> -----Original Message-----
> From: Dev [mailto:dev-boun...@lists.tizen.org] On Behalf Of José Bollo
> Sent: Tuesday, December 09, 2014 1:40 AM
> To: Rafał Krypa
> Cc: d...@lists.tizen.org; crosswalk-dev@lists.crosswalk-project.org
> Subject: Re: [Dev] [Intent to implement] Crosswalk uses Dual process model
> on Tizen
> 
> Le mardi 09 décembre 2014 à 10:13 +0100, Rafał Krypa a écrit :
> > On 2014-12-09 09:36, José Bollo wrote:
> >
> > > Le lundi 08 décembre 2014 à 13:08 +0000, Pozdnyakov, Mikhail a écrit :
> > > > Hi,
> > > >
> > > > Description:
> > > >
> > > > The Dual process model is a process model where each application run
> contains two processes:
> > > > The first process includes Browser process (BP),  GPU process (GP) and
> Extension process (EP)

You desperately need a change in your terminology!

> > > Hi Mikhail, Hi all,
> > >
> > > IIRC & IMHO, merging BP and EP is a NO GO from the Tizen Security Point
> > > of View. The rationale is that EP to be as usable as possible from the
> > > developer scope (hybrid apps) have to be sandboxed using Smack and
> > > should not have capabilities.
> >
> > Hi José,
> > My understanding of the proposed model is that each application would
> > have two processes for itself:
> > - BP+EP+GP, serving as a starting point for application
> > - RP, executed from BP as before, possibly still sandboxed by Chromium

Because you have EP in one process (the native component of the application)
and RP in the other (the web component of the application) neither can be
trusted to perform any security related function. Actually, the BP+EP+GP
can start out as a trusted component, but has to drop all privilege and
set all security attributes prior to invoking any application code.

> > In this picture there is no need for any of these processes to be
> > privileged. The new merged process would be started by
> > amd-session-launcher with already setup Smack label. That process
> > would no longer be responsible for security configuration and
> > enforcement. IMHO from security point of view that is way better than
> > we had before. Each application gets proper Smack sandbox without
> > sharing any processes at Crosswalk.
> 
> Hi Rafał,
> 
> That would be good but I'm seeing there is still a reason to consider BP
> as privileged: for implementing Web API, it is calling Cynara.

The Cynara checks are going to have to be removed. I am curious as
to how the resources that were managed by the BP in the prior design
are going to be managed in the dual-process model.

> I am also skeptical on the fact that BP will run without privileges. But

The BP can start with privilege, but will need to drop it before it goes
anywhere near application code. That is, until it invokes EP or GP or
forks off RP.  And of course, it can't make decisions about resource
access.

> I am not expert and should trust developers of crosswalk.

Trust should be based on understanding. If you don't understand
there is no reason you should trust.

> Cheers
> José Bollo
> 
> >
> >
> > Best regards,
> > Rafal Krypa
> 
> 
> _______________________________________________
> Dev mailing list
> d...@lists.tizen.org
> https://lists.tizen.org/listinfo/dev
_______________________________________________
Crosswalk-dev mailing list
Crosswalk-dev@lists.crosswalk-project.org
https://lists.crosswalk-project.org/mailman/listinfo/crosswalk-dev
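The point argued in the reply above, that the merged BP+EP+GP process may start privileged but must set its security attributes and drop all privilege before it touches application code (EP, GP or a forked RP), is shown below as an added example in C. It is not code from Crosswalk, Tizen or anyone on this thread. It assumes a Linux kernel with Smack, whose per-process label is written through /proc/self/attr/current (needs CAP_MAC_ADMIN, so it must happen before the uid is dropped); the environment variables APP_SMACK_LABEL, APP_UID and APP_GID and the order of steps are the example's own choices, standing in for whatever the launcher (amd-session-launcher in the thread) would pass.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Set the Smack label of the calling process. Smack exposes it through
 * /proc/self/attr/current; changing it needs CAP_MAC_ADMIN, which is why
 * this runs before uid/gid are dropped. Returns 0 on success, -1 on
 * failure with errno set. */
static int set_smack_label(const char *label)
{
    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)strlen(label);
    ssize_t n = write(fd, label, (size_t)len);
    int saved = errno;
    close(fd);
    if (n != len) {
        errno = saved;
        return -1;
    }
    return 0;
}

/* Confine the calling process before any application code runs:
 *   1. set the per-application Smack label (while still privileged),
 *   2. drop supplementary groups, then gid, then uid (order matters: once
 *      the uid is non-root, setgroups/setgid are no longer permitted;
 *      setuid to a non-root uid also clears the effective capabilities),
 *   3. forbid regaining privilege later through setuid/fscaps binaries.
 * label may be NULL to skip step 1 (e.g. a kernel without Smack).
 * Returns 0 on success, -1 at the first failing step. */
int drop_privileges(const char *label, uid_t uid, gid_t gid)
{
    if (label && set_smack_label(label) < 0)
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
#ifdef PR_SET_NO_NEW_PRIVS
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
#endif
    return 0;
}

/* Sanity check after dropping: the process must not be able to become
 * root again. Returns 1 when privilege is really gone, 0 otherwise. */
int privilege_is_dropped(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    /* A process that has fully dropped root cannot setuid(0) any more. */
    return setuid(0) < 0 && errno == EPERM;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]);
        return 2;
    }
    /* Hypothetical inputs: a real launcher would derive label and ids
     * from the application id. Unset label means "skip the Smack step". */
    const char *label = getenv("APP_SMACK_LABEL");
    uid_t uid = getenv("APP_UID") ? (uid_t)atoi(getenv("APP_UID")) : getuid();
    gid_t gid = getenv("APP_GID") ? (gid_t)atoi(getenv("APP_GID")) : getgid();

    if (drop_privileges(label, uid, gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privilege_is_dropped()) {
        fprintf(stderr, "refusing to run application code with privilege\n");
        return 1;
    }
    /* Only now is it safe to hand control to application code. */
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 1;
}
```

Run unprivileged it simply re-asserts the caller's own uid/gid and execs the given program; run as root with APP_SMACK_LABEL, APP_UID and APP_GID set it labels and de-privileges itself first. The refusal branch is the defensive core: if the drop cannot be verified, no application code is started at all.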