Part of our security improvements involves better isolation between the different WebKit processes (UIProcess, WebContent, Networking, Storage, etc.).
We need an assertion language we can use to protect certain critical APIs and code paths against accidental misuse.
This patch adds a new enum type meant to represent different categories of program logic that we do not want used in the wrong process.
Initially, this consists of the following:
1. None -- this process cannot use any specially privileged operations.
2. CanAccessRawCookies -- this protects access to the system cookie store. The WebContent process should only ever have cookies as filtered and meted out by the NetworkProcess.
3. CanAccessCredentials -- access to the system security credentials and keychain should not be allowed in the WebContent process.
4. CanCommunicateWithWindowServer -- WindowServer access (on macOS) should never be allowed in the WebContent process. Other platforms may have similar powerful APIs that need protection as well.
5. All -- This process may use all privileged operations. This should really only be present in the UIProcess.
This first patch just creates these types and makes them available. New assertions using these values will be added as we complete our work ensuring proper process isolation.
In a method we want to protect, we can add an assertion describing the process privileges needed to execute the code:
For example, for cookie access we might use this:
At the launch of the UIProcess we would use this method to ensure all privileges are available:
In the network process, during platform initialization, we would use something like this:
WTF::setProcessPrivileges(WTF::ProcessPrivilege::CanAccessRawCookies | WTF::ProcessPrivilege::CanAccessCredentials);
In the WebContent process, we would not set any privileges. We could just leave it as the default initialization, or use this:
Later, when we attempt to execute the initial code, we would expect an assertion for the WebContent process, while the Network and UIProcess pass the assertion.
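The privilege model sketched in the description above, worked through as an added example; this is not code from the bug report or from WebKit's ProcessPrivilege.h. It uses an OptionSet-style wrapper rather than the raw unsigned bitmap of the first patch, and the names that are not in the patch (the OptionSet stand-in, ProcessPrivilegeState, Outcome, assertProcessPrivilege, readRawCookieStore, openWindowServerConnection, makeUIProcess and friends) are assumptions made for the example. Each guarded call returns an Outcome so the failing case can be inspected; in WebKit that branch would be a release assertion.

```cpp
// Added example, not WebKit code: a self-contained model of the process
// privilege bitmap. Names not in the patch are assumptions for the example.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// One bit per privilege. "None" is the empty set and "All" the union of all bits.
enum class ProcessPrivilege : std::uint8_t {
    CanAccessRawCookies            = 1 << 0,
    CanAccessCredentials           = 1 << 1,
    CanCommunicateWithWindowServer = 1 << 2,
};

// Minimal stand-in for WTF::OptionSet<T>: a set of enum bits that cannot be
// built from an arbitrary integer, unlike a bare "unsigned" bitmap.
template<typename E>
class OptionSet {
public:
    OptionSet() = default;
    OptionSet(E value) : m_bits(static_cast<std::uint8_t>(value)) {}
    OptionSet(std::initializer_list<E> values)
    {
        for (E value : values)
            m_bits |= static_cast<std::uint8_t>(value);
    }
    bool contains(E value) const { return (m_bits & static_cast<std::uint8_t>(value)) != 0; }
    bool isEmpty() const { return m_bits == 0; }
    OptionSet operator|(OptionSet other) const
    {
        OptionSet result;
        result.m_bits = m_bits | other.m_bits;
        return result;
    }
private:
    std::uint8_t m_bits = 0;
};

OptionSet<ProcessPrivilege> noPrivileges() { return {}; }
OptionSet<ProcessPrivilege> allPrivileges()
{
    return { ProcessPrivilege::CanAccessRawCookies,
             ProcessPrivilege::CanAccessCredentials,
             ProcessPrivilege::CanCommunicateWithWindowServer };
}

// In WebKit the privilege set is process-global and assigned once during
// platform initialization; it is an object here so one program can model
// the three processes side by side. The default is "no privileges".
class ProcessPrivilegeState {
public:
    void setProcessPrivileges(OptionSet<ProcessPrivilege> privileges) { m_privileges = privileges; }
    bool hasProcessPrivilege(ProcessPrivilege privilege) const { return m_privileges.contains(privilege); }
private:
    OptionSet<ProcessPrivilege> m_privileges;
};

// Result of a guarded call; in WebKit the failing branch would be a release assertion.
enum class Outcome { Allowed, AssertionFailed };

Outcome assertProcessPrivilege(const ProcessPrivilegeState& process, ProcessPrivilege privilege, const char* what)
{
    if (process.hasProcessPrivilege(privilege))
        return Outcome::Allowed;
    std::fprintf(stderr, "ASSERTION FAILED: %s called in a process without the required privilege\n", what);
    return Outcome::AssertionFailed;
}

// Two critical code paths protected by privilege assertions.
Outcome readRawCookieStore(const ProcessPrivilegeState& process)
{
    Outcome outcome = assertProcessPrivilege(process, ProcessPrivilege::CanAccessRawCookies, "readRawCookieStore");
    if (outcome != Outcome::Allowed)
        return outcome;
    // ... the platform cookie store would be read here ...
    return Outcome::Allowed;
}

Outcome openWindowServerConnection(const ProcessPrivilegeState& process)
{
    Outcome outcome = assertProcessPrivilege(process, ProcessPrivilege::CanCommunicateWithWindowServer, "openWindowServerConnection");
    if (outcome != Outcome::Allowed)
        return outcome;
    // ... the WindowServer connection would be opened here ...
    return Outcome::Allowed;
}

// The three configurations from the description: All, cookies+credentials, None.
ProcessPrivilegeState makeUIProcess()
{
    ProcessPrivilegeState process;
    process.setProcessPrivileges(allPrivileges());
    return process;
}

ProcessPrivilegeState makeNetworkProcess()
{
    ProcessPrivilegeState process;
    process.setProcessPrivileges(OptionSet<ProcessPrivilege>(ProcessPrivilege::CanAccessRawCookies) | ProcessPrivilege::CanAccessCredentials);
    return process;
}

ProcessPrivilegeState makeWebContentProcess()
{
    ProcessPrivilegeState process;
    process.setProcessPrivileges(noPrivileges());
    return process;
}

int main()
{
    const char* names[] = { "UIProcess", "NetworkProcess", "WebContentProcess" };
    ProcessPrivilegeState processes[] = { makeUIProcess(), makeNetworkProcess(), makeWebContentProcess() };
    for (int i = 0; i < 3; ++i) {
        std::printf("%s: raw cookies %s, WindowServer %s\n", names[i],
            readRawCookieStore(processes[i]) == Outcome::Allowed ? "allowed" : "asserted",
            openWindowServerConnection(processes[i]) == Outcome::Allowed ? "allowed" : "asserted");
    }
    return 0;
}
```

Running it shows the UIProcess passing both checks, the Network process passing the cookie check but not the WindowServer one, and the WebContent process failing both. Note that the check is what the description says it is, a guard against accidental misuse: any code in the process could call setProcessPrivileges again, so the sandbox, not this bitmap, is what actually denies a compromised WebContent process access to the cookie store or the WindowServer.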
Created attachment 336178
Comment on attachment 336178
View in context: https://bugs.webkit.org/attachment.cgi?id=336178&action=review
r=me with the use of OptionSet.
> +WTF_EXPORT void setProcessPrivileges(unsigned /* bitmap of privileges */);
> +WTF_EXPORT bool hasProcessPrivilege(ProcessPrivilege);
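Review bot: with setProcessPrivileges taking an unsigned bitmap, the All and None values from the description only behave correctly if All is defined as the OR of every individual privilege and None as 0; otherwise hasProcessPrivilege(CanAccessRawCookies) in a UIProcess initialized with All returns false. An OptionSet<ProcessPrivilege> makes that explicit (All becomes the full set, None the empty set). Also, nothing in these two declarations stops a later call to setProcessPrivileges from widening the set after startup; since the goal is an assertion against accidental misuse, consider asserting that it is called only once during process initialization, and documenting that it is not a security boundary.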
Please use OptionSet<ProcessPrivilege>.
(In reply to Ryosuke Niwa from comment #4)
> Comment on attachment 336178
> View in context:
> r=me with the use of OptionSet.
> > Source/WTF/wtf/ProcessPrivilege.h:39
> > +WTF_EXPORT void setProcessPrivileges(unsigned /* bitmap of privileges */);
> > +WTF_EXPORT bool hasProcessPrivilege(ProcessPrivilege);
> Please use OptionSet<ProcessPrivilege>.
Committed r229845: <https://trac.webkit.org/changeset/229845>