. a trusted process

- you're curious about the deep inner workings of Windows Mobile security


What is the metabase?

The metabase is a big role-based access control database that lives in mxip_system.vol and mxip_lang.vol. The underlying operating system (Windows CE) doesn't use the metabase, but all XML that is processed by the Configuration Manager is checked against the metabase during processing. There are also a few other places in the system where the metabase is used - most RAPI calls check their arguments against the metabase, and the file explorer on the device also checks most write operations against the metabase before allowing them to proceed. The metabase can be managed and queried via a CSP, like most things on the device.

What is it for?

The metabase handles all security access checks for any XML that goes through the Configuration Manager. It also contains some of the strings and localization info for the control panels on Smartphone.


Security Roles

Here are the most common security roles. The full list is here.

SECROLE_MANAGER (8) - Manager is the Windows Mobile equivalent of root or administrator. Manager can read and write any setting on the device. Manager role is held by different entities for different devices - it might be the end user, the mobile operator, or a corporate IT department.

SECROLE_USERAUTH (16) - This is the end user after they have entered a PIN/password to get into the device (hence "User Authenticated"). When RAPI is running in restricted mode (the default), all RAPI commands use this role. That is why you can't necessarily modify system files over RAPI. The permissions granted to this role are very similar to the set of permissions that an untrusted application has. This role can't modify system files or write to the protected registry keys.

SECROLE_USER_UNAUTH (64) - This is a very low-privilege role, primarily used to install unsigned themes and homescreens. This role only has permissions to write to the files necessary for a theme.

SECROLE_CARRIER_TPS (128) - This role is assigned to the mobile operator's trusted provisioning server. On a typical Smartphone device, this role is used when the mobile operator sends provisioning commands to the device over the air.

How does the metabase affect you?

The Grant Manager policy can change the behavior of a role. If the Grant Manager policy contains SECROLE_USERAUTH, for instance, then the User Auth role is effectively manager of the device. This means that all RAPI calls in Restricted mode would succeed (since they will be processed as Manager). This is what is happening when someone recommends "Change policy 4119 to 16".

The DMProcessConfigXML API changes its behavior depending on the trust level of the caller. For a "Normal" application, the XML will be processed under SECROLE_USERAUTH. For a Trusted application, the XML is processed with SECROLE_MANAGER. If the Grant Manager policy contains SECROLE_USERAUTH, then a DMProcessConfigXML from a "Normal" application can change any setting on the device.
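A small model of the check described in the last two paragraphs, added here as an illustration; it is not code from this post or from Windows Mobile. The role values are the ones listed above, while the metabase nodes, the caller-to-role table and the "effective roles" logic are simplifying assumptions, not the real implementation.

```python
# Models how the role an XML request runs under is widened by the Grant
# Manager policy (policy 4119), and why "set 4119 to 16" matters.
SECROLE_MANAGER = 8
SECROLE_USERAUTH = 16
SECROLE_USER_UNAUTH = 64
SECROLE_CARRIER_TPS = 128

# Constructed metabase fragment: node -> bitmask of roles allowed to write it.
METABASE = {
    "protected_registry_key": SECROLE_MANAGER | SECROLE_CARRIER_TPS,
    "theme_file": SECROLE_MANAGER | SECROLE_USERAUTH | SECROLE_USER_UNAUTH,
}

# Constructed table of which role each kind of caller is processed under,
# following the rules given in the text (restricted RAPI and "Normal" apps
# run as User Auth, Trusted apps as Manager, unsigned themes as User Unauth).
CALLER_ROLE = {
    "rapi_restricted": SECROLE_USERAUTH,
    "normal_app": SECROLE_USERAUTH,
    "trusted_app": SECROLE_MANAGER,
    "unsigned_theme": SECROLE_USER_UNAUTH,
    "operator_tps": SECROLE_CARRIER_TPS,
}


def effective_roles(roles: int, grant_manager_policy: int) -> int:
    """Assumed semantics: if any of the caller's roles is listed in the Grant
    Manager policy mask, the request is also processed as Manager."""
    if roles & grant_manager_policy:
        return roles | SECROLE_MANAGER
    return roles


def can_write(caller: str, node: str, grant_manager_policy: int = 0) -> bool:
    """Access check: does the caller's effective role mask overlap the node's ACL?"""
    roles = effective_roles(CALLER_ROLE[caller], grant_manager_policy)
    return bool(roles & METABASE[node])


def grant_manager_findings(grant_manager_policy: int) -> list:
    """Audit helper: low-privilege roles present in policy 4119 each become
    an effective Manager, so report them by name."""
    low_priv = [(SECROLE_USERAUTH, "SECROLE_USERAUTH"),
                (SECROLE_USER_UNAUTH, "SECROLE_USER_UNAUTH")]
    return [name for bit, name in low_priv if grant_manager_policy & bit]
```

With policy 4119 left at 0, restricted RAPI cannot touch the protected key; once the policy contains 16, the same call is processed as Manager and succeeds.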

When a signed CAB is installed, the role for the install XML is assigned by the Role on the associated certificate in the SPC store. For the M2M Unprivileged certs, this role is SECROLE_USERAUTH. For the M2M Privileged certs, the role is SECROLE_MANAGER.

In RAPI Restricted mode (the default), all RAPI calls are checked using SECROLE_USERAUTH. To use a RapiInvoke DLL, you will need to add a metabase entry for the DLL at install time.