
Issue 700462

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug



mash: Review security of Chrome/app -> ash mojo interactions

Project Member Reported by msw@chromium.org, Mar 10 2017

Issue description

With our current design, any client connecting to ash (ash::mojom::kServiceName) could change a variety of ash settings (e.g. desktop background wallpaper, pinned shelf items, audio volume, etc.). We simply rely on the only client (Chrome) to do the right thing here. We should consider the implications of a compromised/malicious client connecting to ash, especially if/when we broaden the connection permissions beyond Chrome.

Tom and I discussed this in https://codereview.chromium.org/2718563008 comments #29-30:

Tom: We should chat sometime about what prevents clients from messing with each other's shelf items if the calls to change image etc. take an easily guessable app ID as a primary key ...

Mike: That's a very good question; I hadn't thought of that. I suppose we are just relying on the shelf client (Chrome) to do the right thing (i.e. only set each app's requested title/icon/etc.). Isn't that also true for all other chrome->ash interaction schemes (wallpaper, volume control, shelf alignment/auto-hide/pinning, etc.)? Perhaps that's not good enough? ... This might be of more concern once app-specific clients beyond chrome can connect to Ash.


 

Comment 1 by dcheng@chromium.org, Mar 11 2017

Cc: dcheng@chromium.org
Cc: jamescook@chromium.org
Owner: sky@chromium.org
Status: Assigned (was: Untriaged)
Please triage. Thanks!

Comment 3 by sky@chromium.org, Apr 17 2017

Labels: Proj-Mustash-Chrome Proj-Mustash-Mash
Aren't the ash settings limited to a specific interface that we lock down by way of manifests?
Components: Internals>Services>Ash
Labels: -Proj-Mustash-Mash
