* Making default permissions on Android more restrictive
@ 2023-09-13 12:07 Stefan Kangas
2023-09-13 12:34 ` Po Lu
2023-09-14 7:21 ` Jean Louis
0 siblings, 2 replies; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 12:07 UTC (permalink / raw)
To: emacs-devel; +Cc: Po Lu, Eli Zaretskii
[I couldn't find any previous discussion about this.]
1.
a) I don't see why Emacs should be asking for these permissions on
Android 5.1 and earlier:
RECORD_AUDIO
CAMERA
ACCESS_COARSE_LOCATION
b) These permissions also make me rather uneasy:
REQUEST_INSTALL_PACKAGES
REQUEST_DELETE_PACKAGES
c) Finally, these seem rather dubious to me:
READ_SMS
RECEIVE_SMS
SEND_SMS
WRITE_SMS
RECEIVE_MMS
READ_CONTACTS
WRITE_CONTACTS
Are there any technical reasons why we need the above permissions? If
not, can we remove them, at least the ones in category (a) and (b)?
2.
The justification for asking for the above permissions in (info "(emacs)
Android Environment") is:
While most of these permissions are left unused by Emacs itself,
they are declared by Emacs as they could be useful for other
programs; for example, the permission to access contacts may be
useful for EUDC.
I think this criteria should be changed. Instead of saying "one can
imagine something like EUDC to be using this", we should decide which
permissions to ask for based on criteria like "package <foo> supports
feature <bar> on Android, and it is highly useful".
3.
I don't understand why we ask for the following permissions, AFAIU on
all versions of Android:
NFC
TRANSMIT_IR
Are there any technical reasons to ask for them? If not, could they be
removed as well?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-13 12:07 Making default permissions on Android more restrictive Stefan Kangas
@ 2023-09-13 12:34 ` Po Lu
2023-09-13 13:29 ` Stefan Kangas
2023-09-13 13:31 ` Stefan Kangas
2023-09-14 7:21 ` Jean Louis
1 sibling, 2 replies; 10+ messages in thread
From: Po Lu @ 2023-09-13 12:34 UTC (permalink / raw)
To: Stefan Kangas; +Cc: emacs-devel, Eli Zaretskii
Stefan Kangas <stefankangas@gmail.com> writes:
> 2.
>
> The justification for asking for the above permissions in (info "(emacs)
> Android Environment") is:
>
> While most of these permissions are left unused by Emacs itself,
> they are declared by Emacs as they could be useful for other
> programs; for example, the permission to access contacts may be
> useful for EUDC.
>
> I think this criteria should be changed. Instead of saying "one can
> imagine something like EUDC to be using this", we should decide which
> permissions to ask for based on criteria like "package <foo> supports
> feature <bar> on Android, and it is highly useful".
I think that is too high a bar, given that Emacs must be recompiled
before it is capable of requesting permissions outside the set of
permissions enumerated within its manifest. Which is to say, unless we
declare these permissions from the outset, such packages will _never_
have a fighting chance of supporting Android.
Most of our users will run Android 6.0 or later, where most of the
permissions Emacs requests by default are in fact disabled until
explicit action is taken to enable them. Removing these permission
declarations is tantamount to impeding the development of user Lisp code
just to assauge minor security concerns on decade-old installations of
Android. These versions collectively amount to less than 2.17% of all
Android installations.
> 3.
>
> I don't understand why we ask for the following permissions, AFAIU on
> all versions of Android:
>
> NFC
> TRANSMIT_IR
>
> Are there any technical reasons to ask for them? If not, could they be
> removed as well?
NFC and IR transmission are tasks that someone might conceivably use
Emacs to perform (for example, the other day I observed a package
purporting to save ``smart cards'' into Emacs.) They're innocuous to
such an extent that Android grants them to all requesting programs by
default.
Thanks.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-13 12:34 ` Po Lu
@ 2023-09-13 13:29 ` Stefan Kangas
2023-09-13 13:35 ` Po Lu
2023-09-13 13:31 ` Stefan Kangas
1 sibling, 1 reply; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 13:29 UTC (permalink / raw)
To: Po Lu; +Cc: emacs-devel, Eli Zaretskii
[-- Attachment #1: Type: text/plain, Size: 1220 bytes --]
Po Lu <luangruo@yahoo.com> writes:
> I think that is too high a bar, given that Emacs must be recompiled
> before it is capable of requesting permissions outside the set of
> permissions enumerated within its manifest. Which is to say, unless we
> declare these permissions from the outset, such packages will _never_
> have a fighting chance of supporting Android.
>
> Most of our users will run Android 6.0 or later, where most of the
> permissions Emacs requests by default are in fact disabled until
> explicit action is taken to enable them. Removing these permission
> declarations is tantamount to impeding the development of user Lisp code
> just to assauge minor security concerns on decade-old installations of
> Android. These versions collectively amount to less than 2.17% of all
> Android installations.
Does this mean that if we want users to be able to enable these
capabilities on Android 6.0 or later, they must also be enabled
unconditionally on Android 5.1? I guess we can live with that.
That said, I still see no need for these capabilities, so I suggest we
simply remove them:
RECORD_AUDIO
CAMERA
ACCESS_COARSE_LOCATION
REQUEST_INSTALL_PACKAGES
REQUEST_DELETE_PACKAGES
[-- Attachment #2: 0001-Make-default-permissions-on-Android-more-restrictive.patch --]
[-- Type: text/x-patch, Size: 3156 bytes --]
From ed15bbdd7f1313ff80f988191d84e6c633fa9a02 Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Wed, 13 Sep 2023 15:17:53 +0200
Subject: [PATCH] Make default permissions on Android more restrictive
* java/AndroidManifest.xml.in: Remove some default permissions.
* doc/emacs/android.texi (Android Environment): Document the above.
Ref: https://lists.gnu.org/r/emacs-devel/2023-09/msg00827.html
---
doc/emacs/android.texi | 10 ----------
java/AndroidManifest.xml.in | 8 +-------
2 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/doc/emacs/android.texi b/doc/emacs/android.texi
index 78e63731ad1..82568e24a9a 100644
--- a/doc/emacs/android.texi
+++ b/doc/emacs/android.texi
@@ -454,8 +454,6 @@ Android Environment
@item
@code{android.permission.VIBRATE}
@item
-@code{android.permission.ACCESS_COARSE_LOCATION}
-@item
@code{android.permission.ACCESS_NETWORK_STATE}
@item
@code{android.permission.INTERNET}
@@ -486,16 +484,8 @@ Android Environment
@item
@code{android.permission.FOREGROUND_SEVICE}
@item
-@code{android.permission.REQUEST_INSTALL_PACKAGES}
-@item
-@code{android.permission.REQUEST_DELETE_PACKAGES}
-@item
@code{android.permission.SYSTEM_ALERT_WINDOW}
@item
-@code{android.permission.RECORD_AUDIO}
-@item
-@code{android.permission.CAMERA}
-@item
@code{android.permission.POST_NOTIFICATIONS}
@end itemize
diff --git a/java/AndroidManifest.xml.in b/java/AndroidManifest.xml.in
index 21bb2af2530..9d8d73f4dc5 100644
--- a/java/AndroidManifest.xml.in
+++ b/java/AndroidManifest.xml.in
@@ -30,13 +30,11 @@ along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>. -->
android:versionCode="@emacs_major_version@"
android:versionName="@version@">
- <!-- Paste in every permission in existence so Emacs can do
- anything. -->
+ <!-- Add permissions needed for Emacs to do typical tasks. -->
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.WRITE_CONTACTS" />
<uses-permission android:name="android.permission.VIBRATE" />
- <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.SET_WALLPAPER" />
@@ -56,11 +54,7 @@ along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>. -->
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
- <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
- <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
- <uses-permission android:name="android.permission.RECORD_AUDIO" />
- <uses-permission android:name="android.permission.CAMERA" />
<!-- This is required on Android 11 or later to access /sdcard. -->
--
2.42.0
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-13 12:34 ` Po Lu
2023-09-13 13:29 ` Stefan Kangas
@ 2023-09-13 13:31 ` Stefan Kangas
2023-09-13 13:36 ` Po Lu
1 sibling, 1 reply; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 13:31 UTC (permalink / raw)
To: Po Lu; +Cc: emacs-devel, Eli Zaretskii
Po Lu <luangruo@yahoo.com> writes:
> I think that is too high a bar, given that Emacs must be recompiled
> before it is capable of requesting permissions outside the set of
> permissions enumerated within its manifest. Which is to say, unless we
> declare these permissions from the outset, such packages will _never_
> have a fighting chance of supporting Android.
>
> Most of our users will run Android 6.0 or later, where most of the
> permissions Emacs requests by default are in fact disabled until
> explicit action is taken to enable them. Removing these permission
> declarations is tantamount to impeding the development of user Lisp code
> just to assauge minor security concerns on decade-old installations of
> Android. These versions collectively amount to less than 2.17% of all
> Android installations.
BTW, I think the documentation should be rewritten to focus on recent
Android first, and only then mention what happens for legacy versions.
Assuming I'm understand this right, perhaps something like:
• On reasonably recent versions of Android (6.0 and later), Emacs
only receives the following permissions upon installation:
− ‘android.permission.VIBRATE’
− ‘android.permission.ACCESS_NETWORK_STATE’
− ‘android.permission.INTERNET’
− ‘android.permission.SET_WALLPAPER’
− ‘android.permission.NFC’
− ‘android.permission.TRANSMIT_IR’
− ‘android.permission.WAKE_LOCK’
Other permissions must be granted by the user through the system
settings application. This is the list of capabilities:
[long list of capabilities elided]
• On Android 5.1 and earlier, Emacs automatically gets the
above list of permissions when it is installed.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-13 13:29 ` Stefan Kangas
@ 2023-09-13 13:35 ` Po Lu
0 siblings, 0 replies; 10+ messages in thread
From: Po Lu @ 2023-09-13 13:35 UTC (permalink / raw)
To: Stefan Kangas; +Cc: emacs-devel, Eli Zaretskii
Stefan Kangas <stefankangas@gmail.com> writes:
> Does this mean that if we want users to be able to enable these
> capabilities on Android 6.0 or later, they must also be enabled
> unconditionally on Android 5.1? I guess we can live with that.
Yes.
> That said, I still see no need for these capabilities, so I suggest we
> simply remove them:
>
> RECORD_AUDIO
> CAMERA
> ACCESS_COARSE_LOCATION
ACCESS_COARSE_LOCATION, RECORD_AUDIO and CAMERA are in fact useful. I
am aware of one package which refers to location, microphone and camera
data, the Telegram client:
https://github.com/zevlg/telega.el/
> REQUEST_INSTALL_PACKAGES
> REQUEST_DELETE_PACKAGES
These are harmless from a security perspective, as they only entitle
Emacs to display an installation dialog from the package manager itself.
They're also useful for debugging and perhaps updating Emacs from within
itself, if we eventually get to that.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-13 13:31 ` Stefan Kangas
@ 2023-09-13 13:36 ` Po Lu
2023-09-13 13:52 ` Stefan Kangas
0 siblings, 1 reply; 10+ messages in thread
From: Po Lu @ 2023-09-13 13:36 UTC (permalink / raw)
To: Stefan Kangas; +Cc: emacs-devel, Eli Zaretskii
Stefan Kangas <stefankangas@gmail.com> writes:
> BTW, I think the documentation should be rewritten to focus on recent
> Android first, and only then mention what happens for legacy versions.
>
> Assuming I'm understand this right, perhaps something like:
>
> • On reasonably recent versions of Android (6.0 and later), Emacs
> only receives the following permissions upon installation:
>
> − ‘android.permission.VIBRATE’
> − ‘android.permission.ACCESS_NETWORK_STATE’
> − ‘android.permission.INTERNET’
> − ‘android.permission.SET_WALLPAPER’
> − ‘android.permission.NFC’
> − ‘android.permission.TRANSMIT_IR’
> − ‘android.permission.WAKE_LOCK’
>
> Other permissions must be granted by the user through the system
> settings application. This is the list of capabilities:
>
> [long list of capabilities elided]
>
> • On Android 5.1 and earlier, Emacs automatically gets the
> above list of permissions when it is installed.
Fine by me, I'll make this change.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-13 13:36 ` Po Lu
@ 2023-09-13 13:52 ` Stefan Kangas
0 siblings, 0 replies; 10+ messages in thread
From: Stefan Kangas @ 2023-09-13 13:52 UTC (permalink / raw)
To: Po Lu; +Cc: emacs-devel, Eli Zaretskii
Po Lu <luangruo@yahoo.com> writes:
> Fine by me, I'll make this change.
Thanks, LGTM.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-13 12:07 Making default permissions on Android more restrictive Stefan Kangas
2023-09-13 12:34 ` Po Lu
@ 2023-09-14 7:21 ` Jean Louis
1 sibling, 0 replies; 10+ messages in thread
From: Jean Louis @ 2023-09-14 7:21 UTC (permalink / raw)
To: Stefan Kangas; +Cc: emacs-devel
* Stefan Kangas <stefankangas@gmail.com> [2023-09-13 15:10]:
> [I couldn't find any previous discussion about this.]
>
> 1.
>
> a) I don't see why Emacs should be asking for these permissions on
> Android 5.1 and earlier:
>
> RECORD_AUDIO
> CAMERA
> ACCESS_COARSE_LOCATION
> REQUEST_INSTALL_PACKAGES
> REQUEST_DELETE_PACKAGES
> READ_SMS
> RECEIVE_SMS
> SEND_SMS
> WRITE_SMS
> RECEIVE_MMS
> READ_CONTACTS
> WRITE_CONTACTS
I hope to see Emacs being able to do use all of the permissions on Android.
> Are there any technical reasons why we need the above permissions? If
> not, can we remove them, at least the ones in category (a) and (b)?
Emacs has Emacs Lisp, I use it for running programs and Emacs on
Android will hopefully get functions to use above permissions.
1. RECORD_AUDIO: Emacs could use this permission to enable voice commands or voice-controlled editing features within the editor.
2. CAMERA: Emacs could utilize the camera permission for functionalities such as capturing and inserting images directly into documents, visual recognition features, or scanning QR codes.
3. ACCESS_COARSE_LOCATION: Emacs could leverage this permission to provide location-based information or contextual features, such as displaying weather information or adjusting settings based on the user's location.
4. REQUEST_INSTALL_PACKAGES: Emacs may need this permission to facilitate the installation of additional packages or plugins from external sources to enhance its functionality.
5. REQUEST_DELETE_PACKAGES: This permission could be used by Emacs to uninstall packages or plugins when requested by the user.
6. READ_SMS, RECEIVE_SMS, SEND_SMS, WRITE_SMS, RECEIVE_MMS: Emacs could utilize these permissions to integrate SMS or MMS-based features, such as sending code snippets via SMS, receiving notifications or alerts through SMS, or extracting relevant information from received messages.
7. READ_CONTACTS, WRITE_CONTACTS: Emacs could use these permissions to access and modify the user's contact information, enabling features like autocomplete or inserting contact details into documents.
> NFC
> TRANSMIT_IR
1. NFC: Emacs could use the NFC permission to interact with Near Field Communication (NFC) tags or devices. For example, Emacs could read data from NFC tags containing programming instructions or use NFC for authentication purposes.
2. TRANSMIT_IR: Emacs could utilize the TRANSMIT_IR permission to control infrared (IR) devices. This could include using Emacs as a remote control for TVs, air conditioners, or other IR-enabled devices directly from within the editor.
--
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
@ 2023-09-15 17:40 Ant
2023-09-16 0:53 ` Po Lu
0 siblings, 1 reply; 10+ messages in thread
From: Ant @ 2023-09-15 17:40 UTC (permalink / raw)
To: luangruo; +Cc: emacs-devel
> I think that is too high a bar, given that Emacs must be recompiled
> before it is capable of requesting permissions outside the set of
> permissions enumerated within its manifest. Which is to say, unless we
> declare these permissions from the outset, such packages will _never_
> have a fighting chance of supporting Android.
Is any of these permissions already usable without modifying the Emacs
C/Java core?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Making default permissions on Android more restrictive
2023-09-15 17:40 Ant
@ 2023-09-16 0:53 ` Po Lu
0 siblings, 0 replies; 10+ messages in thread
From: Po Lu @ 2023-09-16 0:53 UTC (permalink / raw)
To: Ant; +Cc: emacs-devel
Ant <n58r@pm.me> writes:
> Is any of these permissions already usable without modifying the Emacs
> C/Java core?
Any process running under Emacs's user is granted these permissions, so
yes.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-09-16 0:53 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-13 12:07 Making default permissions on Android more restrictive Stefan Kangas
2023-09-13 12:34 ` Po Lu
2023-09-13 13:29 ` Stefan Kangas
2023-09-13 13:35 ` Po Lu
2023-09-13 13:31 ` Stefan Kangas
2023-09-13 13:36 ` Po Lu
2023-09-13 13:52 ` Stefan Kangas
2023-09-14 7:21 ` Jean Louis
-- strict thread matches above, loose matches on Subject: below --
2023-09-15 17:40 Ant
2023-09-16 0:53 ` Po Lu
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.