[Dev] enforcing privileges of web apps
l.pawelczyk at partner.samsung.com
Thu May 22 11:48:11 GMT 2014

On czw, 2014-05-22 at 11:15 +0000, Poussa, Sakari wrote:
> So you need a list of files the BP touches, right?
> I don’t think we have that right now. But I’ll see what we can do.

I think what he meant is how to deal with the fact that requests for
file handling (reading and writing) that are coming from separate
applications have to be handled by a single process (BP) that is
obviously running with only one smack label.

Imagine you have two webapps: text editor and paint. They both will be
running with separate smack labels (RP/EP processes). And they both
might want to write or read a file.

Editor files should have (i.e.) App.WRT.Editor smack labels.
Paint files should have App.WRT.Paint labels.

Both webapps can't write and read files by themselves so they ask BP to
do it (and it's running with some other label). How is BP supposed, in
this case, to be able to read/write those files with application labels
to keep application separation with smack?

(unless there is no file API in W3C)

At least that is my understanding.