[Dev] enforcing priviliges of web apps

José Bollo jose.bollo at open.eurogiciel.org
Wed May 14 14:00:30 GMT 2014


On mer, 2014-05-14 at 16:56 +0300, Kis, Zoltan wrote:
> On Wed, May 14, 2014 at 3:50 PM, Lukasz Wojciechowski

(snip)

> > If we follow such design all calls to services will be made by browser
> > process and not by application process. It means that services won't be able
> > to provide application granularity access control because all calls will be
> > made with SMACK label of browser.
> > It is a problem.
> 
> Except if the browser / extension process become security enforcement
> points, doing the runtime checks.  Since they are different processes
> than the the one running the app, they could load a library
> implementing the runtime security checks and enforce permission. Of
> course then the platform becomes as secure as the browser... but

The problem is with accesses to the file system and other "filesystem
named" objects: the Smack context will not be the one of the App. That
is what explained Rafal.

> Chromium security is rather high.

Maybe... Until the next hole...

Best regards
José

> 
> Best regards,
> Zoltan




More information about the Dev mailing list