Bug 175857 - Relax keychain access to permit users to permanently allow client certificates
Summary: Relax keychain access to permit users to permanently allow client certificates
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Major
Assignee: Brent Fulgham
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-08-22 16:14 PDT by Brent Fulgham
Modified: 2017-09-05 16:37 PDT (History)
10 users (show)

See Also:


Attachments
Patch (2.15 KB, patch)
2017-08-22 16:16 PDT, Brent Fulgham
no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews105 for mac-elcapitan-wk2 (508.23 KB, application/zip)
2017-08-22 16:47 PDT, Build Bot
no flags Details
Patch (2.11 KB, patch)
2017-08-22 17:12 PDT, Brent Fulgham
no flags Details | Formatted Diff | Diff
Patch (2.24 KB, patch)
2017-09-05 16:01 PDT, Brent Fulgham
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Brent Fulgham 2017-08-22 16:14:30 PDT
When I hardened keychain access in Bug 165818, it had the unintended side effect of making it difficult to permanently allow use of a certificate. This happened because the network process is no longer allowed to create a new keychain file when it needs to, forcing the user to approve it every time.

This change relaxes this restriction so that we can create the certificate file as needed.
Comment 1 Brent Fulgham 2017-08-22 16:16:31 PDT
Created attachment 318819 [details]
Patch
Comment 2 Build Bot 2017-08-22 16:47:25 PDT
Comment on attachment 318819 [details]
Patch

Attachment 318819 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/4364520

Number of test failures exceeded the failure limit.
Comment 3 Build Bot 2017-08-22 16:47:27 PDT
Created attachment 318825 [details]
Archive of layout-test-results from ews105 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 4 Brent Fulgham 2017-08-22 17:12:59 PDT
Created attachment 318828 [details]
Patch
Comment 5 WebKit Commit Bot 2017-08-22 18:05:25 PDT
Comment on attachment 318828 [details]
Patch

Clearing flags on attachment: 318828

Committed r221061: <http://trac.webkit.org/changeset/221061>
Comment 6 WebKit Commit Bot 2017-08-22 18:05:27 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2017-08-22 18:06:20 PDT
<rdar://problem/34026380>
Comment 8 Brent Fulgham 2017-08-23 08:20:33 PDT
This is actually <rdar://problem/32293867>.
Comment 9 Brent Fulgham 2017-09-05 15:45:16 PDT
We still get a sandbox violation, because the file-mode is not allowed. Revising the patch.
Comment 10 Brent Fulgham 2017-09-05 16:01:26 PDT
Created attachment 319948 [details]
Patch
Comment 11 Alex Christensen 2017-09-05 16:07:30 PDT
Comment on attachment 319948 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=319948&action=review

> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:168
> -(allow file-read-data file-read-metadata file-write-create file-write-data
> +(allow file-read-data file-read-metadata file-write*

Wouldn't it be better to just expand the list rather than just giving it a wildcard?
Comment 12 Brent Fulgham 2017-09-05 16:09:00 PDT
Comment on attachment 319948 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=319948&action=review

>> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:168
>> +(allow file-read-data file-read-metadata file-write*
> 
> Wouldn't it be better to just expand the list rather than just giving it a wildcard?

I started off with that approach, but the Keychain framework really wanted access to every file operation. We'll re-tighten this soon when we fix the underlying Keychain access issue.
Comment 13 WebKit Commit Bot 2017-09-05 16:37:02 PDT
Comment on attachment 319948 [details]
Patch

Clearing flags on attachment: 319948

Committed r221647: <http://trac.webkit.org/changeset/221647>
Comment 14 WebKit Commit Bot 2017-09-05 16:37:04 PDT
All reviewed patches have been landed.  Closing bug.