Commit eba2e172 authored by Emanuele Aina

security: More details about the multi-proc WebKit architecture

Speak about process *classes* as there can be more than one Web process
if WEBKIT_PROCESS_MODEL_MULTIPLE_SECONDARY_PROCESSES is in use and
multiple Plugin processes (one for each plugin activated).

Also mention the Network process which contributes to keeping the
privileges needed by Web processes low.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Differential Revision: https://phabricator.apertis.org/D3967
parent 0d12b5d5
......@@ -1545,23 +1545,24 @@ regain control of the browser too. Existing browsers usually load an
alternate page with a button the user can click to load the page, which
is probably also a good idea for the Apertis browser.
Collabora evaluated taking the WebKit clutter port to the new WebKit2
Collabora evaluated taking the WebKit Clutter port to the new WebKit2
architecture as part of the Apertis project; as of 2012 it was deemed
risky given the time and budget constraints.
As of 2015, it has been decided that Apertis will switch away from
WebKit Clutter and onto the GTK+ port, which is already built upon the
WebKit2 architecture. The main feature of that architecture is that it
has three different processes: the UI process deals with user
interaction, the Web process deals directly with web content, and the
plugin process is responsible for running plugins.
has several different classes of processes: the UI process deals with user
interaction, the Web processes render page contents,
the Network process mediates access to remote data,
and the Plugin processes are responsible for running plugins.
The fact that the processes are separate provides a great way of locking
them down properly. The Web process, which is the most likely to be
exploited in case of successful attack is also the one that needs the
them down properly. The Web processes, which are the most likely to be
exploited in case of successful attack are also the one that needs the
least privileges when it comes to interfacing with the system, so the
AppArmor policies that apply to it can be very strict. If a limited set
of plugins is supported, the same can be applied to the plugins process.
of plugins is supported, the same can be applied to the Plugin processes.
In fact, the WebKit codebase contains support for using seccomp filters
(see [](#seccomp)) to sandbox the WebKit2 processes. It may be a useful
addition in the future.
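Review bot: the rewritten sentence about the Web processes now mixes plural and singular ("The Web processes, which are the most likely to be exploited in case of successful attack are also the one that needs the least privileges"); it should read "are also the ones that need the least privileges", with a comma after "attack" to close the relative clause. The same paragraph would also benefit from saying why the Network process matters for the lockdown, since the commit message states that it helps keep Web process privileges low but the text only lists it as mediating access to remote data: one sentence noting that, with network access handled by the Network process, the AppArmor policy for the Web processes can deny them network access outright would make the security argument explicit. Minor: the hunk changes "Web process" and "plugins process" to capitalised "Web processes" / "Plugin processes", but "the plugin process is responsible" in the removed line used lower case; the new text is consistent, so this is fine as long as the rest of the document follows the capitalised form.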