Authman and Launcher

Authman and Launcher are processes responsible for determining whether an app has permission to use a set of requested capabilities and for launching the app if it has sufficient permissions.

When you package an app for installation, you include a list of capabilities that the app might use at runtime. For example, an app may need to have access to the Internet or to play audio. The bar-descriptor.xml file for such an app would include the following:

<action>access_internet</action>
<action>play_audio</action>

When the app is installed, a manifest file is created (MANIFEST.MF) that includes the list of requested capabilities. Continuing the above example, the manifest file would include the following:

Entry-Point-User-Actions: access_internet,play_audio

To launch an app, Navigator makes a request to Launcher. Launcher reads the app's manifest file and asks Authman to confirm that the app has permission to use the requested capabilities. Authman checks these against the /etc/authman/sys.res file, which lists the available system capabilities and the apps that are entitled to use them. The file takes this form:

<capability> 
  <"allow"|"prompt"|"deny"> <application-name|application-name*|*> 
  ...

For example: 

record_audio
    prompt *
    allow sys.browser*
    allow sys.voicerecorder.testdm9pY2VyZWNvcmRlciAgICA
    allow com.Scout*

There are three permission levels:

The wildcard character * means that the permission applies to all apps. In the example above, the default action for any app that wishes to record audio is to prompt the user for permission. The browser, voice recorder, and Scout apps, however, do not need to prompt for permission. The * in the case of sys.browser* means that the permission applies to any system-level browser app.

Authman returns true or false for each capability request. If there are one or more instances of false, then the request to launch the app fails. Otherwise, Launcher can launch the app. Prior to doing so, Launcher must assign the app to an appropriate group so that it has the runtime permissions it needs. Launcher uses the file /etc/authman/sys.acl to determine the required permissions. The file takes this form:

<capability>
  <"ACL"> <"r"|"rw"|"rwx"> <path>

For example:

use_camera
    ACL rw /pps/services/multimedia/camera/control
    ACL r /pps/services/multimedia/camera/status
    ACL rw /pps/services/camera/control

ACL stands for Access Control List. The permissions associated with a capability are one of r (read-only), rw (read and write), or rwx (read, write, and execute). The path refers to the directory containing relevant Persistent Publish/Subscribe (PPS) objects.

To summarize, three configuration files participate when the system attempts to launch an app:

If the MANIFEST.MF and sys.res files for a given app are consistent (that is, the app has permission to use the capabilities it needs), then Launcher uses sys.acl to ensure that the app has the runtime permissions it needs by assigning it to an appropriate group.

Note: In the current implementation of the QNX CAR application platform, the /etc/authman/sys.res file must be hand-coded with the permissions you desire.
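Because sys.res is hand-coded, it helps to check offline which level each capability in a manifest resolves to for a given app. The following is an added example, not QNX code: it parses the sys.res format shown above and evaluates a manifest's Entry-Point-User-Actions line against it. The precedence rule (longest matching pattern wins), the deny result for a capability with no matching rule, the single-line manifest attribute, and the function names are assumptions of this sketch, not documented Authman behaviour.

```python
# record_audio block is the page's sample; the other rules are constructed.
SYS_RES = """\
record_audio
    prompt *
    allow sys.browser*
    allow sys.voicerecorder.testdm9pY2VyZWNvcmRlciAgICA
    allow com.Scout*
play_audio
    allow *
access_internet
    deny *
    allow sys.browser*
"""
MANIFEST = "Entry-Point-User-Actions: access_internet,play_audio\n"
LEVELS = {"allow", "prompt", "deny"}

def parse_sys_res(text):
    """Return {capability: [(level, pattern), ...]}; raise on malformed rules."""
    rules, current = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if parts and not raw[0].isspace():   # unindented line names a capability
            current = rules.setdefault(raw.strip(), [])
        elif parts:                          # indented line is "<level> <pattern>"
            if current is None or len(parts) != 2 or parts[0] not in LEVELS:
                raise ValueError(f"sys.res line {n}: bad rule {raw!r}")
            current.append((parts[0], parts[1]))
    return rules

def decide(rules, capability, app):
    """Assumed precedence: longest matching pattern wins; no match means deny."""
    best_score, best_level = -1, "deny"
    for level, pat in rules.get(capability, []):
        if pat.endswith("*"):
            hit, score = app.startswith(pat[:-1]), len(pat) - 1
        else:
            hit, score = app == pat, len(pat) + 1   # exact name beats any prefix
        if hit and score > best_score:
            best_score, best_level = score, level
    return best_level

def audit(manifest_text, sys_res_text, app):
    """Map each capability requested in the manifest to its sys.res level."""
    rules = parse_sys_res(sys_res_text)
    for line in manifest_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Entry-Point-User-Actions":
            caps = [c.strip() for c in value.split(",") if c.strip()]
            return {c: decide(rules, c, app) for c in caps}
    return {}
```

Any capability that resolves to deny for an app you expect to launch, or to allow for one you do not, points at a rule in sys.res that needs review.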