[Dev] enforcing privileges of web apps (was: Re: New Tizen Bluetooth Framework (NTB) wiki page)

José Bollo jose.bollo at open.eurogiciel.org
Tue May 13 09:27:06 GMT 2014


On mar, 2014-05-13 at 11:16 +0200, Patrick Ohly wrote:
> On Tue, 2014-05-13 at 10:49 +0200, José Bollo wrote:
> > On mar, 2014-05-13 at 10:30 +0200, Patrick Ohly wrote:
> > > I understand and agree that the system needs to enforce privileges. But
> > > if all Web apps run in the same Crosswalk process, doesn't that force
> > > Crosswalk to become a trusted part of the system?
> > 
> > Hi,
> > 
> > The process model of Crosswalk is more complicated: IIRC, for one
> > application, 2 processes are launched. The launcher (aul, aul-ng) will
> > take care to set good ids and context to these processes.
> 
> So Crosswalk will not be "having a single Web process for all App"?

Yes. IIRC, it is following the Google Chrome model. Baptiste or Thiago
would confirm.

> The key question is: will a service contacted by Crosswalk via D-Bus be
> able to identify which app it is servicing?

AFAIK dbus will be only filtering based on Smack context. The server
should check the uid as needed. For Cynara aware dbus services, the Smack
label will match the application id and the uid of the dbus client will
be checked.

But there is another model where apps (then crosswalk) use an IPC
service to filter accesses to the restricted API.

> > > It can't delegate the enforcement to the rest of the system, because
> > > that rest will just see one process making various requests, without
> > > being able to tell on behalf of which app that request was made.
> > > 
> > > Cynara as discussed so far on this list does not cover this.
> > 
> > Right, but is it needed?
> 
> That depends on who is expected to do the enforcement (D-Bus services or
> some proxy) and whether we need to accommodate for a single process
> hosting multiple apps.

agreed.

> > (*) Are native apps to be supported? The answer seems to depend on the
> > people you are asking. For me the answer is yes because it is harder to
> > secure.
> 
> I agree, there doesn't seem to be a consensus here. Not only is it
> uncertain whether it is needed, it is also unclear which APIs need to be
> available to native apps.

yes, but sorry for the confusion, that note was left over from the draft
of the previous answer.
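As an added illustration of the check José describes above (a D-Bus service that matches the caller's Smack label to an application id and then checks the client's uid), here is example code that is not part of this thread and not Cynara's, Tizen's or Crosswalk's own code. It assumes a service accepting connections on an AF_UNIX socket on Linux, reads the peer's pid/uid with SO_PEERCRED and its Smack label with SO_PEERSEC, and consults a constructed in-memory policy table keyed by (label, uid, privilege) in place of a real Cynara database. The label names, uids and privilege strings are constructed for the example. A caller that carries no label cannot be attributed to any application, which is the situation Patrick raises for a single shared web process, so the check denies it rather than guessing.

```python
import socket
import struct
from typing import NamedTuple, Optional, Set, Tuple

# Linux socket option returning the peer's LSM (Smack) label. The Python socket
# module does not define it, so the value from <asm-generic/socket.h> is used
# here (assumption: Linux kernel).
SO_PEERSEC = 31


class PeerCredentials(NamedTuple):
    smack_label: Optional[str]   # label of the connecting process, None if unlabeled
    uid: Optional[int]
    pid: Optional[int]


class Decision(NamedTuple):
    allowed: bool
    reason: str


# Policy rows: (Smack label == application id, uid, privilege). Constructed for
# this example; a real service would ask Cynara instead of a local set.
Policy = Set[Tuple[str, int, str]]

SAMPLE_POLICY: Policy = {
    ("org.example.btdemo", 5000, "bluetooth"),
    ("org.example.btdemo", 5000, "bluetooth.admin"),
    ("org.example.calendar", 5000, "calendar.read"),
}


def peer_credentials(sock: socket.socket) -> PeerCredentials:
    """Read pid/uid (SO_PEERCRED) and Smack label (SO_PEERSEC) of the peer of a
    connected AF_UNIX socket. Fields the kernel cannot supply are left None."""
    pid = uid = None
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize("3i"))  # struct ucred: pid, uid, gid
        pid, uid, _gid = struct.unpack("3i", raw)
    except (AttributeError, OSError):
        pass  # not Linux, or not a Unix socket
    label = None
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
        label = raw.split(b"\0", 1)[0].decode() or None
    except OSError:
        pass  # no LSM label available on this kernel
    return PeerCredentials(label, uid, pid)


def authorize(creds: PeerCredentials, privilege: str, policy: Policy) -> Decision:
    """Grant `privilege` only when (label, uid, privilege) is a policy row.
    An unlabeled caller cannot be mapped to an application, so it is denied."""
    if creds.smack_label is None:
        return Decision(False, "caller has no Smack label; cannot identify the application")
    if creds.uid is None:
        return Decision(False, "caller uid unknown")
    if (creds.smack_label, creds.uid, privilege) in policy:
        return Decision(True, f"{creds.smack_label} (uid {creds.uid}) holds {privilege}")
    return Decision(False, f"{creds.smack_label} (uid {creds.uid}) lacks {privilege}")


def demo() -> Decision:
    """Local round trip over a socketpair: the 'service' end reads the caller's
    credentials, then decides. Outside a Smack-labelled system the label does
    not match any policy row and the request is denied, the safe default."""
    client, service = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(b"bluetooth\n")  # constructed request: privilege name
        wanted = service.recv(64).strip().decode()
        creds = peer_credentials(service)
        return authorize(creds, wanted, SAMPLE_POLICY)
    finally:
        client.close()
        service.close()


if __name__ == "__main__":
    print(demo())
```

The decision depends on the label and the uid together, as the thread describes: the same application id running under a different uid does not inherit the grant, and a label that is not a known application id gets nothing. If two applications were ever hosted under one label, this check could not tell them apart, which is the property a per-application label model is meant to preserve.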