[Dev] enforcing priviliges of web apps
jose.bollo at open.eurogiciel.org
Wed May 14 14:34:27 GMT 2014
On mer, 2014-05-14 at 17:16 +0300, Kis, Zoltan wrote:
> On Wed, May 14, 2014 at 5:00 PM, José Bollo
> <jose.bollo at open.eurogiciel.org> wrote:
> > On mer, 2014-05-14 at 16:56 +0300, Kis, Zoltan wrote:
> >> On Wed, May 14, 2014 at 3:50 PM, Lukasz Wojciechowski
> >> > If we follow such design all calls to services will be made by browser
> >> > process and not by application process. It means that services won't be able
> >> > to provide application granularity access control because all calls will be
> >> > made with SMACK label of browser.
> >> > It is a problem.
> >> Except if the browser / extension process become security enforcement
> >> points, doing the runtime checks. Since they are different processes
> >> than the the one running the app, they could load a library
> >> implementing the runtime security checks and enforce permission. Of
> >> course then the platform becomes as secure as the browser... but
> > The problem is with accesses to the file system and other "filesystem
> > named" objects: the Smack context will not be the one of the App. That
> > is what explained Rafal.
> In this model, the extension process could check the app identity,
> manifest, security policy,
Yes it could
> and won't allow access to file system or
> similar secured objects unless the app has permission for it.
1) how to know if an access to the file system is authorized? You should
read the Smack labels of the accessed entity and check the Smack
database using the application id. It's heavy but could work. Except
with that corner case if a part of the filesystem can't be accessed by
your process but could be by the application (ex: the app has context A
and the browser that is checking has the context B, if the accessed item
is under context I granted for A but not for B it doesn't work)
2) when the browser creates an object in the filesystem, it gives him
its context. In that case, how to distinguish the objects created by an
application? And how to avoid an other application to access the object
of an other one? It is possible to achieve it using transmutation of
labels. Is it always possible? I don't know.
Then it could work... At what cost?
> Similarly to the proposed security proxy.
> Then, by another model, the extension process (one per app/instance),
> could inherit the app identity; then indeed security needs to be
> enforced at lower layers, but then the smack context will be of the
> Did I misunderstand something? :)
> Best regards,
More information about the Dev