Changeset 140957 in webkit

Timestamp:

Jan 28, 2013 1:54:15 AM (11 years ago)

Author:

reni@webkit.org

Message:

[WK2] Putting QtWebProcess into a chrooted sandbox
​https://bugs.webkit.org/show_bug.cgi?id=90005

.:

Reviewed by Anders Carlsson and Zoltan Herczeg.

Make it possible to build WebKit2 with SandboxProcess.

• Source/QtWebKit.pro:

Source/WebKit2:

Reviewed by Anders Carlsson and Zoltan Herczeg.

This new feature makes possible to run WebProcess inside a chroot. In this case UIProcess calls the
internal SandboxProcess binary what makes up an environment for WebProcess inside the sandbox and runs the WebProcess.
SandboxProcess first creates two needed device files (random and urandom), mounts filesystems (proc and shared memory),
then links run-time dependencies of WebProcess. After this, SandboxProcess moves to a new pid namespace (cloning with
CLONE_NEWPID flag). Then after an other cloning (with CLONE_FS flag) we share our filesystem with our children. This is
needed because we want to call chroot() function from here and jail our child (WebProcess) too. This will be performed
when WebProcess sends a request for it via an socketpair. If sandboxing is done, SandboxProcess exits.
Since chroot() system call needs sudoer rights SandboxProcess binary should have set its suid flag. However we can reduce
its capabilites. First we restrict the capabilities of the process and the number of its possible resources. Furthermore
we fallback to the nobody or the real user.

• Configurations/FeatureDefines.xcconfig:
• SandboxProcess.pro: Added.
• Shared/linux/SandboxProcess/SandboxEnvironmentLinux.cpp: Added.

(launchChangeRootHelper):
(setEnvironmentVariablesForChangeRootHelper):
(prepareAndStartChangeRootHelper):
(setCapabilities):
(dropPrivileges):
(fileExists):
(directoryPermissions):
(createDirectory):
(createDirectoryPath):
(createDeviceFiles):
(mountFileSystems):
(linkFile):
(linkDirectory):
(collectRunTimeDependencies):
(setupXauthorityForNobodyUser):
(initSandbox):
(restrictCapabilities):
(moveToNewPidNamespace):
(run):
(main):

• Shared/linux/SandboxProcess/SandboxEnvironmentLinux.h: Added.
• Shared/linux/SandboxProcess/StringOperations.cpp: Added.

(stringCopy):
(stringConcat):
(stringAppend):

• Shared/linux/SandboxProcess/StringOperations.h: Added.
• UIProcess/Launcher/qt/ProcessLauncherQt.cpp:

(WebKit::ProcessLauncher::launchProcess):

• WebKit2.pri:
• WebProcess.pro:
• WebProcess/qt/WebProcessMainQt.cpp:

(WebKit):
(WebKit::chrootMe):
(WebKit::WebProcessMainQt):

Tools:

Reviewed by Anders Carlsson and Zoltan Herczeg.

Add feature flag for suid sandbox in linux.

• Scripts/webkitperl/FeatureList.pm:

Location:

trunk

Files:

• ChangeLog (modified) (1 diff)
• Source/QtWebKit.pro (modified) (1 diff)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/SandboxProcess.pro (copied) (copied from trunk/Source/WebKit2/WebProcess.pro) (2 diffs)
• Source/WebKit2/Shared/linux/SandboxProcess (added)
• Source/WebKit2/Shared/linux/SandboxProcess/SandboxEnvironmentLinux.cpp (added)
• Source/WebKit2/Shared/linux/SandboxProcess/SandboxEnvironmentLinux.h (added)
• Source/WebKit2/UIProcess/Launcher/qt/ProcessLauncherQt.cpp (modified) (5 diffs)
• Source/WebKit2/WebKit2.pri (modified) (2 diffs)
• Source/WebKit2/WebProcess.pro (modified) (1 diff)
• Source/WebKit2/WebProcess/qt/WebProcessMainQt.cpp (modified) (4 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/Scripts/webkitperl/FeatureList.pm (modified) (2 diffs)

trunk/ChangeLog

@@ +1 @@
+2013-01-28  Renata Hodovan  <reni@webkit.org>
+
+        [WK2] Putting QtWebProcess into a chrooted sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=90005
+
+        Reviewed by Anders Carlsson and Zoltan Herczeg.
+
+        Make it possible to build WebKit2 with SandboxProcess.
+
+        * Source/QtWebKit.pro:
+
 2013-01-27  David Farler  <dfarler@apple.com>
 

trunk/Source/QtWebKit.pro

@@ -23 +23 @@
         SUBDIRS += pluginprocess
     }
+
+    enable?(SUID_SANDBOX_LINUX) {
+        sandboxprocess.file = WebKit2/SandboxProcess.pro
+        SUBDIRS += sandboxprocess
+    }
 }
 

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2013-01-28  Renata Hodovan  <reni@webkit.org>
+
+        [WK2] Putting QtWebProcess into a chrooted sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=90005
+
+        Reviewed by Anders Carlsson and Zoltan Herczeg.
+
+        This new feature makes possible to run WebProcess inside a chroot. In this case UIProcess calls the
+        internal SandboxProcess binary what makes up an environment for WebProcess inside the sandbox and runs the WebProcess.
+        SandboxProcess first creates two needed device files (random and urandom), mounts filesystems (proc and shared memory),
+        then links run-time dependencies of WebProcess. After this, SandboxProcess moves to a new pid namespace (cloning with
+        CLONE_NEWPID flag). Then after an other cloning (with CLONE_FS flag) we share our filesystem with our children. This is
+        needed because we want to call chroot() function from here and jail our child (WebProcess) too. This will be performed
+        when WebProcess sends a request for it via an socketpair. If sandboxing is done, SandboxProcess exits.
+        Since chroot() system call needs sudoer rights SandboxProcess binary should have set its suid flag. However we can reduce
+        its capabilites. First we restrict the capabilities of the process and the number of its possible resources. Furthermore
+        we fallback to the nobody or the real user.
+
+        * Configurations/FeatureDefines.xcconfig:
+        * SandboxProcess.pro: Added.
+        * Shared/linux/SandboxProcess/SandboxEnvironmentLinux.cpp: Added.
+        (launchChangeRootHelper):
+        (setEnvironmentVariablesForChangeRootHelper):
+        (prepareAndStartChangeRootHelper):
+        (setCapabilities):
+        (dropPrivileges):
+        (fileExists):
+        (directoryPermissions):
+        (createDirectory):
+        (createDirectoryPath):
+        (createDeviceFiles):
+        (mountFileSystems):
+        (linkFile):
+        (linkDirectory):
+        (collectRunTimeDependencies):
+        (setupXauthorityForNobodyUser):
+        (initSandbox):
+        (restrictCapabilities):
+        (moveToNewPidNamespace):
+        (run):
+        (main):
+        * Shared/linux/SandboxProcess/SandboxEnvironmentLinux.h: Added.
+        * Shared/linux/SandboxProcess/StringOperations.cpp: Added.
+        (stringCopy):
+        (stringConcat):
+        (stringAppend):
+        * Shared/linux/SandboxProcess/StringOperations.h: Added.
+        * UIProcess/Launcher/qt/ProcessLauncherQt.cpp:
+        (WebKit::ProcessLauncher::launchProcess):
+        * WebKit2.pri:
+        * WebProcess.pro:
+        * WebProcess/qt/WebProcessMainQt.cpp:
+        (WebKit):
+        (WebKit::chrootMe):
+        (WebKit::WebProcessMainQt):
+
 2013-01-28  Christophe Dumez  <christophe.dumez@intel.com>
 

trunk/Source/WebKit2/SandboxProcess.pro

@@ -1 +1 @@
 # -------------------------------------------------------------------
-# Project file for the WebKit2 web process binary
+# Project file for the WebKit2 sandbox process binary
 #
 # See 'Tools/qmake/README' for an overview of the build system
@@ -7 +7 @@
 TEMPLATE = app
 
-TARGET = QtWebProcess
+TARGET = SUIDSandboxHelper
 DESTDIR = $${ROOT_BUILD_DIR}/bin
 
-SOURCES += qt/MainQt.cpp
+CONFIG += console
+CONFIG -= qt
 
-QT += network webkit
-macx: QT += xml
-
-haveQtModule(widgets): QT += widgets webkitwidgets
-
-build?(webkit1): DEFINES += HAVE_WEBKIT1
+SOURCES += Shared/linux/SandboxProcess/SandboxEnvironmentLinux.cpp
+HEADERS += Shared/linux/SandboxProcess/SandboxEnvironmentLinux.h
 
 INSTALLS += target
+LIBS += -lcap -ldl
 
 isEmpty(INSTALL_BINS) {
-    target.path = $$[QT_INSTALL_LIBEXECS]
+    target.path = $$[QT_INSTALL_BINS]
 } else {
     target.path = $$INSTALL_BINS
 }
-
-

trunk/Source/WebKit2/UIProcess/Launcher/qt/ProcessLauncherQt.cpp

@@ -62 +62 @@
 #endif
 
+#if ENABLE(SUID_SANDBOX_LINUX)
+#include <QCoreApplication>
+#endif
+
 #if OS(DARWIN)
 #include <mach/mach_init.h>
@@ -167 +171 @@
 #endif
 
-    QProcess* webProcess = new QtWebProcess();
-    webProcess->setProcessChannelMode(QProcess::ForwardedChannels);
-    webProcess->start(commandLine);
+    QProcess* webProcessOrSUIDHelper = new QtWebProcess();
+    webProcessOrSUIDHelper->setProcessChannelMode(QProcess::ForwardedChannels);
+
+#if ENABLE(SUID_SANDBOX_LINUX)
+    if (m_launchOptions.processType == WebProcess) {
+        QString sandboxCommandLine = QLatin1String("%1 %2 %3");
+        sandboxCommandLine = sandboxCommandLine.arg(QCoreApplication::applicationDirPath() + QLatin1String("/SUIDSandboxHelper"));
+        sandboxCommandLine = sandboxCommandLine.arg(executablePathOfWebProcess());
+        sandboxCommandLine = sandboxCommandLine.arg(sockets[0]);
+
+        webProcessOrSUIDHelper->start(sandboxCommandLine);
+    } else
+        webProcessOrSUIDHelper->start(commandLine);
+#else
+    webProcessOrSUIDHelper->start(commandLine);
+#endif
 
 #if OS(UNIX) && !OS(DARWIN)
@@ -176 +193 @@
         if (errno != EINTR) {
             ASSERT_NOT_REACHED();
-            delete webProcess;
+            delete webProcessOrSUIDHelper;
             return;
         }
@@ -182 +199 @@
 #endif
 
-    if (!webProcess->waitForStarted()) {
+    if (!webProcessOrSUIDHelper->waitForStarted()) {
         qDebug() << "Failed to start" << commandLine;
         ASSERT_NOT_REACHED();
@@ -189 +206 @@
         mach_port_mod_refs(mach_task_self(), connector, MACH_PORT_RIGHT_RECEIVE, -1);
 #endif
-        delete webProcess;
-        return;
-    }
-
+        delete webProcessOrSUIDHelper;
+        return;
+    }
 #if OS(UNIX)
-    setpriority(PRIO_PROCESS, webProcess->pid(), 10);
-#endif
-
-    RunLoop::main()->dispatch(bind(&WebKit::ProcessLauncher::didFinishLaunchingProcess, this, webProcess, connector));
+    setpriority(PRIO_PROCESS, webProcessOrSUIDHelper->pid(), 10);
+#endif
+    RunLoop::main()->dispatch(bind(&WebKit::ProcessLauncher::didFinishLaunchingProcess, this, webProcessOrSUIDHelper, connector));
 }
 

trunk/Source/WebKit2/WebKit2.pri

@@ -16 +16 @@
     $$SOURCE_DIR/Platform/qt \
     $$SOURCE_DIR/Shared \
+    $$SOURCE_DIR/Shared/linux/SandboxProcess \
     $$SOURCE_DIR/Shared/API/c \
     $$SOURCE_DIR/Shared/Authentication \
@@ -64 +65 @@
     $$SOURCE_DIR/WebProcess/WebPage/CoordinatedGraphics \
     $$SOURCE_DIR/WebProcess/qt \
-    $$SOURCE_DIR/PluginProcess
+    $$SOURCE_DIR/PluginProcess \
 
 # The WebKit2 Qt APIs depend on qwebkitglobal.h, which lives in WebKit

trunk/Source/WebKit2/WebProcess.pro

@@ -11 +11 @@
 
 SOURCES += qt/MainQt.cpp
+
+INCLUDEPATH = \
+    $$PWD/Shared/linux/SandboxProcess/ \
+    $$INCLUDEPATH
 
 QT += network webkit

trunk/Source/WebKit2/WebProcess/qt/WebProcessMainQt.cpp

@@ -1 +1 @@
 /*
+ * Copyright (C) 2013 University of Szeged
+ * Copyright (C) 2013 Renata Hodovan <reni@inf.u-szeged.hu>
  * Copyright (C) 2010 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
@@ -35 +37 @@
 #include <QUrl>
 #include <WebCore/RunLoop.h>
+#include <errno.h>
 #include <runtime/InitializeThreading.h>
+#include <sys/wait.h>
 #include <wtf/MainThread.h>
 
@@ -56 +60 @@
 
 extern "C" kern_return_t bootstrap_look_up2(mach_port_t, const name_t, mach_port_t*, pid_t, uint64_t);
+#endif
+
+#if ENABLE(SUID_SANDBOX_LINUX)
+#include "SandboxEnvironmentLinux.h"
 #endif
 
@@ -140 +148 @@
 }
 
+#if ENABLE(SUID_SANDBOX_LINUX)
+pid_t chrootMe()
+{
+    // Get the file descriptor of the socketpair.
+    char* sandboxSocketDescriptorString = getenv(SANDBOX_DESCRIPTOR);
+    if (!sandboxSocketDescriptorString)
+        return -1;
+
+    char* firstInvalidCharacter;
+    long int sandboxSocketDescriptor = strtol(sandboxSocketDescriptorString, &firstInvalidCharacter, 10);
+    if (*firstInvalidCharacter != '\0') {
+        fprintf(stderr, "The socket descriptor of sandbox is not valid.\n");
+        return -1;
+    }
+
+    // Get the PID of the setuid helper.
+    char* sandboxHelperPIDString = getenv(SANDBOX_HELPER_PID);
+    pid_t sandboxHelperPID = -1;
+
+    // If no PID is available, the default of -1 will do.
+    if (sandboxHelperPIDString) {
+        errno = 0;
+        sandboxHelperPID = strtol(sandboxHelperPIDString, &firstInvalidCharacter, 10);
+        if (*firstInvalidCharacter != '\0') {
+            fprintf(stderr, "The PID of sandbox is not valid.\n");
+            return -1;
+        }
+    }
+
+    // Send the chrootMe message to the helper.
+    char sandboxMeMessage = MSG_CHROOTME;
+    ssize_t numberOfCharacters = write(sandboxSocketDescriptor, &sandboxMeMessage, 1);
+    if (numberOfCharacters != 1) {
+        fprintf(stderr, "ChrootMe msg failed to write: %s.\n", strerror(errno));
+        return -1;
+    }
+
+    // Read the acknowledgement message from the helper.
+    numberOfCharacters = read(sandboxSocketDescriptor, &sandboxMeMessage, 1);
+    if (numberOfCharacters != 1 || sandboxMeMessage != MSG_CHROOTED) {
+        fprintf(stderr, "Couldn't read the confirmation message: %s.\n", strerror(errno));
+        return -1;
+    }
+    close(sandboxSocketDescriptor);
+
+    // Wait for the helper process.
+    int expectedPID = waitpid(sandboxHelperPID, 0, 0);
+    if (expectedPID != -1 && (sandboxHelperPID == -1 || expectedPID == sandboxHelperPID))
+        return expectedPID;
+    fprintf(stderr, "Couldn't wait for the helper process: %s\n", strerror(errno));
+    return -1;
+}
+#endif
+
 Q_DECL_EXPORT int WebProcessMainQt(QGuiApplication* app)
 {
+#if ENABLE(SUID_SANDBOX_LINUX)
+    pid_t helper = chrootMe();
+    if (helper == -1) {
+        fprintf(stderr, "Asking for chroot failed.\n");
+        return -1;
+    }
+#endif
     initializeProxy();
-
     JSC::initializeThreading();
     WTF::initializeMainThread();
     RunLoop::initializeMainRunLoop();
-    
+
 #if USE(QTKIT)
     InitWebCoreSystemInterfaceForWK2();

trunk/Tools/ChangeLog

@@ +1 @@
+2013-01-28  Renata Hodovan  <reni@webkit.org>
+
+        [WK2] Putting QtWebProcess into a chrooted sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=90005
+
+        Reviewed by Anders Carlsson and  Zoltan Herczeg.
+
+        Add feature flag for suid sandbox in linux.
+
+        * Scripts/webkitperl/FeatureList.pm:
+
 2013-01-27  David Farler  <dfarler@apple.com>
 

trunk/Tools/Scripts/webkitperl/FeatureList.pm

@@ -130 +130 @@
     $sqlDatabaseSupport,
     $styleScopedSupport,
+    $suidLinuxSandbox,
     $svgDOMObjCBindingsSupport,
     $svgFontsSupport,
@@ -406 +407 @@
       define => "ENABLE_STYLE_SCOPED", default => (isBlackBerry() || isGtk()), value => \$styleScopedSupport },
 
+    { option => "suid-linux-sandbox", desc => "Toggle suid sandbox for linux",
+      define => "ENABLE_SUID_SANDBOX_LINUX", default => 0, value => \$suidLinuxSandbox },
+
     { option => "svg", desc => "Toggle SVG support",
       define => "ENABLE_SVG", default => 1, value => \$svgSupport },