Revision: 229845
Author: [email protected]
Date: 2018-03-21 21:35:13 -0700 (Wed, 21 Mar 2018)
Log Message
Create an assertion mechanism to ensure proper WebCore use in each WebKit Process
https://bugs.webkit.org/show_bug.cgi?id=183806
<rdar://problem/38694251>
Reviewed by Ryosuke Niwa.
Part of our security improvements involve better isolation between the different WebKit
processes (UIProcess, WebContent, Networking, Storage, etc.).
We need an assertion language we can use to protect certain critical APIs and code paths
against accidental misuse.
This patch adds a new enum type meant to represent different categories of program logic
that we do not want used in the wrong process.
This first patch just creates these types and makes them available. New assertions using
these values will be added as we complete our work ensuring proper process isolation.
In a method we want to protect, we can add an assertion describing the process privileges
needed to execute the code. For example, for cookie access we might use this:
ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));
At the launch of the UIProcess we would use this method to ensure all privileges are available:
setProcessPrivileges(allPrivileges());
In the network process, during platform initialization, we would use something like this:
setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies, ProcessPrivilege::CanAccessCredentials });
In the WebContent process, we would not set any privileges. We could just leave it as the
default initialization, or use this:
setProcessPrivileges({ });
Later, when we attempt to execute the initial code, we would expect an assertion for the
WebContent process, while Network and UIProcess pass the assertion.
* WTF.xcodeproj/project.pbxproj: Add new files.
* wtf/CMakeLists.txt: Ditto.
* wtf/ProcessPrivilege.cpp: Added.
(WTF::processPrivileges):
(WTF::setProcessPrivileges):
(WTF::hasProcessPrivilege):
* wtf/ProcessPrivilege.h: Added.
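A self-contained model of the mechanism the log message describes, added here as an illustration and not WebKit's code: WTF::OptionSet is replaced by a minimal bitmask wrapper (PrivilegeSet), and ProcessKind, initializePrivilegesFor and privilegedPathPermittedIn are assumed names that model the per-process setup and the ASSERT check at a protected call site.

```cpp
#include <cstdint>
#include <initializer_list>

enum class ProcessPrivilege : uint32_t {
    CanAccessRawCookies = 1 << 0,
    CanAccessCredentials = 1 << 1,
    CanCommunicateWithWindowServer = 1 << 2,
};

// Minimal stand-in for WTF::OptionSet<ProcessPrivilege>: one bit per privilege.
class PrivilegeSet {
public:
    PrivilegeSet() = default;
    PrivilegeSet(std::initializer_list<ProcessPrivilege> list) { for (auto p : list) m_bits |= static_cast<uint32_t>(p); }
    bool contains(ProcessPrivilege p) const { return (m_bits & static_cast<uint32_t>(p)) != 0; }
private:
    uint32_t m_bits { 0 };
};

// Process-wide privilege set, default-empty, mirroring the patch.
static PrivilegeSet& processPrivileges()
{
    static PrivilegeSet privileges;
    return privileges;
}
void setProcessPrivileges(PrivilegeSet privileges) { processPrivileges() = privileges; }
bool hasProcessPrivilege(ProcessPrivilege p) { return processPrivileges().contains(p); }
PrivilegeSet allPrivileges()
{
    return { ProcessPrivilege::CanAccessRawCookies, ProcessPrivilege::CanAccessCredentials,
        ProcessPrivilege::CanCommunicateWithWindowServer };
}

// Assumed helper (not in the patch): the per-process initialization the log message describes.
enum class ProcessKind { UIProcess, Networking, WebContent };
void initializePrivilegesFor(ProcessKind kind)
{
    switch (kind) {
    case ProcessKind::UIProcess: setProcessPrivileges(allPrivileges()); break;
    case ProcessKind::Networking:
        setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies, ProcessPrivilege::CanAccessCredentials });
        break;
    case ProcessKind::WebContent: setProcessPrivileges({ }); break; // same as leaving the default
    }
}

// Assumed helper: true when ASSERT(hasProcessPrivilege(needed)) would pass in that process.
bool privilegedPathPermittedIn(ProcessKind kind, ProcessPrivilege needed)
{
    initializePrivilegesFor(kind);
    return hasProcessPrivilege(needed);
}
```

Running the cookie check for each process kind reproduces the outcome the log message predicts: UIProcess and Networking pass, WebContent trips the assertion.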
Diff
Modified: trunk/Source/WTF/ChangeLog (229844 => 229845)
--- trunk/Source/WTF/ChangeLog 2018-03-22 04:20:28 UTC (rev 229844)
+++ trunk/Source/WTF/ChangeLog 2018-03-22 04:35:13 UTC (rev 229845)
@@ -1,3 +1,52 @@
+2018-03-20 Brent Fulgham <[email protected]>
+
+ Create an assertion mechanism to ensure proper WebCore use in each WebKit Process
+ https://bugs.webkit.org/show_bug.cgi?id=183806
+ <rdar://problem/38694251>
+
+ Reviewed by Ryosuke Niwa.
+
+ Part of our security improvements involve better isolation between the different WebKit
+ processes (UIProcess, WebContent, Networking, Storage, etc.).
+
+ We need an assertion language we can use to protect certain critical APIs and code paths
+ against accidental misuse.
+
+ This patch adds a new enum type meant to represent different categories of program logic
+ that we do not want used in the wrong process.
+
+ This first patch just creates these types and makes them available. New assertions using
+ these values will be added as we complete our work ensuring proper process isolation.
+
+ In a method we want to protect, we can add an assertion describing the process privileges
+ needed to execute the code. For example, for cookie access we might use this:
+
+ ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies);
+
+ At the launch of the UIProcess we would use this method to ensure all privileges are available:
+
+ setProcessPrivileges(allPrivileges());
+
+ In the network process, during platform initialization, we would use something like this:
+
+ setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies, ProcessPrivilege::CanAccessCredentials });
+
+ In the WebContent process, we would not set any privileges. We could just leave it as the
+ default initialization, or use this:
+
+ setProcessPrivileges({ });
+
+ Later, when we attempt to execute the initial code, we would expect an assertion for the
+ WebContent process, while Network and UIProcess pass the assertion.
+
+ * WTF.xcodeproj/project.pbxproj: Add new files.
+ * wtf/CMakeLists.txt: Ditto.
+ * wtf/ProcessPrivilege.cpp: Added.
+ (WTF::processPrivileges):
+ (WTF::setProcessPrivileges):
+ (WTF::hasProcessPrivilege):
+ * wtf/ProcessPrivilege.h: Added.
+
2018-03-20 Tim Horton <[email protected]>
Introduce HAVE_MEDIA_PLAYER and HAVE_CORE_VIDEO
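Review bot: the sample assertion in this ChangeLog entry, `ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies);`, is missing its closing parenthesis and would not compile if copied into a call site; it should read `ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessRawCookies));`. The per-file list also credits `(WTF::processPrivileges)`, which is a file-static helper, but omits `allPrivileges()`, the exported entry point callers will actually use; list it so the ChangeLog matches the header.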
Modified: trunk/Source/WTF/WTF.xcodeproj/project.pbxproj (229844 => 229845)
--- trunk/Source/WTF/WTF.xcodeproj/project.pbxproj 2018-03-22 04:20:28 UTC (rev 229844)
+++ trunk/Source/WTF/WTF.xcodeproj/project.pbxproj 2018-03-22 04:35:13 UTC (rev 229845)
@@ -78,6 +78,7 @@
70A993FE1AD7151300FA615B /* SymbolRegistry.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 70A993FC1AD7151300FA615B /* SymbolRegistry.cpp */; };
70ECA60D1B02426800449739 /* AtomicStringImpl.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 70ECA60A1B02426800449739 /* AtomicStringImpl.cpp */; };
7A05093F1FB9DCC500B33FB8 /* JSONValues.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7A05093E1FB9DCC500B33FB8 /* JSONValues.cpp */; };
+ 7AF023B52061E17000A8EFD6 /* ProcessPrivilege.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7AF023B42061E16F00A8EFD6 /* ProcessPrivilege.cpp */; };
7AFEC6B11EB22B5900DADE36 /* UUID.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7AFEC6B01EB22B5900DADE36 /* UUID.cpp */; };
8134013815B092FD001FF0B8 /* Base64.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 8134013615B092FD001FF0B8 /* Base64.cpp */; };
93934BD318A1E8C300D0D6A1 /* StringViewObjC.mm in Sources */ = {isa = PBXBuildFile; fileRef = 93934BD218A1E8C300D0D6A1 /* StringViewObjC.mm */; };
@@ -375,6 +376,8 @@
795212021F42588800BD6421 /* SingleRootGraph.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SingleRootGraph.h; sourceTree = "<group>"; };
7A05093D1FB9DCC500B33FB8 /* JSONValues.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSONValues.h; sourceTree = "<group>"; };
7A05093E1FB9DCC500B33FB8 /* JSONValues.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSONValues.cpp; sourceTree = "<group>"; };
+ 7AF023B32061E16C00A8EFD6 /* ProcessPrivilege.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ProcessPrivilege.h; sourceTree = "<group>"; };
+ 7AF023B42061E16F00A8EFD6 /* ProcessPrivilege.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ProcessPrivilege.cpp; sourceTree = "<group>"; };
7AFEC6AE1EB22AC600DADE36 /* UUID.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UUID.h; sourceTree = "<group>"; };
7AFEC6B01EB22B5900DADE36 /* UUID.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = UUID.cpp; sourceTree = "<group>"; };
7C3F72391D78811900674E26 /* Brigand.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Brigand.h; sourceTree = "<group>"; };
@@ -996,6 +999,8 @@
0F9D335E165DBA73005AD387 /* PrintStream.h */,
53EC253C1E95AD30000831B9 /* PriorityQueue.h */,
0FC4488216FE9FE100844BE9 /* ProcessID.h */,
+ 7AF023B42061E16F00A8EFD6 /* ProcessPrivilege.cpp */,
+ 7AF023B32061E16C00A8EFD6 /* ProcessPrivilege.h */,
143F611D1565F0F900DB514A /* RAMSize.cpp */,
143F611E1565F0F900DB514A /* RAMSize.h */,
C8F597CA2A57417FBAB92FD6 /* RandomDevice.cpp */,
@@ -1482,6 +1487,7 @@
51F1752D1F3D486000C74950 /* PersistentEncoder.cpp in Sources */,
FE85416E1FBE285D008DA5DA /* Poisoned.cpp in Sources */,
0F9D3362165DBA73005AD387 /* PrintStream.cpp in Sources */,
+ 7AF023B52061E17000A8EFD6 /* ProcessPrivilege.cpp in Sources */,
143F611F1565F0F900DB514A /* RAMSize.cpp in Sources */,
A3B725EC987446AD93F1A440 /* RandomDevice.cpp in Sources */,
A8A47414151A825B004123FF /* RandomNumber.cpp in Sources */,
Modified: trunk/Source/WTF/wtf/CMakeLists.txt (229844 => 229845)
--- trunk/Source/WTF/wtf/CMakeLists.txt 2018-03-22 04:20:28 UTC (rev 229844)
+++ trunk/Source/WTF/wtf/CMakeLists.txt 2018-03-22 04:35:13 UTC (rev 229845)
@@ -165,6 +165,7 @@
PrintStream.h
PriorityQueue.h
ProcessID.h
+ ProcessPrivilege.h
RAMSize.h
RandomDevice.h
RandomNumber.h
@@ -359,6 +360,7 @@
ParkingLot.cpp
Poisoned.cpp
PrintStream.cpp
+ ProcessPrivilege.cpp
RAMSize.cpp
RandomDevice.cpp
RandomNumber.cpp
Added: trunk/Source/WTF/wtf/ProcessPrivilege.cpp (0 => 229845)
--- trunk/Source/WTF/wtf/ProcessPrivilege.cpp (rev 0)
+++ trunk/Source/WTF/wtf/ProcessPrivilege.cpp 2018-03-22 04:35:13 UTC (rev 229845)
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ProcessPrivilege.h"
+
+#include <wtf/OptionSet.h>
+
+namespace WTF {
+
+OptionSet<ProcessPrivilege> allPrivileges()
+{
+ return {
+ ProcessPrivilege::CanAccessRawCookies,
+ ProcessPrivilege::CanAccessCredentials,
+ ProcessPrivilege::CanCommunicateWithWindowServer,
+ };
+}
+
+static OptionSet<ProcessPrivilege>& processPrivileges()
+{
+ static OptionSet<ProcessPrivilege> privileges = { };
+ return privileges;
+}
+
+void setProcessPrivileges(OptionSet<ProcessPrivilege> privileges)
+{
+ processPrivileges() = privileges;
+}
+
+bool hasProcessPrivilege(ProcessPrivilege privilege)
+{
+ return processPrivileges().contains(privilege);
+}
+
+} // namespace WTF
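Review bot: `setProcessPrivileges` can be called any number of times and can widen the set, so a later accidental call from the wrong initialization path would silently re-grant privileges that the ChangeLog says the WebContent process must never hold. Consider asserting that the set is established only once (or only ever narrowed), and document that this is a debug-time misuse check rather than a sandbox boundary. Separately, `allPrivileges()` hand-lists the three enumerators and must be updated by hand whenever `ProcessPrivilege` grows; a comment beside the enum pointing back here would reduce the chance the two drift apart.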
Added: trunk/Source/WTF/wtf/ProcessPrivilege.h (0 => 229845)
--- trunk/Source/WTF/wtf/ProcessPrivilege.h (rev 0)
+++ trunk/Source/WTF/wtf/ProcessPrivilege.h 2018-03-22 04:35:13 UTC (rev 229845)
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include <wtf/OptionSet.h>
+
+namespace WTF {
+
+enum class ProcessPrivilege {
+ CanAccessRawCookies = 1 << 0,
+ CanAccessCredentials = 1 << 1,
+ CanCommunicateWithWindowServer = 1 << 2,
+};
+
+WTF_EXPORT void setProcessPrivileges(OptionSet<ProcessPrivilege>);
+WTF_EXPORT bool hasProcessPrivilege(ProcessPrivilege);
+WTF_EXPORT OptionSet<ProcessPrivilege> allPrivileges();
+
+} // namespace WTF
+
+using WTF::ProcessPrivilege;
+using WTF::allPrivileges;
+using WTF::hasProcessPrivilege;
+using WTF::setProcessPrivileges;
+
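Review bot: the enumerators carry no documentation of which process is expected to hold each privilege; the ChangeLog covers CanAccessRawCookies and CanAccessCredentials for the network process but says nothing about CanCommunicateWithWindowServer. A one-line comment per enumerator (expected holder, which code paths it guards) would make future `ASSERT(hasProcessPrivilege(...))` call sites self-explanatory and give reviewers something to check new assertions against.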