tizen 2.3.1 release

[framework/web/mobile/wrt-security.git] / ace / configuration / WAC2.0Policy.xml

<policy-set id="WAC-Policy" combine="first-matching-target">
    <policy id="WAC-Policy-Trusted" description="WAC's policy for trusted domain" combine="permit-overrides">
        <target>
            <subject>
                <!-- This is finger-print of certificate for WAC Test Widget (operator.root.cert.pem) --> 
                <subject-match attr="distributor-key-root-fingerprint" func="equal">
                    sha-1 4A:9D:7A:4B:3B:29:D4:69:0A:70:B3:80:EC:A9:44:6B:03:7C:9A:38
                </subject-match>
            </subject>
            <subject>
                <!-- This is finger-print of certificate for WAC Publish ID (wac.publisher.pem) --> 
                <subject-match attr="author-key-root-fingerprint" func="equal">
                    sha-1 A6:00:BC:53:AC:37:5B:6A:03:C3:7A:8A:E0:1B:87:8B:82:94:9B:C2
                </subject-match>
            </subject>
            <subject>
                <!-- This is finger-print of certificate for WAC Production (wac.root.production.pem) --> 
                <subject-match attr="distributor-key-root-fingerprint" func="equal">
                    sha-1 A0:59:D3:37:E8:C8:2E:7F:38:84:7D:21:A9:9E:19:A9:8E:EC:EB:E1
                </subject-match>
            </subject>
            <subject>
                <!-- This is finger-print of certificate for WAC Preproduction (wac.root.preproduction.pem) --> 
                <subject-match attr="distributor-key-root-fingerprint" func="equal">
                    sha-1 8D:1F:CB:31:68:11:DA:22:59:26:58:13:6C:C6:72:C9:F0:DE:84:2A
                </subject-match>
            </subject>
        </target> 

        <!-- access to external network -->
        <!--
        <rule effect="permit">
            <condition combine="and">
                <condition combine="or">
                    <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
                    <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
                    <resource-match attr="device-cap" func="equal" match="messaging.send" />
                </condition>
                <environment-match attr="roaming" match="true" />
            </condition>
        </rule>
        -->
        <rule effect="permit" />
    </policy>

    <policy id="WAC-Policy-Untrusted" description="WAC's policy for untrusted domain" combine="deny-overrides">
        <!-- Specific Untrusted Policy for WAC -->
        <!-- access to accelerometer -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="accelerometer" />
            </condition>
        </rule>

        <!-- access to calendar -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="pim.calendar.read" />
                <resource-match attr="device-cap" func="equal" match="pim.calendar.write" />
            </condition>
        </rule>

        <!-- access to camera -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="camera.show" />
            </condition>
        </rule>
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="camera.capture" />
            </condition>
        </rule>

        <!-- access to contact -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="pim.contact.read" />
                <resource-match attr="device-cap" func="equal" match="pim.contact.write" />
            </condition>
        </rule>

        <!-- access to device-interaction -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="deviceinteraction" />
            </condition>
        </rule>

        <!-- access to device-status -->
        <rule effect="permit">
             <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="devicestatus.deviceinfo" />
                <resource-match attr="device-cap" func="equal" match="devicestatus.networkinfo" />
            </condition>
        </rule>

        <!-- access to filesystem -->
        <rule effect="permit">
            <condition combine="and">
                <condition combine="or">
                    <resource-match attr="device-cap" func="equal" match="filesystem.read" />
                    <resource-match attr="device-cap" func="equal" match="filesystem.write" />
                </condition>
                <condition combine="or">
                    <resource-match attr="param:location" func="equal">wgt-private</resource-match>
                    <resource-match attr="param:location" func="equal">wgt-private-tmp</resource-match>
                    <resource-match attr="param:location" func="equal">wgt-package</resource-match>
                </condition>
            </condition>
        </rule>

        <!-- access to messaging -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="messaging.find" />
                <resource-match attr="device-cap" func="equal" match="messaging.subscribe" />
                <resource-match attr="device-cap" func="equal" match="messaging.write" />
            </condition>
        </rule>

        <!-- access to message send on roaming status -->
        <!--
        <rule effect="deny">
            <condition combine="and">
                <resource-match attr="device-cap" func="equal" match="messaging.send" />
                <environment-match attr="roaming" match="true" />
            </condition>
        </rule>
        -->

        <!-- access to geolocation -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="geolocation" />
            </condition>
        </rule>

        <!-- access to orientation -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="orientation" />
            </condition>
        </rule>

        <!-- access to task -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="pim.task.read" />
                <resource-match attr="device-cap" func="equal" match="pim.task.write" />
            </condition>
        </rule>
        <!-- access to external network -->
        <rule effect="permit">
            <condition combine="or">
                <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
                <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
            </condition>
        </rule>

        <!-- access to external network on roaming status -->
        <!--
        <rule effect="permit">
            <condition combine="and">
                <condition combine="or">
                    <resource-match attr="device-cap" func="equal" match="XMLHttpRequest" />
                    <resource-match attr="device-cap" func="equal" match="externalNetworkAccess" />
                </condition>
                <environment-match attr="roaming" match="true" />
            </condition>
        </rule>
        -->

    </policy>
</policy-set>