diff options
author | Sebastien Douheret <sebastien.douheret@iot.bzh> | 2017-06-19 16:52:06 +0200 |
---|---|---|
committer | Sebastien Douheret <sebastien.douheret@iot.bzh> | 2017-06-19 18:13:44 +0200 |
commit | d1b49a7d26bf344d9f00ae12144cbcc7d930b08b (patch) | |
tree | 58d5276d2b6097e535fe90f447f336b72c4c12e3 /docs/3-permissions.md | |
parent | a07557a06366d5c5ed6e62cd91beb48ae478de1a (diff) |
Re-order doc chapters
Change-Id: I44cf2054fa06816480e26fc19b45c6f8a464a708
Signed-off-by: Sebastien Douheret <sebastien.douheret@iot.bzh>
Diffstat (limited to 'docs/3-permissions.md')
-rw-r--r-- | docs/3-permissions.md | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/docs/3-permissions.md b/docs/3-permissions.md new file mode 100644 index 0000000..0c18180 --- /dev/null +++ b/docs/3-permissions.md @@ -0,0 +1,142 @@ +The permissions +=============== + + +Permission's names +------------------ + +The proposal here is to specify a naming scheme for permissions +that allows the system to be as stateless as possible. The current +specification includes in the naming of permissions either +the name of the bound binding when existing and the level of the +permission itself. Doing this, there is no real need for the +framework to keep installed permissions in a database. + +The permission names are [URN][URN] of the form: + + urn:AGL:permission:<api>:<level>:<hierarchical-name> + +where "AGL" is the NID (the namespace identifier) dedicated to +AGL (note: a RFC should be produced to standardize this name space). + +The permission names are made of NSS (the namespace specific string) +starting with "permission:" and followed by colon separated +fields. The 2 first fields are `<api>` and `<level>` and the remaining +fields are grouped to form the `<hierarchical-name>`. + + <api> ::= [ <pname> ] + + <pname> ::= 1*<pchars> + + <pchars> ::= <upper> | <lower> | <number> | <extra> + + <extra> ::= "-" | "." | "_" | "@" + +The field `<api>` can be made of any valid character for NSS except +the characters colon and star (:*). This field designates the api +providing the permission. This scheme is used to deduce binding requirements +from permission requirements. The field `<api>` can be the empty +string when the permission is defined by the AGL system itself. + +[PROPOSAL 1] The field `<api>` if starting with the character "@" represents +a transversal/cross permission not bound to any binding. + +[PROPOSAL 2]The field `<api>` if starting with the 2 characters "@@" +in addition to a permission not bound to any binding, represents a +permission that must be set at installation and that can not be +revoked later. + + <level> ::= 1*<lower> + +The field `<level>` is made only of letters in lower case. +The field `<level>` can only take some predefined values: + + - system + - platform + - partner + - tiers + - owner + - public + +The field `<hierarchical-name>` is made of `<pname>` separated +by colons. + + <hierarchical-name> ::= <pname> 0*(":" <pname>) + +The names at left are hierarchically grouping the +names at right. This hierarchical behaviour is intended to +be used to request permissions using hierarchical grouping. + + +Permission value +---------------- + +In some case, it could be worth to add a value to a permission. + +Currently, the framework allows it for permissions linked to +systemd. But this not currently used. + +Conversely, permissions linked to cynara can't carry data +except in their name. + +Thus to have a simple and cleaner model, it is better to forbid +attachement of value to permission. + + +Example of permissions +---------------------- + +Here is a list of some possible permissions. These +permissions are available the 17th of March 2017. + + - urn:AGL:permission::platform:no-oom + + Set OOMScoreAdjust=-500 to keep the out-of-memory + killer away. + + - urn:AGL:permission::partner:real-time + + Set IOSchedulingClass=realtime to give to the process + realtime scheduling. + + Conversely, not having this permission set RestrictRealtime=on + to forbid realtime features. + + - urn:AGL:permission::public:display + + Adds the group "display" to the list of supplementary groups + of the process. + + - urn:AGL:permission::public:syscall:clock + + Without this permission SystemCallFilter=~@clock is set to + forfid call to clock. + + - urn:AGL:permission::public:no-htdocs + + The http directory served is not "htdocs" but "." + + - urn:AGL:permission::public:applications:read + + Allows to read data of installed applications (and to + access icons). + + - urn:AGL:permission::partner:service:no-ws + + Forbids services to provide its API through websocket. + + - urn:AGL:permission::partner:service:no-dbus + + Forbids services to provide its API through D-Bus. + + - urn:AGL:permission::system:run-by-default + + Starts automatically the application. Example: home-screen. + + - http://tizen.org/privilege/internal/dbus + + Permission to use D-Bus. + + +[URN]: https://tools.ietf.org/rfc/rfc2141.txt "RFC 2141: URN Syntax" + |