Security/Reviews/FxOSGecko/Template: Difference between revisions

From MozillaWiki
No edit summary
Line 1: Line 1:
== Overview ==
== WORK IN PROGRESS ==
 
 
=== FirefoxOS Review Details ===
=== FirefoxOS Review Details ===
* API: XXXXX API
* API: Bluetooth API - Version 2
* Review Date: October 2013
* Review Date: September 2014
* Review Lead: L.E. Taccor
* Review Lead: Paul Theriault


=== Context ===
=== Context ===
* Why are we doing a review
Work is currently underway to implement a new version of the Gecko Bluetooth API. The key changes are:
* Has it been reviewed before
* new API, using webidl
* Any special risks or concerns
* Bluetooth will be exposed to privileged apps
* new bluetooth profiles supported


=== Scope ===
=== Scope ===
* What parts of Gaia, Gecko and or Gonk are we looking.
This review focuses specifically on the new API itself. Review of the Gaia bluetooth app
Configuration of Wifi via the settings (and other Apps)


The following system components were reviewed:
*Gaia
Configuration of Wifi via the settings (and other Apps)
*Gaia
**Foo app
**Web Activities provided by Bar app
* Gecko
* Gecko
** mozXXX interface
** The new interfaces: https://wiki.mozilla.org/B2G/Bluetooth/WebBluetooth-v2#Interfaces
** Gecko Permissions
** Bluetooth permission enforcement (which functions are available to which app types)
** Messaging ( messages, system messages)
** Messaging (child/parent)  
** Interface to XYZ service on IPC socket (JSON-based communication protocol)
*Gonk
** XYZ Service


The following items were deemed lower risk and not reviewed:
The following items were deemed lower risk and not reviewed:
* Communication between XYZ and hardware
* etc etc


===Components===
===Components===
See [[Security/Reviews/B2G/WebNFC#Components| Web NFC review]] for example


===Relevant Source Code===
===Relevant Source Code===
The code for the new API is stored in the /dom/bluetooth2 directory of gecko source code:
http://dxr.mozilla.org/mozilla-central/source/dom/bluetooth2


===Permission Model===
===Permission Model===
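Review bot: In Scope, the added sentence stops at "Review of the Gaia bluetooth app" without saying whether that app is in or out of scope, and the template line "Configuration of Wifi via the settings (and other Apps)" is still present right after it even though this review covers the Bluetooth API. Finish the sentence and drop the Wifi line. Likewise, "The following items were deemed lower risk and not reviewed:" loses its template bullets in this revision and gets no replacements; list the excluded items or remove the line until they are known.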

Revision as of 02:19, 26 September 2014

WORK IN PROGRESS

FirefoxOS Review Details

  • API: Bluetooth API - Version 2
  • Review Date: September 2014
  • Review Lead: Paul Theriault

Context

Work is currently underway to implement a new version of the Gecko Bluetooth API. The key changes are:

  • new API, using webidl
  • Bluetooth will be exposed to privileged apps
  • new bluetooth profiles supported

Scope

This review focuses specifically on the new API itself. Review of the Gaia bluetooth app Configuration of Wifi via the settings (and other Apps)

The following items were deemed lower risk and not reviewed:

Components

Relevant Source Code

The code for the new API is stored in the /dom/bluetooth2 directory of gecko source code: http://dxr.mozilla.org/mozilla-central/source/dom/bluetooth2

Permission Model

  • Paste from PermissionsTable.jsm (see below)
  • Discuss anything special like access
  • Discuss where permissions are enforced (access to object, on IPC messages, at each function call etc)
 "wifi-manage": {
   app: DENY_ACTION,
   privileged: DENY_ACTION,
   certified: ALLOW_ACTION
 },

Review Notes

1. Content/Chrome Segregation

2. Process Segregation

3. Data validation & Sanitization

4. Denial of Service

Security Risks & Mitigating Controls

Actions & Recommendations

  • List of recommendations, and corresponding bug numbers
  • For sensitive bugs, just put the bug number (or omit it entirely if it is really dangerous & obvious)