RESOLVED FIXED Bug 219428
Add sandbox extension flag to specify that path contains no symlinks 
https://bugs.webkit.org/show_bug.cgi?id=219428
Summary Add sandbox extension flag to specify that path contains no symlinks
Per Arne Vollan
Reported 2020-12-02 05:04:06 PST
In general, when SandboxExtension::createHandleWithoutResolvingPath is called, it is assumed that there are no symlinks in the provided path. Add a 'canonical' flag, which can be used by platform APIs to verify that this is the case.
Attachments
Patch (2.56 KB, patch)
2020-12-02 05:09 PST, Per Arne Vollan 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (3.83 KB, patch)
2020-12-02 05:11 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (4.56 KB, patch)
2020-12-02 07:19 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (4.50 KB, patch)
2020-12-03 01:21 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (5.39 KB, patch)
2020-12-03 02:30 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (5.41 KB, patch)
2021-04-27 10:21 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Per Arne Vollan
Comment 1 2020-12-02 05:04:44 PST
<rdar://problem/66551986>
Per Arne Vollan
Comment 2 2020-12-02 05:09:02 PST
Created attachment 415213 [details] Patch
Per Arne Vollan
Comment 3 2020-12-02 05:11:36 PST
Created attachment 415214 [details] Patch
Per Arne Vollan
Comment 4 2020-12-02 07:19:30 PST
Created attachment 415222 [details] Patch
Alexey Proskuryakov
Comment 5 2020-12-02 09:29:54 PST
Comment on attachment 415222 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=415222&action=review Is the API test failure real? > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97 > + if (flags & SandboxExtension::Flags::Canonical) > + extensionFlags |= SANDBOX_EXTENSION_CANONICAL; If I understand what this does correctly, then the naming is actively misleading. Putting a "canonical" flag on an extension means that it is canonical. But we cannot guarantee that, and that's the whole purpose of adding the flag! The difference between "is canonical" and "do not canonicalize" is subtle and even non-existent when everything goes well, but maintaining this difference is how we defend against attacks. I think that we should have another pass at the naming, and do better than mirror an SPI name.
Per Arne Vollan
Comment 6 2020-12-03 01:21:29 PST
Created attachment 415283 [details] Patch
Per Arne Vollan
Comment 7 2020-12-03 01:23:46 PST
(In reply to Alexey Proskuryakov from comment #5) > Comment on attachment 415222 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=415222&action=review > > Is the API test failure real? > Yes, should be fixed in latest patch. > > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97 > > + if (flags & SandboxExtension::Flags::Canonical) > > + extensionFlags |= SANDBOX_EXTENSION_CANONICAL; > > If I understand what this does correctly, then the naming is actively > misleading. Putting a "canonical" flag on an extension means that it is > canonical. But we cannot guarantee that, and that's the whole purpose of > adding the flag! > > The difference between "is canonical" and "do not canonicalize" is subtle > and even non-existent when everything goes well, but maintaining this > difference is how we defend against attacks. > > I think that we should have another pass at the naming, and do better than > mirror an SPI name. That is a good point. I have proposed a new name in the latest patch. Thanks for reviewing!
Per Arne Vollan
Comment 8 2020-12-03 02:30:06 PST
Created attachment 415288 [details] Patch
Brent Fulgham
Comment 9 2020-12-03 13:29:43 PST
Comment on attachment 415288 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=415288&action=review I reviewed this with Coops and I think it looks good. r=me. > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:277 > + handle.m_sandboxExtension = SandboxExtensionImpl::create(path.utf8().data(), type, WTF::nullopt, SandboxExtension::Flags::DoNotCanonicalize); Extra whitespace before SandboxExtension::Flags::DoNotCanonicalize
Brent Fulgham
Comment 10 2020-12-03 14:41:57 PST
Comment on attachment 415288 [details] Patch Whoops! Not quite right.
Per Arne Vollan
Comment 11 2021-04-27 10:21:27 PDT
Created attachment 427162 [details] Patch
Brent Fulgham
Comment 12 2021-05-06 10:46:18 PDT
Comment on attachment 427162 [details] Patch r=me
Per Arne Vollan
Comment 13 2021-05-06 11:03:49 PDT
Comment on attachment 427162 [details] Patch Thanks for reviewing!
EWS
Comment 14 2021-05-06 11:40:12 PDT
Committed r277104 (237406@main): <https://commits.webkit.org/237406@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 427162 [details].
Note You need to log in before you can comment on or make changes to this bug.