= Other =

This section contains questions, sections and comments whose purpose has not been made clear, and open issues.

==== Kernel permissions manager ====

{lkcl.15mar12.2223hrs - it's not clear to me what this section refers to: a userspace application that interacts with the user to help them select the level of access that they wish to grant to a particular application, or to the actual kernel-side implementation that enforces the permissions, or a developer "assistance" suite of software which helps the developer to create the permission set that's to be associated with the application when it's installed}

* separate process that controls access to permissions
* responsible for
*# query permissions: true/false whether permission X is granted
*#* support for prompting the user in the event the permission isn't granted
*# add / remove permissions
*# audit permissions
*# support observers for permission change
* permissions requested are based on "uri signatures"
** to be determined what the signature is: domain, partial url, other?
* permissions representation
** type - usb, web, radio, etc.
** uri signature
** value
** source - user, manifest, system
** expiration type - never, time-based, session, other?
** expiration time
** allow message - for UI / prompting the user
** deny message
* app obtains permission by querying / asking the central process
* OS support required for properly constructing the signature; the app should not be able to influence this
** there needs to be a unique identifier that an app can't spoof
* permission requests can be cached
** cache needs to be invalidated on permission change
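As an added example (not code from this wiki page, from B2G or from Gecko), the following JavaScript models the manager sketched above: permission records with the listed fields, a true/false query, add/remove with observers and an audit log, and a query cache cleared on every permission change. All names are assumptions; the uri signature is taken to be the app origin, which the OS computes and the app never supplies.

```javascript
// Added example (not B2G/Gecko code): a model of the permissions manager sketched above.
// Assumption: the "uri signature" is the app origin, computed by the OS; the app never supplies it.
class PermissionsManager {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock so time-based expiry can be tested deterministically
    this.session = 1;         // current session counter for session-scoped grants
    this.perms = new Map();   // "type|uriSignature" -> permission record
    this.cache = new Map();   // query cache, cleared on every permission change
    this.observers = [];      // callbacks invoked with (action, perm)
    this.auditLog = [];       // append-only record of grants and removals
  }
  key(type, uriSignature) { return `${type}|${uriSignature}`; }
  // perm: {type, uriSignature, value, source, expirationType, expirationTime, allowMessage, denyMessage}
  add(perm) {
    const record = { ...perm, session: this.session };
    this.perms.set(this.key(perm.type, perm.uriSignature), record);
    this.changed("add", record);
  }
  remove(type, uriSignature) {
    const k = this.key(type, uriSignature);
    const p = this.perms.get(k);
    if (p) { this.perms.delete(k); this.changed("remove", p); }
  }
  changed(action, perm) {
    this.cache.clear(); // every cached answer is stale once any permission changes
    this.auditLog.push({ action, type: perm.type, uriSignature: perm.uriSignature, source: perm.source, at: this.now() });
    for (const fn of this.observers) fn(action, perm);
  }
  observe(fn) { this.observers.push(fn); }
  startSession() { this.session += 1; this.cache.clear(); } // session grants lapse, and cached answers with them
  // true/false query. "Not granted" covers missing, denied and expired records; the caller decides whether to prompt.
  isGranted(type, uriSignature) {
    const k = this.key(type, uriSignature);
    if (this.cache.has(k)) return this.cache.get(k);
    const p = this.perms.get(k);
    let live = false;
    if (p) {
      if (p.expirationType === "never") live = true;
      else if (p.expirationType === "session") live = p.session === this.session;
      else if (p.expirationType === "time-based") live = p.expirationTime > this.now();
    }
    const granted = live && p.value === true;
    // Time-based expiry happens without a permission-change event, so those answers are never cached.
    if (!p || p.expirationType !== "time-based") this.cache.set(k, granted);
    return granted;
  }
}
```

The deliberate gap in the caching rule shows why "invalidate on permission change" alone is not enough: a grant that lapses by the clock changes nothing in the store, so a cached answer would outlive it.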
=== Other (topics that don't fall into above proposals) ===

* Last updated March 14, 2012
* SSL should be used for content delivery
** can provide authentication for client-store communication
*** complicated compared to code signing, since each mirror will either need the same key or the store/app needs to know each valid mirror
** provides end-to-end security
** does not address concerns of a malicious app
* W^X / NX for WebApps
* should the JS "eval" function have a permission added to it?
* bypassing the official package system speeds up app development
** at the risk of destabilising a system!
** should still be allowed though (with the caveat that the warranty just got voided)
** concept of /usr/local and /usr should be mirrored in B2G with e.g. /usr/gaia/apps and /usr/local/gaia/apps
* self-host discussion http://groups.google.com/group/mozilla.dev.b2g/msg/b079d34ccdec0f85
** The scenario is that we have an untrusted store attempting to sell an app which is hosted on a trusted store; how is this solved?

== Open questions ==

# What happens when a WebApp is revoked?
#* removed from store?
#* removed from user device?
#* refund?
# What is the identifier used when a WebApp is revoked?
#* origin (scheme + host + port)
#* certificate / hash embedded inside the WebApp manifest
# Should eval() and similar functions be considered sensitive APIs / restricted?
#* Adobe AIR restricts eval() in the application sandbox [http://help.adobe.com/en_US/air/html/security/WS485a42d56cd1964150c3d3a8124ef1cbd62-7ffe.html (docs)]
# Should self-signed certificates be allowed?
# What would be signed?
#* CSS
#* scripts
#* content
#* other