200182 2019-07-26 16:27:10 -0700 Allow more syscalls in the WebContent process' sandbox profile 2019-07-27 06:41:59 -0700 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 cdumez cdumez ap bfulgham commit-queue ggaren pvollan webkit-bug-importer oldest_to_newest 1556269 0 cdumez 2019-07-26 16:27:10 -0700 Allow more syscalls in the WebContent process' sandbox profile to avoid getting killed. 1556270 1 cdumez 2019-07-26 16:27:25 -0700 <rdar://problem/53594973> 1556271 2 374998 cdumez 2019-07-26 16:28:52 -0700 Created attachment 374998 Patch 1556273 3 374998 ap 2019-07-26 16:33:55 -0700 Comment on attachment 374998 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374998&action=review > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:945 > + (syscall-number SYS_recvmsg) This one looks suspicious. Looking at the logs, it seems like there is actual networking happening in WebContent, which is not allowed. So we may need a higher level fix here. 1556274 4 374998 cdumez 2019-07-26 16:36:50 -0700 Comment on attachment 374998 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374998&action=review >> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:945 >> + (syscall-number SYS_recvmsg) > > This one looks suspicious. Looking at the logs, it seems like there is actual networking happening in WebContent, which is not allowed. So we may need a higher level fix here. I am no sandboxing expert so I followed the existing pattern. We already allow SYS_recvfrom / SYS_recvfrom_nocancel / SYS_sendto / SYS_sendmsg_nocancel / SYS_sendto_nocancel. 1556275 5 374998 cdumez 2019-07-26 16:37:48 -0700 Comment on attachment 374998 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374998&action=review >>> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:945 >>> + (syscall-number SYS_recvmsg) >> >> This one looks suspicious. Looking at the logs, it seems like there is actual networking happening in WebContent, which is not allowed. So we may need a higher level fix here. > > I am no sandboxing expert so I followed the existing pattern. We already allow SYS_recvfrom / SYS_recvfrom_nocancel / SYS_sendto / SYS_sendmsg_nocancel / SYS_sendto_nocancel. Couldn't it be a socket used to talk to a daemon, as opposed to actual networking? 1556293 6 ap 2019-07-26 17:05:19 -0700 > Couldn't it be a socket used to talk to a daemon, as opposed to actual networking? I have no definitive proof, but I doubt it - there's always com.apple.NSURLConnectionLoader thread in those processes, and usually people who use sockets use them through low level API. > I am no sandboxing expert so I followed the existing pattern. We already allow SYS_recvfrom / SYS_recvfrom_nocancel / SYS_sendto / SYS_sendmsg_nocancel / SYS_sendto_nocancel. Maybe all of those are wrong :-O 1556297 7 374998 ggaren 2019-07-26 17:24:12 -0700 Comment on attachment 374998 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374998&action=review r=me >>>> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:945 >>>> + (syscall-number SYS_recvmsg) >>> >>> This one looks suspicious. Looking at the logs, it seems like there is actual networking happening in WebContent, which is not allowed. So we may need a higher level fix here. >> >> I am no sandboxing expert so I followed the existing pattern. We already allow SYS_recvfrom / SYS_recvfrom_nocancel / SYS_sendto / SYS_sendmsg_nocancel / SYS_sendto_nocancel. > > Couldn't it be a socket used to talk to a daemon, as opposed to actual networking? FWIW, in the traces I saw, each call to recvmsg was triggered by a network connection failure. Seems like someone might have tried to do some networking, but didn't necessarily succeed. Given that these similar sys calls are already allowed, I'm inclined to allow this one too, so folks can stop crashing while we figure out how to generally remove access to this set of syscalls. 1556301 8 374998 ap 2019-07-26 17:30:40 -0700 Comment on attachment 374998 Patch Let's not be in such a crazy hurry. 1556353 9 ap 2019-07-26 23:45:20 -0700 > SYS_sendto Used by ASL logging facility, so definitely needed. > SYS_recvfrom_nocancel > SYS_sendmsg_nocancel > SYS_sendto_nocancel Very few tests hit these, http/tests/workers/service/serviceworker-websocket.https.html being one of those. > SYS_recvfrom I didn't see this one hit on layout tests, but I did see SYS_recvmsg, the same test reproduces it. Maybe the internal implementation in libnetwork switched from one to another after Per Arne's initial testing. So WebSockets in service workers try to use networking in WebContent. This appears related to bug 200161 and bug 199906. The former has a fix posted today, so we should re-test and hopefully remove the unnecessary syscalls. I suggest landing this patch with only SYS_chmod_extended and SYS_lstat_extended added for now. We also need to wire service worker processes to WebKitTestRunner's crash reporting - it's quite unfortunate that these crashes are currently silent during tests. 1556383 10 cdumez 2019-07-27 06:41:59 -0700 Committed r247890: <https://trac.webkit.org/changeset/247890> 374998 2019-07-26 16:28:52 -0700 2019-07-26 17:30:40 -0700 Patch bug-200182-20190726162851.patch text/plain 2246 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjQ3ODc5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDM1MzQ3Zjk3ZmY5Y2Q1YWQ4 NTgzM2FhOWE2OTVkNzI1YTI0ZjdjZTcuLjNlMTBhODVmNTA1NjczOTJkYTMwOWViMjdhNGY0MmE5 MmQ0ZTRmZmQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTcgQEAKKzIwMTktMDctMjYgIENocmlzIER1 bWV6ICA8Y2R1bWV6QGFwcGxlLmNvbT4KKworICAgICAgICBBbGxvdyBtb3JlIHN5c2NhbGxzIGlu IHRoZSBXZWJDb250ZW50IHByb2Nlc3MnIHNhbmRib3ggcHJvZmlsZQorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjAwMTgyCisgICAgICAgIDxyZGFyOi8v cHJvYmxlbS81MzU5NDk3Mz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICBJIHJldmlld2VkIGFsbCBjcmFzaCB0cmFjZXMgYXR0YWNoZWQgdG8gdGhlIHJh ZGFyIGFuZCBmb3VuZCB0aGUgZm9sbG93aW5nCisgICAgICAgIHN5c2NhbGxzIHRoYXQgd2Ugbm90 IHlldCBhbGxvd2VkIGJ5IHRoZSBXZWJDb250ZW50IHByb2Nlc3MncyBzYW5kYm94CisgICAgICAg IHByb2ZpbGUuCisKKyAgICAgICAgKiBXZWJQcm9jZXNzL2NvbS5hcHBsZS5XZWJQcm9jZXNzLnNi LmluOgorCiAyMDE5LTA3LTI2ICBDaHJpcyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CiAKICAg ICAgICAgQ3Jhc2hlcyB1bmRlciBYUENTZXJ2aWNlTWFpbigpIC8gbWFjaF9tc2dfdHJhcCgpIGR1 ZSB0byBzYW5kYm94aW5nCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L1dlYlByb2Nlc3MvY29t LmFwcGxlLldlYlByb2Nlc3Muc2IuaW4gYi9Tb3VyY2UvV2ViS2l0L1dlYlByb2Nlc3MvY29tLmFw cGxlLldlYlByb2Nlc3Muc2IuaW4KaW5kZXggZTJkNjMyMTUwMzIwMjdmM2E4Y2Q2ZDc2ZmM0NDg1 OTgzMzEyMzc4OS4uMzdlZGYwZTU4NmIyMzM4N2MyY2E2YWU4ZTA4OGMwYzA2ZjFmNmZhYyAxMDA2 NDQKLS0tIGEvU291cmNlL1dlYktpdC9XZWJQcm9jZXNzL2NvbS5hcHBsZS5XZWJQcm9jZXNzLnNi LmluCisrKyBiL1NvdXJjZS9XZWJLaXQvV2ViUHJvY2Vzcy9jb20uYXBwbGUuV2ViUHJvY2Vzcy5z Yi5pbgpAQCAtODQxLDYgKzg0MSw3IEBACiAgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNfY2xv c2UpCiAgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNfdW5saW5rKQogICAgICAgICAoc3lzY2Fs bC1udW1iZXIgU1lTX2NobW9kKQorICAgICAgICAoc3lzY2FsbC1udW1iZXIgU1lTX2NobW9kX2V4 dGVuZGVkKQogICAgICAgICAoc3lzY2FsbC1udW1iZXIgU1lTX2dldHVpZCkKICAgICAgICAgKHN5 c2NhbGwtbnVtYmVyIFNZU19nZXRldWlkKQogICAgICAgICAoc3lzY2FsbC1udW1iZXIgU1lTX3Jl Y3Zmcm9tKQpAQCAtOTQxLDYgKzk0Miw3IEBACiAgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNf Y2xvc2Vfbm9jYW5jZWwpCiAgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNfc2VuZG1zZ19ub2Nh bmNlbCkKICAgICAgICAgKHN5c2NhbGwtbnVtYmVyIFNZU19yZWN2ZnJvbV9ub2NhbmNlbCkKKyAg ICAgICAgKHN5c2NhbGwtbnVtYmVyIFNZU19yZWN2bXNnKQogICAgICAgICAoc3lzY2FsbC1udW1i ZXIgU1lTX2ZjbnRsX25vY2FuY2VsKQogICAgICAgICAoc3lzY2FsbC1udW1iZXIgU1lTX3NlbGVj dF9ub2NhbmNlbCkKICAgICAgICAgKHN5c2NhbGwtbnVtYmVyIFNZU19jb25uZWN0X25vY2FuY2Vs KQpAQCAtOTc1LDYgKzk3Nyw3IEBACiAgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNfdGVybWlu YXRlX3dpdGhfcGF5bG9hZCkgOzsgPHJkYXI6Ly9wcm9ibGVtLzUwMDI2NTgwPgogICAgICAgICAo c3lzY2FsbC1udW1iZXIgU1lTX3F1b3RhY3RsKSA7OyA8cmRhcjovL3Byb2JsZW0vNDk5NDUwMzE+ CiAgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNfc3RhdDY0X2V4dGVuZGVkKSA7OyA8cmRhcjov L3Byb2JsZW0vNTA0NzMzMzA+CisgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNfbHN0YXRfZXh0 ZW5kZWQpCiAgICAgICAgIChzeXNjYWxsLW51bWJlciBTWVNfbHN0YXQ2NF9leHRlbmRlZCkKICAg ICAgICAgKHN5c2NhbGwtbnVtYmVyIFNZU19pb3BvbGljeXN5cykKICAgICAgICAgKHN5c2NhbGwt bnVtYmVyIFNZU193b3JrcV9vcGVuKQo=