- Revision
- 170608
- Author
- oli...@apple.com
- Date
- 2014-06-30 15:51:39 -0700 (Mon, 30 Jun 2014)
Log Message
Restrict network process sandbox
https://bugs.webkit.org/show_bug.cgi?id=134360
Reviewed by Sam Weinig.
Add more restrictions to the network process sandbox.
* NetworkProcess/cocoa/NetworkProcessCocoa.mm:
(WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
Always use the cache directory provided in the initialization parameters,
and make sure we consume the cookie directory extension.
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
Make the sandbox profile much more restrictive.
* Shared/Network/NetworkProcessCreationParameters.cpp:
(WebKit::NetworkProcessCreationParameters::encode):
(WebKit::NetworkProcessCreationParameters::decode):
* Shared/Network/NetworkProcessCreationParameters.h:
The network process now requires an extension to access
its cookie storage.
* Shared/mac/SandboxUtilities.cpp:
(WebKit::pathForProcessContainer):
* Shared/mac/SandboxUtilities.h:
We need to be able to get hold of our container so
that we can get the correct cookie storage directory.
* UIProcess/WebContext.cpp:
(WebKit::WebContext::ensureNetworkProcess):
We have to pass in an extension for the cookie storage directory when
initialising the network process
* UIProcess/mac/WebContextMac.mm:
(WebKit::WebContext::platformDefaultCookieStorageDirectory):
Make sure we provide the correct location on IOS
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
Consume the cookie storage extension
Modified: trunk/Source/WebKit2/ChangeLog (170607 => 170608)
--- trunk/Source/WebKit2/ChangeLog 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/ChangeLog 2014-06-30 22:51:39 UTC (rev 170608)
@@ -1,3 +1,40 @@
+2014-06-28 Oliver Hunt <oli...@apple.com>
+
+ Restrict network process sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=134360
+
+ Reviewed by Sam Weinig.
+
+ Add more restrictions to the network process sandbox.
+
+ * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+ (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+ Always use the cache directory provided in the initialization parameters,
+ and make sure we consume the cookie directory extension.
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+ Make the sandbox profile much more restrictive.
+ * Shared/Network/NetworkProcessCreationParameters.cpp:
+ (WebKit::NetworkProcessCreationParameters::encode):
+ (WebKit::NetworkProcessCreationParameters::decode):
+ * Shared/Network/NetworkProcessCreationParameters.h:
+ The network process now requires an extension to access
+ its cookie storage.
+ * Shared/mac/SandboxUtilities.cpp:
+ (WebKit::pathForProcessContainer):
+ * Shared/mac/SandboxUtilities.h:
+ We need to be able to get hold of our container so
+ that we can get the correct cookie storage directory.
+ * UIProcess/WebContext.cpp:
+ (WebKit::WebContext::ensureNetworkProcess):
+ We have to pass in the an extension for the cookie storage directory when
+ initalising the network process
+ * UIProcess/mac/WebContextMac.mm:
+ (WebKit::WebContext::platformDefaultCookieStorageDirectory):
+ Make sure we provide the correct location on IOS
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::platformInitializeWebProcess):
+ Consume the cookie storage extension
+
2014-06-30 Simon Fraser <simon.fra...@apple.com>
[iOS WK2] Turn off scrollsToTop on overflow UIScrollViews
Modified: trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm (170607 => 170608)
--- trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm 2014-06-30 22:51:39 UTC (rev 170608)
@@ -60,24 +60,23 @@
void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters& parameters)
{
+ SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle);
+ m_diskCacheDirectory = parameters.diskCacheDirectory;
+
+ if (!m_diskCacheDirectory.isNull()) {
+ SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle);
#if PLATFORM(IOS)
- if (!parameters.uiProcessBundleIdentifier.isNull()) {
[NSURLCache setSharedURLCache:adoptNS([[NSURLCache alloc]
_initWithMemoryCapacity:parameters.nsURLCacheMemoryCapacity
diskCapacity:parameters.nsURLCacheDiskCapacity
relativePath:parameters.uiProcessBundleIdentifier]).get()];
- }
#else
- m_diskCacheDirectory = parameters.diskCacheDirectory;
-
- if (!m_diskCacheDirectory.isNull()) {
- SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle);
[NSURLCache setSharedURLCache:adoptNS([[NSURLCache alloc]
initWithMemoryCapacity:parameters.nsURLCacheMemoryCapacity
diskCapacity:parameters.nsURLCacheDiskCapacity
diskPath:parameters.diskCacheDirectory]).get()];
- }
#endif
+ }
#if PLATFORM(IOS) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090
RetainPtr<CFURLCacheRef> cache = adoptCF(CFURLCacheCopySharedURLCache());
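Review bot: The cookie storage extension is consumed unconditionally on the first added line, whereas `ensureNetworkProcess` in WebContext.cpp only creates that handle when `cookieStorageDirectory` is non-empty, so on the empty-directory path an empty handle reaches `consumePermanently`; unless that is known to be a harmless no-op, mirror the disk-cache guard: `if (!parameters.cookieStorageDirectory.isEmpty()) SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle);`. The return value of both `consumePermanently` calls is also dropped, so a rejected extension would only surface later as failed file access rather than at startup. Separately, the iOS branch no longer checks `!parameters.uiProcessBundleIdentifier.isNull()` before passing it as `relativePath:`; the new `m_diskCacheDirectory` check does not guarantee the bundle identifier is set. `platformInitializeNetworkProcessCocoa` continues past the end of the hunk.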
Modified: trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (170607 => 170608)
--- trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2014-06-30 22:51:39 UTC (rev 170608)
@@ -22,7 +22,48 @@
; THE POSSIBILITY OF SUCH DAMAGE.
(version 1)
-(allow default)
+(deny default (with partial-symbolication))
+(allow system-audit file-read-metadata)
(import "common.sb")
(import "removed-dev-nodes.sb")
+
+;; Access CFNetwork shared cookies
+;; This is too generous -- <rdar://problem/17496756>
+(apple-cookie-access 'with-read-write)
+
+;; Sandbox extensions
+(allow file-read* (container-subpath "Library/")
+ (extension "com.apple.webkit.read"))
+
+;; Access to client's cache folder & re-vending to CFNetwork.
+(allow file-read* file-write* (container-subpath "Library/")
+ (extension "com.apple.nsurlstorage.extension-cache"))
+(allow file-issue-extension (container-subpath "Library/")
+ (extension-class "com.apple.nsurlstorage.extension-cache"))
+
+;; App sandbox extensions
+(allow file-read* file-write* (container-subpath "Library/")
+ (extension "com.apple.app-sandbox.read-write"))
+
+;; Access to own cache & temp folders.
+(allow file-read* file-write* (container-subpath "")
+ (extension "com.apple.webkit.read-write"))
+
+;; IOKit user clients
+(allow iokit-open
+ (iokit-user-client-class "RootDomainUserClient"))
+
+;; Various services required by CFNetwork and other frameworks
+(allow mach-lookup
+ (global-name "com.apple.PowerManagement.control"))
+
+(network-client)
+
+;; Security framework
+(allow mach-lookup
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.securityd"))
+
+(deny file-write-create
+ (vnode-type SYMLINK))
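Review bot: The `com.apple.webkit.read-write` rule uses `(container-subpath "")`, which reads as the whole container rather than the "own cache & temp folders" the comment above it names; every other extension rule in this hunk is scoped to `Library/`, so either narrow it the same way or state in the comment why the container root is required. The unfiltered `(allow system-audit file-read-metadata)` likewise grants metadata reads on any path; if that is intentional for CFNetwork, a one-line comment would keep a later reader from tightening it blindly. The move from `(allow default)` to `(deny default ...)` and the trailing `(deny file-write-create (vnode-type SYMLINK))` are the parts that actually reduce the attack surface, and they deserve a short rationale comment so the rules survive future edits.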
Modified: trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp (170607 => 170608)
--- trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp 2014-06-30 22:51:39 UTC (rev 170608)
@@ -42,6 +42,8 @@
encoder.encodeEnum(cacheModel);
encoder << diskCacheDirectory;
encoder << diskCacheDirectoryExtensionHandle;
+ encoder << cookieStorageDirectory;
+ encoder << cookieStorageDirectoryExtensionHandle;
encoder << shouldUseTestingNetworkSession;
#if ENABLE(CUSTOM_PROTOCOLS)
encoder << urlSchemesRegisteredForCustomProtocols;
@@ -73,6 +75,10 @@
return false;
if (!decoder.decode(result.diskCacheDirectoryExtensionHandle))
return false;
+ if (!decoder.decode(result.cookieStorageDirectory))
+ return false;
+ if (!decoder.decode(result.cookieStorageDirectoryExtensionHandle))
+ return false;
if (!decoder.decode(result.shouldUseTestingNetworkSession))
return false;
#if ENABLE(CUSTOM_PROTOCOLS)
Modified: trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h (170607 => 170608)
--- trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h 2014-06-30 22:51:39 UTC (rev 170608)
@@ -56,6 +56,9 @@
String diskCacheDirectory;
SandboxExtension::Handle diskCacheDirectoryExtensionHandle;
+ String cookieStorageDirectory;
+ SandboxExtension::Handle cookieStorageDirectoryExtensionHandle;
+
bool shouldUseTestingNetworkSession;
#if ENABLE(CUSTOM_PROTOCOLS)
Modified: trunk/Source/WebKit2/Shared/mac/SandboxUtilities.cpp (170607 => 170608)
--- trunk/Source/WebKit2/Shared/mac/SandboxUtilities.cpp 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/Shared/mac/SandboxUtilities.cpp 2014-06-30 22:51:39 UTC (rev 170608)
@@ -27,6 +27,7 @@
#include "SandboxUtilities.h"
#include <array>
+#include <wtf/text/WTFString.h>
#if __has_include(<sandbox/private.h>)
#import <sandbox/private.h>
@@ -67,4 +68,13 @@
return hasContainer;
}
+String pathForProcessContainer()
+{
+ std::array<char, MAXPATHLEN> path;
+ path[0] = 0;
+ sandbox_container_path_for_pid(getpid(), path.data(), path.size());
+
+ return String::fromUTF8(path.data());
}
+
+}
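Review bot: `pathForProcessContainer` ignores the result of `sandbox_container_path_for_pid`, so the header's promise of an empty string for a non-container process rests on the SPI leaving `path[0]` untouched on failure and always NUL-terminating on success, neither of which is visible from this hunk. Checking the return makes that explicit, e.g. `if (sandbox_container_path_for_pid(getpid(), path.data(), path.size()) != 0) return String();`, assuming the SPI reports failure with a nonzero result. `MAXPATHLEN` and `getpid` also need `<sys/param.h>` and `<unistd.h>`, which this hunk does not add; they may arrive transitively through the existing includes. Since the UI process builds the cookie directory, and the sandbox extension issued for it, from this string, a truncated or stale path here would misplace the grant rather than fail loudly.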
Modified: trunk/Source/WebKit2/Shared/mac/SandboxUtilities.h (170607 => 170608)
--- trunk/Source/WebKit2/Shared/mac/SandboxUtilities.h 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/Shared/mac/SandboxUtilities.h 2014-06-30 22:51:39 UTC (rev 170608)
@@ -27,12 +27,16 @@
#define SandboxUtilities_h
#include <sys/types.h>
+#include <wtf/Forward.h>
namespace WebKit {
bool processIsSandboxed(pid_t);
bool processHasContainer();
+// Returns an empty string if the process is not in a container.
+String pathForProcessContainer();
+
}
#endif // SandboxUtilities_h
Modified: trunk/Source/WebKit2/UIProcess/WebContext.cpp (170607 => 170608)
--- trunk/Source/WebKit2/UIProcess/WebContext.cpp 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/UIProcess/WebContext.cpp 2014-06-30 22:51:39 UTC (rev 170608)
@@ -411,6 +411,10 @@
if (!parameters.diskCacheDirectory.isEmpty())
SandboxExtension::createHandleForReadWriteDirectory(parameters.diskCacheDirectory, parameters.diskCacheDirectoryExtensionHandle);
+ parameters.cookieStorageDirectory = cookieStorageDirectory();
+ if (!parameters.cookieStorageDirectory.isEmpty())
+ SandboxExtension::createHandleForReadWriteDirectory(parameters.cookieStorageDirectory, parameters.cookieStorageDirectoryExtensionHandle);
+
parameters.shouldUseTestingNetworkSession = m_shouldUseTestingNetworkSession;
// Add any platform specific parameters
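Review bot: The added `createHandleForReadWriteDirectory` call for the cookie directory discards its return value, matching the disk-cache line above it, but the network process side consumes this handle unconditionally, so a failure here silently yields a network process that cannot reach its cookie storage. Treating a false return as an error (at least an assertion in debug builds) would surface the misconfiguration at launch instead of as scattered file-access denials. `ensureNetworkProcess` starts and ends outside the hunk.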
Modified: trunk/Source/WebKit2/UIProcess/mac/WebContextMac.mm (170607 => 170608)
--- trunk/Source/WebKit2/UIProcess/mac/WebContextMac.mm 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/UIProcess/mac/WebContextMac.mm 2014-06-30 22:51:39 UTC (rev 170608)
@@ -27,6 +27,7 @@
#import "WebContext.h"
#import "PluginProcessManager.h"
+#import "SandboxUtilities.h"
#import "TextChecker.h"
#import "WKBrowsingContextControllerInternal.h"
#import "WKBrowsingContextControllerInternal.h"
@@ -269,8 +270,17 @@
String WebContext::platformDefaultCookieStorageDirectory() const
{
+#if PLATFORM(IOS)
+ String path = pathForProcessContainer();
+ if (path.isEmpty())
+ path = NSHomeDirectory();
+
+ path = path + "/Library/Cookies";
+ return stringByResolvingSymlinksInPath(path);
+#else
notImplemented();
return [@"" stringByStandardizingPath];
+#endif
}
String WebContext::platformDefaultWebSQLDatabaseDirectory()
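Review bot: The new iOS branch of `platformDefaultCookieStorageDirectory` does not say why the container path is preferred over `NSHomeDirectory()` or why the result goes through `stringByResolvingSymlinksInPath`; presumably the resolved path has to match what the network process sandbox sees when the extension is issued, but that is not stated. A comment above `String path = pathForProcessContainer();` such as `// Use the container path when available so the cookie directory matches what the network process sandbox grants; resolve symlinks so the extension is issued for the canonical location.` would make the intent reviewable. The `#else` branch still returns an empty standardized string, which means `ensureNetworkProcess` creates no cookie extension on Mac; if that is deliberate, a one-line comment there would say so.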
Modified: trunk/Source/WebKit2/WebProcess/cocoa/WebProcessCocoa.mm (170607 => 170608)
--- trunk/Source/WebKit2/WebProcess/cocoa/WebProcessCocoa.mm 2014-06-30 22:50:59 UTC (rev 170607)
+++ trunk/Source/WebKit2/WebProcess/cocoa/WebProcessCocoa.mm 2014-06-30 22:51:39 UTC (rev 170608)
@@ -167,6 +167,7 @@
SandboxExtension::consumePermanently(parameters.webSQLDatabaseDirectoryExtensionHandle);
SandboxExtension::consumePermanently(parameters.applicationCacheDirectoryExtensionHandle);
SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle);
+ SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle);
#endif
// When the network process is enabled, each web process wants a stand-alone