[Dev] enforcing priviliges of web apps

Patrick Ohly patrick.ohly at intel.com
Thu May 22 09:34:56 GMT 2014

On Thu, 2014-05-22 at 07:53 +0000, Poussa, Sakari wrote:
> Let me try to clarify how the Crosswalk is planned to integrate into the
> Tizen cynara system in order to do the API permission checks.
> First we need context for the terms:
> Shared Process Model: We have one shared Browser Process (BP) per user.
> Each individual web application contains render process (RP) and extension
> process (EP). This is the high level summary and is adequate for this
> discussion.
> RP - Sandboxed. Runs blink and JS engine. Contains the W3C APIs. When the
> WebApp issues a W3C API (JS) call which requires access to platform API
> (e.g. Geolocation) it does IPC to the BP.
> BP - Not sandboxed. Knows all the details of RPs that are currently
> running including the application id, smack label, user is, etc. When the
> RP talks to BP via IPC the BP can use the details of the RP to issue
> cynara checks.
> EP - No sandboxed. Contains the Tizen Device Web APIs and some
> experimental W3C draft APIs.

Just to clarify: the EP will run with the Smack label of the app that it
was created for?

> So we have two cases. 1) Tizen Device APIs et al which are in the EP and
> 2) W3C APIs which are in RP+BP, BP being the relevant part here.
> The plan is to add the API permission checks in the following way:
> Case 1: Tizen Device APIs et al
> Since the EP is not sandboxed, it can talk use the libcynara directly or
> talk to Service API layer, which then talks to cynara. The EP has all the
> information in hand to do so including the smack label, user id and
> application id.

EP <-> "some (D-Bus) system service" depends on the EP having the app's
Smack label.

> Case 2: W3 APIs
> Since the RP is sandboxed it can¹t talk to cynara. Instead, the platform
> API calls are delegated to BP. The BP can then talk to the required
> services including the cynara. The BP has all the information about the RP
> (e.g. Web Application) to do so (see above the BP term description).

Again, for clarity's sake: we agree that the BP not only can talk to
Cynara, it also must and will do it? Because once the BP contacts a
system service, that service no longer knows what app it is servicing
and can only check that the BP itself is allowed to use the service.

Have you already started to look into actually adding the libcynara
calls? In the libcynara API discussion I was reprimanded for speculating
whether the current synchronous API is good enough for Crosswalk; it
would be good if some Crosswalk developer responsible for calling
libcynara in the BP could look at the API and confirm that it is

Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

More information about the Dev mailing list