[Dev] enforcing privileges of web apps (was: Re: New Tizen Bluetooth Framework (NTB) wiki page)

José Bollo jose.bollo at open.eurogiciel.org
Wed May 14 09:15:52 GMT 2014


On Wed, 2014-05-14 at 10:33 +0300, Kis, Zoltan wrote:
> On Wed, May 14, 2014 at 9:53 AM, Patrick Ohly <patrick.ohly at intel.com> wrote:

(snip)

> >  4. Cynara called by dbus-daemon, based on service configuration.
> >
> > The advantage of option 4 over 3 is that we don't need to touch the many
> > entry points into upstream services. However, it depends on Cynara
> > behaving well inside the dbus-daemon event loop - blocking synchronous
> > calls definitely will be a showstopper there. It also won't work well
> > with kdbus.
> 
> In my view (may be wrong and I expect security people to correct me)
> we may be able to solve that.

IIRC, this solution hasn't been debated yet.

IMHO, this solution is costly: time to do it, time to maintain it, time
to get it accepted upstream, a dependency of DBus on Cynara, and the
configuration process isn't obvious.

It also has the drawback of being DBus-specific, leaving part of the world
outside of the scope.

> What we need is to have the runtime checks in one or more security
> enforcement points.
> One of those is the dbus-daemon, but there may be others, e.g.
> crosswalk extensions (in one of the models), a security proxy daemon
> for platform libraries, etc.
> 
> Now I see there may be a problem if those runtime checks are run in
> the same process memory as the app, since a malicious app could use
> tricks to access/modify that code. Therefore the generic solution
> cannot really be a library doing the runtime security checks from the
> same virtual memory space in which the app is running, and therefore
> has to be separated by a process boundary enforced by the kernel.

Fully agreed.

Best regards
José