The permissions.perm does not specify what the bundle may do. It specifies what the bundle wants to do: See http://www.javacodegeeks.com/2012/11/permissions-in-osgi.html
So this file seems to be there to be able to fail fast if permissions are missing. You can even leave it out if this is not necessary for you.
The real security settings have to be done on the framework. See this for felix: https://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html