RESOLVED FIXED 165818
[Mac][WK2] Tighten Keychain directory access
https://bugs.webkit.org/show_bug.cgi?id=165818
Brent Fulgham
Reported 2016-12-13 12:48:41 PST
The existing Sandbox rules for the various WebKit processes are overly permissive. We should tighten them down to just the handful of operations we really need: We should limit our access to: file-read-data, file-read-metadata, and file-write-data. We should also deny access to newer keychains (with UUID-based names) since those are not meant to be used by user processes.
Attachments
Patch (10.92 KB, patch)
2016-12-13 12:51 PST, Brent Fulgham
andersca: review+
Brent Fulgham
Comment 1 2016-12-13 12:49:21 PST
Brent Fulgham
Comment 2 2016-12-13 12:51:53 PST
Blaze Burg
Comment 3 2016-12-13 13:58:45 PST
Comment on attachment 297036
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=297036&action=review

> Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:41
> +;;; UUID of the form: XXXXXXXX-XXXX-XXXX--XXXX-XXXXXXXXXXXX

All of this profile text is going to get embedded in the binary. Should it?

> Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:78
> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8

Ditto.

> Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:48
> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8

Ditto.
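Review bot: The UUID form in the comment at com.apple.WebKit.NetworkProcess.sb.in:41 has a doubled hyphen between the third and fourth groups ("XXXX--XXXX"), which does not match the 8-4-4-4-12 layout described in the other two profiles. If the comment is kept in any form, write it with single hyphens so nobody derives a pattern from it that fails to match the UUID-named keychains the rule is meant to deny.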
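Review bot: In the comments at com.apple.WebKit.plugin-common.sb.in:78 and com.apple.WebProcess.sb.in:48, "length(X) = 8" conflicts with the rest of the same line, where X is the single character class "[0-9A-F]" and the groups are 8, 4, 4, 4 and 12 characters long. Drop the length clause or reword it so that "8X" clearly means eight repetitions of X. The class shown is uppercase only; if lowercase hex names are deliberately left unmatched, the comment should say so.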
Brent Fulgham
Comment 4 2016-12-13 14:51:08 PST
Comment on attachment 297036
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=297036&action=review

>> Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:41
>> +;;; UUID of the form: XXXXXXXX-XXXX-XXXX--XXXX-XXXXXXXXXXXX
>
> All of this profile text is going to get embedded in the binary. Should it?

That's okay -- I'll pull it out.

>> Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:78
>> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8
>
> Ditto.

Ditto.

>> Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:48
>> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8
>
> Ditto.

Ditto.
Brent Fulgham
Comment 5 2016-12-13 14:57:02 PST
Brent Fulgham
Comment 6 2016-12-14 09:01:58 PST
This change broke the Keygen element (e.g., http/tests/misc/submit-post-keygen.html). WebProcess needs the file-write-create permission for the Keychains directory.
Brent Fulgham
Comment 7 2016-12-14 09:18:49 PST
Brent Fulgham
Comment 8 2016-12-14 10:29:07 PST
Please note, three changes are needed to integrate this sandbox change:
Committed r209779: <http://trac.webkit.org/changeset/209779>
Committed r209806: <http://trac.webkit.org/changeset/209806>
Committed r209814: <http://trac.webkit.org/changeset/209814>