RESOLVED FIXED195464
[macOS] Remove the Kerberos rules from the WebContent sandbox 
https://bugs.webkit.org/show_bug.cgi?id=195464
Summary [macOS] Remove the Kerberos rules from the WebContent sandbox
Per Arne Vollan
Reported 2019-03-08 09:41:10 PST
Kerberos auth is done in the UIProcess or NetworkProcess now.
Attachments
Patch (1.41 KB, patch)
2019-03-08 09:42 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (1.44 KB, patch)
2019-03-08 09:43 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews105 for mac-highsierra-wk2 (797.51 KB, application/zip)
2019-03-08 10:19 PST, EWS Watchlist 		no flags
Details
Patch (1.48 KB, patch)
2019-03-08 10:25 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (1.65 KB, patch)
2019-03-08 11:04 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (1.40 KB, patch)
2019-03-08 11:40 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (1.46 KB, patch)
2019-03-11 17:10 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (6) View All Add attachment proposed patch, testcase, etc.
Per Arne Vollan
Comment 1 2019-03-08 09:41:30 PST
rdar://problem/35369230
Per Arne Vollan
Comment 2 2019-03-08 09:42:40 PST
Created attachment 364021 [details] Patch
Per Arne Vollan
Comment 3 2019-03-08 09:43:39 PST
Created attachment 364022 [details] Patch
EWS Watchlist
Comment 4 2019-03-08 10:19:14 PST
Comment on attachment 364022 [details] Patch Attachment 364022 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/11427575 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 5 2019-03-08 10:19:16 PST
Created attachment 364028 [details] Archive of layout-test-results from ews105 for mac-highsierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-highsierra-wk2 Platform: Mac OS X 10.13.6
Per Arne Vollan
Comment 6 2019-03-08 10:25:27 PST
Created attachment 364030 [details] Patch
Alexey Proskuryakov
Comment 7 2019-03-08 10:55:44 PST
Comment on attachment 364030 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=364030&action=review > Source/WebKit/ChangeLog:3 > + [macOS] Remove the Kerberos rules from the WebContent sandbox Is it not needed on all macOS versions any more, or just the newest ones?
Per Arne Vollan
Comment 8 2019-03-08 10:59:14 PST
(In reply to Alexey Proskuryakov from comment #7) > Comment on attachment 364030 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=364030&action=review > > > Source/WebKit/ChangeLog:3 > > + [macOS] Remove the Kerberos rules from the WebContent sandbox > > Is it not needed on all macOS versions any more, or just the newest ones? That's a good point, we might have to protect this. Thanks for reviewing!
Per Arne Vollan
Comment 9 2019-03-08 11:04:48 PST
Created attachment 364039 [details] Patch
Alexey Proskuryakov
Comment 10 2019-03-08 11:13:14 PST
Comment on attachment 364039 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=364039&action=review > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:695 > (allow user-preference-read There is also edu.mit.Kerberos preference rule in this file. > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:708 > + (literal "/private/etc/services") > + (literal "/private/etc/host")) I'm confused by why this is still needed. Didn't all network loading move from WebContent on all macOS versions?
Brent Fulgham
Comment 11 2019-03-08 11:18:07 PST
Comment on attachment 364039 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=364039&action=review >> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:708 >> + (literal "/private/etc/host")) > > I'm confused by why this is still needed. Didn't all network loading move from WebContent on all macOS versions? That's true. I chickened out and suggested keeping this because I wasn't sure if CFURL needed it to do its work, and that is still used in the WebContent process.
Per Arne Vollan
Comment 12 2019-03-08 11:40:50 PST
Created attachment 364044 [details] Patch
Per Arne Vollan
Comment 13 2019-03-08 11:42:05 PST
(In reply to Brent Fulgham from comment #11) > Comment on attachment 364039 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=364039&action=review > > >> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:708 > >> + (literal "/private/etc/host")) > > > > I'm confused by why this is still needed. Didn't all network loading move from WebContent on all macOS versions? > > That's true. I chickened out and suggested keeping this because I wasn't > sure if CFURL needed it to do its work, and that is still used in the > WebContent process. I disallowed it in the latest patch, but perhaps we should keep it? Thanks for reviewing, all!
Brent Fulgham
Comment 14 2019-03-08 11:43:30 PST
(In reply to Per Arne Vollan from comment #13) > I disallowed it in the latest patch, but perhaps we should keep it? Thanks > for reviewing, all! Let's see what EWS says. If that works, we should proceed.
Per Arne Vollan
Comment 15 2019-03-08 11:44:47 PST
(In reply to Brent Fulgham from comment #14) > (In reply to Per Arne Vollan from comment #13) > > I disallowed it in the latest patch, but perhaps we should keep it? Thanks > > for reviewing, all! > > Let's see what EWS says. If that works, we should proceed. Great, thanks!
Alexey Proskuryakov
Comment 16 2019-03-08 13:10:15 PST
Didn't we stop doing network loading in WebContent on all macOS versions though? If so, Kerberos also shouldn't be needed I suspect. Maybe the original patch was correct.
Ryosuke Niwa
Comment 17 2019-03-09 18:20:57 PST
(In reply to Alexey Proskuryakov from comment #16) > Didn't we stop doing network loading in WebContent on all macOS versions > though? If so, Kerberos also shouldn't be needed I suspect. I believe we have. +Alex, Youenn.
Darin Adler
Comment 18 2019-03-10 15:34:42 PDT
Comment on attachment 364044 [details] Patch I prefer separate #if with && to nested #if myself.
Darin Adler
Comment 19 2019-03-10 15:35:25 PDT
Oh, sorry, didn’t realize we were waiting to here from experts on what macOS versions this change is needed in.
youenn fablet
Comment 20 2019-03-10 22:36:18 PDT
(In reply to Ryosuke Niwa from comment #17) > (In reply to Alexey Proskuryakov from comment #16) > > Didn't we stop doing network loading in WebContent on all macOS versions > > though? If so, Kerberos also shouldn't be needed I suspect. > > I believe we have. +Alex, Youenn. Right, I think we are doing all networking in NetworkProcess since we moved app cache to NetworkProcess (rdar://problem/17969182).
Brent Fulgham
Comment 21 2019-03-11 09:34:17 PDT
Comment on attachment 364044 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=364044&action=review r- to remove the conditional check and just remove the GSS access. > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:694 > +#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101500 As discussed in the bug, we shouldn't need this version check since all WebKit builds (even to downlevel OSes) have all such interactions happening in the Network Process.
Per Arne Vollan
Comment 22 2019-03-11 17:10:30 PDT
Created attachment 364315 [details] Patch
Per Arne Vollan
Comment 23 2019-03-11 17:11:03 PDT
(In reply to Brent Fulgham from comment #21) > Comment on attachment 364044 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=364044&action=review > > r- to remove the conditional check and just remove the GSS access. > > > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:694 > > +#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101500 > > As discussed in the bug, we shouldn't need this version check since all > WebKit builds (even to downlevel OSes) have all such interactions happening > in the Network Process. Thanks for reviewing, all! I have updated the patch.
Brent Fulgham
Comment 24 2019-03-11 17:12:26 PDT
Comment on attachment 364315 [details] Patch Yay! r=me (wait for EWS)
Per Arne Vollan
Comment 25 2019-03-11 19:56:05 PDT
Comment on attachment 364315 [details] Patch Thanks for reviewing!
WebKit Commit Bot
Comment 26 2019-03-11 20:24:33 PDT
Comment on attachment 364315 [details] Patch Clearing flags on attachment: 364315 Committed r242769: <https://trac.webkit.org/changeset/242769>
WebKit Commit Bot
Comment 27 2019-03-11 20:24:35 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.