Apps/Security/Other
From MozillaWiki
Other
This section contains questions, sections and comments whose purpose has not been made clear, and open issues.
Kernel permissions manager
{lkcl.15mar12.2223hrs - it's not clear to me what this section refers to: a userspace application that interacts with the user to help them select the level of access that they wish to grant to a particular application, or to the actual kernel-side implementation that enforces the permissions, or a developer "assistance" suite of software which helps the developer to create the permission set that's to be associated with the application when it's installed}
- separate process that controls access to permissions
- responsible for
  - query permissions, true/false if permission X is granted
  - support for prompting the user in the event a permission isn't granted
  - add / remove permissions
  - audit permissions
  - support observers for permission change
- permissions requested are based on "uri signatures"
  - to be determined what the signature is: domain, partial url, other?
- permissions representation
  - type - usb, web, radio, etc
  - uri signature
  - value
  - source - user, manifest, system
  - expiration type - never, time-based, session, other?
  - expiration time
  - allow message - for UI / prompting user
  - deny message
- app obtains permission by querying / asking the central process
- OS support required for properly constructing the signature; the app should not be able to influence this
  - there needs to be a unique identifier that an app can't spoof
- permission requests can be cached
  - the cache needs to be invalidated on permission change
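A model of the permissions manager sketched above, added here as an example rather than code from the wiki or from B2G; the class, method and field names are assumptions. It shows the true/false query, the three expiration types, observer notification, an audit log, and the result cache being dropped on every change (time-based grants are deliberately not cached, since a cached answer would outlive the grant).

```javascript
// Added example, not B2G code: names are assumptions.
const EXPIRY = { NEVER: "never", TIME: "time-based", SESSION: "session" };

class PermissionManager {
  constructor(clock = () => Date.now()) {
    this.clock = clock;
    this.entries = new Map();    // "type|signature" -> permission record
    this.observers = new Set();  // callbacks fired on every change
    this.cache = new Map();      // memoised query results, dropped on change
    this.audit = [];             // log of queries and changes
  }
  // Record a grant (value true) or deny (value false); source is user,
  // manifest or system. The signature is platform-derived (e.g. the
  // caller's origin) and must never be chosen by the app itself.
  add({ type, signature, value, source, expiry = EXPIRY.NEVER,
        expiresAt = null, allowMessage = "", denyMessage = "" }) {
    this.entries.set(`${type}|${signature}`, { type, signature, value,
      source, expiry, expiresAt, allowMessage, denyMessage });
    this.changed("add", type, signature);
  }
  remove(type, signature) {
    if (this.entries.delete(`${type}|${signature}`))
      this.changed("remove", type, signature);
  }
  // Session-scoped grants vanish when the session ends.
  endSession() {
    for (const [k, e] of this.entries)
      if (e.expiry === EXPIRY.SESSION) {
        this.entries.delete(k);
        this.changed("expire", e.type, e.signature);
      }
  }
  // The true/false query. Time-based grants are never cached, otherwise a
  // cached "true" would outlive the grant it was computed from.
  isGranted(type, signature) {
    const k = `${type}|${signature}`;
    if (this.cache.has(k)) return this.cache.get(k);
    const e = this.entries.get(k);
    const granted = !!e && e.value === true &&
      (e.expiry !== EXPIRY.TIME || e.expiresAt > this.clock());
    this.audit.push({ op: "query", type, signature, granted });
    if (!e || e.expiry !== EXPIRY.TIME) this.cache.set(k, granted);
    return granted;
  }
  // Every change drops the cache and notifies observers.
  changed(op, type, signature) {
    this.cache.clear();
    this.audit.push({ op, type, signature });
    for (const cb of this.observers) cb(op, type, signature);
  }
}
```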
Other (topics that don't fall into above proposals)
- Last updated March 14, 2012
- SSL should be used for content delivery
  - can provide authentication for client-store communication
  - complicated compared to code signing, since each mirror will either need the same key or the store/app needs to know each valid mirror
  - provides end-to-end security
  - does not address concerns of a malicious app
- W^X / NX for WebApps
  - should the JS "eval" function have a permission added to it?
  - should script injection - body.appendChild(createNode("script")) - also be restricted?
- bypassing the official package system speeds up app development
  - at the risk of destabilising a system!
  - should still be allowed though (with the caveat that the warranty just got voided)
  - the concept of /usr/local and /usr should be mirrored in B2G with e.g. /usr/gaia/apps and /usr/local/gaia/apps
- self-host discussion http://groups.google.com/group/mozilla.dev.b2g/msg/b079d34ccdec0f85
- The scenario is that we have an untrusted store attempting to sell an app that is hosted on a trusted store; how is this solved?
Open questions
- What happens when a WebApp is revoked?
  - removed from store?
  - removed from user device?
  - refund?
- What is the identifier used when a WebApp is revoked?
  - origin (scheme + host + port)
  - certificate / hash embedded inside the WebApp manifest
- Should eval() and similar functions such as script injection be considered sensitive APIs / restricted?
  - Adobe AIR restricts eval() in the application sandbox (docs)
- Should self-signed certificates be allowed?
- What would be signed?
  - CSS
  - scripts
  - content
  - other