[Dev] enforcing privileges of web apps

Rafał Krypa r.krypa at samsung.com
Thu May 22 18:05:28 GMT 2014


On 2014-05-22 09:53, Poussa, Sakari wrote:
> All,
>
> Let me try to clarify how the Crosswalk is planned to integrate into the
> Tizen cynara system in order to do the API permission checks.
>
> First we need context for the terms:
>
> Shared Process Model: We have one shared Browser Process (BP) per user.
> Each individual web application contains a render process (RP) and an
> extension process (EP). This is the high level summary and is adequate for
> this discussion.

Thank you for the clarification.
I have one more question about the processes: how are these started? Is BP forking and executing RPs and EPs?

> RP - Sandboxed. Runs blink and JS engine. Contains the W3C APIs. When the
> WebApp issues a W3C API (JS) call which requires access to platform API
> (e.g. Geolocation) it does IPC to the BP.
>
> BP - Not sandboxed. Knows all the details of RPs that are currently
> running including the application id, smack label, user id, etc. When the
> RP talks to BP via IPC the BP can use the details of the RP to issue
> cynara checks.
>
> EP - Not sandboxed. Contains the Tizen Device Web APIs and some
> experimental W3C draft APIs.

What does it mean that EP is not sandboxed? At first I understood that you meant sandboxing by Smack labels, but in another e-mail you confirmed that EP should run with application's Smack label.

> So we have two cases. 1) Tizen Device APIs et al which are in the EP and
> 2) W3C APIs which are in RP+BP, BP being the relevant part here.
>
> The plan is to add the API permission checks in the following way:
>
> Case 1: Tizen Device APIs et al
>
> Since the EP is not sandboxed, it can use libcynara directly or
> talk to the Service API layer, which then talks to cynara. The EP has all the
> information in hand to do so including the smack label, user id and
> application id.

If we are going to support native applications, services will have to perform cynara checks anyway. Also we can declare EPs as "not trusted" if enforcement is performed outside.

> Case 2: W3C APIs
>
>
> Since the RP is sandboxed it can't talk to cynara. Instead, the platform
> API calls are delegated to BP. The BP can then talk to the required
> services including the cynara. The BP has all the information about the RP
> (e.g. Web Application) to do so (see above the BP term description).

Here again platform services will perform additional cynara checks, but there probably is no way around it.

By the way, is BP also responsible for communication between applications?


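The two check paths discussed in this thread, as an added model that is not code from the thread, from Crosswalk or from Cynara. The Cynara policy database is stood in for by an in-memory table keyed on the same (client Smack label, user id, privilege) triple a Cynara check is made on; the process names, pids, Smack labels, app ids, privilege strings and API names are all made up for the example. The point it shows is that in case 2 the BP decides from its own record of the RP's identity (recorded when it spawned the RP), ignoring anything the sandboxed RP claims about itself in the IPC message, and that in case 1 the platform service re-checks the caller regardless of whether the EP already did.

```python
# Added illustration for this thread, not Crosswalk or Cynara code.
# Cynara is modelled by an in-memory policy table over the
# (client Smack label, user id, privilege) triple a real check uses.
# All names, labels, ids and privilege strings below are assumptions.

from dataclasses import dataclass

ALLOW = "ALLOW"
DENY = "DENY"

# W3C API -> platform privilege the BP must check before acting for the RP.
# Privilege strings are assumed for the example, not taken from the thread.
API_PRIVILEGES = {
    "geolocation.getCurrentPosition": "privilege/location",
    "mediaDevices.getUserMedia": "privilege/camera",
}


@dataclass(frozen=True)
class ProcInfo:
    """What the BP records about a process it has spawned."""
    pid: int
    app_id: str
    smack_label: str  # application's Smack label (EPs run under it too)
    uid: int


class PolicyStore:
    """Stand-in for the Cynara policy database; unknown triples are denied."""

    def __init__(self, allowed):
        self._allowed = set(allowed)  # (client_label, user_id, privilege)

    def check(self, client, user, privilege):
        return ALLOW if (client, user, privilege) in self._allowed else DENY


class BrowserProcess:
    """One shared BP per user. It knows each RP's identity because it
    spawned it, so it can decide the RP's delegated platform API calls."""

    def __init__(self, policy):
        self._policy = policy
        self._procs = {}  # pid -> ProcInfo, filled at spawn time, never via IPC

    def spawn_render_process(self, pid, app_id, smack_label, uid):
        self._procs[pid] = ProcInfo(pid, app_id, smack_label, uid)

    def handle_ipc(self, sender_pid, request):
        """Case 2: decide a delegated W3C API request. sender_pid stands for
        the identity the BP gets from the IPC channel itself (e.g. peer
        credentials), not from the message body."""
        info = self._procs.get(sender_pid)
        if info is None:
            return DENY  # unknown sender: never fall back to message fields
        privilege = API_PRIVILEGES.get(request.get("api"))
        if privilege is None:
            return DENY  # API with no privilege mapping: fail closed
        # request["app_id"] / request["smack_label"], if present, are ignored.
        return self._policy.check(info.smack_label, str(info.uid), privilege)


class PlatformService:
    """A platform service that checks the caller itself, which is the
    additional check the reply expects services to perform anyway."""

    def __init__(self, policy):
        self._policy = policy

    def call(self, peer, privilege):
        return self._policy.check(peer.smack_label, str(peer.uid), privilege)


def extension_process_check(policy, own, privilege):
    """Case 1: the EP is not sandboxed and checks with its own credentials."""
    return policy.check(own.smack_label, str(own.uid), privilege)


def demo():
    policy = PolicyStore([("User::App::maps", "5001", "privilege/location")])
    bp = BrowserProcess(policy)
    bp.spawn_render_process(1201, "org.example.maps", "User::App::maps", 5001)
    bp.spawn_render_process(1202, "org.example.notes", "User::App::notes", 5001)
    geo = {"api": "geolocation.getCurrentPosition"}
    spoof = dict(geo, app_id="org.example.maps", smack_label="User::App::maps")
    results = {
        "maps_location": bp.handle_ipc(1201, geo),    # label holds the privilege
        "notes_location": bp.handle_ipc(1202, geo),   # label does not
        "notes_spoof": bp.handle_ipc(1202, spoof),    # claimed identity ignored
        "unknown_pid": bp.handle_ipc(9999, geo),      # BP never spawned it
        "maps_unmapped": bp.handle_ipc(1201, {"api": "battery.getStatus"}),
    }
    ep = ProcInfo(1301, "org.example.maps", "User::App::maps", 5001)
    results["ep_direct"] = extension_process_check(policy, ep, "privilege/location")
    results["service_recheck"] = PlatformService(policy).call(ep, "privilege/location")
    results["service_camera"] = PlatformService(policy).call(ep, "privilege/camera")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The `notes_spoof` case is the one that matters for the BP design: because the process table is filled only when the BP spawns an RP, a compromised renderer gains nothing by putting another application's id or label into the IPC message. The `unknown_pid` and `maps_unmapped` cases show the fail-closed defaults a delegating BP needs, and `service_recheck` shows why the EP can be treated as "not trusted" once the service enforces on its own.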