[Dev] enforcing priviliges of web apps
patrick.ohly at intel.com
Wed May 14 14:06:15 GMT 2014
On Wed, 2014-05-14 at 16:51 +0300, Jussi Laako wrote:
> On 13.5.2014 11:30, Patrick Ohly wrote:
> > Crosswalk cannot just call a method "do_something(x,y,z)" where x/y/z
> > are parameters of this method on the system side. Instead Crosswalk must
> > also pass some kind of app ID.
> To address this in SSO, we added concept of two layer security context
> to the ACL implementation.
> For SSO, each security context item is a pair of two items. "System
> context" which in case of Smack-enabled system is caller's Smack-label
> and in case of traditional Linux system is caller's executable binary
> path. And "application context" which is provided by the caller as
> auxiliary information and usually identifies for example the script
> being executed.
> System context part of the ACL is always enforced first, and if the
> system context check passes, then application context is enforced.
> This way, even if caller would lie about the application context, it
> cannot expand it's privileges outside of it's system context scope which
> is independently implemented from the caller.
With Cynara, that would imply first checking with the application
context retrieved securely (as defined in the Cynara Wiki), and then
checking once more with the application context provided by the caller.
The problem remains that the current D-Bus mechanism does not allow
passing this extra information.
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
More information about the Dev