aboutsummaryrefslogtreecommitdiffstats
path: root/docs/3-permissions.md
blob: 0c18180116bfa03f72c1509fceb9c0bb89911494 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
The permissions
===============


Permission's names
------------------

The proposal here is to specify a naming scheme for permissions
that allows the system to be as stateless as possible. The current
specification includes in the naming of permissions either
the name of the bound binding when existing and the level of the
permission itself. Doing this, there is no real need for the
framework to keep installed permissions in a database.

The permission names are [URN][URN] of the form:

	urn:AGL:permission:<api>:<level>:<hierarchical-name>

where "AGL" is the NID (the namespace identifier) dedicated to
AGL (note: a RFC should be produced to standardize this name space).

The permission names are made of NSS (the namespace specific string)
starting with "permission:" and followed by colon separated
fields. The 2 first fields are `<api>` and `<level>` and the remaining
fields are grouped to form the `<hierarchical-name>`.

	<api> ::= [ <pname> ]

	<pname> ::= 1*<pchars>

	<pchars> ::= <upper> | <lower> | <number> | <extra>

	<extra> ::= "-" | "." | "_" | "@"

The field `<api>` can be made of any valid character for NSS except
the characters colon and star (:*). This field designates the api
providing the permission. This scheme is used to deduce binding requirements
from permission requirements. The field `<api>` can be the empty
string when the permission is defined by the AGL system itself.

[PROPOSAL 1] The field `<api>` if starting with the character "@" represents
a transversal/cross permission not bound to any binding.

[PROPOSAL 2]The field `<api>` if starting with the 2 characters "@@"
in addition to a permission not bound to any binding, represents a
permission that must be set at installation and that can not be
revoked later.

	<level> ::= 1*<lower>

The field `<level>` is made only of letters in lower case.
The field `<level>` can only take some predefined values:

 - system
 - platform
 - partner
 - tiers
 - owner
 - public

The field `<hierarchical-name>` is made of `<pname>` separated
by colons.

	<hierarchical-name> ::= <pname> 0*(":" <pname>)

The names at left are hierarchically grouping the
names at right. This hierarchical behaviour is intended to
be used to request permissions using hierarchical grouping.


Permission value
----------------

In some case, it could be worth to add a value to a permission.

Currently, the framework allows it for permissions linked to
systemd. But this not currently used.

Conversely, permissions linked to cynara can't carry data
except in their name.

Thus to have a simple and cleaner model, it is better to forbid
attachement of value to permission.


Example of permissions
----------------------

Here is a list of some possible permissions. These
permissions are available the 17th of March 2017. 

 - urn:AGL:permission::platform:no-oom

   Set OOMScoreAdjust=-500 to keep the out-of-memory
   killer away.

 - urn:AGL:permission::partner:real-time

   Set IOSchedulingClass=realtime to give to the process
   realtime scheduling.

   Conversely, not having this permission set RestrictRealtime=on
   to forbid realtime features.

 - urn:AGL:permission::public:display

   Adds the group "display" to the list of supplementary groups
   of the process.

 - urn:AGL:permission::public:syscall:clock

   Without this permission SystemCallFilter=~@clock is set to
   forfid call to clock.

 - urn:AGL:permission::public:no-htdocs

   The http directory served is not "htdocs" but "."

 - urn:AGL:permission::public:applications:read

   Allows to read data of installed applications (and to
   access icons).

 - urn:AGL:permission::partner:service:no-ws

   Forbids services to provide its API through websocket.

 - urn:AGL:permission::partner:service:no-dbus

   Forbids services to provide its API through D-Bus.

 - urn:AGL:permission::system:run-by-default

   Starts automatically the application. Example: home-screen.

 - http://tizen.org/privilege/internal/dbus

   Permission to use D-Bus.


[URN]: https://tools.ietf.org/rfc/rfc2141.txt "RFC 2141: URN Syntax"