WebVM

Greetings from a grey Guildford,

From version 0.15.4725 of the Linux SDK, fresh support for persistent permission storage and sub-features has been added!

Once installed, check everything is working correctly by visiting:

If you receive error code -6, it generally means that a requested module could not be found. Other error codes are listed in webvm.h.

<rule effect="prompt-blanket"></rule>

Blanket prompt

<rule effect="prompt-session"></rule>

Session prompt

<rule effect="prompt-oneshot"></rule>

Oneshot prompt

Permission storage

The default policy example is installed at /usr/lib/webvm/policy.conf. How permissions are set is described by BONDI 1.0. Specifically:

The http://example.webvm.net/simpler test utilises the simpler module (look in sdk/example/simpler/) which identifies itself as the http://webvm.net/api/simpler.get42 feature that implements the “device capability” test.get42.

static const WVMFeature features[] = {
    { "http://webvm.net/api/simpler.get42", "test.get42" },
    { 0, 0 }
};

Walkthrough WebVM

  1. When http://example.webvm.net/simpler is loaded with our /usr/lib/webvm/policy.conf, the request runs through the Security Manager with first-applicable combining rules…
  2. example.webvm.net is first matched by the second *.webvm.net subject match in the first policy
  3. In the prompt-blanket rule, the device capability test.get42 has a resource match, completing our first rule!
  4. Since our combining rule for this example is first-matching-target, we stop processing the policy.conf and show a prompt of type blanket.
  5. A ‘blanket prompt’ allows the user to decide whether to save his or her decision (as well as make non-persistent oneshot and session choices). Select Always for the purposes of this example.
  6. Have a look inside ~/.webvm/http%3A%2F%2Fexample.webvm.net%2Fsimpler%2F/policy, that’s where your decision is stored.
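
The walkthrough above as a simplified Python model. This is an added example, not WebVM's code or its shipped policy.conf: the policy data is constructed, and matching the subject as a glob on the URL host is an assumption.

```python
from fnmatch import fnmatchcase
from pathlib import PurePosixPath
from urllib.parse import quote, urlsplit

# Constructed policy data modelled on the walkthrough; not the shipped policy.conf.
POLICY_SET = [
    {   # first policy: its second subject match is *.webvm.net
        "subjects": ["localhost", "*.webvm.net"],
        "rules": [
            {"effect": "prompt-blanket", "capabilities": {"test.get42"}},
            {"effect": "deny", "capabilities": None},  # None = no resource match (catch-all)
        ],
    },
    {   # not consulted for *.webvm.net: evaluation stops at the policy above
        "subjects": ["*"],
        "rules": [{"effect": "deny", "capabilities": None}],
    },
]


def evaluate(url, capability, policy_set=POLICY_SET):
    """Return (policy_index, effect), or None when no rule applies."""
    host = urlsplit(url).hostname or ""
    for index, policy in enumerate(policy_set):
        if not any(fnmatchcase(host, glob) for glob in policy["subjects"]):
            continue
        # first-matching-target: this policy decides, later ones are skipped
        for rule in policy["rules"]:
            caps = rule["capabilities"]
            if caps is None or capability in caps:
                return index, rule["effect"]  # first-applicable rule wins
        return None
    return None


def decision_path(url, home="~"):
    """File holding a saved decision: the URL percent-encoded as one directory name."""
    return str(PurePosixPath(home) / ".webvm" / quote(url, safe="") / "policy")


if __name__ == "__main__":
    print(evaluate("http://example.webvm.net/simpler", "test.get42"))
    print(decision_path("http://example.webvm.net/simpler/"))
```

Because rule order decides the outcome, swapping the two rules in the first policy would deny test.get42 without ever prompting.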

Validating your policy.conf

Every time you edit the policy.conf, you should validate it to make sure it’s correct.

Use rnv, a Relax NG Compact Syntax validator:

  1. wget -q http://bondi.omtp.org/1.0/security/bondixml.rnc http://bondi.omtp.org/1.0/security/xmldsig-core-schema.rnc
  2. rnv bondixml.rnc /usr/lib/webvm/policy.conf

I’ve created a couple of aliases for my ~/.bashrc that you may find helpful. To quickly edit my main policy, I just type pol:

pol () {
    sudo vim /usr/lib/webvm/policy.conf
}

To quickly check a policy (I’ve placed the schemas in a ~/policy directory):

valpol () {
    # Validate each policy file given as an argument against the BONDI schema
    for i in "$@"
    do
        rnv ~/policy/bondixml.rnc "$i"
    done
}

If you want to alter the policy on the fly for testing, add misc.debug.policy: yes to your /etc/webvm.conf and try some examples that utilise setPolicy functionality.