W dniu 2014-05-15 10:55, Zhang, Xu U pisze:
-----Original Message-----
From: Dev [mailto:[email protected]] On Behalf Of Patrick Ohly
Sent: Wednesday, May 14, 2014 11:02 PM
To: Jussi Laako
Cc: [email protected]
Subject: Re: [Dev] enforcing priviliges of web apps
On Wed, 2014-05-14 at 17:41 +0300, Jussi Laako wrote:
On 14.5.2014 17:06, Patrick Ohly wrote:
The problem remains that the current D-Bus mechanism does not allow
passing this extra information.
We just included appctx as part of our dbus API.
That works because you have full control over the D-Bus API. It does not work
when trying to add access control to an existing API, because it would break
the API for apps already using it.
At the moment, the patched dbus-daemon will tell clients when (and only
when) they ask what the application context of a certain peer is (via
GetConnectionSmackContext). This information is not part of the message
itself. I don't know how extensible the on-the-wire D-Bus message format is.
Perhaps it would be possible to extend the header such that the extra
information can be added without affecting parsing by D-Bus clients which are
not aware of this extension.
This does not address the file access issues pointed out by Rafał, which IMHO
is the bigger issue.
My feeling at the moment is that several interested bystanders (me
included) speculate about how Crosswalk could be secured, but do we have the
actual decision makers and implementers involved, too? Who owns security of
the web runtime?
[Zhang Xu ] Patrick, Bai (who has left Intel) and I have designed crosswalk API
permission control. The doc is here
https://docs.google.com/a/intel.com/document/d/137u_gxmNaIFwVzaCkCFBJyveIdZxuAydWOkMI8oWgD0/edit
and the implementation is done. I am informed that all web device APIs
implementation should use Cynara’s service API directly. So the design will be
dropped from web runtime side.
I will implement crosswalk runtime security issues.
Intel account is required to access linked page. :(
Could You share the document somehow ?
Lukasz
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although I am an
employee of Intel, the statements I make here in no way represent Intel's
position on the issue, nor am I authorized to speak on behalf of Intel on this
matter.
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
