RESOLVED FIXED 184214
Guard against keychain/certificate access outside the network process 
https://bugs.webkit.org/show_bug.cgi?id=184214
Summary Guard against keychain/certificate access outside the network process
Brent Fulgham
Reported 2018-03-31 18:25:48 PDT
Use the ProcessPrivilege assertions to guard against accessing keychain/certificate methods outside of the NetworkProcess.
Attachments
Patch (9.80 KB, patch)
2018-03-31 18:51 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (11.64 KB, patch)
2018-03-31 19:37 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (12.02 KB, patch)
2018-03-31 20:27 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (12.13 KB, patch)
2018-04-02 14:26 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews104 for mac-sierra-wk2 (1.10 MB, application/zip)
2018-04-02 15:32 PDT, EWS Watchlist 		no flags
Details
Archive of layout-test-results from ews121 for ios-simulator-wk2 (784.81 KB, application/zip)
2018-04-02 15:48 PDT, EWS Watchlist 		no flags
Details
Patch (10.46 KB, patch)
2018-04-02 17:00 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (15.42 KB, patch)
2018-04-02 17:30 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews106 for mac-sierra-wk2 (436.29 KB, application/zip)
2018-04-02 18:22 PDT, EWS Watchlist 		no flags
Details
Archive of layout-test-results from ews126 for ios-simulator-wk2 (764.29 KB, application/zip)
2018-04-02 18:51 PDT, EWS Watchlist 		no flags
Details
Patch (15.57 KB, patch)
2018-04-02 22:15 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (15.02 KB, patch)
2018-04-03 14:26 PDT, Brent Fulgham 		youennf: review+
DetailsFormatted DiffDiff
Show Obsolete (11) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2018-03-31 18:40:37 PDT
<rdar://problem/38734795>
Brent Fulgham
Comment 2 2018-03-31 18:51:39 PDT
Created attachment 336943 [details] Patch
Brent Fulgham
Comment 3 2018-03-31 19:37:05 PDT
Created attachment 336946 [details] Patch
Brent Fulgham
Comment 4 2018-03-31 20:27:32 PDT
Created attachment 336949 [details] Patch
Brent Fulgham
Comment 5 2018-04-02 14:26:47 PDT
Created attachment 337029 [details] Patch
Jiewen Tan
Comment 6 2018-04-02 15:22:00 PDT
Comment on attachment 337029 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=337029&action=review The patch looks good to me. Please refer to the comments. Also, please consider adding the assertion for the followings: ArgumentCodersCF::copyPersistentRef, SecItemShimProxy::secItemRequest. > Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:134 > + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); I don't think this one is needed. > Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:237 > + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); Ditto. > Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm:117 > + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies)); I don't think this one is relevant. > Source/WebCore/platform/network/mac/ResourceHandleMac.mm:499 > + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); I don't think this one is needed.
EWS Watchlist
Comment 7 2018-04-02 15:32:11 PDT
Comment on attachment 337029 [details] Patch Attachment 337029 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/7184148 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 8 2018-04-02 15:32:12 PDT
Created attachment 337037 [details] Archive of layout-test-results from ews104 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 9 2018-04-02 15:48:32 PDT
Comment on attachment 337029 [details] Patch Attachment 337029 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/7183976 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 10 2018-04-02 15:48:33 PDT
Created attachment 337038 [details] Archive of layout-test-results from ews121 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews121 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.6
Brent Fulgham
Comment 11 2018-04-02 16:47:46 PDT
Comment on attachment 337029 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=337029&action=review >> Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:134 >> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); > > I don't think this one is needed. OK >> Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:237 >> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); > > Ditto. OK >> Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm:117 >> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies)); > > I don't think this one is relevant. Yes -- this one was a mistake. Good catch! >> Source/WebCore/platform/network/mac/ResourceHandleMac.mm:499 >> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); > > I don't think this one is needed. Really? This seems totally relevant to whether we are accessing credentials outside of the Network process.
Brent Fulgham
Comment 12 2018-04-02 17:00:18 PDT
Created attachment 337044 [details] Patch
Jiewen Tan
Comment 13 2018-04-02 17:10:35 PDT
Comment on attachment 337029 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=337029&action=review >>> Source/WebCore/platform/network/mac/ResourceHandleMac.mm:499 >>> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); >> >> I don't think this one is needed. > > Really? This seems totally relevant to whether we are accessing credentials outside of the Network process. You are right. [NSURLCredentialStorage defaultCredentialForProtectionSpace] will use Keychain service API internally when it tries to store persistent credential. I have a bad feeling that it is actually APIs like this cause us troubles.
Jiewen Tan
Comment 14 2018-04-02 17:12:46 PDT
Comment on attachment 337044 [details] Patch Please add assertions to the followings as well: ArgumentCodersCF::copyPersistentRef, SecItemShimProxy::secItemRequest.
Brent Fulgham
Comment 15 2018-04-02 17:28:21 PDT
(In reply to Jiewen Tan from comment #14) > SecItemShimProxy::secItemRequest. That's in the UIProcess, so it's okay. But I will add to the equivalent parts of Shared/mac/SecItemShim.cpp!
Brent Fulgham
Comment 16 2018-04-02 17:30:39 PDT
Created attachment 337047 [details] Patch
Jiewen Tan
Comment 17 2018-04-02 17:43:14 PDT
(In reply to Brent Fulgham from comment #15) > (In reply to Jiewen Tan from comment #14) > > SecItemShimProxy::secItemRequest. > > That's in the UIProcess, so it's okay. But I will add to the equivalent > parts of Shared/mac/SecItemShim.cpp! Got it. I don't think it is necessary to add assertions to Shared/Mac/SecItemShim.cpp though.
EWS Watchlist
Comment 18 2018-04-02 18:22:10 PDT
Comment on attachment 337047 [details] Patch Attachment 337047 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/7186363 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 19 2018-04-02 18:22:11 PDT
Created attachment 337048 [details] Archive of layout-test-results from ews106 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 20 2018-04-02 18:51:09 PDT
Comment on attachment 337047 [details] Patch Attachment 337047 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/7186406 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 21 2018-04-02 18:51:10 PDT
Created attachment 337051 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.6
Brent Fulgham
Comment 22 2018-04-02 22:15:05 PDT
Created attachment 337060 [details] Patch
youenn fablet
Comment 23 2018-04-03 09:24:29 PDT
Comment on attachment 337060 [details] Patch LGTM, I am just not sure of the last change. View in context: https://bugs.webkit.org/attachment.cgi?id=337060&action=review > Source/WebCore/Modules/webauthn/cocoa/LocalAuthenticator.mm:115 > + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); Maybe we can RELEASE_ASSERT in LocalAuthenticator constructor directly? > Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:711 > + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); Could we simplify things here? Maybe with something like the following at the beginning of the method: #if PLATFORM(COCOA) RELEASE_ASSERT(!secKeyRefDecodingAllowed || hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); #endif Or maybe the version without secKeyRefDecodingAllowed is good too? > Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:746 > + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); Move to the top of the method? > Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:-310 > -#endif This change is not explained. Is it just dead code and we do not want to give CanAccessCredentials to the UIProcess?
Brent Fulgham
Comment 24 2018-04-03 14:24:47 PDT
Comment on attachment 337060 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=337060&action=review >> Source/WebCore/Modules/webauthn/cocoa/LocalAuthenticator.mm:115 >> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); > > Maybe we can RELEASE_ASSERT in LocalAuthenticator constructor directly? Good idea. We should never construct one of these outside of the UIProcess. >> Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:711 >> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); > > Could we simplify things here? Maybe with something like the following at the beginning of the method: > #if PLATFORM(COCOA) > RELEASE_ASSERT(!secKeyRefDecodingAllowed || hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); > #endif > Or maybe the version without secKeyRefDecodingAllowed is good too? This might work. I don't think we should be entering this routine outside the Network/UIProcess so the simpler approach might work. I'll upload a patch to see. >> Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:746 >> + RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials)); > > Move to the top of the method? Sure! >> Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:-310 >> -#endif > > This change is not explained. > Is it just dead code and we do not want to give CanAccessCredentials to the UIProcess? We do not want to initialize the security API shims in the WebContent process, so this call should be removed. We only want this initialization to happen in the Networking process.
Brent Fulgham
Comment 25 2018-04-03 14:26:43 PDT
Created attachment 337115 [details] Patch
Brent Fulgham
Comment 26 2018-04-03 16:50:16 PDT
Committed r230225: <https://trac.webkit.org/changeset/230225>
Note You need to log in before you can comment on or make changes to this bug.