Bug 183192

Summary:

Remove network access from the WebContent process sandbox

Product:

WebKit

Reporter:

Brent Fulgham <bfulgham>

Component:

WebKit2

Assignee:

Brent Fulgham <bfulgham>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, ap, bfulgham, commit-queue, eric.carlson, ews-watchlist, jer.noble, mcatanzaro, rniwa, youennf

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=183382
https://bugs.webkit.org/show_bug.cgi?id=185874

Bug Depends on:

178540

Bug Blocks:

183421

Attachments:

Description	Flags
Patch	none
Archive of layout-test-results from ews105 for mac-sierra-wk2	none
Patch	achristensen: review+, commit-queue: commit-queue-

Brent Fulgham

Reported 2018-02-27 17:21:39 PST

Now that Bug 178540 is done, we can remove basic network access from the WebContent process!

Attachments
Patch (3.71 KB, patch) 2018-02-27 17:26 PST, Brent Fulgham	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews105 for mac-sierra-wk2 (2.10 MB, application/zip) 2018-02-27 18:22 PST, EWS Watchlist	no flags	Details
Patch (4.34 KB, patch) 2018-02-27 20:15 PST, Brent Fulgham	achristensen: review+ commit-queue: commit-queue-	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2018-02-27 17:23:49 PST

I've run local tests against the upcoming macOS 10.13.4 and iOS 11.3 betas and confirmed this does not break browsing or media playback. I ran a full test pass on macOS and confirmed no new test failures.

Brent Fulgham

Comment 2 2018-02-27 17:24:20 PST

<rdar://problem/35369115>

Brent Fulgham

Comment 3 2018-02-27 17:26:20 PST

Created attachment 334717 [details] Patch

Alex Christensen

Comment 4 2018-02-27 17:34:31 PST

Comment on attachment 334717 [details] Patch r=me! HOORAY!

youenn fablet

Comment 5 2018-02-27 17:39:22 PST

In Source/WebKit/WebProcess/com.apple.WebProcess.sb.in, there is also: (allow network-outbound (remote udp)) Can we try removing it as well?

EWS Watchlist

Comment 6 2018-02-27 18:22:16 PST

Comment on attachment 334717 [details] Patch Attachment 334717 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/6699122 Number of test failures exceeded the failure limit.

EWS Watchlist

Comment 7 2018-02-27 18:22:17 PST

Created attachment 334721 [details] Archive of layout-test-results from ews105 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

youenn fablet

Comment 8 2018-02-27 18:28:17 PST

Could there still be some media loading directly from the WebProcess on this Sierra bot?

Brent Fulgham

Comment 9 2018-02-27 18:53:51 PST

(In reply to youenn fablet from comment #8) > Could there still be some media loading directly from the WebProcess on this > Sierra bot? Oh, I'll bet there is. I think we only took over full media loading in High Sierra. I'll conditionalize the patch so it only takes effect on High Sierra and newer.

Brent Fulgham

Comment 10 2018-02-27 18:54:23 PST

(In reply to youenn fablet from comment #5) > In Source/WebKit/WebProcess/com.apple.WebProcess.sb.in, there is also: > (allow network-outbound > (remote udp)) > > Can we try removing it as well? Absolutely! I'll try it out in the morning.

Brent Fulgham

Comment 11 2018-02-27 20:15:17 PST

Created attachment 334726 [details] Patch

Brent Fulgham

Comment 12 2018-02-27 20:23:21 PST

(In reply to Brent Fulgham from comment #10) > (In reply to youenn fablet from comment #5) > > In Source/WebKit/WebProcess/com.apple.WebProcess.sb.in, there is also: > > (allow network-outbound > > (remote udp)) > > > > Can we try removing it as well? > > Absolutely! I'll try it out in the morning. ... or, right now.

WebKit Commit Bot

Comment 13 2018-02-28 08:50:58 PST

Comment on attachment 334726 [details] Patch Rejecting attachment 334726 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 334726, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Last 500 characters of output: rdparty/autoinstalled/mechanize/_urllib2_fork.py", line 332, in _call_chain result = func(*args) File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/thirdparty/autoinstalled/mechanize/_urllib2_fork.py", line 1170, in https_open return self.do_open(conn_factory, req) File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/thirdparty/autoinstalled/mechanize/_urllib2_fork.py", line 1118, in do_open raise URLError(err) urllib2.URLError: <urlopen error [Errno 60] Operation timed out> Full output: http://webkit-queues.webkit.org/results/6705241

Brent Fulgham

Comment 14 2018-02-28 09:17:14 PST

Committed r229093: <https://trac.webkit.org/changeset/229093>

Michael Catanzaro

Comment 15 2018-02-28 09:39:35 PST

Nice!

Note You need to log in before you can comment on or make changes to this bug.