Bug 201798

Summary: REGRESSION(249649): Unable to open local files in MiniBrowser on macOS
Product: WebKit Reporter: Per Arne Vollan <pvollan>
Component: WebKit Misc.Assignee: Per Arne Vollan <pvollan>
Status: REOPENED    
Severity: Normal CC: benjamin, bfulgham, cdumez, cmarcelo, commit-queue, dbates, ews-watchlist, rmorisset, ryanhaddad, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Mac   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=202575
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
bfulgham: review+
Patch
commit-queue: commit-queue-
Patch none

Per Arne Vollan
Reported 2019-09-14 08:00:33 PDT
The commit <https://trac.webkit.org/changeset/249649> introduced a MiniBrowser regression on macOS where MiniBrowser is not able to open local files. The change set r249649 fixed a problem where the WebContent process PID was not ready to be used when creating a sandbox extension. This happened in the cases where the WebContent process had not finished launching when the load started. The WebContent process is also creating sandbox extensions for the Networking process for the files being loaded, and also needs to be passing the PID of the Networking process when creating these.
Attachments
Patch (14.22 KB, patch)
2019-09-14 08:19 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (14.42 KB, patch)
2019-09-14 08:49 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (17.66 KB, patch)
2019-09-18 06:24 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (17.80 KB, patch)
2019-09-18 14:36 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (28.10 KB, patch)
2019-10-02 14:27 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (28.35 KB, patch)
2019-10-02 14:41 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (28.40 KB, patch)
2019-10-02 15:01 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (30.27 KB, patch)
2019-10-02 16:31 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (30.28 KB, patch)
2019-10-03 09:18 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (30.29 KB, patch)
2019-10-03 10:17 PDT, Per Arne Vollan 		bfulgham: review+
DetailsFormatted DiffDiff
Patch (30.29 KB, patch)
2019-10-03 12:18 PDT, Per Arne Vollan 		commit-queue: commit-queue-
DetailsFormatted DiffDiff
Patch (30.28 KB, patch)
2019-10-03 12:29 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (10) View All Add attachment proposed patch, testcase, etc.
Per Arne Vollan
Comment 1 2019-09-14 08:19:31 PDT
Created attachment 378797 [details] Patch
Per Arne Vollan
Comment 2 2019-09-14 08:49:51 PDT
Created attachment 378798 [details] Patch
Sam Weinig
Comment 3 2019-09-15 17:08:06 PDT
As I mentioned in the previous bug, this really should not be using a pid, as they are prone to re-use attacks, and instead should be using audit_token_t. Any reason this can't be unit tested?
Brent Fulgham
Comment 4 2019-09-16 10:21:05 PDT
Comment on attachment 378798 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=378798&action=review r=me. Let's get this integrated since this could impact clients on our new release. > Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp:74 > +#endif Is MiniBrowser the only client for this? Or might you be fixing bugs in other applications we just haven't seen yet?
Brent Fulgham
Comment 5 2019-09-16 10:21:48 PDT
(In reply to Sam Weinig from comment #3) > As I mentioned in the previous bug, this really should not be using a pid, > as they are prone to re-use attacks, and instead should be using > audit_token_t. > > Any reason this can't be unit tested? Per Arne: This is a great point. After you land this regression fix, can you spin up a task to switch the pid-based stuff over to audit tokens instead?
Per Arne Vollan
Comment 6 2019-09-16 11:20:23 PDT
(In reply to Sam Weinig from comment #3) > As I mentioned in the previous bug, this really should not be using a pid, > as they are prone to re-use attacks, and instead should be using > audit_token_t. > > Any reason this can't be unit tested? That's a good point. I will file a bug to start using audit tokens instead of PIDs, and add an API test. Thanks for reviewing!
Per Arne Vollan
Comment 7 2019-09-16 11:22:53 PDT
(In reply to Brent Fulgham from comment #4) > Comment on attachment 378798 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=378798&action=review > > r=me. Let's get this integrated since this could impact clients on our new > release. > > > Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp:74 > > +#endif > > Is MiniBrowser the only client for this? Or might you be fixing bugs in > other applications we just haven't seen yet? As you suggest, I think this bug can affect other applications in addition to MiniBrowser. Thanks for reviewing!
Per Arne Vollan
Comment 8 2019-09-16 11:28:45 PDT
(In reply to Brent Fulgham from comment #5) > (In reply to Sam Weinig from comment #3) > > As I mentioned in the previous bug, this really should not be using a pid, > > as they are prone to re-use attacks, and instead should be using > > audit_token_t. > > > > Any reason this can't be unit tested? > > Per Arne: This is a great point. After you land this regression fix, can you > spin up a task to switch the pid-based stuff over to audit tokens instead? Filed https://bugs.webkit.org/show_bug.cgi?id=201828.
Sam Weinig
Comment 9 2019-09-16 11:29:42 PDT
Wait, why the r+ without a test? Especially since this was a regression, this needs to be tested.
WebKit Commit Bot
Comment 10 2019-09-16 12:15:57 PDT
Comment on attachment 378798 [details] Patch Clearing flags on attachment: 378798 Committed r249910: <https://trac.webkit.org/changeset/249910>
WebKit Commit Bot
Comment 11 2019-09-16 12:15:59 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 12 2019-09-16 12:16:18 PDT
<rdar://problem/55409379>
Ryan Haddad
Comment 13 2019-09-16 23:24:34 PDT
Reverted r249910 for reason: Caused layout test failures and timeouts on Catalina Committed r249942: <https://trac.webkit.org/changeset/249942>
Ryan Haddad
Comment 14 2019-09-16 23:26:54 PDT
(In reply to Ryan Haddad from comment #13) > Reverted r249910 for reason: > > Caused layout test failures and timeouts on Catalina > > Committed r249942: <https://trac.webkit.org/changeset/249942> Details in radar.
Per Arne Vollan
Comment 15 2019-09-18 06:24:31 PDT
Created attachment 379034 [details] Patch
Per Arne Vollan
Comment 16 2019-09-18 06:25:50 PDT
(In reply to Per Arne Vollan from comment #15) > Created attachment 379034 [details] > Patch Updated patch to add API test and fix layout test failures. Rewriting this to use audit tokens instead of PIDs will come in a follow up patch.
Per Arne Vollan
Comment 17 2019-09-18 14:36:13 PDT
Created attachment 379074 [details] Patch
Per Arne Vollan
Comment 18 2019-10-02 14:27:43 PDT
Created attachment 380060 [details] Patch
Per Arne Vollan
Comment 19 2019-10-02 14:41:42 PDT
Created attachment 380061 [details] Patch
Per Arne Vollan
Comment 20 2019-10-02 15:01:40 PDT
Created attachment 380062 [details] Patch
Brent Fulgham
Comment 21 2019-10-02 15:11:00 PDT
Comment on attachment 380062 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380062&action=review > Source/WebKit/ChangeLog:3 > + REGRESSION(249649): Unable to open local files in MiniBrowser on macOS Is this really a fix for the regression? I thought this was about adopting Audit Tokens? > Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp:69 > +#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID) Does this use PID if we can't use Audit Tokens? If not, I think we should rename the macro to SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN > Source/WebKit/Shared/SandboxExtension.h:52 > + ReadByProcess Looks like we don't use PID -- so I think we do need to rename the macro. > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:46 > + std::unique_ptr<SandboxExtensionImpl> impl { new SandboxExtensionImpl(path, type, process) }; I suggest we call these parameters "processToken" or "auditToken". We use process in a lot of places to represent our own concept of a process abstraction.
Sam Weinig
Comment 22 2019-10-02 15:23:38 PDT
Comment on attachment 380062 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380062&action=review > Source/WebKit/Platform/IPC/ArgumentCoders.cpp:191 > +#if OS(DARWIN) This should be a more specific conditional. e.g. HAVE(AUDIT_TOKEN)
Per Arne Vollan
Comment 23 2019-10-02 15:41:06 PDT
(In reply to Brent Fulgham from comment #21) > Comment on attachment 380062 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=380062&action=review > > > Source/WebKit/ChangeLog:3 > > + REGRESSION(249649): Unable to open local files in MiniBrowser on macOS > > Is this really a fix for the regression? I thought this was about adopting > Audit Tokens? > Originally, this was just about fixing the regression using PIDs, but now it is both a regression fix, and a fix to adopt audit tokens. > > Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp:69 > > +#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID) > > Does this use PID if we can't use Audit Tokens? If not, I think we should > rename the macro to SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN > It does not use PIDs in case we can't use Audit Token. I will use SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN instead. > > Source/WebKit/Shared/SandboxExtension.h:52 > > + ReadByProcess > > Looks like we don't use PID -- so I think we do need to rename the macro. > > > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:46 > > + std::unique_ptr<SandboxExtensionImpl> impl { new SandboxExtensionImpl(path, type, process) }; > > I suggest we call these parameters "processToken" or "auditToken". We use > process in a lot of places to represent our own concept of a process > abstraction. Will do. Thanks for reviewing!
Per Arne Vollan
Comment 24 2019-10-02 15:41:39 PDT
(In reply to Sam Weinig from comment #22) > Comment on attachment 380062 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=380062&action=review > > > Source/WebKit/Platform/IPC/ArgumentCoders.cpp:191 > > +#if OS(DARWIN) > > This should be a more specific conditional. e.g. HAVE(AUDIT_TOKEN) Will fix. Thanks for reviewing!
Sam Weinig
Comment 25 2019-10-02 16:03:11 PDT
Comment on attachment 380062 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380062&action=review > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:126 > + SandboxExtensionImpl(const char* path, SandboxExtension::Type type, Optional<Variant<pid_t, audit_token_t>> process) Why is this a variant? A pid should never be used.
Per Arne Vollan
Comment 26 2019-10-02 16:31:14 PDT
Created attachment 380069 [details] Patch
Per Arne Vollan
Comment 27 2019-10-02 16:33:31 PDT
(In reply to Sam Weinig from comment #25) > Comment on attachment 380062 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=380062&action=review > > > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:126 > > + SandboxExtensionImpl(const char* path, SandboxExtension::Type type, Optional<Variant<pid_t, audit_token_t>> process) > > Why is this a variant? A pid should never be used. This patch only partially adopt audit tokens. When the UI process is creating extensions for the WebContent process, PIDs are still used, but I will rewrite this to use audit tokens in a follow-up patch coming soon. We can then remove the variant.
Per Arne Vollan
Comment 28 2019-10-03 09:18:06 PDT
Created attachment 380120 [details] Patch
Per Arne Vollan
Comment 29 2019-10-03 10:17:50 PDT
Created attachment 380128 [details] Patch
Brent Fulgham
Comment 30 2019-10-03 11:19:20 PDT
Comment on attachment 380128 [details] Patch This seems reasonable. Can you also file a bug to convert the other PID-based code to use Audit Tokens?
Per Arne Vollan
Comment 31 2019-10-03 12:18:43 PDT
Created attachment 380152 [details] Patch
Per Arne Vollan
Comment 32 2019-10-03 12:21:18 PDT
(In reply to Brent Fulgham from comment #30) > Comment on attachment 380128 [details] > Patch > > This seems reasonable. Can you also file a bug to convert the other > PID-based code to use Audit Tokens? Filed https://bugs.webkit.org/show_bug.cgi?id=202540. Thanks for reviewing!
WebKit Commit Bot
Comment 33 2019-10-03 12:26:35 PDT
Comment on attachment 380152 [details] Patch Rejecting attachment 380152 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'validate-changelog', '--check-oops', '--non-interactive', 380152, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit NOBODY Brent Fulgham found in /Volumes/Data/EWS/WebKit/Source/WebKit/ChangeLog does not appear to be a valid reviewer according to contributors.json. /Volumes/Data/EWS/WebKit/Source/WebKit/ChangeLog neither lists a valid reviewer nor contains the string "Unreviewed" or "Rubber stamp" (case insensitive). Full output: https://webkit-queues.webkit.org/results/13091824
Per Arne Vollan
Comment 34 2019-10-03 12:29:35 PDT
Created attachment 380153 [details] Patch
WebKit Commit Bot
Comment 35 2019-10-03 13:08:31 PDT
Comment on attachment 380153 [details] Patch Clearing flags on attachment: 380153 Committed r250673: <https://trac.webkit.org/changeset/250673>
Note You need to log in before you can comment on or make changes to this bug.