Jose,

So you need a list of files the BP touches, right?
I don't think we have that right now. But I'll see what we can do.

Sakari

On 5/22/14, 11:26, "José Bollo" <[email protected]> wrote:

>Hi Sakari,
>
>Thank you for your clear answer that explains well the role of each
>of the 3 parts and the options on how to call Cynara.
>
>For further investigation on security integration of crosswalk within
>Tizen, there is some more need: we need an explanation on how files
>created, written or read(*) by BP in delegation of RP will deal with the
>Smack labels of files (extended attribute security.SMACK64).
>
>Best regards
>José Bollo
>
>(*) storage part of W3C
>https://developer.tizen.org/dev-guide/2.2.1/org.tizen.web.w3c.apireference/w3c_api.html
>
>On Thu, 2014-05-22 at 07:53 +0000, Poussa, Sakari wrote:
>> All,
>>
>> Let me try to clarify how the Crosswalk is planned to integrate into the
>> Tizen cynara system in order to do the API permission checks.
>>
>> First we need context for the terms:
>>
>> Shared Process Model: We have one shared Browser Process (BP) per user.
>> Each individual web application contains render process (RP) and
>> extension process (EP). This is the high level summary and is adequate
>> for this discussion.
>>
>> RP - Sandboxed. Runs blink and JS engine. Contains the W3C APIs. When
>> the WebApp issues a W3C API (JS) call which requires access to platform
>> API (e.g. Geolocation) it does IPC to the BP.
>>
>> BP - Not sandboxed. Knows all the details of RPs that are currently
>> running including the application id, smack label, user id, etc. When
>> the RP talks to BP via IPC the BP can use the details of the RP to issue
>> cynara checks.
>>
>> EP - Not sandboxed. Contains the Tizen Device Web APIs and some
>> experimental W3C draft APIs.
>>
>> So we have two cases. 1) Tizen Device APIs et al which are in the EP and
>> 2) W3C APIs which are in RP+BP, BP being the relevant part here.
>>
>> The plan is to add the API permission checks in the following way:
>>
>> Case 1: Tizen Device APIs et al
>>
>> Since the EP is not sandboxed, it can use the libcynara directly or
>> talk to Service API layer, which then talks to cynara. The EP has all
>> the information in hand to do so including the smack label, user id and
>> application id.
>>
>> Case 2: W3C APIs
>>
>> Since the RP is sandboxed it can't talk to cynara. Instead, the platform
>> API calls are delegated to BP. The BP can then talk to the required
>> services including the cynara. The BP has all the information about the
>> RP (e.g. Web Application) to do so (see above the BP term description).
>>
>> Hope this clarifies the case.
>>
>> Sakari
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> https://lists.tizen.org/listinfo/dev
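
The two cases described in the quoted message, as an added C sketch that is not part of the thread and is not Crosswalk or Cynara code. The record layout, the IPC channel handle, the `policy_check` stand-in for the policy service, and every label, id and privilege string are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Per-RP record the BP keeps (fields named in the thread; layout is assumed). */
struct rp_record {
    int         ipc_channel;   /* hypothetical handle for the RP's IPC channel */
    const char *app_id;
    const char *smack_label;
    uid_t       uid;
};

/* Constructed sample state: two web apps running for the same user. */
static const struct rp_record running_rps[] = {
    { 11, "example.maps",  "example-maps-label",  5001 },
    { 12, "example.notes", "example-notes-label", 5001 },
};

/* Constructed policy rows standing in for the policy service's database. */
struct policy_row { const char *smack_label; uid_t uid; const char *privilege; };
static const struct policy_row policy[] = {
    { "example-maps-label", 5001, "example.privilege.location" },
};

/* Hypothetical stand-in for the policy query; returns 1 = allow, 0 = deny. */
static int policy_check(const char *label, uid_t uid, const char *privilege)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].smack_label, label) == 0 &&
            policy[i].uid == uid &&
            strcmp(policy[i].privilege, privilege) == 0)
            return 1;
    return 0;   /* no matching row: deny */
}

/* Case 2: the BP checks with the identity it recorded for the channel the
 * request arrived on, not with its own label and not with anything the
 * sandboxed RP says about itself. */
int bp_handle_api_request(int ipc_channel, const char *privilege)
{
    for (size_t i = 0; i < sizeof running_rps / sizeof running_rps[0]; i++)
        if (running_rps[i].ipc_channel == ipc_channel)
            return policy_check(running_rps[i].smack_label,
                                running_rps[i].uid, privilege);
    return 0;   /* request from a channel the BP does not know: deny */
}

/* Case 1: the EP is not sandboxed and queries with its own details directly. */
int ep_check(const char *own_label, uid_t own_uid, const char *privilege)
{
    return policy_check(own_label, own_uid, privilege);
}
```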
