Apps/Security

No change in size, 20:51, 22 March 2012
There are multiple layers of applications underneath these web apps, which make up the B2G OS, but these are beyond the scope of the permissions model. Note, however, that the permissions model might influence the design of the lower layers: for example, Web Apps of differing permission levels would ideally be sandboxed from each other to limit the impact of memory corruption vulnerabilities. For further detail on the underlying B2G architecture see: [[B2G/Architecture]]
=== [http://www.cs.utah.edu/flux/fluke/html/flask.html FLASK] and SELinux for enforcing permissions ===
== Proposals ==
=== Trusted store with permissions delegation ===
{{note|Last updated March 14, 2012}}
* Mozilla (telco store) acts as an authority for permissions requests
* WebApps request permissions in manifest
* Each store contains a set of permissions they can grant
* The "root" store may grant any permissions
* A store (parent) may permit a trusted store (child) to grant a subset of parent's permissions
** {{note|This is the opposite of the FLASK model, which does not use a permissions hierarchy. There are problems if a child store inadvertently grants overly permissive permissions to an app (genie out of the bottle).}}
** ACME is a root store
** ACME allows Roadrunner Store to grant (Throw, Eat) permissions to WebApps it trusts
** Roadrunner Store may further permit Coyote Store a subset of the (Throw, Eat) permissions
** Coyote Store may then grant WebApps it trusts a subset of what Roadrunner Store granted
* Permissions granted to a WebApp are the intersection of permissions requested by manifest and permissions a store may grant
** WidgetIncApp is listed on ACME store
** WidgetIncApp requests Hammer, Nail permissions
** ACME store has been granted Hammer, Screw permissions by telco
** WidgetIncApp receives (Hammer, Nail) ∩ (Hammer, Screw) == (Hammer) permissions
** There was discussion of a "privileged store" which is a store blessed to allow access to certain APIs such as dialer
** "blessed" apps must always be served from the store with access to source code
* Self-hosting of a WebApp
** A WebApp can be self-hosted and query a trusted store on install
** The WebApp will be granted permissions based on what the trusted store would have granted the WebApp
*** WidgetInc wants to host WidgetIncApp from widget.lol
*** WidgetInc has already uploaded WidgetIncApp to ACME Store
*** User visits widget.lol to install WidgetIncApp which contains a pointer to ACME Store
*** Runtime queries ACME Store to see what permissions should be given to WidgetIncApp
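The delegation chain, the intersection rule and the self-hosting flow above can be modelled in a few lines. The following is an added example, not code from the B2G project or this wiki page; the store, app and permission names are the page's own illustrative values, while the Store class, the manifest dictionary layout, the store pointer key and the rule that a self-hosted app is judged by the manifest the store already has on file (not the copy served from widget.lol) are assumptions made here.

```python
# Added example (not B2G code): a model of the "trusted store with permissions
# delegation" proposal. Names are the page's examples; the classes, the manifest
# layout and the install() behaviour are assumptions of this example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Store:
    name: str
    grantable: frozenset                    # permissions this store may grant
    parent: Optional["Store"] = None
    listings: dict = field(default_factory=dict)   # app name -> listed manifest

    def delegate(self, child_name, subset):
        """Create a child store that may grant only a subset of our permissions.
        Refusing the excess here is what keeps the "genie in the bottle": a child
        can never end up holding a permission its parent could not grant."""
        subset = frozenset(subset)
        excess = subset - self.grantable
        if excess:
            raise PermissionError(
                f"{self.name} cannot delegate {sorted(excess)} to {child_name}")
        return Store(child_name, subset, parent=self)

    def list_app(self, manifest):
        """Record the manifest the developer uploaded to this store."""
        self.listings[manifest["name"]] = manifest

    def grant(self, manifest):
        """Intersection rule: requested in manifest AND grantable by this store."""
        return frozenset(manifest["permissions"]) & self.grantable

    def permissions_for_listed(self, app_name):
        """What this store would grant the app it has on file (nothing if unlisted)."""
        listed = self.listings.get(app_name)
        return self.grant(listed) if listed is not None else frozenset()


def install(manifest, stores):
    """Runtime side of install. A self-hosted manifest carries a pointer to a trusted
    store (assumed key: "store"); the runtime asks that store what it would grant.
    Assumption: the store answers from its own listing, so a self-hosted copy that
    requests more than the listed manifest gains nothing extra."""
    store = stores.get(manifest.get("store"))
    if store is None:
        return frozenset()          # no trusted store vouches for the app
    return store.permissions_for_listed(manifest["name"])


def build_example():
    """Constructed scenario mirroring the page's bullets."""
    telco = Store("Telco", frozenset({"Hammer", "Screw", "Nail", "Throw", "Eat", "Dial"}))
    acme = telco.delegate("ACME", {"Hammer", "Screw", "Throw", "Eat"})
    roadrunner = acme.delegate("Roadrunner Store", {"Throw", "Eat"})
    coyote = roadrunner.delegate("Coyote Store", {"Throw"})
    widget = {"name": "WidgetIncApp", "permissions": {"Hammer", "Nail"}, "store": "ACME"}
    acme.list_app(widget)           # WidgetInc already uploaded the app to ACME
    stores = {s.name: s for s in (telco, acme, roadrunner, coyote)}
    return {"acme": acme, "roadrunner": roadrunner, "coyote": coyote,
            "widget": widget, "stores": stores}


if __name__ == "__main__":
    ex = build_example()
    print("store grant:", sorted(ex["acme"].grant(ex["widget"])))
    print("self-hosted install:", sorted(install(ex["widget"], ex["stores"])))
    # A self-hosted copy asking for more than the listed manifest still gets Hammer only.
    greedy = dict(ex["widget"], permissions={"Hammer", "Screw"})
    print("greedy self-hosted copy:", sorted(install(greedy, ex["stores"])))
    try:
        ex["roadrunner"].delegate("Rogue Store", {"Throw", "Hammer"})
    except PermissionError as err:
        print("delegation refused:", err)
```

Two points of the proposal fall out of the model: the subset check at delegation time is the single place the hierarchy can be kept sound, and the runtime's decision for a self-hosted app depends only on what the trusted store has on file, so the hosting site cannot enlarge the grant by editing the manifest it serves.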
= Application Permissions Enforcement =