8 The proposal here is to specify a naming scheme for permissions
9 that allows the system to be as stateless as possible. The current
10 specification includes in the naming of permissions either
11 the name of the bound binding when existing and the level of the
12 permission itself. Doing this, there is no real need for the
13 framework to keep installed permissions in a database.
15 The permission names are [URN][URN] of the form:
17 urn:AGL:permission:<api>:<level>:<hierarchical-name>
19 where "AGL" is the NID (the namespace identifier) dedicated to
20 AGL (note: a RFC should be produced to standardize this name space).
22 The permission names are made of NSS (the namespace specific string)
23 starting with "permission:" and followed by colon separated
24 fields. The 2 first fields are `<api>` and `<level>` and the remaining
25 fields are grouped to form the `<hierarchical-name>`.
29 <pname> ::= 1*<pchars>
31 <pchars> ::= <upper> | <lower> | <number> | <extra>
33 <extra> ::= "-" | "." | "_" | "@"
35 The field `<api>` can be made of any valid character for NSS except
36 the characters colon and star (:*). This field designates the api
37 providing the permission. This scheme is used to deduce binding requirements
38 from permission requirements. The field `<api>` can be the empty
39 string when the permission is defined by the AGL system itself.
41 [PROPOSAL 1] The field `<api>` if starting with the character "@" represents
42 a transversal/cross permission not bound to any binding.
44 [PROPOSAL 2]The field `<api>` if starting with the 2 characters "@@"
45 in addition to a permission not bound to any binding, represents a
46 permission that must be set at installation and that can not be
51 The field `<level>` is made only of letters in lower case.
52 The field `<level>` can only take some predefined values:
61 The field `<hierarchical-name>` is made of `<pname>` separated
64 <hierarchical-name> ::= <pname> 0*(":" <pname>)
66 The names at left are hierarchically grouping the
67 names at right. This hierarchical behaviour is intended to
68 be used to request permissions using hierarchical grouping.
74 In some case, it could be worth to add a value to a permission.
76 Currently, the framework allows it for permissions linked to
77 systemd. But this not currently used.
79 Conversely, permissions linked to cynara can't carry data
82 Thus to have a simple and cleaner model, it is better to forbid
83 attachement of value to permission.
86 Example of permissions
87 ----------------------
89 Here is a list of some possible permissions. These
90 permissions are available the 17th of March 2017.
92 - urn:AGL:permission::platform:no-oom
94 Set OOMScoreAdjust=-500 to keep the out-of-memory
97 - urn:AGL:permission::partner:real-time
99 Set IOSchedulingClass=realtime to give to the process
102 Conversely, not having this permission set RestrictRealtime=on
103 to forbid realtime features.
105 - urn:AGL:permission::public:display
107 Adds the group "display" to the list of supplementary groups
110 - urn:AGL:permission::public:syscall:clock
112 Without this permission SystemCallFilter=~@clock is set to
113 forfid call to clock.
115 - urn:AGL:permission::public:no-htdocs
117 The http directory served is not "htdocs" but "."
119 - urn:AGL:permission::public:applications:read
121 Allows to read data of installed applications (and to
124 - urn:AGL:permission::partner:service:no-ws
126 Forbids services to provide its API through websocket.
128 - urn:AGL:permission::partner:service:no-dbus
130 Forbids services to provide its API through D-Bus.
132 - urn:AGL:permission::system:run-by-default
134 Starts automatically the application. Example: home-screen.
136 - http://tizen.org/privilege/internal/dbus
138 Permission to use D-Bus.
141 [URN]: https://tools.ietf.org/rfc/rfc2141.txt "RFC 2141: URN Syntax"