[Dev] [Cynara] Async admin API proposal

Zhang, Xu U xu.u.zhang at intel.com
Thu Sep 4 01:49:35 GMT 2014


Thanks for your reminder.

Just as Lukasz understand, Crosswalk should add API permission check in the browser process.  From the view of  process running, Tizen web API can be categorized two kinds. One is Tizen device APIs, which will run the browser process.  The other is some W3C web APIs, which  including Geolocation, media and so on will  run  in the browser process. For applications using these W3C APIs, browser process should call Cynara client API to check whether application has privilege to access the resources.  Peter and I are implementing W3C module’s embedder for Crosswalk and a security thread ,  which is a check point to call Cynara client API,  in the browser process.

I think synchronous APIs is enough for Crosswalk browser process.

Zhang Xu
From: Dev [mailto:dev-bounces at lists.tizen.org] On Behalf Of Whiteman, John L
Sent: Thursday, September 4, 2014 5:41 AM
To: Oda, Terri; Lukasz Wojciechowski
Cc: dev at lists.tizen.org
Subject: Re: [Dev] [Cynara] Async admin API proposal

Hi Xu & Sakari,

Do you have input for this per Terri's comments below?  Synchronous or asynchronous?  This info is needed to complete this.

Best Regards,


From: Dev [mailto:dev-bounces at lists.tizen.org] On Behalf Of Oda, Terri
Sent: Wednesday, August 27, 2014 10:03 AM
To: Lukasz Wojciechowski
Cc: dev at lists.tizen.org<mailto:dev at lists.tizen.org>
Subject: Re: [Dev] [Cynara] Async admin API proposal

On Tue, Aug 26, 2014 at 10:03 PM, Lukasz Wojciechowski <l.wojciechow at partner.samsung.com<mailto:l.wojciechow at partner.samsung.com>> wrote:

For installation and launching purposes crosswalk should use libsecurity-manager-client API instead of direct cynara API.
SecurityManager is responsible for setting up cynara policy. It has API for installation and launching applications ready.

but ...
as far as I know, I think it will need also cynara client API in browser process in order to check if running applications have proper privileges to resources that are accessed by browser process.
Check is needed, because a browser process will run an action in the name of application, so some system service (managing resource) will recognize crosswalk's browser process as client.
It is crosswalk responsibility to check if application is allowed to access resource.

Could You check if synchronous or asynchronous cynara API would fit better for that task in browser process ?

To be honest, at this point I'm not sure I know enough about where the checks will need to go in the browser process to answer the question definitively.  I've only looked through the installer code in any sort of depth.

So perhaps it's better to ask someone who's more familiar with the internals of crosswalk: Xu & Sakari, do you know where in the browser code we'll need those checks?  I know last time we talked, it looked most of the APIs were going through the extension process, which meant that they'd be running with an appropriate application label and the services themselves should enforce any policy set on Tizen.  But I believe there will still some necessary checks in the browser process (which runs under a different label than the individual applications), I just don't know which APIs are being handled through the browser and where precisely use of those APIs is enforced.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.tizen.org/pipermail/dev/attachments/20140904/937787fe/attachment.html>

More information about the Dev mailing list