Other

This section contains questions, sections and comments whose purpose has not been made clear, and open issues.

Kernel permissions manager

{lkcl.15mar12.2223hrs - it's not clear to me what this section refers to: a userspace application that interacts with the user to help them select the level of access that they wish to grant to a particular application, or to the actual kernel-side implementation that enforces the permissions, or a developer "assistance" suite of software which helps the developer to create the permission set that's to be associated with the application when it's installed}

• separate process that controls access to permissions
• responsible for
  1. query permissions, true/false if permissions X is granted
     • support for prompting user in event permission isn't granted
  2. add / remove permissions
  3. audit permissions
  4. support observers for permission change
• permissions requested are based on "uri signatures"
  • to be determined what the signature is: domain, partial url, other?
• permissions representation
  • type - usb, web, radio, etc
  • uri signature
  • value
  • source - user, manifest, system
  • expiration type - never, time-based, session, other?
  • expiration time
  • allow message - for UI / prompting user
  • deny message
• app obtains permission by querying / asking central process
• OS support required for properly constructing signature, app should not be able to influence this
  • there needs to be a unique identifier than an app can't spoof
• permissions requests can be cached
  • cache needs to be invalidated on permission change

Other (topics that don't fall into above proposals)

• Last updated March 14, 2012
• SSL should be used for content delivery
  • can provide authentication for client-store communication
    • complicated compared to code signing since each mirror will either need same key or store/app needs to know each valid mirror
  • provides end-to-end security
  • does not address concerns of a malicious app
• W^X / NX for WebApps
• should the JS "eval" function have a permission added to it?
• should script injection - body.appendChild(createNode("script")) - also be restricted?
• bypassing the official package system speeds up app development
  • at the risk of destabilising a system!
  • should still be allowed though (with caveat that warranty just got voided)
  • concept of /usr/local and /usr should be mirrored in B2G with e.g. /usr/gaia/apps and /usr/local/gaia/apps
• self-host discussion http://groups.google.com/group/mozilla.dev.b2g/msg/b079d34ccdec0f85
  • The scenario is that we have an untrusted store attempting to sell an app which is hosted on a trusted store, how is this solved?

Open questions

1. What happens when a WebApp is revoked?
   • removed from store?
   • removed from user device?
   • refund?
2. What is the identifier used when a WebApp is revoked?
   • origin (scheme + host + port)
   • certificate / hash embed inside WebApp manifest
3. Should eval() and similar functions such as script-injection be considered sensitive APIs / restricted?
   • Adobe AIR restricts eval() in the application sandbox (docs)
4. Should self-signed certificates be allowed?
5. What would be signed?
   • CSS
   • scripts
   • content
   • other