Bug 184214 - Guard against keychain/certificate access outside the network process
Summary: Guard against keychain/certificate access outside the network process
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Brent Fulgham
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-03-31 18:25 PDT by Brent Fulgham
Modified: 2018-04-03 16:50 PDT (History)
5 users (show)

See Also:

Attachments
Patch (9.80 KB, patch)
2018-03-31 18:51 PDT, Brent Fulgham 		no flags Details | Formatted Diff | Diff
Patch (11.64 KB, patch)
2018-03-31 19:37 PDT, Brent Fulgham 		no flags Details | Formatted Diff | Diff
Patch (12.02 KB, patch)
2018-03-31 20:27 PDT, Brent Fulgham 		no flags Details | Formatted Diff | Diff
Patch (12.13 KB, patch)
2018-04-02 14:26 PDT, Brent Fulgham 		no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews104 for mac-sierra-wk2 (1.10 MB, application/zip)
2018-04-02 15:32 PDT, EWS Watchlist 		no flags Details
Archive of layout-test-results from ews121 for ios-simulator-wk2 (784.81 KB, application/zip)
2018-04-02 15:48 PDT, EWS Watchlist 		no flags Details
Patch (10.46 KB, patch)
2018-04-02 17:00 PDT, Brent Fulgham 		no flags Details | Formatted Diff | Diff
Patch (15.42 KB, patch)
2018-04-02 17:30 PDT, Brent Fulgham 		no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews106 for mac-sierra-wk2 (436.29 KB, application/zip)
2018-04-02 18:22 PDT, EWS Watchlist 		no flags Details
Archive of layout-test-results from ews126 for ios-simulator-wk2 (764.29 KB, application/zip)
2018-04-02 18:51 PDT, EWS Watchlist 		no flags Details
Patch (15.57 KB, patch)
2018-04-02 22:15 PDT, Brent Fulgham 		no flags Details | Formatted Diff | Diff
Patch (15.02 KB, patch)
2018-04-03 14:26 PDT, Brent Fulgham 		youennf: review+
Details | Formatted Diff | Diff
Show Obsolete (11) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brent Fulgham 2018-03-31 18:25:48 PDT 
Use the ProcessPrivilege assertions to guard against accessing keychain/certificate methods outside of the NetworkProcess.
Comment 1 Brent Fulgham 2018-03-31 18:40:37 PDT 
<rdar://problem/38734795>
Comment 2 Brent Fulgham 2018-03-31 18:51:39 PDT 
Created attachment 336943 [details]
Patch
Comment 3 Brent Fulgham 2018-03-31 19:37:05 PDT 
Created attachment 336946 [details]
Patch
Comment 4 Brent Fulgham 2018-03-31 20:27:32 PDT 
Created attachment 336949 [details]
Patch
Comment 5 Brent Fulgham 2018-04-02 14:26:47 PDT 
Created attachment 337029 [details]
Patch
Comment 6 Jiewen Tan 2018-04-02 15:22:00 PDT 
Comment on attachment 337029 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=337029&action=review

The patch looks good to me. Please refer to the comments. Also, please consider adding the assertion for the followings:
ArgumentCodersCF::copyPersistentRef,
SecItemShimProxy::secItemRequest.

> Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:134
> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));

I don't think this one is needed.

> Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:237
> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));

Ditto.

> Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm:117
> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));

I don't think this one is relevant.

> Source/WebCore/platform/network/mac/ResourceHandleMac.mm:499
> +        RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));

I don't think this one is needed.
Comment 7 EWS Watchlist 2018-04-02 15:32:11 PDT 
Comment on attachment 337029 [details]
Patch

Attachment 337029 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/7184148

Number of test failures exceeded the failure limit.
Comment 8 EWS Watchlist 2018-04-02 15:32:12 PDT 
Created attachment 337037 [details]
Archive of layout-test-results from ews104 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
Comment 9 EWS Watchlist 2018-04-02 15:48:32 PDT 
Comment on attachment 337029 [details]
Patch

Attachment 337029 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/7183976

Number of test failures exceeded the failure limit.
Comment 10 EWS Watchlist 2018-04-02 15:48:33 PDT 
Created attachment 337038 [details]
Archive of layout-test-results from ews121 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews121  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Comment 11 Brent Fulgham 2018-04-02 16:47:46 PDT 
Comment on attachment 337029 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=337029&action=review

>> Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:134
>> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
> 
> I don't think this one is needed.

OK

>> Source/WebCore/platform/mac/SSLKeyGeneratorMac.mm:237
>> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
> 
> Ditto.

OK

>> Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm:117
>> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
> 
> I don't think this one is relevant.

Yes -- this one was a mistake. Good catch!

>> Source/WebCore/platform/network/mac/ResourceHandleMac.mm:499
>> +        RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
> 
> I don't think this one is needed.

Really? This seems totally relevant to whether we are accessing credentials outside of the Network process.
Comment 12 Brent Fulgham 2018-04-02 17:00:18 PDT 
Created attachment 337044 [details]
Patch
Comment 13 Jiewen Tan 2018-04-02 17:10:35 PDT 
Comment on attachment 337029 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=337029&action=review

>>> Source/WebCore/platform/network/mac/ResourceHandleMac.mm:499
>>> +        RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
>> 
>> I don't think this one is needed.
> 
> Really? This seems totally relevant to whether we are accessing credentials outside of the Network process.

You are right. [NSURLCredentialStorage defaultCredentialForProtectionSpace] will use Keychain service API internally when it tries to store persistent credential.

I have a bad feeling that it is actually APIs like this cause us troubles.
Comment 14 Jiewen Tan 2018-04-02 17:12:46 PDT 
Comment on attachment 337044 [details]
Patch

Please add assertions to the followings as well:
ArgumentCodersCF::copyPersistentRef,
SecItemShimProxy::secItemRequest.
Comment 15 Brent Fulgham 2018-04-02 17:28:21 PDT 
(In reply to Jiewen Tan from comment #14)
> SecItemShimProxy::secItemRequest.

That's in the UIProcess, so it's okay. But I will add to the equivalent parts of Shared/mac/SecItemShim.cpp!
Comment 16 Brent Fulgham 2018-04-02 17:30:39 PDT 
Created attachment 337047 [details]
Patch
Comment 17 Jiewen Tan 2018-04-02 17:43:14 PDT 
(In reply to Brent Fulgham from comment #15)
> (In reply to Jiewen Tan from comment #14)
> > SecItemShimProxy::secItemRequest.
> 
> That's in the UIProcess, so it's okay. But I will add to the equivalent
> parts of Shared/mac/SecItemShim.cpp!

Got it. I don't think it is necessary to add assertions to Shared/Mac/SecItemShim.cpp though.
Comment 18 EWS Watchlist 2018-04-02 18:22:10 PDT 
Comment on attachment 337047 [details]
Patch

Attachment 337047 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/7186363

Number of test failures exceeded the failure limit.
Comment 19 EWS Watchlist 2018-04-02 18:22:11 PDT 
Created attachment 337048 [details]
Archive of layout-test-results from ews106 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
Comment 20 EWS Watchlist 2018-04-02 18:51:09 PDT 
Comment on attachment 337047 [details]
Patch

Attachment 337047 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/7186406

Number of test failures exceeded the failure limit.
Comment 21 EWS Watchlist 2018-04-02 18:51:10 PDT 
Created attachment 337051 [details]
Archive of layout-test-results from ews126 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Comment 22 Brent Fulgham 2018-04-02 22:15:05 PDT 
Created attachment 337060 [details]
Patch
Comment 23 youenn fablet 2018-04-03 09:24:29 PDT 
Comment on attachment 337060 [details]
Patch

LGTM, I am just not sure of the last change.

View in context: https://bugs.webkit.org/attachment.cgi?id=337060&action=review

> Source/WebCore/Modules/webauthn/cocoa/LocalAuthenticator.mm:115
> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));

Maybe we can RELEASE_ASSERT in LocalAuthenticator constructor directly?

> Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:711
> +        RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));

Could we simplify things here? Maybe with something like the following at the beginning of the method:
#if PLATFORM(COCOA)
RELEASE_ASSERT(!secKeyRefDecodingAllowed || hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
#endif
Or maybe the version without secKeyRefDecodingAllowed is good too?

> Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:746
> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));

Move to the top of the method?

> Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:-310
> -#endif

This change is not explained.
Is it just dead code and we do not want to give CanAccessCredentials to the UIProcess?
Comment 24 Brent Fulgham 2018-04-03 14:24:47 PDT 
Comment on attachment 337060 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=337060&action=review

>> Source/WebCore/Modules/webauthn/cocoa/LocalAuthenticator.mm:115
>> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
> 
> Maybe we can RELEASE_ASSERT in LocalAuthenticator constructor directly?

Good idea. We should never construct one of these outside of the UIProcess.

>> Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:711
>> +        RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
> 
> Could we simplify things here? Maybe with something like the following at the beginning of the method:
> #if PLATFORM(COCOA)
> RELEASE_ASSERT(!secKeyRefDecodingAllowed || hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
> #endif
> Or maybe the version without secKeyRefDecodingAllowed is good too?

This might work. I don't think we should be entering this routine outside the Network/UIProcess so the simpler approach might work. I'll upload a patch to see.

>> Source/WebKit/Shared/cf/ArgumentCodersCF.cpp:746
>> +    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
> 
> Move to the top of the method?

Sure!

>> Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:-310
>> -#endif
> 
> This change is not explained.
> Is it just dead code and we do not want to give CanAccessCredentials to the UIProcess?

We do not want to initialize the security API shims in the WebContent process, so this call should be removed. We only want this initialization to happen in the Networking process.
Comment 25 Brent Fulgham 2018-04-03 14:26:43 PDT 
Created attachment 337115 [details]
Patch
Comment 26 Brent Fulgham 2018-04-03 16:50:16 PDT 
Committed r230225: <https://trac.webkit.org/changeset/230225>