[Dev] enforcing privileges of web apps

Jussi Laako jussi.laako at linux.intel.com
Wed May 14 14:41:43 GMT 2014


On 14.5.2014 17:06, Patrick Ohly wrote:
> With Cynara, that would imply first checking with the application
> context retrieved securely (as defined in the Cynara Wiki), and then
> checking once more with the application context provided by the caller.

I think Cynara should also separate system context and application
context like we did. Thus first check, for example, if the caller process
"crosswalk" (runtime) is allowed to access the interface and then check
if the application context (running inside the runtime) provided by the
runtime is allowed to access.

This way, if necessary, you can revoke the entire crosswalk's access to
the interface regardless of the application it is running.

> The problem remains that the current D-Bus mechanism does not allow
> passing this extra information.

We just included appctx as part of our dbus API.
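
The two-stage check discussed in this message, sketched as an added example that is not part of the original e-mail or of Cynara's code. The Policy class, the interface name "org.example.Contacts" and the application names are hypothetical, and all policy entries are constructed.

```python
# Added illustration; all names and policy entries below are constructed.
from dataclasses import dataclass, field


@dataclass
class Policy:
    # (system context of the calling process, interface) pairs that are allowed
    system_allow: set = field(default_factory=set)
    # (application context, interface) pairs that are allowed
    app_allow: set = field(default_factory=set)

    def check(self, caller_ctx, interface, appctx=None):
        """Return (allowed, reason) for one method call.

        caller_ctx: context of the calling process, retrieved securely by
                    the service itself, never taken from the message body.
        appctx:     application context passed as a call argument by the
                    runtime. Assumption of this sketch: None means the
                    caller acts for itself and only stage 1 applies.
        """
        # Stage 1: is the calling process (e.g. the runtime) allowed at all?
        if (caller_ctx, interface) not in self.system_allow:
            return False, "system context denied"
        # Stage 2: is the application the runtime reports hosting allowed?
        if appctx is not None and (appctx, interface) not in self.app_allow:
            return False, "application context denied"
        return True, "allowed"

    def revoke_system(self, caller_ctx, interface):
        """Cut off a whole runtime, whatever application it is running."""
        self.system_allow.discard((caller_ctx, interface))


def demo():
    iface = "org.example.Contacts"
    policy = Policy(system_allow={("crosswalk", iface)},
                    app_allow={("app.addressbook", iface)})
    calls = [
        ("crosswalk", "app.addressbook"),      # runtime ok, app ok
        ("crosswalk", "app.flashlight"),       # runtime ok, app not allowed
        ("other-runtime", "app.addressbook"),  # caller not allowed at all
    ]
    before = [policy.check(c, iface, a) for c, a in calls]
    policy.revoke_system("crosswalk", iface)   # revoke the runtime itself
    after = [policy.check(c, iface, a) for c, a in calls]
    return before, after


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because stage 2 is reached only after stage 1 passes, the caller-supplied appctx is never the sole basis for a decision, and the app-level entries stay in place untouched when the runtime is revoked.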


