OC-KittenOS/code/libs/sys-secpolicy.lua

-- Copyright (C) 2018-2021 by KittenOS NEO contributors
--
-- Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.
--
-- THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
-- THIS SOFTWARE.

-- CRITICAL FILE!
-- This file defines how your KittenOS NEO system responds to access requests.
-- Modification, renaming or deletion can disable security features.
-- Usually, a change that breaks the ability for the file to do it's job will cause the "failsafe" to activate,
--  and for the system to become unable to run user applications.
-- However - I would not like to test this in a situation where said user applications were in any way untrusted,
--  for example, if you downloaded them from the Internet, or in particular if someone forwarded them over Discord.
-- IRC is usually pretty safe, but no guarantees.

-- Returns "allow", "deny", or "ask".
local function actualPolicy(pkg, pid, perm, pkgSvcPfx)
 -- System stuff is allowed.
 if pkg:sub(1, 4) == "sys-" then
  return "allow"
 end
 -- svc-t's job is solely to emulate terminals
 -- TO INSTALL YOUR OWN TERMINAL EMULATOR:
 -- perm|app-yourterm|r.neo.t
 if pkg == "svc-t" and perm == "r.neo.pub.t" then
  return "allow"
 end
 -- <The following is for apps & services>
 -- x.neo.pub.* is open to all
 if perm:sub(1, 10) == "x.neo.pub." then
  return "allow"
 end
 -- These signals are harmless, though they identify HW (as does everything in OC...)
 if perm == "s.h.component_added" or perm == "s.h.component_removed" or perm == "s.h.tablet_use" or perm == "c.tablet" then
  return "allow"
 end
 -- Userlevel can register for itself
 if perm == "r." .. pkgSvcPfx then
  return "allow"
 end
 -- Userlevel has no other registration rights
 if perm:sub(1, 2) == "r." then
  return "deny"
 end
 -- app/svc stuff is world-accessible,
 -- but note perm|*| overrides this
 if perm:sub(1, 6) == "x.app." then
  return "allow"
 end
 if perm:sub(1, 6) == "x.svc." then
  return "allow"
 end
 -- For hardware access, ASK!
 return "ask"
end

return function (nexus, settings, pkg, pid, perm, rsp, pkgSvcPfx)
 local res = actualPolicy(pkg, pid, perm, pkgSvcPfx)
 if settings then
  res = settings.getSetting("perm|" .. pkg .. "|" .. perm) or
        settings.getSetting("perm|*|" .. perm) or res
 end
 if res == "ask" and nexus then
  local totalW = 3 + 6 + 2 + 8
  local fmt = require("fmttext").fmtText(unicode.safeTextFormat(string.format("%s/%i wants:\n%s\nAllow this?\n\n", pkg, pid, perm)), totalW)
  local buttons = {
   {"<No>", function (w)
    rsp(false)
    nexus.windows[w.id] = nil
    w.close()
   end},
   {"<Always>", function (w)
    if settings then
     settings.setSetting("perm|" .. pkg .. "|" .. perm, "allow")
    end
    rsp(true)
    nexus.windows[w.id] = nil
    w.close()
   end},
   {"<Yes>", function (w)
    rsp(true)
    nexus.windows[w.id] = nil
    w.close()
   end}
  }
  local cButton = 0
  nexus.create(totalW, #fmt, "security", function (window, ev, a, b, c)
   while ev do
    if ev == "line" or ev == "touch" then
     local cor = b
     local iev = ev
     ev = nil
     if iev == "line" then
      cor = a
      if fmt[a] then
       window.span(1, a, fmt[a], 0xFFFFFF, 0)
      end
     end
     if cor == #fmt then
      local x = 1
      for k, v in ipairs(buttons) do
       if iev == "line" then
        if k ~= cButton + 1 then
         window.span(x, a, v[1], 0xFFFFFF, 0)
        else
         window.span(x, a, v[1], 0, 0xFFFFFF)
        end
       elseif a >= x and a < (x + #v[1]) then
        cButton = k - 1
        ev = "key"
        a = 32
        b = 0
        c = true
        break
       end
       x = x + #v[1] + 1
      end
     end
    elseif ev == "close" then
     rsp(false)
     nexus.windows[window.id] = nil
     window.close()
     ev = nil
    elseif ev == "key" then
     if c and (a == 9 or b == 205) then
      cButton = (cButton + 1) % #buttons
      ev = "line"
      a = #fmt
     elseif c and b == 203 then
      cButton = (cButton - 1) % #buttons
      ev = "line"
      a = #fmt
     elseif c and (a == 13 or a == 32) then
      buttons[cButton + 1][2](window)
      ev = nil
     else
      ev = nil
     end
    else
     ev = nil
    end
   end
  end)
 else
  rsp(res == "allow")
 end
end
License 'change' (Please see #5) This license change should only increase the amount of stuff people can do in countries where the public domain is not a valid concept. If this license somehow restricts you as opposed to the previous one, please file an issue. 2021-01-12 23:11:00 +11:00			`-- Copyright (C) 2018-2021 by KittenOS NEO contributors`
			`--`
			`-- Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.`
			`--`
			`-- THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF`
			`-- THIS SOFTWARE.`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00
			`-- CRITICAL FILE!`
			`-- This file defines how your KittenOS NEO system responds to access requests.`
			`-- Modification, renaming or deletion can disable security features.`
			`-- Usually, a change that breaks the ability for the file to do it's job will cause the "failsafe" to activate,`
			`-- and for the system to become unable to run user applications.`
			`-- However - I would not like to test this in a situation where said user applications were in any way untrusted,`
			`-- for example, if you downloaded them from the Internet, or in particular if someone forwarded them over Discord.`
			`-- IRC is usually pretty safe, but no guarantees.`

			`-- Returns "allow", "deny", or "ask".`
Bugfixes to Everest, finalize the terminal API 2020-04-02 09:21:36 +11:00			`local function actualPolicy(pkg, pid, perm, pkgSvcPfx)`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`-- System stuff is allowed.`
			`if pkg:sub(1, 4) == "sys-" then`
			`return "allow"`
			`end`
Bugfixes to Everest, finalize the terminal API 2020-04-02 09:21:36 +11:00			`-- svc-t's job is solely to emulate terminals`
			`-- TO INSTALL YOUR OWN TERMINAL EMULATOR:`
			`-- perm\|app-yourterm\|r.neo.t`
			`if pkg == "svc-t" and perm == "r.neo.pub.t" then`
			`return "allow"`
			`end`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`-- <The following is for apps & services>`
Bugfixes to Everest, finalize the terminal API 2020-04-02 09:21:36 +11:00			`-- x.neo.pub.* is open to all`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`if perm:sub(1, 10) == "x.neo.pub." then`
			`return "allow"`
			`end`
Loads of documentation & adjustments. I should probably commit more. 2018-04-07 06:05:47 +10:00			`-- These signals are harmless, though they identify HW (as does everything in OC...)`
Consider 'tablet' component & tablet_use safe in secpolicy, fix incorrect documentation on k.computer 2019-01-03 02:27:23 +11:00			`if perm == "s.h.component_added" or perm == "s.h.component_removed" or perm == "s.h.tablet_use" or perm == "c.tablet" then`
Loads of documentation & adjustments. I should probably commit more. 2018-04-07 06:05:47 +10:00			`return "allow"`
			`end`
Bugfixes to Everest, finalize the terminal API 2020-04-02 09:21:36 +11:00			`-- Userlevel can register for itself`
			`if perm == "r." .. pkgSvcPfx then`
New functions and stuff for R2! Now if only I actually finished us-perms rather than delaying. 2018-04-09 09:04:40 +10:00			`return "allow"`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`end`
			`-- Userlevel has no other registration rights`
			`if perm:sub(1, 2) == "r." then`
			`return "deny"`
			`end`
New functions and stuff for R2! Now if only I actually finished us-perms rather than delaying. 2018-04-09 09:04:40 +10:00			`-- app/svc stuff is world-accessible,`
			`-- but note perm\|*\| overrides this`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`if perm:sub(1, 6) == "x.app." then`
			`return "allow"`
			`end`
			`if perm:sub(1, 6) == "x.svc." then`
			`return "allow"`
			`end`
			`-- For hardware access, ASK!`
			`return "ask"`
			`end`

Bugfixes to Everest, finalize the terminal API 2020-04-02 09:21:36 +11:00			`return function (nexus, settings, pkg, pid, perm, rsp, pkgSvcPfx)`
			`local res = actualPolicy(pkg, pid, perm, pkgSvcPfx)`
New functions and stuff for R2! Now if only I actually finished us-perms rather than delaying. 2018-04-09 09:04:40 +10:00			`if settings then`
			`res = settings.getSetting("perm\|" .. pkg .. "\|" .. perm) or`
Fix lockPerm and security policy glitchiness regarding it, along with even more licensing fun 2018-04-24 07:18:18 +10:00			`settings.getSetting("perm\|*\|" .. perm) or res`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`end`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`if res == "ask" and nexus then`
			`local totalW = 3 + 6 + 2 + 8`
			`local fmt = require("fmttext").fmtText(unicode.safeTextFormat(string.format("%s/%i wants:\n%s\nAllow this?\n\n", pkg, pid, perm)), totalW)`
			`local buttons = {`
			`{"<No>", function (w)`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`rsp(false)`
Optimize Icecap Nexus The things I have to destroy, the joy in it! For all I remove the more I save, the better it is! Perfection is when there is nothing to take away, and I revel in this task. 2018-04-26 07:57:25 +10:00			`nexus.windows[w.id] = nil`
			`w.close()`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`end},`
			`{"<Always>", function (w)`
Got rid of the nasty security-request system. The new system is more hook-like, which is both good & bad, but frankly mostly good given the complexity out of kernel. 2018-03-19 14:08:09 +11:00			`if settings then`
			`settings.setSetting("perm\|" .. pkg .. "\|" .. perm, "allow")`
			`end`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`rsp(true)`
Optimize Icecap Nexus The things I have to destroy, the joy in it! For all I remove the more I save, the better it is! Perfection is when there is nothing to take away, and I revel in this task. 2018-04-26 07:57:25 +10:00			`nexus.windows[w.id] = nil`
			`w.close()`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`end},`
			`{"<Yes>", function (w)`
			`rsp(true)`
Optimize Icecap Nexus The things I have to destroy, the joy in it! For all I remove the more I save, the better it is! Perfection is when there is nothing to take away, and I revel in this task. 2018-04-26 07:57:25 +10:00			`nexus.windows[w.id] = nil`
			`w.close()`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`end}`
			`}`
Optimize Icecap Nexus The things I have to destroy, the joy in it! For all I remove the more I save, the better it is! Perfection is when there is nothing to take away, and I revel in this task. 2018-04-26 07:57:25 +10:00			`local cButton = 0`
			`nexus.create(totalW, #fmt, "security", function (window, ev, a, b, c)`
			`while ev do`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`if ev == "line" or ev == "touch" then`
			`local cor = b`
Optimize Icecap Nexus The things I have to destroy, the joy in it! For all I remove the more I save, the better it is! Perfection is when there is nothing to take away, and I revel in this task. 2018-04-26 07:57:25 +10:00			`local iev = ev`
			`ev = nil`
			`if iev == "line" then`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`cor = a`
			`if fmt[a] then`
			`window.span(1, a, fmt[a], 0xFFFFFF, 0)`
			`end`
			`end`
			`if cor == #fmt then`
			`local x = 1`
			`for k, v in ipairs(buttons) do`
Optimize Icecap Nexus The things I have to destroy, the joy in it! For all I remove the more I save, the better it is! Perfection is when there is nothing to take away, and I revel in this task. 2018-04-26 07:57:25 +10:00			`if iev == "line" then`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`if k ~= cButton + 1 then`
			`window.span(x, a, v[1], 0xFFFFFF, 0)`
			`else`
			`window.span(x, a, v[1], 0, 0xFFFFFF)`
			`end`
			`elseif a >= x and a < (x + #v[1]) then`
			`cButton = k - 1`
			`ev = "key"`
			`a = 32`
			`b = 0`
			`c = true`
			`break`
			`end`
			`x = x + #v[1] + 1`
			`end`
			`end`
			`elseif ev == "close" then`
			`rsp(false)`
Add memory benchmark tool to repository, perform more memopt! 2018-04-27 01:13:42 +10:00			`nexus.windows[window.id] = nil`
			`window.close()`
Optimize Icecap Nexus The things I have to destroy, the joy in it! For all I remove the more I save, the better it is! Perfection is when there is nothing to take away, and I revel in this task. 2018-04-26 07:57:25 +10:00			`ev = nil`
			`elseif ev == "key" then`
Finish lowering memory use, R1 Since this is after the technical "release", version numbers have been bumped to 1. Changes before this commit for R1: Kernel memory usage reduction schemes, with some security fixes. Still need to deal w/ proxies (see later) Changes in this commit: Some various little things in apps CLAW inet actually works now on 192K sys-icecap no longer uses the event/neoux combination, and now handles Everest disappearance as a mass-close, but still handles Everest not being around on window create. So it still handles every situation that matters. neoux no longer handles everest crash protection. Security policy and filedialog obviously don't use neoux anymore. Kernel now only guarantees parsing, not event-loop, by executeAsync This is safer and allows app-launcher to get rid of NeoUX by any means necessary. wrapMeta cache now exists, and proxies get wrapMeta'd to deal with various low-priority security shenanigans. This is a stopgap until I work out how to force OCEmu to give me totally accurate boot-time memory figures, so I can create the ultimate lowmem proxy. I'm calling it "puppet". FG knows why. 2018-03-30 22:36:48 +11:00			`if c and (a == 9 or b == 205) then`
			`cButton = (cButton + 1) % #buttons`
			`ev = "line"`
			`a = #fmt`
			`elseif c and b == 203 then`
			`cButton = (cButton - 1) % #buttons`
			`ev = "line"`
			`a = #fmt`
			`elseif c and (a == 13 or a == 32) then`
			`buttons[cButton + 1][2](window)`
			`ev = nil`
			`else`
			`ev = nil`
			`end`
			`else`
			`ev = nil`
			`end`
			`end`
			`end)`
With SYSTEM HEROES making continuing feasible, FIRST COMMIT 2018-03-19 10:10:54 +11:00			`else`
			`rsp(res == "allow")`
			`end`
			`end`