On 2014-11-04 09:25, Zhang, Xu U wrote:
> Hi Rafal,
>
> I have forwarded your email to the Crosswalk mailing list. Misha, who is a key
> contributor for Crosswalk, replied here:
> https://lists.crosswalk-project.org/pipermail/crosswalk-dev/2014-October/002165.html
>  
>
> I have a question on setting SMACK label for gpu process. GPU process is 
> shared by all render process in the same user just as browser process. What 
> SMACK label should be set for GPU process? What API should we call?

Hi Xu,
Let me summarize the whole picture including the GPU process and the Zygote
process and how I think their security configuration should be handled:

*Browser process*
Will be launched by "systemd --user". Runs with label "User" and with privilege
(capabilities for setting Smack labels). You don't have to call anything to
change its security settings, with one exception (described below at Zygote
process).

*GPU process*
Spawned from the browser process. Runs with label "User" and inherits the
privilege from the browser process. Since it doesn't need the privilege, it
should call security_manager_drop_process_privileges() function.

*Zygote process*
Spawned from the browser process. Runs with label "User" and inherits the
privilege. I need to know if Zygote will continue to be used on Tizen. If yes,
then the browser should drop capabilities after spawning Zygote
(security_manager_drop_process_privileges()). Whichever process will spawn
render processes needs privileges to pass them to render children.

*Render process*
Spawned from Zygote process, or directly from Browser process if Zygote is
gone. It will run with application-specific Smack label. Will be initially
started with privilege to allow changing of Smack label. Should call
security_manager_prepare_app() to set security context, which will change the
label and also drop privileges.

*Extension process*
Will be spawned from application launcher (amd_session_agent, but see also
https://bugs.tizen.org/jira/browse/TC-1968). It should run with
application-specific Smack label. Tomasz Iwanek patched Crosswalk to call
security-manager in EP, but after we integrate amd with security-manager, that
won't be needed. The launcher should take care of setting security for EP and
you won't have to do it in Crosswalk.


Best regards,
Rafal Krypa
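The process tree Rafal describes has one invariant worth checking mechanically: privilege (the capability to change Smack labels) is inherited on spawn, so whichever process spawns render children must still hold it, and every other process should have dropped it. The following is an added model of that spawn chain, written for this thread and not code from Crosswalk, Chromium or Tizen's security-manager. The functions `drop_privileges()` and `prepare_app()` only model the effect of security_manager_drop_process_privileges() and security_manager_prepare_app() on a process record; they do not call the real library. The app label string and the process names are constructed placeholders.

```python
from dataclasses import dataclass, field

USER_LABEL = "User"  # label of the browser-owned processes in the mail


class SecurityError(Exception):
    """Raised when a process tries to change its Smack label without privilege."""


@dataclass
class Proc:
    name: str
    label: str
    privileged: bool            # may change Smack labels (Smack-setting capabilities)
    children: list = field(default_factory=list)


def spawn(parent: Proc, name: str) -> Proc:
    """fork() semantics: the child inherits the parent's label and privilege."""
    child = Proc(name, parent.label, parent.privileged)
    parent.children.append(child)
    return child


def drop_privileges(proc: Proc) -> None:
    """Models security_manager_drop_process_privileges(): keep label, lose privilege."""
    proc.privileged = False


def prepare_app(proc: Proc, app_label: str) -> None:
    """Models security_manager_prepare_app(): switch to the app label, then drop
    privilege. Changing the label requires privilege, so an unprivileged caller fails."""
    if not proc.privileged:
        raise SecurityError(f"{proc.name}: cannot change Smack label without privilege")
    proc.label = app_label
    proc.privileged = False


def run_scenario(drop_before_zygote: bool) -> Proc:
    """Build the browser -> gpu / zygote -> render tree.

    drop_before_zygote=False is the ordering recommended in the mail (browser drops
    privilege only after spawning Zygote). True models the mistake of dropping too
    early, which leaves Zygote and every render child unable to relabel."""
    browser = Proc("browser", USER_LABEL, privileged=True)   # started by systemd --user
    gpu = spawn(browser, "gpu")
    drop_privileges(gpu)                                      # GPU never needs privilege
    if drop_before_zygote:
        drop_privileges(browser)
    zygote = spawn(browser, "zygote")
    if not drop_before_zygote:
        drop_privileges(browser)                              # browser drops after Zygote exists
    render = spawn(zygote, "render")
    prepare_app(render, "User::App::example")                 # constructed placeholder label
    return browser


def final_state(drop_before_zygote: bool) -> dict:
    """Flatten the tree into {name: (label, privileged)} for inspection."""
    out = {}

    def walk(p: Proc) -> None:
        out[p.name] = (p.label, p.privileged)
        for c in p.children:
            walk(c)

    walk(run_scenario(drop_before_zygote))
    return out


def check(state: dict, render_spawner: str = "zygote") -> list:
    """Return the invariant violations in a final state: only the render spawner may
    keep privilege, and render processes must no longer carry the 'User' label."""
    problems = []
    for name, (label, privileged) in state.items():
        if privileged and name != render_spawner:
            problems.append(f"{name} still holds label-changing privilege")
        if name.startswith("render") and label == USER_LABEL:
            problems.append(f"{name} runs with the shared '{USER_LABEL}' label")
    return problems


if __name__ == "__main__":
    print(final_state(False), check(final_state(False)))
    try:
        final_state(True)
    except SecurityError as e:
        print("early drop:", e)
```

Running it with the recommended ordering leaves only Zygote privileged and the render process relabelled; dropping the browser's privilege before spawning Zygote makes `prepare_app()` fail in the render child, which is exactly the failure the ordering rule in the mail prevents.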
_______________________________________________
Dev mailing list
https://lists.tizen.org/listinfo/dev
