Skip to content

Commit

Permalink
Update enhanced ACG rules
Browse files Browse the repository at this point in the history
  • Loading branch information
Heeam-Shin committed Feb 5, 2024
1 parent f99dbb1 commit bec86ac
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 14 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: Developing Built-in JS Services
date: 2023-05-11
date: 2024-01-29
weight: 20
toc: true
---
Expand All @@ -22,6 +22,7 @@ js-services/
└── com.example.service.js/
├── files/sysbus/
│ ├── com.example.service.js.api.json.in
│ ├── com.example.service.js.groups.json.in
│ ├── com.example.service.js.perm.json.in
│ ├── com.example.service.js.role.json.in
│ └── com.example.service.js.service.in
Expand Down Expand Up @@ -176,7 +177,11 @@ This file configures the service metadata and points to the main service file. I
### LS2 Configuration Files
To register and execute a service through LS2, it is necessary to create a Service Configuration file, a Role file, and Permission files. You must create a `files/sysbus` directory in your project so that the configuration files are installed in the right place on the target.
To register and execute a service through LS2, it is necessary to create a Service Configuration file, Role file, Permission file, and Groups file. You must create a `files/sysbus` directory in your project so that the configuration files are installed in the right place on the target.
{{< note >}}
This section briefly describes about configuration files. For more details, see [Security Guide]({{< relref "security-guide" >}}).
{{< /note >}}
#### Service Configuration File
Expand Down Expand Up @@ -205,6 +210,7 @@ This file contains allowed service names for each component and individual secur
{
"appId":"com.example.service.js",
"type": "regular",
"trustLevel": "oem",
"allowedNames": [
"com.example.service.js"
],
Expand All @@ -222,8 +228,9 @@ This file contains allowed service names for each component and individual secur
A brief explanation of the above file:
- Line(4~6) : `allowedNames` - Names that this service is allowed to register. It can be an array of any valid service name strings, empty array [] for none, and empty string "" for an unnamed service.
- Line(7~14) : The permissions for the service.
- Line(4) : Set the [trust level]({{< relref "security-guide#trust-levels" >}}) of the service.
- Line(5~7) : `allowedNames` - Names that this service is allowed to register. It can be an array of any valid service name strings, empty array [] for none, and empty string "" for an unnamed service.
- Line(8~15) : The permissions for the service.
- `outbound` : Array of services that this service is allowed to send requests to. It can include strings of any valid service names. Use "\*" for all, empty array [] for none, and empty string "" for unnamed services. It's possible to use a wildcard (*) at the end of a string.

#### Client Permission File
Expand All @@ -246,12 +253,12 @@ A brief explanation of the above file:
#### API Permission File
This file defines what methods are included into security groups this component provides.
This file defines ACG values of the service and methods those ACG values contain.
{{< code "com.example.service.js.api.json.in" >}}
``` json {linenos=table}
{
"com.example.service.js.group": [
"examplejsservice.acgvalue": [
"com.example.service.js/*"
]
}
Expand All @@ -260,7 +267,24 @@ This file defines what methods are included into security groups this component
A brief explanation of the above file:
- Line(3) : Set this service's group name and specify the methods that belong to the group. In this example, the group name is set to "com.example.service.js.group", and all methods of `com.example.service.js` are added to this group.
- Line(3) : Set an ACG value and specify the methods that belong to the ACG value. In this example, the ACG value is "examplejsservice.acgvalue", and all methods of `com.example.service.js` are added to this value.
#### Groups File
This file defines the trust levels of each ACG value.
{{< code "com.example.service.js.groups.json.in" >}}
``` json {linenos=table}
{
"allowedNames": [ "com.example.service.js" ],
"examplejsservice.acgvalue": [ "oem" ]
}
```
{{< /code >}}
A brief explanation of the above file:
- Line(3) : Set the trust level for `examplejsservice.acgvalue` as `oem`. So the APIs in `examplejsservice.acgvalue` have the `oem` trust level.
### CMakeLists.txt
Expand Down Expand Up @@ -404,6 +428,7 @@ After building the service, you must verify its functionality.
├── README.md
├── files/sysbus
│ ├── com.example.service.js.api.json.in
│ ├── com.example.service.js.groups.json.in
│ ├── com.example.service.js.perm.json.in
│ ├── com.example.service.js.role.json.in
│ └── com.example.service.js.service.in
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: Developing Built-in Native Services
date: 2022-12-02
date: 2024-01-29
weight: 20
toc: true
---
Expand All @@ -23,6 +23,7 @@ native-services/built-in/
├── files/
│ ├── sysbus/
│ │ ├── com.example.service.native.api.json.in
│ │ ├── com.example.service.native.groups.json.in
│ │ ├── com.example.service.native.perm.json.in
│ │ ├── com.example.service.native.role.json.in
│ │ └── com.example.service.native.service.in
Expand Down Expand Up @@ -288,7 +289,11 @@ This section describes how to prepare the configuration files required to build
### LS2 Configuration Files
To register and execute a service through LS2, it is necessary to create a Service Configuration file, a Role file, and Permission files. You must create a `files/sysbus` directory in your project so that the configuration files are installed in the right place on the target.
To register and execute a service through LS2, it is necessary to create a Service Configuration file, Role file, Permission file, and Groups file. You must create a `files/sysbus` directory in your project so that the configuration files are installed in the right place on the target.
{{< note >}}
This section briefly describes about configuration files. For more details, see [Security Guide]({{< relref "security-guide" >}}).
{{< /note >}}
#### Service Configuration File
Expand Down Expand Up @@ -319,6 +324,7 @@ This file contains allowed service names for each component and individual secur
{
"exeName":"@WEBOS_INSTALL_SBINDIR@/com.example.service.native",
"type": "regular",
"trustLevel": "oem",
"allowedNames": [
"com.example.service.native"
],
Expand All @@ -338,8 +344,9 @@ A brief explanation of the above file:
- Line(2) : `exeName` - Specify the full path to the binary for a native service. Must be of the form: "/path/to/binary"
- Line(3) : `type` - Indicate whether the app is privileged (can change its role) or regular. Possible values are privileged or regular.
- Line(4~6) : `allowedNames` - Names that this service is allowed to register. It can be an array of any valid service name strings, empty array [] for none, and empty string "" for an unnamed service.
- Line(7~14) : The permissions for the service.
- Line(4) : Set the [trust level]({{< relref "security-guide#trust-levels" >}}) of the service.
- Line(5~7) : `allowedNames` - Names that this service is allowed to register. It can be an array of any valid service name strings, empty array [] for none, and empty string "" for an unnamed service.
- Line(8~15) : The permissions for the service.
- `outbound` - Array of services that this service is allowed to send requests to. It can include strings of any valid service names. Use "\*" for all, empty array [] for none, and empty string "" for unnamed services. It's possible to use a wildcard (*) at the end of a string.
#### Client Permission File
Expand All @@ -362,12 +369,12 @@ A brief explanation of the above file:
#### API Permission File
This file defines what methods are included into security groups this component provides.
This file defines ACG values of the service and methods those ACG values contain.
{{< code "com.example.service.native.api.json.in" >}}
``` json {linenos=table}
{
"com.example.service.native.group": [
"examplenativeservice.acgvalue": [
"com.example.service.native/hello"
]
}
Expand All @@ -376,7 +383,24 @@ This file defines what methods are included into security groups this component
A brief explanation of the above file:
- Line(3) : Set this service's group name and specify the methods that belong to the group. In this example, the group name is set to "com.example.service.native.group", and the `hello` method of `com.example.service.native` is added to this group.
- Line(3) : Set an ACG value and specify the methods that belong to the ACG value. In this example, the ACG value is "examplenativeservice.acgvalue", and the `com.example.service.native/hello` method is added to this value.
#### Groups File
This file defines the trust levels of each ACG value.
{{< code "com.example.service.native.groups.json.in " >}}
``` json {linenos=table}
{
"allowedNames": [ "com.example.service.js" ],
"examplenativeservice.acgvalue": [ "oem" ]
}
```
{{< /code >}}
A brief explanation of the above file:
- Line(3) : Set the trust level for `examplenativeservice.acgvalue` as `oem`. So the APIs in `examplenativeservice.acgvalue` have the `oem` trust level.
### Systemd Configuration File
Expand Down Expand Up @@ -578,6 +602,7 @@ After building the service, you must verify its functionality.
├── files
│ ├── sysbus
│ │ ├── com.example.service.native.api.json.in
│ │ ├── com.example.service.native.groups.json.in
│ │ ├── com.example.service.native.perm.json.in
│ │ ├── com.example.service.native.role.json.in
│ │ └── com.example.service.native.service.in
Expand Down

0 comments on commit bec86ac

Please sign in to comment.