RESOLVED WONTFIX 187018
Update Cisco Webex sandbox to make it functional 
https://bugs.webkit.org/show_bug.cgi?id=187018
Summary Update Cisco Webex sandbox to make it functional
youenn fablet
Reported 2018-06-25 14:41:51 PDT
Update Cisco Webex sandbox to make it functional
Attachments
Patch (3.22 KB, patch)
2018-06-25 14:44 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Patch (5.05 KB, patch)
2018-06-25 23:06 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Patch (4.42 KB, patch)
2018-06-26 18:10 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews206 for win-future (12.76 MB, application/zip)
2018-06-27 00:05 PDT, EWS Watchlist 		no flags
Details
Patch (4.56 KB, patch)
2018-06-27 07:56 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews206 for win-future (12.75 MB, application/zip)
2018-06-27 11:23 PDT, EWS Watchlist 		no flags
Details
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2018-06-25 14:44:42 PDT
Created attachment 343543 [details] Patch
youenn fablet
Comment 2 2018-06-25 23:06:43 PDT
Created attachment 343586 [details] Patch
Alexey Proskuryakov
Comment 3 2018-06-25 23:43:16 PDT
Comment on attachment 343586 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=343586&action=review > Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:37 > + (literal "/Library/ScriptingAdditions")) Allowing writing here seems very insecure. > Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:65 > + (prefix "/private/var/folders")) And this is definitely unacceptable.
youenn fablet
Comment 4 2018-06-26 18:10:15 PDT
Created attachment 343668 [details] Patch
youenn fablet
Comment 5 2018-06-26 18:14:48 PDT
> > Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:65 > > + (prefix "/private/var/folders")) > > And this is definitely unacceptable. This is mandatory to make the plugin work as it is right now. To improve on this, there would be a need to coordinate with the plugin authors. We need to have something working to continue fiddling with the sandbox. Brent, is there a way to add the restriction that only the folders/files that the plugin creates are actually accessible?
youenn fablet
Comment 6 2018-06-26 18:16:53 PDT
Or maybe deny access to some patterns...
EWS Watchlist
Comment 7 2018-06-27 00:05:33 PDT
Comment on attachment 343668 [details] Patch Attachment 343668 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/8356378 New failing tests: http/tests/security/canvas-remote-read-remote-video-blocked-no-crossorigin.html http/tests/security/video-poster-cross-origin-crash2.html
EWS Watchlist
Comment 8 2018-06-27 00:05:44 PDT
Created attachment 343696 [details] Archive of layout-test-results from ews206 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews206 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Alexey Proskuryakov
Comment 9 2018-06-27 02:17:11 PDT
> Or maybe deny access to some patterns... Yes, regexes can definitely be used for access patterns. Surely the plug-in doesn't need to write to temporary and cache files of all apps for all users.
youenn fablet
Comment 10 2018-06-27 07:56:28 PDT
Created attachment 343711 [details] Patch
Radar WebKit Bug Importer
Comment 11 2018-06-27 09:45:54 PDT
<rdar://problem/41528287>
EWS Watchlist
Comment 12 2018-06-27 11:23:23 PDT
Comment on attachment 343711 [details] Patch Attachment 343711 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/8359738 New failing tests: http/tests/security/canvas-remote-read-remote-video-blocked-no-crossorigin.html http/tests/security/canvas-remote-read-remote-video-redirect.html
EWS Watchlist
Comment 13 2018-06-27 11:23:34 PDT
Created attachment 343730 [details] Archive of layout-test-results from ews206 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews206 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Alexey Proskuryakov
Comment 14 2018-06-28 01:31:12 PDT
Comment on attachment 343711 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=343711&action=review > Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:62 > ;; FIXME: We should tigthen the sandbox to some tmp subfolders > (allow file* > (prefix "/private/tmp")) :-/ > Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:67 > +(allow file* > + (regex #"^/private/var/folders/.*/TemporaryItems") > + (regex #"^/private/var/folders/.*\.cache$") > + (regex #"^/private/var/folders/.*/mds.lock$")) This doesn't make it substantially more secure - folders for other users are unaccessible due to POSIX permissions anyway, and this still allows access to other applications' files. What exactly are you trying to achieve with these rules?
youenn fablet
Comment 15 2018-07-03 16:25:33 PDT
Comment on attachment 343711 [details] Patch win error unrelated
Note You need to log in before you can comment on or make changes to this bug.