On Thu, Mar 15, 2012 at 3:26 AM, Chris Jones <
cjo...@mozilla.com> wrote:
> That's right: the ideal model is one process per "app" and one process per <iframe browser> (arbitrary web content).
processes (fork) are not secure, and are not securable. privilege
escalation is still possible. for maximum security (even when not
using SE/Linux to audit, track and enforce security), exec has to be
used.
that means designing the system so that there is inter-process communication.
and in the case under discussion, that's actually very very easy to
add.... to XPCOM. COM, which inspired XPCOM, can have its parameters
marshalled, shipped over an inter-process communications pipe, and
unmarshalled, because the fundamental basis of COM is actually
DCE/RPC.
so there is absolutely no reason in the world why XPCOM should not
also be properly upgraded to use DCE/RPC. there are at least two
suitable implementations out there: one is
http://freedce.sf.net and
the other is in Wine. the license on freedce is both BSD and LGPLv2+.
now, for precisely the reasons you raised chris (speed and memory
requirements optimised when things like security are blatantly
ignored) microsoft chose to make an "optimisation" to COM where the
inter-process communication could be removed and the parameters
swapped on the stack.
i believe they may actually have used COM to construct the function
call parameter stack in assembly code by the marshaller/unmarshaller
:)
so, anyway: if you've got the pieces in place, you can make the decision.
but... yeah. the above is quite a bit of work. it's why i
recommended the architecture of just creating JSONRPC services for all
B2G back-end functionality instead.
i'm actually quite concerned that to the Mozilla Foundation, with its
technical hammer called "WebAPI", that all technical problems are now
looking like nails.
l.