User:Javispedro/Activities blocked by the N9 and N950 security policy

From MeeGo wiki

This page should list activities that are blocked by the stock Aegis configuration.

Use cases that are blocked

  1. Can no longer develop an application that allows you to access your Windows / Unix shares from your N950, as you cannot use the in-kernel CIFS or NFS drivers to mount those shares.
  2. Will not be able to use USB hostmode.
  3. Cannot run Easy Debian, as it requires both mounting and running unsigned binaries as root.
  4. Cannot test applications by just copying the binary to the device. If the application requires even a single Aegis token, it has to be packaged and installed. This can take several minutes depending on the size of the application, which severely reduces productivity and puts unnecessary extra wear on the device's flash.
  5. A Community SSU would be impossible.
  6. Cannot properly implement Tor support, as most applications don't honor proxy settings and transparent proxying is impossible due to missing NAT kernel modules.
  7. Cannot develop an application that uses the N950/N9 LED for notifications like it was used on the N900. See http://www.youtube.com/watch?v=FTw-nQVMPng , which currently requires disabling the security system.
  8. This: http://conversations.nokia.com/2011/10/25/worlds-first-mobile-brain-scanner-with-a-nokia-n900/
  9. Cannot develop an application that changes Flight mode or battery saving mode, for example to automatically switch Flight mode/battery saving mode on for the night and off again in the morning.
  10. ...

Feel free to edit and put your own stuff.

Forbidden stuff

On this list you can put more generic, technical use cases that are blocked, like "can't insert modules into the kernel". Any use case blocked above will be blocked by one or more of the technical reasons that follow.

  • Can't insert modules into the kernel.
  • Can't mount.
  • Can't call setgid/setuid.
  • Can't replace packages from Nokia (either closed or open source) that demand tokens from the list below.
  • Root cannot access all the files of the device.
  • Can't control the notification LED.
  • Can't enable relaxed exec, which allowed running unsigned/unpackaged binaries as "user" (this is supposed to be re-enabled in a future release).
  • Can't run unsigned/unpackaged binaries as root.
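
Several of the items above are kernel-level restrictions, and the "Privileges not available" list further down names them as CAP:: tokens. The following is an added example, not part of the original wiki page or of Aegis: it reads a process's effective capability mask from /proc and reports which of those capabilities are absent. It assumes each CAP::x token corresponds to the Linux capability CAP_X; the sample status text is constructed.

```python
import re

# Bit numbers from <linux/capability.h>. The names are the CAP:: tokens listed
# on this page. Assumption of this example: CAP::x stands for the kernel's CAP_X.
DENIED_CAPS = {
    "dac_override": 1,   # bypass file read/write/execute permission checks
    "setgid": 6,         # setgid(2) and friends
    "setuid": 7,         # setuid(2) and friends
    "setpcap": 8,
    "sys_module": 16,    # load and unload kernel modules
    "sys_rawio": 17,
    "sys_admin": 21,     # mount(2), among much else
    "mknod": 27,
    "mac_override": 32,
    "mac_admin": 33,
}

def parse_cap_eff(status_text):
    """Return the CapEff mask from the text of /proc/<pid>/status as an int."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def missing_caps(cap_eff):
    """List the page's CAP:: tokens whose bit is clear in the mask."""
    return sorted(n for n, bit in DENIED_CAPS.items()
                  if not ((cap_eff >> bit) & 1))

def report(status_text):
    """Split the page's CAP:: tokens into held and missing for one process."""
    missing = missing_caps(parse_cap_eff(status_text))
    return {"held": sorted(set(DENIED_CAPS) - set(missing)), "missing": missing}

# Constructed sample: a uid-0 shell whose effective set holds only
# setgid (bit 6) and setuid (bit 7), i.e. mask 0xc0.
SAMPLE_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000000000c0\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_STATUS  # not on Linux: fall back to the constructed sample
    print(report(text))
```

Running as uid 0 does not imply holding these bits, so the check looks at the effective mask rather than the user ID.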

Frequently asked questions

Aren't those privileges specifiable in an aegis manifest?

No, you cannot request any of these tokens in a manifest file.

Privileges not available

This is the set of all tokens available in Aegis minus the ones that develsh has in its stock configuration, provided for reference. Anything on this list is therefore forbidden.

Note that this list was extracted by using uniq on the restok.conf file which was found to be available here: http://paste.ubuntu.com/693098/ . Any errors are the result of the use of automated tools and not intentional.

account-plugin-ovi::noaaccess
account-plugin-ovi::sso-encryption-token
aegis-certman-common-ca::CertCACodeSignAdd
aegis-certman-common-ca::CertCACodeSignUse
aegis-certman-common-ca::CertCACommonAdd
aegis-certman-common-ca::CertCAGlobalCodeSignAdd
aegis-certman-common-ca::CertCASMIMEAdd
aegis-certman-common-ca::CertCASSLAdd
aegis-certman-common-ca::CertCAWifiAdd
aegis-certman-common-ca::CertUserSMIMEUse
aegis-certman-common-ca::CertUserSSLUse
aegis-certman-common-ca::CertUserWifiUse
aegisfs::AegisFSMountAdd
aegisfs::aegisfs-verify
applauncherd-launcher::access
backup-framework::backup
bme::BatteryControl
call-ui::call-ui
CAP::dac_override
CAP::mac_admin
CAP::mac_override
CAP::mknod
CAP::setgid
CAP::setpcap
CAP::setuid
CAP::sys_admin
CAP::sys_module
CAP::sys_rawio
clean-device::CUDOrRFS
csd-base::csd-plugin
devicelock::DeviceLockControl
devicelock::DeviceLockServiceOwn
devicelock::DeviceLock_SetPassword
devicelock::DeviceLockStorageAccess
devicelock::ProvisioningSettings_MinimalDeviceWipeTypeRequired
devicelock::ProvisioningSettings_PasswordForceChange
devicelock::ProvisioningSettings_RnD_additional_Debug
devicelock::SSO_Exchange
devicelock::State_Inhibit
devicelock::State_Locked
devicelock::State_Unlocked
devicelock::State_WipeMMC
dsme::DeviceStateControl
facebookqml::facebook-token
GRP::acm
GRP::adc
GRP::adm
GRP::audio
GRP::backup
GRP::bin
GRP::cal
GRP::cdrom
GRP::crypto
GRP::csd
GRP::daemon
GRP::developer
GRP::dip
GRP::disk
GRP::fax
GRP::floppy
GRP::games
GRP::gnats
GRP::haldaemon
GRP::i2c
GRP::input
GRP::irc
GRP::kmem
GRP::libaccounts-noa
GRP::libuuid
GRP::list
GRP::location
GRP::lp
GRP::lpm
GRP::mail
GRP::man
GRP::messagebus
GRP::news
GRP::nogroup
GRP::operator
GRP::osa
GRP::phonet
GRP::plugdev
GRP::powerdev
GRP::proxy
GRP::pulse
GRP::pulse-rt
GRP::sasl
GRP::shadow
GRP::signon
GRP::slpgwd
GRP::spool
GRP::src
GRP::ssh
GRP::staff
GRP::sudo
GRP::sys
GRP::tape
GRP::tty
GRP::upstart
GRP::utmp
GRP::uucp
GRP::visualreminder
GRP::voice
GRP::www-data
libaccounts-glib0::accounts-glib-access
libaccounts-glib0::t
libaccounts-glib0::tok
libaegis-session::aegis-session-data
libbb5-secbins::SEE_CCCWrite
libbb5-secbins::SEE_DBIWrite
libbb5-secbins::SEE_DeviceLockControl
libbb5-secbins::SEE_HWCWrite
libbb5-secbins::SEE_NPCWrite
libbb5-secbins::SEE_SecStorageMaintenance
libbb5-secbins::SEE_SimLock3Operation
libbb5-secbins::SEE_SimLock3Write
libbb5-secbins::SEE_SuperDongleOperation
libbb5-secbins::SEE_SuperDongleWrite
libbb5-secbins::SEE_TerminalResponce
libodnp::odnp
libslpgw::slpgw
location-ui::location-ui
mce::CallStateControl
mce::DeviceModeControl
mce::LEDControl
mce::SensorControl
mce::TKLockControl
messaging-ui::messaging-ui
mms-manager::MmsProtectedReadAccess
mms-manager::MmsProtectedWriteAccess
mms-manager::MmsWorkerAccess
npe-maemo0::LocationFW
odnp-fpcd::odnp-fpcd
omb0::omb-communication
phonet-at::acm-plugin
positioningd::LocationControl
signon-default-key-extension::key-storage
signond::keychain-access
signon-ui::signond-access
smartsearch::RelevanceAllContentTypes
system-ui-screenlock-nokia::ScreenLockEventPublish
tcb
telepathy-spirit::sso-encryption-token
telepathy-spirit::telepathy-spirit
timed::TimeBackup
timed::TimeControl
timed::TimedEventQueueWrite
usb-moded::USBControl
usb-moded::usb-moded-dbus-bind