On mer, 2014-05-14 at 17:16 +0300, Kis, Zoltan wrote:
> On Wed, May 14, 2014 at 5:00 PM, José Bollo
> <[email protected]> wrote:
> > On mer, 2014-05-14 at 16:56 +0300, Kis, Zoltan wrote:
> >> On Wed, May 14, 2014 at 3:50 PM, Lukasz Wojciechowski
> >
> >> > If we follow such design all calls to services will be made by browser
> >> > process and not by application process. It means that services won't be
> >> > able to provide application granularity access control because all calls
> >> > will be made with SMACK label of browser.
> >> > It is a problem.
> >>
> >> Except if the browser / extension process become security enforcement
> >> points, doing the runtime checks. Since they are different processes
> >> than the one running the app, they could load a library
> >> implementing the runtime security checks and enforce permission. Of
> >> course then the platform becomes as secure as the browser... but
> >
> > The problem is with accesses to the file system and other "filesystem
> > named" objects: the Smack context will not be the one of the App. That
> > is what Rafal explained.
> >
>
> In this model, the extension process could check the app identity,
> manifest, security policy,

Yes, it could

> and won't allow access to file system or
> similar secured objects unless the app has permission for it.

1) how to know if an access to the file system is authorized?

You should read the Smack labels of the accessed entity and check the
Smack database using the application id. It's heavy but could work.
Except with that corner case: if a part of the filesystem can't be
accessed by your process but could be by the application (ex: the app
has context A and the browser that is checking has the context B; if
the accessed item is under context I, granted for A but not for B, it
doesn't work).

2) when the browser creates an object in the filesystem, it gives it
its context. In that case, how to distinguish the objects created by an
application? And how to prevent another application from accessing the
object of another one?

It is possible to achieve it using transmutation of labels. Is it
always possible? I don't know.

Then it could work... At what cost?

Best regards
José

> Similarly to the proposed security proxy.
>
> Then, by another model, the extension process (one per app/instance),
> could inherit the app identity; then indeed security needs to be
> enforced at lower layers, but then the smack context will be of the
> app.
>
> Did I misunderstand something? :)
>
> Best regards,
> Zoltan

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
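The two points raised in the reply above (a browser process deciding on behalf of an app by reading the object's Smack label, and the label a browser-created object ends up with, with and without transmutation) can be made concrete with a small model. The following is an added illustration, not code from the thread or from Tizen or the Smack project: it re-implements the documented Smack decision order and the directory transmute behaviour in a few lines of Python, over constructed labels (`App1`, `Browser`, `App1Data`, `I`, `System`), a constructed rule set and a constructed filesystem. One modelling assumption is stated in `checker_decision`: reading an object's `security.SMACK64` label is itself subject to a Smack read check on the reader's own label, which is what produces the corner case where the checker cannot even see the label.

```python
# Added example (not from the thread): a toy model of the Smack access
# decision and of directory label transmutation. It is a simplified
# re-implementation of the documented Smack rules, not the kernel's code.
# All labels, rules and paths below are constructed sample data.

from dataclasses import dataclass

# Constructed rule set in smackload's "subject object access" format.
SAMPLE_RULES = """\
App1    App1Data  rwxat
App1    System    rx
App1    I         r
Browser System    rx
Browser App1Data  rwt
"""


def parse_rules(text):
    """Parse rule lines into {(subject, object): set(access chars)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, obj, access = line.split()
        rules[(subject, obj)] = set(access.replace("-", ""))
    return rules


def smack_allows(rules, subject, obj, access):
    """Smack decision, in the documented order: a '*' subject is denied
    everything; '^' subjects and '_' objects allow read/execute; '*'
    objects and equal labels allow anything; otherwise an explicit rule
    must grant every requested mode."""
    if subject == "*":
        return False
    for mode in access:
        if obj == "*" or subject == obj:
            continue
        if mode in "rx" and (subject == "^" or obj == "_"):
            continue
        if mode in rules.get((subject, obj), set()):
            continue
        return False
    return True


@dataclass
class FsObject:
    label: str               # value of security.SMACK64
    is_dir: bool = False
    transmute: bool = False  # security.SMACK64TRANSMUTE=TRUE (directories)


def checker_decision(rules, fs, checker, app, path, access):
    """Point 1: a checker process decides on behalf of an app.
    Model assumption: reading the object's label requires the checker
    itself to have Smack read access to the object."""
    obj = fs[path]
    if not smack_allows(rules, checker, obj.label, "r"):
        return "unknown"   # corner case: the checker cannot even see the label
    return "allow" if smack_allows(rules, app, obj.label, access) else "deny"


def create_in(rules, fs, creator, parent_path, name, is_dir=False):
    """Point 2: an object gets its creator's label, unless the parent is a
    transmuting directory and the creator's rule on it includes 't', in
    which case it gets the directory's label (directories also inherit
    the transmute flag in that case)."""
    parent = fs[parent_path]
    if not smack_allows(rules, creator, parent.label, "w"):
        raise PermissionError(f"{creator} may not create in {parent_path}")
    transmuted = parent.transmute and smack_allows(rules, creator, parent.label, "t")
    child = FsObject(parent.label if transmuted else creator, is_dir,
                     transmute=is_dir and transmuted)
    fs[parent_path.rstrip("/") + "/" + name] = child
    return child


def sample_fs():
    """Constructed tree: a system dir, a transmuting per-app data dir,
    a file only App1 may read, and a world-accessible scratch dir."""
    return {
        "/data": FsObject("System", is_dir=True),
        "/data/App1": FsObject("App1Data", is_dir=True, transmute=True),
        "/data/App1/prefs": FsObject("App1Data"),
        "/private": FsObject("I"),
        "/tmp": FsObject("*", is_dir=True),
    }


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    fs = sample_fs()
    for app, path in (("App1", "/data/App1/prefs"),
                      ("App2", "/data/App1/prefs"),
                      ("App1", "/private")):
        verdict = checker_decision(rules, fs, "Browser", app, path, "rw")
        print(f"Browser checking {app} rw on {path}: {verdict}")
    scratch = create_in(rules, fs, "Browser", "/tmp", "scratch")
    cache = create_in(rules, fs, "Browser", "/data/App1", "cache")
    for name, obj in (("/tmp/scratch", scratch), ("/data/App1/cache", cache)):
        readable = smack_allows(rules, "App1", obj.label, "r")
        print(f"{name}: label {obj.label}, readable by App1: {readable}")
```

Running it shows the three outcomes of point 1 (`allow` for App1 on its own data, `deny` for App2, and `unknown` for the object labelled `I` that the browser cannot read on its own label) and the two outcomes of point 2: the object created under `/tmp` carries the `Browser` label and is invisible to App1, while the one created in the transmuting `/data/App1` directory carries `App1Data` and stays readable by the app.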
