210120 2020-04-07 09:27:04 -0700 [ macOS ] Update sandbox rules for storage 2020-04-07 15:50:56 -0700 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 sihui_liu sihui_liu ap bfulgham ggaren pvollan webkit-bug-importer oldest_to_newest 1638579 0 sihui_liu 2020-04-07 09:27:04 -0700 <rdar://problem/60972224> 1638601 1 395692 sihui_liu 2020-04-07 10:00:11 -0700 Created attachment 395692 Patch 1638606 2 395695 sihui_liu 2020-04-07 10:04:11 -0700 Created attachment 395695 Patch 1638610 3 395695 ggaren 2020-04-07 10:06:35 -0700 Comment on attachment 395695 Patch r=me 1638707 4 395695 ap 2020-04-07 11:58:18 -0700 Comment on attachment 395695 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=395695&action=review > Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:451 > +(allow file-read* file-write* > + (home-subpath "/Library/HTTPStorages")) This is not great, because all NetworkProcesses will have access to each other's cookies, right? So any WebKit2 client can have access to Safari cookies, for example. 1638719 5 sihui_liu 2020-04-07 12:18:53 -0700 (In reply to Alexey Proskuryakov from comment #4) > Comment on attachment 395695 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=395695&action=review > > > Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:451 > > +(allow file-read* file-write* > > + (home-subpath "/Library/HTTPStorages")) > > This is not great, because all NetworkProcesses will have access to each > other's cookies, right? So any WebKit2 client can have access to Safari > cookies, for example. Safari's cookie is not under this path, only (In reply to Alexey Proskuryakov from comment #4) > Comment on attachment 395695 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=395695&action=review > > > Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:451 > > +(allow file-read* file-write* > > + (home-subpath "/Library/HTTPStorages")) > > This is not great, because all NetworkProcesses will have access to each > other's cookies, right? So any WebKit2 client can have access to Safari > cookies, for example. Safari's cookies is not in this directory. I just updated the radar with more background. 1638729 6 ggaren 2020-04-07 12:41:35 -0700 Hmmm... if we can derive the expected path of the cookie storage for a given app, an alternative approach is to issue a sandbox extension for just that path at runtime. That would prevent a compromised Networking process from accessing cookies from other apps. (Is any other data stored in HTTPStorages, like HSTS data or HTTP2 or HTTP3 data? If so, I guess we would need a list of sandbox extensions, one for each storage technology.) That said, the networking process always had blanket access to nsurlstoraged / cookied, so I don't think this approach is a regression. I think we can check this in to resolve our high priority test failure regression, and consider more secure designs for the future. 1638750 7 sihui_liu 2020-04-07 13:03:13 -0700 (In reply to Geoffrey Garen from comment #6) > Hmmm... if we can derive the expected path of the cookie storage for a given > app, an alternative approach is to issue a sandbox extension for just that > path at runtime. That would prevent a compromised Networking process from > accessing cookies from other apps. > This is an option if we can extract the path. > (Is any other data stored in HTTPStorages, like HSTS data or HTTP2 or HTTP3 > data? If so, I guess we would need a list of sandbox extensions, one for > each storage technology.) > I don't know that. Will check with network people. > That said, the networking process always had blanket access to nsurlstoraged > / cookied, so I don't think this approach is a regression. I think we can > check this in to resolve our high priority test failure regression, and > consider more secure designs for the future. Sure. And this is not a test-only regression. Apps like TestWebKitAPI may not be able to store cookies persistently. 1638863 8 ews-feeder 2020-04-07 15:50:55 -0700 Committed r259679: <https://trac.webkit.org/changeset/259679> All reviewed patches have been landed. Closing bug and clearing flags on attachment 395695. 395692 2020-04-07 10:00:11 -0700 2020-04-07 10:04:09 -0700 Patch bug-210120-20200407100010.patch text/plain 1306 sihui_liu U3VidmVyc2lvbiBSZXZpc2lvbjogMjU5NTk3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IGI3YTZlMDQyMWUyOTE3MTdh YzA4MDg3ZDc3N2ViN2U5MzY2MTJiNzIuLmE5ZTVmZmJjMzA5NTlhYWYwMzg1NDI3ODY2OTVlOWNm ZThmZDdmOTcgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAKKzIwMjAtMDQtMDcgIFNpaHVpIExp dSAgPHNpaHVpX2xpdUBob3RtYWlsLmNvbT4KKworICAgICAgICBbTWFjT1NdIFVwZGF0ZSBzYW5k Ym94IHJ1bGVzIGZvciBzdG9yYWdlCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0yMTAxMjAKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzYwOTcyMjI0Pgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRoaXMgZGly ZWNvdHJ5IGlzIHVzZWQgZm9yIGNvb2tpZSBzdG9yYWdlLgorCisgICAgICAgICogTmV0d29ya1By b2Nlc3MvbWFjL2NvbS5hcHBsZS5XZWJLaXQuTmV0d29ya1Byb2Nlc3Muc2IuaW46CisKIDIwMjAt MDQtMDYgIFNpbW9uIEZyYXNlciAgPHNpbW9uLmZyYXNlckBhcHBsZS5jb20+CiAKICAgICAgICAg TWFrZSBTY3JvbGxhYmxlQXJlYSBUZXh0U3RyZWFtLWxvZ2dhYmxlCmRpZmYgLS1naXQgYS9Tb3Vy Y2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL21hYy9jb20uYXBwbGUuV2ViS2l0Lk5ldHdvcmtQcm9j ZXNzLnNiLmluIGIvU291cmNlL1dlYktpdC9OZXR3b3JrUHJvY2Vzcy9tYWMvY29tLmFwcGxlLldl YktpdC5OZXR3b3JrUHJvY2Vzcy5zYi5pbgppbmRleCAyOWJkOGI3ZDIwMTViNzU4MzQ3MWY3ZmMw NzVlYmQ1MGNiYmExNGRhLi4wY2EzNGYwZmFkYTc2MmRiZjYyZWYzODM4OTc2ODVlYTY4ZDBiNTll IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL21hYy9jb20uYXBwbGUu V2ViS2l0Lk5ldHdvcmtQcm9jZXNzLnNiLmluCisrKyBiL1NvdXJjZS9XZWJLaXQvTmV0d29ya1By b2Nlc3MvbWFjL2NvbS5hcHBsZS5XZWJLaXQuTmV0d29ya1Byb2Nlc3Muc2IuaW4KQEAgLTQ0Niwz ICs0NDYsNiBAQAogOzsgTmVlZGVkIGZvciBUQ0MuCiAoYWxsb3cgbWFjaC1sb29rdXAKICAgICAo Z2xvYmFsLW5hbWUgImNvbS5hcHBsZS50Y2NkIikpCisKKyhhbGxvdyBmaWxlLXJlYWQqIGZpbGUt d3JpdGUqCisgICAgKGhvbWUtc3VicGF0aCAiL0xpYnJhcnkvSFRUUFN0b3JhZ2VzIikpCg== 395695 2020-04-07 10:04:11 -0700 2020-04-07 15:50:55 -0700 Patch bug-210120-20200407100410.patch text/plain 1434 sihui_liu U3VidmVyc2lvbiBSZXZpc2lvbjogMjU5NjQzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IGIxYTExOTZkNjU3NTllOWVk YWMxMGE2NmNjMTZkNzkyMjJlYmIxMjMuLjk3MGI5MGFkMmVhZjRhOTY5Y2JmZTM5MWM3MTEzMDFh NTQ0NzZkYzkgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAKKzIwMjAtMDQtMDcgIFNpaHVpIExp dSAgPHNpaHVpX2xpdUBob3RtYWlsLmNvbT4KKworICAgICAgICBbIG1hY09TIF0gVXBkYXRlIHNh bmRib3ggcnVsZXMgZm9yIHN0b3JhZ2UKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcv c2hvd19idWcuY2dpP2lkPTIxMDEyMAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vNjA5NzIyMjQ+ CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhpcyBk aXJlY290cnkgaXMgdXNlZCBmb3IgY29va2llIHN0b3JhZ2UuCisKKyAgICAgICAgKiBOZXR3b3Jr UHJvY2Vzcy9tYWMvY29tLmFwcGxlLldlYktpdC5OZXR3b3JrUHJvY2Vzcy5zYi5pbjoKKwogMjAy MC0wNC0wNyAgWW91ZW5uIEZhYmxldCAgPHlvdWVubkBhcHBsZS5jb20+CiAKICAgICAgICAgUkVH UkVTU0lPTiAocjI1OTM4My0yNTkzODQpOiBBU1NFUlRJT04gRkFJTEVEOiAnQ29tcGxldGlvbiBo YW5kbGVyIHNob3VsZCBhbHdheXMgYmUgY2FsbGVkJyBzZWVuIHdpdGggaHR0cC93cHQvc2Vydmlj ZS13b3JrZXJzL3NlcnZpY2Utd29ya2VyLWRpZmZlcmVudC1wcm9jZXNzLmh0dHBzLmh0bWwKZGlm ZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvTmV0d29ya1Byb2Nlc3MvbWFjL2NvbS5hcHBsZS5XZWJL aXQuTmV0d29ya1Byb2Nlc3Muc2IuaW4gYi9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL21h Yy9jb20uYXBwbGUuV2ViS2l0Lk5ldHdvcmtQcm9jZXNzLnNiLmluCmluZGV4IDI5YmQ4YjdkMjAx NWI3NTgzNDcxZjdmYzA3NWViZDUwY2JiYTE0ZGEuLjBjYTM0ZjBmYWRhNzYyZGJmNjJlZjM4Mzg5 NzY4NWVhNjhkMGI1OWUgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvTmV0d29ya1Byb2Nlc3Mv bWFjL2NvbS5hcHBsZS5XZWJLaXQuTmV0d29ya1Byb2Nlc3Muc2IuaW4KKysrIGIvU291cmNlL1dl YktpdC9OZXR3b3JrUHJvY2Vzcy9tYWMvY29tLmFwcGxlLldlYktpdC5OZXR3b3JrUHJvY2Vzcy5z Yi5pbgpAQCAtNDQ2LDMgKzQ0Niw2IEBACiA7OyBOZWVkZWQgZm9yIFRDQy4KIChhbGxvdyBtYWNo LWxvb2t1cAogICAgIChnbG9iYWwtbmFtZSAiY29tLmFwcGxlLnRjY2QiKSkKKworKGFsbG93IGZp bGUtcmVhZCogZmlsZS13cml0ZSoKKyAgICAoaG9tZS1zdWJwYXRoICIvTGlicmFyeS9IVFRQU3Rv cmFnZXMiKSkK