WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED WONTFIX
143004
[Seccomp] Web process has too much access to /run/user
https://bugs.webkit.org/show_bug.cgi?id=143004
Summary
[Seccomp] Web process has too much access to /run/user
Michael Catanzaro
Reported
2015-03-24 07:53:38 PDT
We grant access to all of /run/user/1000/ (where 1000 is my UID), which is needed for at-spi2 since it puts folders with random-looking names. But there are sockets there for gnome-keyring, dconf, and gvfs that the web process really should not be able to touch. Possible solutions: * Support globs, so that we can more precisely whitelist /run/user/1000/at-spi2-* instead. * Even then, I imagine the web process can do bad things to other apps with that permission... can it be used to inspect or control other processes? It would be nicest if at-spi2 created a more predictable directory name so that we could limit the web process.
Attachments
Add attachment
proposed patch, testcase, etc.
Michael Catanzaro
Comment 1
2015-03-24 07:59:31 PDT
Hey Joanie, I think you're the expert here. The security model is that the web process has been compromised and running attacker-controlled code, and is trying to access the user's personal files, so ideally it would not be able to have any more access in /run/user/uid than it really needs. I can just imagine it using the at-spi2 socket to control nautilus or something; is that possible?
Joanmarie Diggs
Comment 2
2015-03-24 08:06:53 PDT
Adding Piñeiro.
Michael Catanzaro
Comment 3
2015-09-15 08:56:37 PDT
Talked with AP. Indeed, the at-spi2 socket is a total sandbox escape: it can be used to inspect the accessibility tree of arbitrary applications, send them keyboard input, etc. We can't allow access to it. Also we can't block it, since that breaks a11y. A design change will be required. It should be considered in tandem with the problem of supporting a11y under Wayland.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug