- Revision
- 232276
- Author
- jiewen_...@apple.com
- Date
- 2018-05-29 15:59:08 -0700 (Tue, 29 May 2018)
Log Message
Tighten sandbox profiles for Networking Processes to restrict accesses to macOS/iOS Keychains
https://bugs.webkit.org/show_bug.cgi?id=162948
<rdar://problem/40558894>
Reviewed by Brent Fulgham.
The patch conditionally tighten sandbox profiles for Networking Processes to remove Keychain related
permissions and some security permisssions that are not needed. Also it conditionally remove the
Process Privilege for Networking Processes to access Credentials.
In addition, it remove process privilege assertions for SecItemShim as it is supposed to work in processes
that don't have privileges to access Keychains and delegate all operations to UI Process via IPC. Also,
the patch disables SecItemShim for Networking Process conditionally.
* Configurations/Network-iOS.entitlements:
* NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::initializeNetworkProcess):
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Shared/mac/SecItemShim.cpp:
(WebKit::sendSecItemRequest):
(WebKit::webSecItemCopyMatching):
(WebKit::webSecItemAdd):
(WebKit::webSecItemUpdate):
(WebKit::webSecItemDelete):
(WebKit::initializeSecItemShim):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (232275 => 232276)
--- trunk/Source/WebKit/ChangeLog 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/ChangeLog 2018-05-29 22:59:08 UTC (rev 232276)
@@ -1,3 +1,32 @@
+2018-05-25 Jiewen Tan <jiewen_...@apple.com>
+
+ Tighten sandbox profiles for Networking Processes to restrict accesses to macOS/iOS Keychains
+ https://bugs.webkit.org/show_bug.cgi?id=162948
+ <rdar://problem/40558894>
+
+ Reviewed by Brent Fulgham.
+
+ The patch conditionally tighten sandbox profiles for Networking Processes to remove Keychain related
+ permissions and some security permisssions that are not needed. Also it conditionally remove the
+ Process Privilege for Networking Processes to access Credentials.
+
+ In addition, it remove process privilege assertions for SecItemShim as it is supposed to work in processes
+ that don't have privileges to access Keychains and delegate all operations to UI Process via IPC. Also,
+ the patch disables SecItemShim for Networking Process conditionally.
+
+ * Configurations/Network-iOS.entitlements:
+ * NetworkProcess/NetworkProcess.cpp:
+ (WebKit::NetworkProcess::initializeNetworkProcess):
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+ * Shared/mac/SecItemShim.cpp:
+ (WebKit::sendSecItemRequest):
+ (WebKit::webSecItemCopyMatching):
+ (WebKit::webSecItemAdd):
+ (WebKit::webSecItemUpdate):
+ (WebKit::webSecItemDelete):
+ (WebKit::initializeSecItemShim):
+
2018-05-29 Chris Dumez <cdu...@apple.com>
Store 0-lifetime stylesheets / scripts into the disk cache for faster history navigations
Modified: trunk/Source/WebKit/Configurations/Network-iOS.entitlements (232275 => 232276)
--- trunk/Source/WebKit/Configurations/Network-iOS.entitlements 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/Configurations/Network-iOS.entitlements 2018-05-29 22:59:08 UTC (rev 232276)
@@ -12,9 +12,5 @@
</array>
<key>com.apple.private.network.socket-delegate</key>
<true/>
- <key>keychain-access-groups</key>
- <array>
- <string>com.apple.identities</string>
- </array>
</dict>
</plist>
Modified: trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp (232275 => 232276)
--- trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp 2018-05-29 22:59:08 UTC (rev 232276)
@@ -217,7 +217,11 @@
void NetworkProcess::initializeNetworkProcess(NetworkProcessCreationParameters&& parameters)
{
+#if HAVE(SEC_KEY_PROXY)
+ WTF::setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies });
+#else
WTF::setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies, ProcessPrivilege::CanAccessCredentials });
+#endif
WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
WebCore::setPresentingApplicationPID(parameters.presentingApplicationPID);
platformInitializeNetworkProcess(parameters);
Modified: trunk/Source/WebKit/NetworkProcess/ios/NetworkProcessIOS.mm (232275 => 232276)
--- trunk/Source/WebKit/NetworkProcess/ios/NetworkProcessIOS.mm 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/NetworkProcess/ios/NetworkProcessIOS.mm 2018-05-29 22:59:08 UTC (rev 232276)
@@ -84,7 +84,7 @@
void NetworkProcess::platformInitializeNetworkProcess(const NetworkProcessCreationParameters& parameters)
{
-#if ENABLE(SEC_ITEM_SHIM)
+#if ENABLE(SEC_ITEM_SHIM) && !HAVE(SEC_KEY_PROXY)
initializeSecItemShim(*this);
#endif
platformInitializeNetworkProcessCocoa(parameters);
Modified: trunk/Source/WebKit/NetworkProcess/mac/NetworkProcessMac.mm (232275 => 232276)
--- trunk/Source/WebKit/NetworkProcess/mac/NetworkProcessMac.mm 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/NetworkProcess/mac/NetworkProcessMac.mm 2018-05-29 22:59:08 UTC (rev 232276)
@@ -104,7 +104,7 @@
{
platformInitializeNetworkProcessCocoa(parameters);
-#if ENABLE(SEC_ITEM_SHIM)
+#if ENABLE(SEC_ITEM_SHIM) && !HAVE(SEC_KEY_PROXY)
initializeSecItemShim(*this);
#endif
Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (232275 => 232276)
--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2018-05-29 22:59:08 UTC (rev 232276)
@@ -161,12 +161,15 @@
;; Security framework
(allow mach-lookup
- (global-name "com.apple.ctkd.token-client")
- (global-name "com.apple.ocspd")
+#if !HAVE(SEC_KEY_PROXY)
+ (global-name "com.apple.ctkd.token-client")
(global-name "com.apple.securityd.xpc")
(global-name "com.apple.CoreAuthentication.agent.libxpc")
+#endif
+ (global-name "com.apple.ocspd")
(global-name "com.apple.SecurityServer"))
+#if !HAVE(SEC_KEY_PROXY)
;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
(allow file-read-data file-read-metadata file-write*
@@ -177,6 +180,7 @@
(deny file-read* file-write*
(regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
(home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
+#endif
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
@@ -189,16 +193,8 @@
(allow file-read*
(subpath "/private/var/db/mds")
- (literal "/private/var/db/DetachedSignatures")
+ (literal "/private/var/db/DetachedSignatures"))
- ; The following are needed until <rdar://problem/11134688> is resolved.
- (literal "/Library/Preferences/com.apple.security.plist")
- (literal "/Library/Preferences/com.apple.security.common.plist")
- (literal "/Library/Preferences/com.apple.security.revocation.plist")
- (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
- (home-literal "/Library/Preferences/com.apple.security.plist")
- (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
-
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (232275 => 232276)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2018-05-29 22:59:08 UTC (rev 232276)
@@ -74,9 +74,11 @@
;; Security framework
(allow mach-lookup
+#if !HAVE(SEC_KEY_PROXY)
+ (global-name "com.apple.accountsd.accountmanager")
+#endif
(global-name "com.apple.ocspd")
- (global-name "com.apple.securityd")
- (global-name "com.apple.accountsd.accountmanager"))
+ (global-name "com.apple.securityd"))
(deny file-write-create
(vnode-type SYMLINK))
Modified: trunk/Source/WebKit/Shared/mac/SecItemShim.cpp (232275 => 232276)
--- trunk/Source/WebKit/Shared/mac/SecItemShim.cpp 2018-05-29 22:14:03 UTC (rev 232275)
+++ trunk/Source/WebKit/Shared/mac/SecItemShim.cpp 2018-05-29 22:59:08 UTC (rev 232276)
@@ -73,8 +73,6 @@
static std::optional<SecItemResponseData> sendSecItemRequest(SecItemRequestData::Type requestType, CFDictionaryRef query, CFDictionaryRef attributesToMatch = 0)
{
- RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
-
std::optional<SecItemResponseData> response;
auto semaphore = adoptOSObject(dispatch_semaphore_create(0));
@@ -93,7 +91,6 @@
static OSStatus webSecItemCopyMatching(CFDictionaryRef query, CFTypeRef* result)
{
- RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::CopyMatching, query);
if (!response)
return errSecInteractionNotAllowed;
@@ -104,7 +101,6 @@
static OSStatus webSecItemAdd(CFDictionaryRef query, CFTypeRef* result)
{
- RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::Add, query);
if (!response)
return errSecInteractionNotAllowed;
@@ -116,7 +112,6 @@
static OSStatus webSecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
{
- RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::Update, query, attributesToUpdate);
if (!response)
return errSecInteractionNotAllowed;
@@ -126,7 +121,6 @@
static OSStatus webSecItemDelete(CFDictionaryRef query)
{
- RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::Delete, query);
if (!response)
return errSecInteractionNotAllowed;
@@ -136,7 +130,6 @@
void initializeSecItemShim(ChildProcess& process)
{
- RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
sharedProcess = &process;
#if PLATFORM(IOS)