RESOLVED FIXED 170616
Use audit_token_t instead of pid_t for checking sandbox of other processes 
https://bugs.webkit.org/show_bug.cgi?id=170616
Summary Use audit_token_t instead of pid_t for checking sandbox of other processes
Alex Christensen
Reported Friday, April 7, 2017 10:19:24 PM UTC
Use audit_token_t instead of pid_t for checking sandbox of other processes
Attachments
Patch (9.19 KB, patch)
2017-04-07 14:25 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (9.26 KB, patch)
2017-04-07 15:42 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (9.22 KB, patch)
2017-04-07 15:44 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (9.16 KB, patch)
2017-04-07 16:17 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 Friday, April 7, 2017 10:25:03 PM UTC
Created attachment 306534 [details] Patch
Daniel Bates
Comment 2 Friday, April 7, 2017 11:05:51 PM UTC
Comment on attachment 306534 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=306534&action=review > Source/WTF/wtf/spi/darwin/SandboxSPI.h:47 > +int sandbox_check_by_audit_token(audit_token_t, const char *operation, enum sandbox_filter_type, ...); For some reason I seem to recall that this SPI was not available on some version of macOS that we cared to support at least six months ago. Is this SPI available on all the versions of macOS that we care to support?
Alex Christensen
Comment 3 Friday, April 7, 2017 11:39:30 PM UTC
Comment on attachment 306534 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=306534&action=review >> Source/WTF/wtf/spi/darwin/SandboxSPI.h:47 >> +int sandbox_check_by_audit_token(audit_token_t, const char *operation, enum sandbox_filter_type, ...); > > For some reason I seem to recall that this SPI was not available on some version of macOS that we cared to support at least six months ago. Is this SPI available on all the versions of macOS that we care to support? I find its existence all the way back to Yosemite.
Alex Christensen
Comment 4 Friday, April 7, 2017 11:42:27 PM UTC
Created attachment 306542 [details] Patch
Alex Christensen
Comment 5 Friday, April 7, 2017 11:44:04 PM UTC
Created attachment 306543 [details] Patch
Daniel Bates
Comment 6 Friday, April 7, 2017 11:54:15 PM UTC
(In reply to Alex Christensen from comment #3) > Comment on attachment 306534 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=306534&action=review > > >> Source/WTF/wtf/spi/darwin/SandboxSPI.h:47 > >> +int sandbox_check_by_audit_token(audit_token_t, const char *operation, enum sandbox_filter_type, ...); > > > > For some reason I seem to recall that this SPI was not available on some version of macOS that we cared to support at least six months ago. Is this SPI available on all the versions of macOS that we care to support? > > I find its existence all the way back to Yosemite. Cool. We do not support Yosemite anymore.
Daniel Bates
Comment 7 Friday, April 7, 2017 11:59:33 PM UTC
Comment on attachment 306543 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=306543&action=review > Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm:625 > + RELEASE_ASSERT(currentProcessIsSandboxed()); We will never hit this assertion. Should we still ensure our parent process is sandboxed?
Daniel Bates
Comment 8 Saturday, April 8, 2017 12:01:14 AM UTC
(In reply to Daniel Bates from comment #7) > Comment on attachment 306543 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=306543&action=review > > > Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm:625 > > + RELEASE_ASSERT(currentProcessIsSandboxed()); > > We will never hit this assertion. I mean, this assertion is always guaranteed to be satisfied because we only execute it when currentProcessIsSandboxed() evaluates to true.
Alex Christensen
Comment 9 Saturday, April 8, 2017 12:03:21 AM UTC
Comment on attachment 306543 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=306543&action=review >>> Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm:625 >>> + RELEASE_ASSERT(currentProcessIsSandboxed()); >> >> We will never hit this assertion. Should we still ensure our parent process is sandboxed? > > I mean, this assertion is always guaranteed to be satisfied because we only execute it when currentProcessIsSandboxed() evaluates to true. oh, the assertion used to be asserting that the parent process was sandboxed with getppid, not the current process with getpid. Gotta be careful! I'll fix this.
Alex Christensen
Comment 10 Saturday, April 8, 2017 12:14:42 AM UTC
There's no connection in this case. I'm going to just remove the assertion since there's no good way to assert about the parent process without a connection and without using a possibly-reused pid.
Alex Christensen
Comment 11 Saturday, April 8, 2017 12:17:30 AM UTC
Created attachment 306547 [details] Patch
Daniel Bates
Comment 12 Saturday, April 8, 2017 12:23:38 AM UTC
<rdar://problem/31158189>
WebKit Commit Bot
Comment 13 Saturday, April 8, 2017 1:25:01 AM UTC
Comment on attachment 306547 [details] Patch Clearing flags on attachment: 306547 Committed r215132: <http://trac.webkit.org/changeset/215132>
WebKit Commit Bot
Comment 14 Saturday, April 8, 2017 1:25:04 AM UTC
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.