


Privileges and ACLs

Brew MP's security model is based on least-privilege execution: processes and applications can access only the services to which they have explicitly been granted access.

Principle of least-privileged execution

To protect the system against faulty or malicious software, each developer, code signer, and operator should make sure that applications conform to the principle of least privilege (also called least authority): each digitally signed binary module is granted only the minimum privileges required for its purpose.


Privileges are used to control application access to Brew MP interfaces and services.

Privileges are dynamic, not hard-coded into the system. New privileges can be defined and associated with any new interface, which lets manufacturers or third-party developers protect system-critical functionality without modifying the core Brew MP implementation.

For example, in the figure below, both Applet 1 and Applet 2 attempt to instantiate and access Service X. Because only Applet 1 has been granted the privilege that protects Service X, Applet 1's request is granted and Applet 2's is denied.


Brew MP provides Access Control Lists (ACLs), which allow modules to share access to their private directories. Applications can specify ACLs to allow a specific file or directory to be accessible to other applications.
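The privilege check for Service X and the directory-sharing ACL described above, modelled as a small reference monitor. This is an added example written for this page, not Brew MP's own code or API: the interface name IServiceX, the privilege names PRIV_SERVICE_X and PRIV_VENDOR_RADIO, the module names applet1 and applet2, and the path fs:/~/shared are all constructed. The model fails closed in both directions: an interface with no registered privilege cannot be instantiated, and a path with no matching ACL entry is denied, including paths that try to climb out of the shared directory with "..".

```python
"""Toy reference monitor modelling Brew MP-style privileges and ACLs.
Constructed illustration, not Brew MP's own API: every interface,
privilege, module and path name below is made up for the example."""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Module:
    """A signed binary module: the privileges granted to it at signing time
    and the ACL entries it publishes for paths under its private directory."""
    name: str
    privileges: Set[str] = field(default_factory=set)
    # (directory or file, grantee module name or "*", allowed single-letter modes e.g. "r" or "rw")
    acls: List[Tuple[str, str, str]] = field(default_factory=list)


def _within(path: str, root: str) -> bool:
    """True if path is root itself or lies below root once '..' is normalised."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


class Monitor:
    """Central check: each interface is protected by one privilege, and a
    caller may instantiate the interface only if it holds that privilege."""

    def __init__(self) -> None:
        self.required: Dict[str, str] = {}   # interface name -> privilege name
        self.modules: Dict[str, Module] = {}

    def register_interface(self, interface: str, privilege: str) -> None:
        # Privileges are dynamic: a new interface gets its own privilege
        # without any change to the monitor itself.
        self.required[interface] = privilege

    def add_module(self, module: Module) -> None:
        self.modules[module.name] = module

    def can_instantiate(self, caller: str, interface: str) -> bool:
        privilege = self.required.get(interface)
        if privilege is None:
            return False   # unknown interface: fail closed, never open
        return privilege in self.modules[caller].privileges

    def can_access_file(self, caller: str, owner: str, path: str, mode: str) -> bool:
        if caller == owner:
            return True    # a module always reaches its own private directory
        for acl_path, grantee, modes in self.modules[owner].acls:
            if grantee in (caller, "*") and _within(path, acl_path) and mode in modes:
                return True
        return False       # no ACL entry matched: default deny


def build_demo_monitor() -> Monitor:
    """Constructed scenario: applet1 holds the privilege for Service X,
    applet2 does not, and applet1 shares one subdirectory read-only."""
    mon = Monitor()
    mon.register_interface("IServiceX", "PRIV_SERVICE_X")
    mon.add_module(Module("applet1", privileges={"PRIV_SERVICE_X"},
                          acls=[("fs:/~/shared", "applet2", "r")]))
    mon.add_module(Module("applet2"))
    return mon


if __name__ == "__main__":
    mon = build_demo_monitor()
    print("applet1 -> IServiceX:", mon.can_instantiate("applet1", "IServiceX"))
    print("applet2 -> IServiceX:", mon.can_instantiate("applet2", "IServiceX"))
    print("applet2 reads shared file:",
          mon.can_access_file("applet2", "applet1", "fs:/~/shared/data.txt", "r"))
    print("applet2 climbs out with '..':",
          mon.can_access_file("applet2", "applet1", "fs:/~/shared/../keys.bin", "r"))
```

Registering a further interface at run time (for instance a vendor-specific one with its own privilege) needs no change to the monitor, and a module that was not signed with that privilege is denied it automatically; that is the point of making privileges dynamic rather than hard-coded.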

This section provides information on privileges and ACLs, how they are specified in CIF files, and how they are used in applications.