projects / framework / web / webkit-efl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c00fe88) | patch
Validate smack label of forked/executed WebProcess and PluginProcess
authorYunchan Cho <yunchan.cho@samsung.com>
Wed, 11 Sep 2013 02:16:16 +0000 (11:16 +0900)
committerGerrit Code Review <gerrit@gerrit.vlan144.tizendev.org>
Wed, 25 Sep 2013 06:44:36 +0000 (06:44 +0000)
commitabf2d2377d11e20f77d2a88d9102f763bbd440c5
treedffba25a1165823bd4284d619712775c051b6dd8tree | snapshot
parentc00fe88377e7105684dc964e440e13fa1d2924b9commit | diff
Validate smack label of forked/executed WebProcess and PluginProcess

[Title] Validate smack label of executed WebProcess and PluginProcess
[Issue#] N/A
[Problem] Executed WebProcess/PluginProcess can have unnecessary smack permissions,
          because its all smack permissions are inherited from its parent process by linux kernel.
          So WebProcess/PluginProcess can access some resources of platform which they are not permitted logically.
          This problem would let web app isolation be breaked.

[Cause] This problem had not been considered in WebProcess and PluginProcess
[Solution] WebProcess and PluginProcess check if they changes their smack label or not.
           If they have to change their smack label, the following jobs are executed in each process.
           1. getting smack label string from each executable path(argv[0]) in order to change current label.
           2. changing current label to smack label gotten in 1 step.
           3. dropping CAP_MAC_ADMIN capability to guarantee that any code after this step cann't change smack label.

Change-Id: I03dea4320a4edfd3e8f373705dd192d3ca8a9227
20 files changed:
Source/WTF/wtf/Platform.h diff | blob | history
Source/WebKit2/PlatformTizen.cmake diff | blob | history
Source/WebKit2/PluginProcess/efl/PluginProcessMainEfl.cpp diff | blob | history
Source/WebKit2/Shared/Plugins/PluginModuleInfo.h diff | blob | history
Source/WebKit2/Shared/tizen/ProcessSmackLabel.cpp [new file with mode: 0644] blob
Source/WebKit2/Shared/tizen/ProcessSmackLabel.h [new file with mode: 0644] blob
Source/WebKit2/UIProcess/API/efl/ewk_context.cpp diff | blob | history
Source/WebKit2/UIProcess/Launcher/ProcessLauncher.h diff | blob | history
Source/WebKit2/UIProcess/Launcher/efl/ProcessLauncherEfl.cpp diff | blob | history
Source/WebKit2/UIProcess/Plugins/PluginInfoStore.h diff | blob | history
Source/WebKit2/UIProcess/Plugins/PluginProcessManager.cpp diff | blob | history
Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp diff | blob | history
Source/WebKit2/UIProcess/WebContext.cpp diff | blob | history
Source/WebKit2/UIProcess/WebContext.h diff | blob | history
Source/WebKit2/UIProcess/WebProcessProxy.cpp diff | blob | history
Source/WebKit2/UIProcess/efl/WebContextEfl.cpp diff | blob | history
Source/WebKit2/WebProcess/efl/WebProcessMainEfl.cpp diff | blob | history
Source/cmake/FindLIBSMACK.cmake [new file with mode: 0644] blob
Source/cmake/OptionsTizen.cmake diff | blob | history
packaging/webkit2-efl.spec diff | blob | history
Domain: Web Framework / Uncategorized;