[Dev] Crosswalk single process model and Privilege enforcement side effect.

Dominig ar Foll dominig.arfoll at fridu.net
Thu Dec 11 11:23:39 GMT 2014


Hello,

following the announcement by the Crosswalk team of the abandonment of
the shared process model in favour of the single process model (which
actually creates two processes), I want to raise a few remarks and open
questions linked to that change.

A) Loss of trusted status.
---------------------------------
In the shared process model, the Browser process and Renderer process
were running with system privileges and were protected by a specific
Smack label. No App could fake the Browser process and for that reason
the system was able to trust it, which allowed us to locate the
enforcement of some App privileges at that level (at least on paper,
as in the real world the implementation proved to be a serious
challenge, forcing the Crosswalk team to abandon that model).

In the new model the Browser Process will run with the same AppID as
the App itself.
It means that the system will not be able to differentiate both reliably
and so we will not be able to trust the Browser process any more for
capability enforcement.

With this change, the requirement to implement support for Native App
privilege enforcement becomes urgent.

B) Browser Process and App are both untrusted
---------------------------------------------------------------
We need to treat Crosswalk running an HTML5 App as a native App and
enforce the privileges externally, which will be done by a bundle of
tools which includes (Smack labels and Smack rules, Cynara, special
groups).

C) My questions
-----------------------
1) The security model for native Apps was agreed during the Aug14
Security workshop in Vannes. Where is the associated documentation
located, in particular the list of privileges applicable to native
Apps?

2) Do we have a 1:1 mapping between HTML5 and Native privileges? If not
(which I expect), where is that mapping?

3) What is the exact list of privilege enforcements which were
"subcontracted" to the browser process in the shared process model?

4) What is the timetable for the implementation of the Native App
privilege enforcement?

Regards,

-- 
Dominig ar Foll
Senior Software Architect
Intel Open Source Technology Centre
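To make the point of sections A and B concrete, here is a small Python model of the Smack access decision. This is an added example, not code from Crosswalk, Tizen or the author of the mail; the labels `System`, `User::App::example` and `System::Privileged` and the loaded rule set are constructed for illustration. It shows that once the Browser process carries the App's own label, every decision the kernel makes for the Browser is identical to the one it makes for the App (so the Browser can no longer be trusted to enforce anything), and that a privilege then has to be granted by an explicit external Smack rule, which is the direction section B proposes.

```python
"""Toy evaluator of the Smack access decision (simplified from the order
given in the kernel's Documentation/security/Smack.txt). Added example;
all labels and rules below are constructed, not taken from Tizen."""

# Smack access modes: read, write, execute, append, transmute, lock, bringup
MODES = set("rwxatlb")


def parse_rules(text):
    """Parse lines of the form '<subject> <object> <modes>' (the layout used
    by /etc/smack/accesses.d files). Returns {(subject, object): set(modes)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed Smack rule: {line!r}")
        subject, obj, modes = fields
        mode_set = set(modes) - {"-"}          # '-' means "no access"
        if not mode_set <= MODES:
            raise ValueError(f"unknown mode in rule: {line!r}")
        rules[(subject, obj)] = mode_set
    return rules


def smack_allowed(rules, subject, obj, access):
    """Decide whether a task labelled `subject` may perform `access` (a string
    of mode letters) on an object labelled `obj`:
    1. a task labelled '*' is denied everything;
    2. a task labelled '^' may read/execute anything;
    3. anything may read/execute an object labelled '_';
    4. anything may access an object labelled '*';
    5. a task may access an object carrying its own label;
    6. otherwise only an explicitly loaded rule grants the access."""
    wanted = set(access)
    if subject == "*":
        return False
    if subject == "^" and wanted <= {"r", "x"}:
        return True
    if obj == "_" and wanted <= {"r", "x"}:
        return True
    if obj == "*":
        return True
    if subject == obj:
        return True
    return wanted <= rules.get((subject, obj), set())


def decision_profile(rules, subject, objects, modes="rwxa"):
    """Every (object, mode) decision the kernel would make for `subject`.
    Two subjects with equal profiles cannot be told apart by Smack."""
    return {(o, m): smack_allowed(rules, subject, o, m)
            for o in objects for m in modes}


def kernel_can_distinguish(rules, browser_label, app_label, objects):
    """True if at least one access decision differs between the two labels."""
    return (decision_profile(rules, browser_label, objects)
            != decision_profile(rules, app_label, objects))


def grant_privilege(rules, subject, obj, modes):
    """External enforcement: return a new rule set with an explicit Smack rule
    added (what a platform tool would load for an App holding a privilege)."""
    updated = dict(rules)
    updated[(subject, obj)] = updated.get((subject, obj), set()) | set(modes)
    return updated


# Constructed labels standing in for the two Crosswalk process models.
SYSTEM_LABEL = "System"               # label the privileged Browser used to carry
APP_LABEL = "User::App::example"      # label of a hypothetical installed HTML5 App
PRIV_OBJECT = "System::Privileged"    # an object guarded by a native privilege
OBJECTS = [PRIV_OBJECT, APP_LABEL, SYSTEM_LABEL, "_"]

CONSTRUCTED_RULES = parse_rules("""
# Constructed platform rules for this example
System              System::Privileged  rwx
User::App::example  System              w
""")


def shared_model_distinguishable():
    """Shared process model: Browser keeps its own system label."""
    return kernel_can_distinguish(CONSTRUCTED_RULES, SYSTEM_LABEL, APP_LABEL, OBJECTS)


def single_model_distinguishable():
    """Single process model: Browser runs under the App's label."""
    return kernel_can_distinguish(CONSTRUCTED_RULES, APP_LABEL, APP_LABEL, OBJECTS)


if __name__ == "__main__":
    print("shared model, kernel can tell Browser from App:", shared_model_distinguishable())
    print("single model, kernel can tell Browser from App:", single_model_distinguishable())
    granted = grant_privilege(CONSTRUCTED_RULES, APP_LABEL, PRIV_OBJECT, "r")
    print("App reads privileged object after explicit rule:",
          smack_allowed(granted, APP_LABEL, PRIV_OBJECT, "r"))
```

Running it prints `True`, `False`, `True`: under the shared model the kernel's decisions for the two labels differ, under the single process model they are identical, and the only way to let the App (and therefore the Browser it shares a label with) reach the privileged object is an explicit rule loaded from outside the browser.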
