From MozillaWiki


This section contains questions, sections and comments whose purpose has not been made clear, and open issues.

Kernel permissions manager

{lkcl.15mar12.2223hrs - it's not clear to me what this section refers to: a userspace application that interacts with the user to help them select the level of access that they wish to grant to a particular application, or to the actual kernel-side implementation that enforces the permissions, or a developer "assistance" suite of software which helps the developer to create the permission set that's to be associated with the application when it's installed}

  • separate process that controls access to permissions
  • responsible for
    1. query permissions, true/false whether permission X is granted
      • support for prompting user in event permission isn't granted
    2. add / remove permissions
    3. audit permissions
    4. support observers for permission change
  • permissions requested are based on "uri signatures"
    • to be determined what the signature is: domain, partial url, other?
  • permissions representation
    • type - usb, web, radio, etc
    • uri signature
    • value
    • source - user, manifest, system
    • expiration type - never, time-based, session, other?
    • expiration time
    • allow message - for UI / prompting user
    • deny message
  • app obtains permission by querying / asking central process
  • OS support required for properly constructing signature, app should not be able to influence this
    • there needs to be a unique identifier that an app can't spoof
  • permissions requests can be cached
    • cache needs to be invalidated on permission change
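As an added illustration of the design sketched in this list (not code from the wiki or from B2G), here is a small Python model of the central permissions process: the permission record fields above, query / add / remove / audit, observers, and a query cache that is invalidated on change. The injectable clock, the use of origin-like strings for the still-undecided "uri signature", and all names below are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Permission:
    ptype: str                  # "usb", "web", "radio", ...
    uri_signature: str          # domain? partial URL? the page leaves this open
    value: bool                 # granted (True) or denied (False)
    source: str                 # "user", "manifest", "system"
    expiration: str = "never"   # "never", "time" or "session"
    expires_at: float = 0.0     # absolute time, used when expiration == "time"
    allow_message: str = ""     # text for the UI when prompting the user
    deny_message: str = ""

class PermissionsManager:
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._perms: Dict[Tuple[str, str], Permission] = {}   # keyed (uri_signature, ptype)
        self._observers: List[Callable[[Permission], None]] = []
        self._cache: Dict[Tuple[str, str], bool] = {}         # cached query answers
    def add(self, perm: Permission) -> None:
        self._perms[(perm.uri_signature, perm.ptype)] = perm
        self._changed(perm)
    def remove(self, uri_signature: str, ptype: str) -> None:
        perm = self._perms.pop((uri_signature, ptype), None)
        if perm is not None:
            self._changed(perm)
    def observe(self, callback: Callable[[Permission], None]) -> None:
        self._observers.append(callback)
    def end_session(self) -> None:   # session-scoped grants die with the session
        for key, perm in list(self._perms.items()):
            if perm.expiration == "session":
                self.remove(*key)
    def query(self, uri_signature: str, ptype: str) -> bool:
        # In a real system the OS, not the app, must supply uri_signature.
        key = (uri_signature, ptype)
        if key in self._cache: return self._cache[key]
        perm = self._perms.get(key)
        if perm is not None and perm.expiration == "time" and self._clock() >= perm.expires_at:
            self.remove(*key)        # expired: drop it and notify observers
            perm = None
        granted = perm is not None and perm.value
        if perm is None or perm.expiration != "time":   # time-limited grants are never cached
            self._cache[key] = granted
        return granted
    def audit(self) -> List[Tuple[str, str, bool, str]]:
        return [(p.uri_signature, p.ptype, p.value, p.source) for p in self._perms.values()]
    def _changed(self, perm: Permission) -> None:   # invalidate cache, wake observers
        self._cache.pop((perm.uri_signature, perm.ptype), None)
        for cb in self._observers: cb(perm)
```

Time-limited grants are deliberately left out of the cache: an add or remove can invalidate a cached answer, but the clock cannot, so caching them would let an expired grant keep answering "true".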

Other (topics that don't fall into above proposals)

  • Last updated March 14, 2012
  • SSL should be used for content delivery
    • can provide authentication for client-store communication
      • complicated compared to code signing, since each mirror will either need the same key or the store/app needs to know each valid mirror
    • provides end-to-end security
    • does not address concerns of a malicious app
  • W^X / NX for WebApps
  • should the JS "eval" function have a permission added to it?
  • should script injection - body.appendChild(createNode("script")) - also be restricted?
  • bypassing the official package system speeds up app development
    • at the risk of destabilising a system!
    • should still be allowed though (with caveat that warranty just got voided)
    • concept of /usr/local and /usr should be mirrored in B2G with e.g. /usr/gaia/apps and /usr/local/gaia/apps
  • self-host discussion
    • The scenario is that we have an untrusted store attempting to sell an app that is hosted on a trusted store; how is this solved?

Open questions

  1. What happens when a WebApp is revoked?
    • removed from store?
    • removed from user device?
    • refund?
  2. What is the identifier used when a WebApp is revoked?
    • origin (scheme + host + port)
    • certificate / hash embed inside WebApp manifest
  3. Should eval() and similar functions such as script-injection be considered sensitive APIs / restricted?
    • Adobe AIR restricts eval() in the application sandbox (docs)
  4. Should self-signed certificates be allowed?
  5. What would be signed?
    • CSS
    • scripts
    • content
    • other