[Tarako] ConnectA2 attach image from camera could slow down the system



Firefox OS
4 years ago
14 days ago


(Reporter: seinlin, Unassigned)



Firefox Tracking Flags

(Not tracked)


(Whiteboard: [c= p= s= u=tarako])


(1 attachment)



4 years ago
When ConnectA2 tries to attach an image from the camera, sometimes the camera will take a long time. If ConnectA2 could group apps in activities chains as in bug 982491, it could be better. Now only certified apps can use activities chains, but ConnectA2 is a privileged type app. Is there any concern about allowing privileged type apps to use activities chains?

Comment 1

4 years ago
Created attachment 8462974 [details] [diff] [review]

Fabrice, could you have a look at this patch? Is it reasonable to allow privileged apps to use activities chains? Thanks!
Attachment #8462974 - Flags: feedback?(fabrice)

Comment 2

4 years ago
Tim, do you have any concern about allowing privileged type apps to group apps in activities chains?
Flags: needinfo?(timdream)
I do, but I don't think there is any alternative either.
Group: b2g-core-security
Flags: needinfo?(timdream) → needinfo?(ptheriault)
Comment on attachment 8462974 [details] [diff] [review]

Review of attachment 8462974 [details] [diff] [review]:

I really don't think we can run apps with different privilege levels in the same process. But we need the security people to weigh in.
Attachment #8462974 - Flags: feedback?(fabrice) → feedback-
I cannot reproduce this issue on my tarako device with the same SD content.

kai-zhen, could you help work with the partner, then try to provide STR and check cpu/memory usage?
Flags: needinfo?(kli)

Comment 6

4 years ago
This issue is not easy to reproduce. Today the partner can't reproduce it either. I'll collect the cpu/memory usage when it happens again.
Flags: needinfo?(kli)
I don't know what activity chains are, but from what I can tell it allows an app to open a web activity in its own process or something like that. Do activity chains actually result in new permissions being granted to a process? I assume so, otherwise things like the camera picker wouldn't work. So basically +1 to what Fabrice said - if we allowed ConnectA2 to open the camera app to choose a photo in its process, we would need to grant that process the permissions needed to run the camera app, which breaks our security model.

Two possible solutions:

- Camera permission is available to privileged - can we just implement a library version of the camera picker that they can include in their app?

- (complex and probably bad idea): allow same process activities, so long as the app initiating the activity is the same or higher app type than the handler, and contains all of the permissions of the handler (i.e. don't grant new permissions).
Flags: needinfo?(ptheriault)
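
The same-process rule proposed in the comment above (initiator is the same or higher app type than the handler and already holds every handler permission), sketched as an added example that is not part of the bug or of Gecko. The function names, the constructed manifests and the expansion of `access` values into read/create/write operations are assumptions made for illustration.

```javascript
"use strict";
// Added illustration, not Gecko code. All names here are hypothetical.

// App types ordered from least to most trusted.
const TYPE_RANK = { web: 0, privileged: 1, certified: 2 };

// Assumed expansion of a manifest "access" value into individual operations.
const ACCESS_OPS = {
  readonly: ["read"],
  createonly: ["create"],
  readcreate: ["read", "create"],
  readwrite: ["read", "create", "write"],
};

// Flatten manifest permissions into a set such as "device-storage:pictures#read".
function expandPermissions(manifest) {
  const out = new Set();
  for (const [name, spec] of Object.entries(manifest.permissions || {})) {
    const ops = spec && spec.access ? ACCESS_OPS[spec.access] : null;
    if (spec && spec.access && !ops) throw new Error("unknown access: " + spec.access);
    if (ops) ops.forEach((op) => out.add(name + "#" + op));
    else out.add(name);
  }
  return out;
}

// Decide whether the handler may run inside the initiator's process without
// that process gaining anything the initiator was not already granted.
function canShareProcess(initiator, handler) {
  const rank = (m) => TYPE_RANK[m.type || "web"];
  if (rank(initiator) === undefined || rank(handler) === undefined) {
    return { allowed: false, reason: "unknown app type", missing: [] };
  }
  if (rank(initiator) < rank(handler)) {
    return { allowed: false, reason: "handler has a higher app type", missing: [] };
  }
  const held = expandPermissions(initiator);
  const missing = [...expandPermissions(handler)].filter((p) => !held.has(p)).sort();
  return missing.length
    ? { allowed: false, reason: "initiator lacks handler permissions", missing }
    : { allowed: true, reason: "no new permissions granted", missing };
}

// Constructed manifests: a privileged messaging app and a certified camera app.
const messagingApp = { type: "privileged",
  permissions: { camera: {}, "device-storage:pictures": { access: "readonly" } } };
const cameraApp = { type: "certified",
  permissions: { camera: {}, "device-storage:pictures": { access: "readwrite" } } };
```

With these constructed manifests, `canShareProcess(messagingApp, cameraApp)` is refused on app type alone, and if both apps were the same type it would still be refused because the handler needs create and write access to pictures that the initiator does not hold.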
Since this is not a security bug in shipping product we don't really need to hide this. If you feel we need to hide it because the code we're GOING to add is adding a vulnerability then we should not add the code, not hide it.
Group: b2g-core-security


4 years ago
Keywords: perf
Whiteboard: [c= p= s= u=tarako]
Priority: -- → P3

Comment 9

4 years ago
I think bug 1050181 is linked with this problem.

What do you think?


Comment 10

14 days ago
Firefox OS is not being worked on
Last Resolved: 14 days ago
Resolution: --- → WONTFIX