WebKit Bugzilla
RESOLVED FIXED
175857
Relax keychain access to permit users to permanently allow client certificates
https://bugs.webkit.org/show_bug.cgi?id=175857
Brent Fulgham
Reported
2017-08-22 16:14:30 PDT
When I hardened keychain access in Bug 165818, it had the unintended side effect of making it difficult to permanently allow use of a certificate. This happened because the network process is no longer allowed to create a new keychain file when it needs to, forcing the user to approve it every time. This change relaxes this restriction so that we can create the certificate file as needed.
Attachments
Patch (2.15 KB, patch), 2017-08-22 16:16 PDT, Brent Fulgham, no flags
Archive of layout-test-results from ews105 for mac-elcapitan-wk2 (508.23 KB, application/zip), 2017-08-22 16:47 PDT, Build Bot, no flags
Patch (2.11 KB, patch), 2017-08-22 17:12 PDT, Brent Fulgham, no flags
Patch (2.24 KB, patch), 2017-09-05 16:01 PDT, Brent Fulgham, no flags
Brent Fulgham
Comment 1
2017-08-22 16:16:31 PDT
Created attachment 318819: Patch
Build Bot
Comment 2
2017-08-22 16:47:25 PDT
Comment on attachment 318819: Patch
Attachment 318819 did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/4364520
Number of test failures exceeded the failure limit.
Build Bot
Comment 3
2017-08-22 16:47:27 PDT
Created attachment 318825: Archive of layout-test-results from ews105 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Brent Fulgham
Comment 4
2017-08-22 17:12:59 PDT
Created attachment 318828: Patch
WebKit Commit Bot
Comment 5
2017-08-22 18:05:25 PDT
Comment on attachment 318828: Patch
Clearing flags on attachment: 318828
Committed r221061: <http://trac.webkit.org/changeset/221061>
WebKit Commit Bot
Comment 6
2017-08-22 18:05:27 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7
2017-08-22 18:06:20 PDT
<rdar://problem/34026380>
Brent Fulgham
Comment 8
2017-08-23 08:20:33 PDT
This is actually <rdar://problem/32293867>.
Brent Fulgham
Comment 9
2017-09-05 15:45:16 PDT
We still get a sandbox violation, because the file-mode is not allowed. Revising the patch.
Brent Fulgham
Comment 10
2017-09-05 16:01:26 PDT
Created attachment 319948: Patch
Alex Christensen
Comment 11
2017-09-05 16:07:30 PDT
Comment on attachment 319948: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=319948&action=review
> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:168 > -(allow file-read-data file-read-metadata file-write-create file-write-data > +(allow file-read-data file-read-metadata file-write*
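Review bot: The `file-write*` wildcard on the `+` line replaces two named operations (`file-write-create`, `file-write-data`) with every write operation the rule's filters match, and nothing in the quoted lines marks the widening as temporary. Suggest a profile comment directly above the `(allow ...` line that references this bug and states that the grant should go back to a named list of operations once the set the keychain code needs is known, so the relaxation is easy to find and narrow later.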
Wouldn't it be better to just expand the list rather than just giving it a wildcard?
Brent Fulgham
Comment 12
2017-09-05 16:09:00 PDT
Comment on attachment 319948: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=319948&action=review
>> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:168 >> +(allow file-read-data file-read-metadata file-write* > > Wouldn't it be better to just expand the list rather than just giving it a wildcard?
I started off with that approach, but the Keychain framework really wanted access to every file operation. We'll re-tighten this soon when we fix the underlying Keychain access issue.
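The wildcard-versus-list question in comments 11 and 12 can be checked mechanically when auditing a profile. The following is an added example, not code from WebKit or from the patch: a small Python audit that parses sandbox profile text and reports every `allow` rule granting a wildcard operation. The path filter in the sample rules is a constructed placeholder; only the operation lists come from the quoted diff.

```python
import re

# Constructed sample rules: the operation lists are the "-" and "+" lines quoted
# in the review; the path filter is a placeholder, not the profile's real one.
BEFORE = '''(allow file-read-data file-read-metadata file-write-create file-write-data
    (subpath "/placeholder/keychain/dir"))'''
AFTER = '''(allow file-read-data file-read-metadata file-write*
    (subpath "/placeholder/keychain/dir"))'''

# Quoted strings, ';' comments, parentheses, then bare atoms.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|;[^\n]*|[()]|[^\s()";]+')

def parse(text):
    """Parse profile text into nested lists, dropping comments."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok.startswith(';'):
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError('unbalanced ")"')
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError('unclosed "("')
    return stack[0]

def wildcard_grants(text):
    """Return (operation, filters) for every wildcard operation in an allow rule."""
    found = []
    def walk(node):
        if not isinstance(node, list):
            return
        if node and node[0] == 'allow':
            filters = [t for t in node[1:] if isinstance(t, list)]
            found.extend((t, filters) for t in node[1:]
                         if isinstance(t, str) and t.endswith('*'))
        for child in node:
            walk(child)
    walk(parse(text))
    return found

if __name__ == '__main__':
    for name, rule in (('before', BEFORE), ('after', AFTER)):
        print(name, wildcard_grants(rule))
```

Run over a full profile, the report lists each wildcard grant with its filters, which gives a reviewer the set of rules to revisit when the grant is tightened again.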
WebKit Commit Bot
Comment 13
2017-09-05 16:37:02 PDT
Comment on attachment 319948: Patch
Clearing flags on attachment: 319948
Committed r221647: <http://trac.webkit.org/changeset/221647>
WebKit Commit Bot
Comment 14
2017-09-05 16:37:04 PDT
All reviewed patches have been landed. Closing bug.