A proposal for a permission model.
Created by: ticki
Instead of adopting the conventional *nix model, I suggest that we build a permission model that follows the principle of least privilege (POLP).
The idea
The idea is that every program is assigned a permanent basic permission level (which can be changed at the user's request). With the user's approval, a program can extend its permissions for the duration of a session. Permissions are described in a simple, compact language, described below.
Focus
In this proposal a program is either focused or unfocused. This is not necessarily tied to window management; it is a system-level state. Window management can (and should) make use of it by focusing the programs whose windows have focus.
The point of focus is that a program can be told it may only do certain things while the user has it focused (logging keystrokes, for example). There is no reason a text editor should be able to write to the file system while it is inactive.
Automatic permission extensions
A program that can save files shouldn't be able to write to the whole file system. On the other hand, the user shouldn't have to click "accept" every time he or she wants to save a file. The solution is that the DE automatically grants the program the permission when the user clicks "Open" in the file dialog. This is up to the DE, however, not the kernel.
Making use of "Everything is a URL"
The "Everything is a URL" principle fits this proposal well: the proposal does not have to handle special cases, but instead just defines rules on the different URLs.
The language
The language consists of three kinds of elements:
- Modifiers: define the permission type, such as read or write
- Parameters: define where the permission applies
- Operators: define how the permission units are stitched together, for example "unless" or "and"
Modifiers
I propose two modifiers:
- `r` for reading a given source (URL)
- `w` for writing a given source (URL)
Each of these comes in two forms, uppercase and lowercase. Uppercase means "only when focused"; lowercase means "whenever the program is open".
Modifiers can be placed next to each other to apply both to the same parameter (URL); see below.
Parameters
Parameters are descriptions of which URLs can be read from or written to. A `'` is placed before the parameter, and the modifiers are set before that `'`. Parameters and modifiers together make up a permission unit.
In a parameter, `*` is the wildcard character (as in Unix). This means that I could, for example, get recursive permissions over a folder using `folder/*`.
Operators
Operators are placed between permission units. There are two operators:
- `+`: and.
- `-`: except, or unless.
If I write {PATTERN1}+{PATTERN2}-{PATTERN3}, I get PATTERN1 and PATTERN2 unless PATTERN3 applies. In this way I can, for example, get permission over all files in a folder except one (by using `-`).
Note that `-` only removes permissions before itself, not after. So if I write `A-B+B`, I still get permission B.
Example
This means that my program has read and write access to all files in my home, except `veryimportantfile`, which it may access only while it is focused:
rw'/home/ticki-rw'/home/ticki/veryimportantfile+RW'/home/ticki/veryimportantfile
Spaces can be added to make it clearer:
rw 'file:/home/ticki/* - rw 'file:/home/ticki/veryimportantfile + RW 'file:/home/ticki/veryimportantfile
If I want my program to have TCP access, I could write:
RW 'tcp:*
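As an added worked example (it is not part of ticki's proposal, and nothing here is claimed to be an existing implementation), here is a Rust parser and evaluator for the language above, run against the policy from the Example section. Where the proposal leaves details open, the code assumes that the operators `+` and `-` also terminate a parameter, that `*` matches any run of characters including `/`, and that a `-` unit revokes exactly the grants the same unit would give after `+`. The type and function names (`Access`, `Unit`, `Term`, `parse`, `glob_match`, `allowed`) and the sample URLs are constructed for this example.

```rust
// Added example, not part of the proposal: a parser and evaluator for the permission
// language above. Assumptions where the proposal is silent: '+' and '-' also end a
// parameter, '*' matches any run of characters (including '/'), and a '-' unit
// revokes exactly what the same unit would grant after '+'.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Access { Read, Write }

/// One permission unit: the modifiers and the URL pattern they apply to.
#[derive(Clone, Debug, PartialEq, Eq, Default)]
pub struct Unit {
    pub read_open: bool,     // 'r': read whenever the program is open
    pub write_open: bool,    // 'w': write whenever the program is open
    pub read_focused: bool,  // 'R': read only while the program is focused
    pub write_focused: bool, // 'W': write only while the program is focused
    pub pattern: String,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Term { Grant(Unit), Revoke(Unit) } // operator that introduced the unit; the first counts as '+'

/// Parse a permission string such as `rw 'file:/home/a/* - w 'file:/home/a/secret`.
pub fn parse(src: &str) -> Result<Vec<Term>, String> {
    let c: Vec<char> = src.chars().collect();
    let (mut terms, mut i) = (Vec::new(), 0);
    loop {
        while i < c.len() && c[i].is_whitespace() { i += 1; }
        if i == c.len() { break; }
        // Every unit after the first must be introduced by an operator.
        let revoke = match (terms.is_empty(), c[i]) {
            (true, _) => false,
            (false, '+') => { i += 1; false }
            (false, '-') => { i += 1; true }
            (false, x) => return Err(format!("expected '+' or '-' at {}, found {:?}", i, x)),
        };
        // Modifiers run up to the quote that introduces the parameter.
        let mut unit = Unit::default();
        while i < c.len() && c[i] != '\'' {
            match c[i] {
                'r' => unit.read_open = true,
                'w' => unit.write_open = true,
                'R' => unit.read_focused = true,
                'W' => unit.write_focused = true,
                x if x.is_whitespace() => {}
                x => return Err(format!("unknown modifier {:?} at {}", x, i)),
            }
            i += 1;
        }
        if i == c.len() { return Err("a unit is missing the ' before its parameter".into()); }
        if unit == Unit::default() { return Err(format!("unit ending at {} has no modifiers", i)); }
        i += 1; // skip the quote; the parameter runs up to the next operator
        let start = i;
        while i < c.len() && c[i] != '+' && c[i] != '-' { i += 1; }
        unit.pattern = c[start..i].iter().collect::<String>().trim().to_string();
        if unit.pattern.is_empty() { return Err(format!("empty parameter at {}", start)); }
        terms.push(if revoke { Term::Revoke(unit) } else { Term::Grant(unit) });
    }
    Ok(terms)
}

/// Match `pattern` against `url`, where '*' stands for any run of characters.
pub fn glob_match(pattern: &str, url: &str) -> bool {
    let parts: Vec<&str> = pattern.split('*').collect();
    if parts.len() == 1 { return pattern == url; }
    let (first, last) = (parts[0], parts[parts.len() - 1]);
    if url.len() < first.len() + last.len() || !url.starts_with(first) || !url.ends_with(last) {
        return false;
    }
    // Each literal piece between two stars must appear, in order, in what is left.
    let mut rest = &url[first.len()..url.len() - last.len()];
    for piece in &parts[1..parts.len() - 1] {
        match rest.find(*piece) {
            Some(pos) => rest = &rest[pos + piece.len()..],
            None => return false,
        }
    }
    true
}

/// Evaluate left to right: a '+' unit adds a grant, a '-' unit removes matching
/// grants made before it and has no effect on the units that come after it.
pub fn allowed(terms: &[Term], url: &str, access: Access, focused: bool) -> bool {
    let mut ok = false;
    for term in terms {
        let (u, grant) = match term { Term::Grant(u) => (u, true), Term::Revoke(u) => (u, false) };
        let covers = match access {
            Access::Read => u.read_open || (focused && u.read_focused),
            Access::Write => u.write_open || (focused && u.write_focused),
        };
        if covers && glob_match(&u.pattern, url) { ok = grant; }
    }
    ok
}

fn main() {
    let terms = parse("rw 'file:/home/ticki/* - rw 'file:/home/ticki/veryimportantfile + RW 'file:/home/ticki/veryimportantfile").unwrap();
    println!("unfocused write: {}", allowed(&terms, "file:/home/ticki/veryimportantfile", Access::Write, false));
    println!("focused write:   {}", allowed(&terms, "file:/home/ticki/veryimportantfile", Access::Write, true));
}
```

Because evaluation is a single left-to-right pass in which a `-` unit only clears what was granted before it, `A-B+B` ends with B granted, as the proposal states. The uppercase modifiers are resolved against the focus state at check time, so the same policy string answers differently for a focused and an unfocused program; a kernel or DE would call `allowed` on every open or write request with the program's current focus flag.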
What do you think?