1 <policy-set id="Tizen-Policy" combine="first-matching-target">
2     <policy id="Tizen-Policy-Partner-API" description="Partner API" combine="permit-overrides">
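3         <!-- Partner API. The target below matches the SHA-1 fingerprint of tizen-distributor-root-ca-partner.pem, so this policy applies only to subjects whose distributor root key has that fingerprint. If that certificate is replaced, this value must be updated with it. -->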
4         <target>
5             <subject>
6                 <subject-match attr="distributor-key-root-fingerprint" func="equal">
7                     sha-1 67:37:DE:B7:B9:9D:D2:DB:A5:2C:42:DE:CB:2F:2C:3E:33:97:E1:85
8                 </subject-match>
9             </subject>
10         </target>
11
12         <rule effect="permit">
13             <condition combine="or">
14                 <resource-match attr="device-cap" func="equal" match="tizen" />
15             </condition>
16         </rule>
17
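18         <!-- access to application (application.kill is granted only in this Partner policy; the Trusted and Untrusted policies below omit it) -->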
19         <rule effect="permit">
20             <condition combine="or">
21                 <resource-match attr="device-cap" func="equal" match="application.kill" />
22                 <resource-match attr="device-cap" func="equal" match="application.launch" />
23                 <resource-match attr="device-cap" func="equal" match="application.read" />
24             </condition>
25         </rule>
26
27         <!-- access to bluetooth -->
28         <rule effect="permit">
29             <condition combine="or">
30                 <resource-match attr="device-cap" func="equal" match="bluetooth.admin" />
31                 <resource-match attr="device-cap" func="equal" match="bluetooth.gap" />
32                 <resource-match attr="device-cap" func="equal" match="bluetooth.spp" />
33             </condition>
34         </rule>
35
36         <!-- access to calendar -->
37         <rule effect="permit">
38             <condition combine="or">
39                 <resource-match attr="device-cap" func="equal" match="calendar.read" />
40                 <resource-match attr="device-cap" func="equal" match="calendar.write" />
41             </condition>
42         </rule>
43
44         <!-- access to call history -->
45         <rule effect="permit">
46             <condition combine="or">
47                 <resource-match attr="device-cap" func="equal" match="callhistory.read" />
48                 <resource-match attr="device-cap" func="equal" match="callhistory.write" />
49             </condition>
50         </rule>
51
52         <!-- access to contact -->
53         <rule effect="permit">
54             <condition combine="or">
55                 <resource-match attr="device-cap" func="equal" match="contact.read" />
56                 <resource-match attr="device-cap" func="equal" match="contact.write" />
57             </condition>
58         </rule>
59
60         <!-- access to content -->
61         <rule effect="permit">
62             <condition combine="or">
63                 <resource-match attr="device-cap" func="equal" match="content.read" />
64                 <resource-match attr="device-cap" func="equal" match="content.write" />
65             </condition>
66         </rule>
67
68         <!-- access to NFC -->
69         <rule effect="permit">
70             <condition combine="or">
71                 <resource-match attr="device-cap" func="equal" match="nfc.admin" />
72                 <resource-match attr="device-cap" func="equal" match="nfc.tag" />
73                 <resource-match attr="device-cap" func="equal" match="nfc.p2p" />
74                 <resource-match attr="device-cap" func="equal" match="nfc.cardemulation" />
75                 <resource-match attr="device-cap" func="equal" match="nfc.common" />
76             </condition>
77         </rule>
78
79         <!-- access to systeminfo -->
80         <rule effect="permit">
81             <condition combine="or">
82                 <resource-match attr="device-cap" func="equal" match="systeminfo" />
83             </condition>
84         </rule>
85
86         <!-- access to system setting -->
87         <rule effect="permit">
88             <condition combine="or">
89                 <resource-match attr="device-cap" func="equal" match="setting" />
90             </condition>
91         </rule>
92
93         <!-- access to download feature -->
94         <rule effect="permit">
95             <condition combine="or">
96                 <resource-match attr="device-cap" func="equal" match="download" />
97             </condition>
98         </rule>
99
100         <!-- access to power feature -->
101         <rule effect="permit">
102             <condition combine="or">
103                 <resource-match attr="device-cap" func="equal" match="power" />
104             </condition>
105         </rule>
106
107         <!-- access to push feature -->
108         <rule effect="permit">
109             <condition combine="or">
110                 <resource-match attr="device-cap" func="equal" match="push" />
111             </condition>
112         </rule>
113
114         <!-- access to timeutil -->
115         <rule effect="permit">
116             <condition combine="or">
117                 <resource-match attr="device-cap" func="equal" match="time" />
118             </condition>
119         </rule>
120
121         <!-- access to external network -->
122         <!-- XMLHttpRequestTizen and externalNetworkAccessTizen are defined for Tizen web apps. -->
123         <!-- These two capabilities function the same as WAC's XMLHttpRequest and externalNetworkAccess. Note that the rule below matches the WAC names, not the *Tizen names. -->
124         <rule effect="permit">
125             <condition combine="or">
126                 <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
127                 <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
128             </condition>
129         </rule>
130
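131         <!-- access to external network while roaming. NOTE(review): the preceding rule already permits both capabilities unconditionally, so under combine="permit-overrides" this roaming condition does not appear to change the outcome; confirm whether roaming access was meant to be restricted. -->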
132         <rule effect="permit">
133             <condition combine="and">
134                 <condition combine="or">
135                     <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
136                     <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
137                 </condition>
138                 <environment-match attr="roaming" match="true" />
139             </condition>
140         </rule>
141
            <!-- access to alarm -->
142         <rule effect="permit">
143             <condition combine="or">
144                 <resource-match attr="device-cap" func="equal" match="alarm" />
145             </condition>
146         </rule>
147
            <!-- access to log -->
148         <rule effect="permit">
149             <condition combine="or">
150                 <resource-match attr="device-cap" func="equal" match="log" />
151             </condition>
152         </rule>
153
            <!-- access to messaging -->
154         <rule effect="permit">
155             <condition combine="or">
156                 <resource-match attr="device-cap" func="equal" match="messaging.read" />
157                 <resource-match attr="device-cap" func="equal" match="messaging.write" />
158                 <resource-match attr="device-cap" func="equal" match="messaging.send" />
159             </condition>
160         </rule>
161
            <!-- access to filesystem -->
162         <rule effect="permit">
163             <condition combine="or">
164                 <resource-match attr="device-cap" func="equal" match="filesystem.read" />
165                 <resource-match attr="device-cap" func="equal" match="filesystem.write" />
166             </condition>
167         </rule>
168
            <!-- access to notification -->
169         <rule effect="permit">
170             <condition combine="or">
171                 <resource-match attr="device-cap" func="equal" match="notification.read" />
172                 <resource-match attr="device-cap" func="equal" match="notification.write" />
173             </condition>
174         </rule>
175
            <!-- access to networkbearerselection (Partner only: not granted by the Trusted or Untrusted policies in this file) -->
176         <rule effect="permit">
177             <condition combine="or">
178                 <resource-match attr="device-cap" func="equal" match="networkbearerselection" />
179             </condition>
180         </rule>
181
            <!-- access to datacontrol.consumer (Partner only: not granted by the Trusted or Untrusted policies in this file) -->
182         <rule effect="permit">
183             <condition combine="or">
184                 <resource-match attr="device-cap" func="equal" match="datacontrol.consumer" />
185             </condition>
186         </rule>
187
            <!-- access to "se" (presumably secure element; confirm). Partner only: not granted by the Trusted or Untrusted policies in this file -->
188         <rule effect="permit">
189             <condition combine="or">
190                 <resource-match attr="device-cap" func="equal" match="se" />
191             </condition>
192         </rule>
193
            <!-- access to account (Partner only: not granted by the Trusted or Untrusted policies in this file) -->
194         <rule effect="permit">
195             <condition combine="or">
196                 <resource-match attr="device-cap" func="equal" match="account.read" />
197                                 <resource-match attr="device-cap" func="equal" match="account.write" />
198             </condition>
199         </rule>
200
            <!-- catch-all deny: this rule has no condition. With combine="permit-overrides" on the enclosing policy it presumably decides only requests that no permit rule above matched (confirm against the ACE engine). -->
201         <rule effect="deny" />
202     </policy>
203     <policy id="Tizen-Policy-Trusted" description="Tizen's policy for trusted domain" combine="permit-overrides">
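204         <!-- The target below matches the SHA-1 fingerprint of the TIZEN SDK certificate (tizen.root.preproduction.cert.pem). NOTE(review): the file name indicates a preproduction certificate; confirm it is meant to be trusted in production builds. -->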
205         <target>
206             <subject>
207                 <subject-match attr="distributor-key-root-fingerprint" func="equal">
208                     sha-1 AD:A1:44:89:6A:35:6D:17:01:E9:6F:46:C6:00:7B:78:BE:2E:D9:4E
209                 </subject-match>
210             </subject>
211         </target> 
212
213         <rule effect="permit">
214             <condition combine="or">
215                 <resource-match attr="device-cap" func="equal" match="tizen" />
216             </condition>
217         </rule>
218
219         <!-- access to application -->
220         <rule effect="permit">
221             <condition combine="or">
222                 <resource-match attr="device-cap" func="equal" match="application.launch" />
223                 <resource-match attr="device-cap" func="equal" match="application.read" />
224             </condition>
225         </rule>
226
227         <!-- access to bluetooth -->
228         <rule effect="permit">
229             <condition combine="or">
230                 <resource-match attr="device-cap" func="equal" match="bluetooth.admin" />
231                 <resource-match attr="device-cap" func="equal" match="bluetooth.gap" />
232                 <resource-match attr="device-cap" func="equal" match="bluetooth.spp" />
233             </condition>
234         </rule>
235
236         <!-- access to calendar -->
237         <rule effect="permit">
238             <condition combine="or">
239                 <resource-match attr="device-cap" func="equal" match="calendar.read" />
240                 <resource-match attr="device-cap" func="equal" match="calendar.write" />
241             </condition>
242         </rule>
243
244         <!-- access to call history -->
245         <rule effect="permit">
246             <condition combine="or">
247                 <resource-match attr="device-cap" func="equal" match="callhistory.read" />
248                 <resource-match attr="device-cap" func="equal" match="callhistory.write" />
249             </condition>
250         </rule>
251
252         <!-- access to contact -->
253         <rule effect="permit">
254             <condition combine="or">
255                 <resource-match attr="device-cap" func="equal" match="contact.read" />
256                 <resource-match attr="device-cap" func="equal" match="contact.write" />
257             </condition>
258         </rule>
259
260         <!-- access to content -->
261         <rule effect="permit">
262             <condition combine="or">
263                 <resource-match attr="device-cap" func="equal" match="content.read" />
264                 <resource-match attr="device-cap" func="equal" match="content.write" />
265             </condition>
266         </rule>
267
268         <!-- access to NFC -->
269         <rule effect="permit">
270             <condition combine="or">
271                 <resource-match attr="device-cap" func="equal" match="nfc.admin" />
272                 <resource-match attr="device-cap" func="equal" match="nfc.tag" />
273                 <resource-match attr="device-cap" func="equal" match="nfc.p2p" />
274                 <resource-match attr="device-cap" func="equal" match="nfc.cardemulation" />
275                 <resource-match attr="device-cap" func="equal" match="nfc.common" />
276             </condition>
277         </rule>
278
279         <!-- access to systeminfo -->
280         <rule effect="permit">
281             <condition combine="or">
282                 <resource-match attr="device-cap" func="equal" match="systeminfo" />
283             </condition>
284         </rule>
285
286         <!-- access to system setting -->
287         <rule effect="permit">
288             <condition combine="or">
289                 <resource-match attr="device-cap" func="equal" match="setting" />
290             </condition>
291         </rule>
292
293         <!-- access to download feature -->
294         <rule effect="permit">
295             <condition combine="or">
296                 <resource-match attr="device-cap" func="equal" match="download" />
297             </condition>
298         </rule>
299
300         <!-- access to power feature -->
301         <rule effect="permit">
302             <condition combine="or">
303                 <resource-match attr="device-cap" func="equal" match="power" />
304             </condition>
305         </rule>
306
307         <!-- access to push feature -->
308         <rule effect="permit">
309             <condition combine="or">
310                 <resource-match attr="device-cap" func="equal" match="push" />
311             </condition>
312         </rule>
313
314         <!-- access to timeutil -->
315         <rule effect="permit">
316             <condition combine="or">
317                 <resource-match attr="device-cap" func="equal" match="time" />
318             </condition>
319         </rule>
320
321         <!-- access to external network -->
322         <!-- XMLHttpRequestTizen and externalNetworkAccessTizen are defined for Tizen web apps. -->
323         <!-- These two capabilities function the same as WAC's XMLHttpRequest and externalNetworkAccess. Note that the rule below matches the WAC names, not the *Tizen names. -->
324         <rule effect="permit">
325             <condition combine="or">
326                 <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
327                 <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
328             </condition>
329         </rule>
330
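331         <!-- access to external network while roaming. NOTE(review): the preceding rule already permits both capabilities unconditionally, so under combine="permit-overrides" this roaming condition does not appear to change the outcome; confirm whether roaming access was meant to be restricted. -->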
332         <rule effect="permit">
333             <condition combine="and">
334                 <condition combine="or">
335                     <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
336                     <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
337                 </condition>
338                 <environment-match attr="roaming" match="true" />
339             </condition>
340         </rule>
341
            <!-- access to alarm -->
342         <rule effect="permit">
343             <condition combine="or">
344                 <resource-match attr="device-cap" func="equal" match="alarm" />
345             </condition>
346         </rule>
347
            <!-- access to log -->
348         <rule effect="permit">
349             <condition combine="or">
350                 <resource-match attr="device-cap" func="equal" match="log" />
351             </condition>
352         </rule>
353
            <!-- access to messaging -->
354         <rule effect="permit">
355             <condition combine="or">
356                 <resource-match attr="device-cap" func="equal" match="messaging.read" />
357                 <resource-match attr="device-cap" func="equal" match="messaging.write" />
358                 <resource-match attr="device-cap" func="equal" match="messaging.send" />
359             </condition>
360         </rule>
361
            <!-- access to filesystem -->
362         <rule effect="permit">
363             <condition combine="or">
364                 <resource-match attr="device-cap" func="equal" match="filesystem.read" />
365                 <resource-match attr="device-cap" func="equal" match="filesystem.write" />
366             </condition>
367         </rule>
368
            <!-- access to notification -->
369         <rule effect="permit">
370             <condition combine="or">
371                 <resource-match attr="device-cap" func="equal" match="notification.read" />
372                 <resource-match attr="device-cap" func="equal" match="notification.write" />
373             </condition>
374         </rule>
375
            <!-- catch-all deny: this rule has no condition. With combine="permit-overrides" on the enclosing policy it presumably decides only requests that no permit rule above matched (confirm against the ACE engine). -->
376         <rule effect="deny" />
377     </policy>
378
379     <policy id="Tizen-Policy-Untrusted" description="Tizen's policy for untrusted domain" combine="permit-overrides">
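380         <!-- Untrusted policy specific to Tizen. It has no <target>, so under the policy-set's combine="first-matching-target" it presumably acts as the fallback for subjects that match neither fingerprint above. NOTE(review): the rules below grant the same capabilities as Tizen-Policy-Trusted; confirm that untrusted subjects are meant to receive the full set. -->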
381
382         <rule effect="permit">
383             <condition combine="or">
384                 <resource-match attr="device-cap" func="equal" match="tizen" />
385             </condition>
386         </rule>
387
388         <!-- access to application -->
389         <rule effect="permit">
390             <condition combine="or">
391                 <resource-match attr="device-cap" func="equal" match="application.launch" />
392                 <resource-match attr="device-cap" func="equal" match="application.read" />
393             </condition>
394         </rule>
395
396         <!-- access to bluetooth -->
397         <rule effect="permit">
398             <condition combine="or">
399                 <resource-match attr="device-cap" func="equal" match="bluetooth.admin" />
400                 <resource-match attr="device-cap" func="equal" match="bluetooth.gap" />
401                 <resource-match attr="device-cap" func="equal" match="bluetooth.spp" />
402             </condition>
403         </rule>
404
405         <!-- access to calendar -->
406         <rule effect="permit">
407             <condition combine="or">
408                 <resource-match attr="device-cap" func="equal" match="calendar.read" />
409                 <resource-match attr="device-cap" func="equal" match="calendar.write" />
410             </condition>
411         </rule>
412
413         <!-- access to call history -->
414         <rule effect="permit">
415             <condition combine="or">
416                 <resource-match attr="device-cap" func="equal" match="callhistory.read" />
417                 <resource-match attr="device-cap" func="equal" match="callhistory.write" />
418             </condition>
419         </rule>
420
421         <!-- access to contact -->
422         <rule effect="permit">
423             <condition combine="or">
424                 <resource-match attr="device-cap" func="equal" match="contact.read" />
425                 <resource-match attr="device-cap" func="equal" match="contact.write" />
426             </condition>
427         </rule>
428
429         <!-- access to content -->
430         <rule effect="permit">
431             <condition combine="or">
432                 <resource-match attr="device-cap" func="equal" match="content.read" />
433                 <resource-match attr="device-cap" func="equal" match="content.write" />
434             </condition>
435         </rule>
436
437         <!-- access to NFC -->
438         <rule effect="permit">
439             <condition combine="or">
440                 <resource-match attr="device-cap" func="equal" match="nfc.admin" />
441                 <resource-match attr="device-cap" func="equal" match="nfc.tag" />
442                 <resource-match attr="device-cap" func="equal" match="nfc.p2p" />
443                 <resource-match attr="device-cap" func="equal" match="nfc.cardemulation" />
444                 <resource-match attr="device-cap" func="equal" match="nfc.common" />
445             </condition>
446         </rule>
447
448         <!-- access to systeminfo -->
449         <rule effect="permit">
450             <condition combine="or">
451                 <resource-match attr="device-cap" func="equal" match="systeminfo" />
452             </condition>
453         </rule>
454
455         <!-- access to system setting -->
456         <rule effect="permit">
457             <condition combine="or">
458                 <resource-match attr="device-cap" func="equal" match="setting" />
459             </condition>
460         </rule>
461
462         <!-- access to download feature -->
463         <rule effect="permit">
464             <condition combine="or">
465                 <resource-match attr="device-cap" func="equal" match="download" />
466             </condition>
467         </rule>
468
469         <!-- access to power feature -->
470         <rule effect="permit">
471             <condition combine="or">
472                 <resource-match attr="device-cap" func="equal" match="power" />
473             </condition>
474         </rule>
475
476         <!-- access to push feature -->
477         <rule effect="permit">
478             <condition combine="or">
479                 <resource-match attr="device-cap" func="equal" match="push" />
480             </condition>
481         </rule>
482
483         <!-- access to timeutil -->
484         <rule effect="permit">
485             <condition combine="or">
486                 <resource-match attr="device-cap" func="equal" match="time" />
487             </condition>
488         </rule>
489
490         <!-- access to external network -->
491         <!-- XMLHttpRequestTizen and externalNetworkAccessTizen are defined for Tizen web apps. -->
492         <!-- These two capabilities function the same as WAC's XMLHttpRequest and externalNetworkAccess. Note that the rule below matches the WAC names, not the *Tizen names. -->
493         <rule effect="permit">
494             <condition combine="or">
495                 <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
496                 <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
497             </condition>
498         </rule>
499
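500         <!-- access to external network while roaming. NOTE(review): the preceding rule already permits both capabilities unconditionally, so under combine="permit-overrides" this roaming condition does not appear to change the outcome; confirm whether roaming access was meant to be restricted. -->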
501         <rule effect="permit">
502             <condition combine="and">
503                 <condition combine="or">
504                     <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
505                     <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
506                 </condition>
507                 <environment-match attr="roaming" match="true" />
508             </condition>
509         </rule>
510
            <!-- access to alarm -->
511         <rule effect="permit">
512             <condition combine="or">
513                 <resource-match attr="device-cap" func="equal" match="alarm" />
514             </condition>
515         </rule>
516
            <!-- access to log -->
517         <rule effect="permit">
518             <condition combine="or">
519                 <resource-match attr="device-cap" func="equal" match="log" />
520             </condition>
521         </rule>
522
            <!-- access to messaging -->
523         <rule effect="permit">
524             <condition combine="or">
525                 <resource-match attr="device-cap" func="equal" match="messaging.read" />
526                 <resource-match attr="device-cap" func="equal" match="messaging.write" />
527                 <resource-match attr="device-cap" func="equal" match="messaging.send" />
528             </condition>
529         </rule>
530
            <!-- access to filesystem -->
531         <rule effect="permit">
532             <condition combine="or">
533                 <resource-match attr="device-cap" func="equal" match="filesystem.read" />
534                 <resource-match attr="device-cap" func="equal" match="filesystem.write" />
535             </condition>
536         </rule>
537
            <!-- access to notification -->
538         <rule effect="permit">
539             <condition combine="or">
540                 <resource-match attr="device-cap" func="equal" match="notification.read" />
541                 <resource-match attr="device-cap" func="equal" match="notification.write" />
542             </condition>
543         </rule>
544
            <!-- catch-all deny: this rule has no condition. With combine="permit-overrides" on the enclosing policy it presumably decides only requests that no permit rule above matched (confirm against the ACE engine). -->
545         <rule effect="deny" />
546     </policy>
547 </policy-set>