Bug 186110 - Add a sandbox profile for com.cisco.webex.plugin.gpc64 plugin
Summary: Add a sandbox profile for com.cisco.webex.plugin.gpc64 plugin
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: youenn fablet
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-05-30 14:33 PDT by youenn fablet
Modified: 2018-06-02 09:00 PDT (History)
4 users (show)

See Also:


Attachments
Patch (8.78 KB, patch)
2018-05-30 16:56 PDT, youenn fablet
no flags Details | Formatted Diff | Diff
Patch (9.00 KB, patch)
2018-06-01 15:04 PDT, youenn fablet
no flags Details | Formatted Diff | Diff
Patch (10.59 KB, patch)
2018-06-01 15:51 PDT, youenn fablet
no flags Details | Formatted Diff | Diff
Patch (10.55 KB, patch)
2018-06-01 15:53 PDT, youenn fablet
no flags Details | Formatted Diff | Diff
Patch for landing (10.61 KB, patch)
2018-06-01 17:02 PDT, youenn fablet
no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews206 for win-future (12.71 MB, application/zip)
2018-06-01 21:56 PDT, Build Bot
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description youenn fablet 2018-05-30 14:33:56 PDT
Add a sandbox profile for com.cisco.webex.plugin.gpc64 plugin
Comment 1 youenn fablet 2018-05-30 16:56:36 PDT
Created attachment 341625 [details]
Patch
Comment 2 Radar WebKit Bug Importer 2018-06-01 11:32:20 PDT
<rdar://problem/40728353>
Comment 3 youenn fablet 2018-06-01 11:40:33 PDT
Comment on attachment 341625 [details]
Patch

I think that we might be able to strengthen the sandbox.
It might best be done when having some real testing.
Comment 4 Brent Fulgham 2018-06-01 12:14:03 PDT
Comment on attachment 341625 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=341625&action=review

I think this is very close, but I'd like to see some tighter rules on the rules I mentioned above. Maybe you've found that WebEx just won't work without these open fully -- if so, let me know.

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:44
> +

You might consider preventing symlinks from being created, unless WebEx uses them:

(if (defined? 'vnode-type)
        (deny file-write-create (vnode-type SYMLINK)))

This would help protect against a compromised plugin from creating a symlink someplace bad.

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:46
> +(allow process-fork)

Lots of powerful operations allowed :-(

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:74
> +(allow network-outbound)

I wonder if these outbound connections could be limited to specific ports?

E.g, like we do in some other plugins:

(allow network-outbound
   (remote udp "*:4160" "*:88"))

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:79
> +(allow ipc-posix-shm)

Do you need all ipc-posix-shm? For example, could you just have "ipc-posix-shm-read-data"? Even better would be to limit it to specific IPC agents you want to talk to.

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:80
> +(allow mach-lookup)

It would be much better to limit mach-lookup to just the mach endpoints you actually need. This is a huge window for attackers.

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:81
> +(allow sysctl-read)

Can this be limited to a smaller subset?

(allow sysctl-read
    (sysctl-name
        "hw.byteorder"
        "hw.busfrequency_max"
        ...
 (sysctl-name-regex #"^net.routetable")
)

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:82
> +(allow sysctl-write)

Oh gosh -- can this be limited to specific things? All of WebContent process manages to avoid sysctl-write for anything!
Comment 5 youenn fablet 2018-06-01 12:26:55 PDT
I will try to do further testing to ensure I can remove some of these potentially non useful rules.
Comment 6 youenn fablet 2018-06-01 15:04:31 PDT
Created attachment 341789 [details]
Patch
Comment 7 youenn fablet 2018-06-01 15:06:22 PDT
OK, this sandbox should allow plugin listing but there are still some issues with running the plugin.
In particular, it seems that the finalizer in com.apple.WebKit.plugin-common.sb.in is not compatible.
Comment 8 youenn fablet 2018-06-01 15:51:50 PDT
Created attachment 341798 [details]
Patch
Comment 9 youenn fablet 2018-06-01 15:53:02 PDT
Created attachment 341799 [details]
Patch
Comment 10 youenn fablet 2018-06-01 15:54:05 PDT
I removed some potentially unneeded rules.
I kept the port rules unchanged for now since webex might use a wide range.
Comment 11 Brent Fulgham 2018-06-01 16:34:53 PDT
Comment on attachment 341799 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=341799&action=review

Looks much better! I think this is a good first cut. We can tighten it as we work with it more.

> Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:531
> +            (if (not (defined? 'allow-symlinks))

I just tested this locally and made sure existing plugins still hit this code path, so that works properly.

> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:41
> +    (prefix "/private/tmp"))

It's a little scary to be granting global read/write to "/private/tmp". It would be nice to tighten this up to a sub-folder if possible.
Comment 12 youenn fablet 2018-06-01 16:58:59 PDT
> > Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:41
> > +    (prefix "/private/tmp"))
> 
> It's a little scary to be granting global read/write to "/private/tmp". It
> would be nice to tighten this up to a sub-folder if possible.

An initial version of the sandbox was using /private/tmp subfolders but I saw some sandbox issues.
I think we will need to continue fixing the sandbox, I'll add a FIXME in the meantime.
Comment 13 youenn fablet 2018-06-01 17:02:26 PDT
Created attachment 341809 [details]
Patch for landing
Comment 14 Build Bot 2018-06-01 21:56:20 PDT
Comment on attachment 341809 [details]
Patch for landing

Attachment 341809 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/7939894

New failing tests:
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html
Comment 15 Build Bot 2018-06-01 21:56:30 PDT
Created attachment 341828 [details]
Archive of layout-test-results from ews206 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 16 WebKit Commit Bot 2018-06-02 08:59:59 PDT
Comment on attachment 341809 [details]
Patch for landing

Clearing flags on attachment: 341809

Committed r232436: <https://trac.webkit.org/changeset/232436>
Comment 17 WebKit Commit Bot 2018-06-02 09:00:00 PDT
All reviewed patches have been landed.  Closing bug.