TD0445: User Modifiable File Definition
The SFR uses the term ‘user-modifiable files’, but it is not entirely clear in the Protection Profile what constitutes a ‘user-modifiable file’. Also, the assurance activity for Windows Desktop Applications states: ‘no data files in the application’s install directory’. The application note states: “Executables and user-modifiable files may not share the same parent directory, but may share directories above the parent.” It is unclear how this part of the assurance activity is applied with regard to the application note.
The Application Note for FPT_AEX_EXT.1.4 is modified as shown below, using underlines for added text:
The purpose of this requirement is to help ensure the integrity of application binaries by supporting file protection mechanisms such as directory-level file permissions and application allowlisting.
A user-modifiable file for purposes of this requirement is a file that is writable by an unprivileged user of the application--either directly through application execution or independently of the application. If the application runs in the context of the application user, then the application should not be able to write to the directory containing the application binaries--regardless of whether the files are configuration data, audit data, or temporary files.
Executables and user-modifiable files may not share the same parent directory, but may share directories above the parent.
Also, the Assurance Activity for Windows is modified as shown below (deletions marked by strikethroughs):
For Windows: For Windows Universal Applications the evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). For Windows Desktop Applications the evaluator shall run the program, mimicking normal usage, and note where all user-modifiable files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote user-modifiable files and no data files in the application’s install directory.
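As an added illustration of the Windows Desktop check above (example code, not part of the TD or the PP), the script below takes the paths an application wrote during a run that mimicked normal usage, plus a listing of its install directory, and reports every user-modifiable file that shares its parent directory with an executable. "ExampleApp" and all paths are constructed sample data.

```python
from pathlib import PureWindowsPath

# File types treated as application binaries for this check (PE images).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx"}

# Constructed sample data for a hypothetical "ExampleApp": files the
# application wrote while being exercised, and the install-directory listing.
WRITTEN_FILES = [
    r"C:\Users\alice\AppData\Local\ExampleApp\settings.ini",
    r"C:\Users\alice\AppData\Local\ExampleApp\logs\app.log",
    r"C:\Program Files\ExampleApp\cache\thumbs.db",  # shares only an ancestor with bin\: allowed
    r"C:\Program Files\ExampleApp\bin\recent.json",  # same parent as the binaries: violation
]
INSTALL_FILES = [
    r"C:\Program Files\ExampleApp\bin\ExampleApp.exe",
    r"C:\Program Files\ExampleApp\bin\helper.dll",
    r"C:\Program Files\ExampleApp\bin\license.txt",  # not written by the app, not a binary
]

def is_executable(path):
    return PureWindowsPath(path).suffix.lower() in EXECUTABLE_SUFFIXES

def find_violations(written, install_files):
    """Return (user_modifiable_file, executable) pairs sharing one parent directory.

    Executables are PE-suffixed files in the install tree plus any the
    application itself wrote (a written executable is user-modifiable too).
    Only the parent directory is compared, so sharing a directory above the
    parent is permitted. Paths are compared case-insensitively, as NTFS does.
    """
    exes_by_parent = {}
    for path in list(install_files) + list(written):
        if is_executable(path):
            parent = str(PureWindowsPath(path).parent).lower()
            bucket = exes_by_parent.setdefault(parent, [])
            if path not in bucket:
                bucket.append(path)
    violations = []
    for user_file in written:
        parent = str(PureWindowsPath(user_file).parent).lower()
        for exe in exes_by_parent.get(parent, []):
            if exe.lower() != user_file.lower():  # an executable is not paired with itself
                violations.append((user_file, exe))
    return violations

if __name__ == "__main__":
    for user_file, exe in find_violations(WRITTEN_FILES, INSTALL_FILES):
        print(f"FAIL: {user_file} shares a parent directory with {exe}")
```

The script only sees files the application actually wrote; a file that is writable by an unprivileged user independently of the application (the other half of the definition) would need a separate ACL check, which this example does not perform.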
See issue description.