Title: [209779] trunk/Source/WebKit2
- Revision
- 209779
- Author
- [email protected]
- Date
- 2016-12-13 14:56:28 -0800 (Tue, 13 Dec 2016)
Log Message
[Mac][WK2] Tighten Keychain directory access
https://bugs.webkit.org/show_bug.cgi?id=165818
<rdar://problem/16863857>
Reviewed by Anders Carlsson.
Lock down Keychain directory access to just the file-read-data, file-read-metadata, and
file-write-data operations we actually need.
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:
Modified: trunk/Source/WebKit2/ChangeLog (209778 => 209779)
--- trunk/Source/WebKit2/ChangeLog 2016-12-13 22:27:48 UTC (rev 209778)
+++ trunk/Source/WebKit2/ChangeLog 2016-12-13 22:56:28 UTC (rev 209779)
@@ -1,3 +1,18 @@
+2016-12-13 Brent Fulgham <[email protected]>
+
+ [Mac][WK2] Tighten Keychain directory access
+ https://bugs.webkit.org/show_bug.cgi?id=165818
+ <rdar://problem/16863857>
+
+ Reviewed by Anders Carlsson.
+
+ Lock down Keychain directory access to just the file-read-data, file-read-metadata, and
+ file-write-data operations we actually need.
+
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2016-12-13 Andy Estes <[email protected]>
[Cocoa] Implement -shouldInsertText: on WKWebProcessPlugInEditingDelegate
Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (209778 => 209779)
--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2016-12-13 22:27:48 UTC (rev 209778)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2016-12-13 22:56:28 UTC (rev 209779)
@@ -37,6 +37,32 @@
(define (home-literal home-relative-literal)
(literal (string-append (param "HOME_DIR") home-relative-literal)))
+;; Remove when <rdar://problem/29646094> is fixed.
+(define (HEX-pattern-match-generator pattern-descriptor)
+ (letrec ((pattern-string ""))
+ (for-each (lambda (repeat-count)
+ (if (zero? repeat-count)
+ (set! pattern-string (string-append pattern-string "-"))
+ (let appender ((count repeat-count))
+ (if (> count 0)
+ (begin
+ (set! pattern-string (string-append pattern-string "[0-9A-F]"))
+ (appender (- count 1)))))))
+ pattern-descriptor)
+ pattern-string))
+
+;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
+(define (uuid-HEX-pattern-match-string)
+ (HEX-pattern-match-generator '(8 0 4 0 4 0 4 0 12)))
+
+;; global to hold the computed UUID matching pattern.
+(define *uuid-pattern* "")
+
+(define (uuid-regex-string)
+ (if (zero? (string-length *uuid-pattern*))
+ (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
+ *uuid-pattern*)
+
;; Read-only preferences and data
(allow user-preference-read
(preference-domain
@@ -110,7 +136,16 @@
(global-name "com.apple.SecurityServer"))
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
-(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
+(allow file-read-data file-read-metadata file-write-data
+ (subpath "/Library/Keychains")
+ (home-subpath "/Library/Keychains"))
+
+;; Except deny access to new-style iOS Keychain folders which are UUIDs.
+(deny file-read* file-write*
+ (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
+ (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
#endif
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
@@ -123,9 +158,6 @@
"com.apple.security.revocation"))
(allow file-read*
-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
- (subpath "/Library/Keychains")
-#endif
(subpath "/private/var/db/mds")
(literal "/private/var/db/DetachedSignatures")
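Review bot: The character class emitted by `HEX-pattern-match-generator` is upper-case only (`"[0-9A-F]"`), so a keychain folder whose on-disk name carried lower-case hex would slip past the `deny file-read* file-write*` rule while the new `file-read-data file-read-metadata file-write-data` allow on the parent subpath would still apply; unless those folder names are guaranteed upper-case, `"[0-9A-Fa-f]"` closes that gap at no cost. The same definitions and deny rule are repeated verbatim in com.apple.WebKit.plugin-common.sb.in and com.apple.WebProcess.sb.in, so any change belongs in all three (the profiles already pass through the C preprocessor, so a shared include may be an option, though I cannot tell from here whether the build supports it). As a point of style, `*uuid-pattern*` plus the `set!` in `uuid-regex-string` memoize a value that is fixed at profile-load time; unless that is part of the <rdar://problem/29646094> workaround, `(define *uuid-pattern* (uuid-HEX-pattern-match-string))` yields the same string without the mutable global, and the `letrec` in the generator binds only a string and could be a plain `let`. The `(allow file-read*` form at the end of this section continues outside the hunk.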
Modified: trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (209778 => 209779)
--- trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2016-12-13 22:27:48 UTC (rev 209778)
+++ trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2016-12-13 22:56:28 UTC (rev 209779)
@@ -73,6 +73,32 @@
(home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
domains))
+;; Remove when <rdar://problem/29646094> is fixed.
+(define (HEX-pattern-match-generator pattern-descriptor)
+ (letrec ((pattern-string ""))
+ (for-each (lambda (repeat-count)
+ (if (zero? repeat-count)
+ (set! pattern-string (string-append pattern-string "-"))
+ (let appender ((count repeat-count))
+ (if (> count 0)
+ (begin
+ (set! pattern-string (string-append pattern-string "[0-9A-F]"))
+ (appender (- count 1)))))))
+ pattern-descriptor)
+ pattern-string))
+
+;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
+(define (uuid-HEX-pattern-match-string)
+ (HEX-pattern-match-generator '(8 0 4 0 4 0 4 0 12)))
+
+;; global to hold the computed UUID matching pattern.
+(define *uuid-pattern* "")
+
+(define (uuid-regex-string)
+ (if (zero? (string-length *uuid-pattern*))
+ (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
+ *uuid-pattern*)
+
;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
;; This parameter is the major OS Version number.
(if (not (defined? 'os-version))
@@ -162,14 +188,23 @@
(subpath "/Library/ColorSync")
- (home-literal "/Library/Preferences/com.apple.lookup.shared.plist")
+ (home-literal "/Library/Preferences/com.apple.lookup.shared.plist"))
- ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
- (subpath "/Library/Keychains"))
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
+;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
+(allow file-read-data file-read-metadata file-write-data
+ (subpath "/Library/Keychains")
+ (home-library-subpath "/Keychains"))
+;; Except deny access to new-style iOS Keychain folders which are UUIDs.
+(deny file-read* file-write*
+ (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
+ (home-library-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
+#endif
+
;; Security framework
(allow mach-lookup (global-name "com.apple.ocspd"))
-(allow file-read* file-write* (home-library-subpath "/Keychains"))
(allow file-read*
(subpath "/private/var/db/mds")
(literal "/private/var/db/DetachedSignatures"))
@@ -177,9 +212,6 @@
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
;; Read-write preferences and data
-(allow file*
- ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
- (home-library-subpath "/Keychains"))
(allow system-fsctl (fsctl-command (_IO "h" 47)))
;; IOKit user clients
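Review bot: The read grant that the removed `(subpath "/Library/Keychains")` line gave unconditionally is now emitted only under `#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240`, so builds targeting 10.12.4 or later leave the plugin process with no `/Library/Keychains` access at all; the NetworkProcess and WebProcess profiles already gate it that way, so this is presumably the intent, but neither the ChangeLog nor the hunk says so and a sentence in the ChangeLog would record it. The new block relies on sandbox rules being matched last-wins: the deny only takes effect because the broader `(allow file-read* file-write* (home-library-subpath "/Keychains"))` and `(allow file* ... (home-library-subpath "/Keychains"))` forms that followed it have been removed in this same commit. A comment on the new block such as `;; Keep this after any broader file-read*/file-write* allow on Keychains, otherwise the deny below is overridden.` would stop a later edit from silently reintroducing the wider grant. The `(allow file-read*` form whose closing paren is moved at the top of the hunk begins outside it.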
Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (209778 => 209779)
--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2016-12-13 22:27:48 UTC (rev 209778)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2016-12-13 22:56:28 UTC (rev 209779)
@@ -43,6 +43,32 @@
(allow file-read* (subpath path))
(allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
+;; Remove when <rdar://problem/29646094> is fixed.
+(define (HEX-pattern-match-generator pattern-descriptor)
+ (letrec ((pattern-string ""))
+ (for-each (lambda (repeat-count)
+ (if (zero? repeat-count)
+ (set! pattern-string (string-append pattern-string "-"))
+ (let appender ((count repeat-count))
+ (if (> count 0)
+ (begin
+ (set! pattern-string (string-append pattern-string "[0-9A-F]"))
+ (appender (- count 1)))))))
+ pattern-descriptor)
+ pattern-string))
+
+;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
+(define (uuid-HEX-pattern-match-string)
+ (HEX-pattern-match-generator '(8 0 4 0 4 0 4 0 12)))
+
+;; global to hold the computed UUID matching pattern.
+(define *uuid-pattern* "")
+
+(define (uuid-regex-string)
+ (if (zero? (string-length *uuid-pattern*))
+ (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
+ *uuid-pattern*)
+
;; Read-only preferences and data
(allow file-read*
;; Basic system paths
@@ -221,15 +247,21 @@
(global-name "com.apple.SecurityServer"))
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
-(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
+(allow file-read-data file-read-metadata file-write-data
+ (subpath "/Library/Keychains")
+ (home-subpath "/Library/Keychains"))
+
+;; Except deny access to new-style iOS Keychain folders which are UUIDs.
+(deny file-read* file-write*
+ (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
+ (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
#endif
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
(allow file-read*
-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
- (subpath "/Library/Keychains")
-#endif
(subpath "/private/var/db/mds")
(literal "/private/var/db/DetachedSignatures")
; The following are needed until <rdar://problem/11134688> is resolved.