Changeset 170733 in webkit

Timestamp:

Jul 2, 2014 3:54:32 PM (10 years ago)

Author:

oliver@apple.com

Message:

Restrict network process sandbox
​https://bugs.webkit.org/show_bug.cgi?id=134360

Reviewed by Sam Weinig.

Add more restrictions to the network process sandbox.

• NetworkProcess/cocoa/NetworkProcessCocoa.mm: (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):

Always use the cache directory provided in the initialization parameters,
and make sure we consume the cookie directory extension.

• Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:

Make the sandbox profile much more restrictive.

• Shared/Network/NetworkProcessCreationParameters.cpp: (WebKit::NetworkProcessCreationParameters::encode): (WebKit::NetworkProcessCreationParameters::decode):
• Shared/Network/NetworkProcessCreationParameters.h:

The network process now requires an extension to access
its cookie storage.

• Shared/mac/SandboxUtilities.cpp: (WebKit::pathForProcessContainer):
• Shared/mac/SandboxUtilities.h:

We need to be able to get hold of our container so
that we can get the correct cookie storage directory.

• UIProcess/WebContext.cpp: (WebKit::WebContext::ensureNetworkProcess):

We have to pass in the an extension for the cookie storage directory when

initalising the network process

• UIProcess/mac/WebContextMac.mm: (WebKit::WebContext::platformDefaultCookieStorageDirectory):

Make sure we provide the correct location on IOS

• WebProcess/cocoa/WebProcessCocoa.mm: (WebKit::WebProcess::platformInitializeWebProcess):

Consume the cookie storage extension

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• NetworkProcess/cocoa/NetworkProcessCocoa.mm (modified) (1 diff)
• Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (modified) (1 diff)
• Shared/Network/NetworkProcessCreationParameters.cpp (modified) (2 diffs)
• Shared/Network/NetworkProcessCreationParameters.h (modified) (1 diff)
• Shared/mac/SandboxUtilities.cpp (modified) (2 diffs)
• Shared/mac/SandboxUtilities.h (modified) (2 diffs)
• UIProcess/WebContext.cpp (modified) (1 diff)
• UIProcess/mac/WebContextMac.mm (modified) (2 diffs)
• WebProcess/cocoa/WebProcessCocoa.mm (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2014-06-28  Oliver Hunt  <oliver@apple.com>
+
+       Restrict network process sandbox
+       https://bugs.webkit.org/show_bug.cgi?id=134360
+
+       Reviewed by Sam Weinig.
+
+       Add more restrictions to the network process sandbox.
+
+       * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+       (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+         Always use the cache directory provided in the initialization parameters,
+         and make sure we consume the cookie directory extension.
+       * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+         Make the sandbox profile much more restrictive.
+       * Shared/Network/NetworkProcessCreationParameters.cpp:
+       (WebKit::NetworkProcessCreationParameters::encode):
+       (WebKit::NetworkProcessCreationParameters::decode):
+       * Shared/Network/NetworkProcessCreationParameters.h:
+         The network process now requires an extension to access
+         its cookie storage.
+       * Shared/mac/SandboxUtilities.cpp:
+       (WebKit::pathForProcessContainer):
+       * Shared/mac/SandboxUtilities.h:
+         We need to be able to get hold of our container so
+         that we can get the correct cookie storage directory.
+       * UIProcess/WebContext.cpp:
+       (WebKit::WebContext::ensureNetworkProcess):
+         We have to pass in the an extension for the cookie storage directory when
+       initalising the network process
+       * UIProcess/mac/WebContextMac.mm:
+       (WebKit::WebContext::platformDefaultCookieStorageDirectory):
+         Make sure we provide the correct location on IOS
+       * WebProcess/cocoa/WebProcessCocoa.mm:
+       (WebKit::WebProcess::platformInitializeWebProcess):
+         Consume the cookie storage extension
+
 2014-07-02  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm

@@ -61 +61 @@
 void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters& parameters)
 {
+    SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle);
+    m_diskCacheDirectory = parameters.diskCacheDirectory;
+
+    if (!m_diskCacheDirectory.isNull()) {
+        SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle);
 #if PLATFORM(IOS)
-    if (!parameters.uiProcessBundleIdentifier.isNull()) {
         [NSURLCache setSharedURLCache:adoptNS([[NSURLCache alloc]
             _initWithMemoryCapacity:parameters.nsURLCacheMemoryCapacity
             diskCapacity:parameters.nsURLCacheDiskCapacity
             relativePath:parameters.uiProcessBundleIdentifier]).get()];
-    }
 #else
-    m_diskCacheDirectory = parameters.diskCacheDirectory;
-
-    if (!m_diskCacheDirectory.isNull()) {
-        SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle);
         [NSURLCache setSharedURLCache:adoptNS([[NSURLCache alloc]
             initWithMemoryCapacity:parameters.nsURLCacheMemoryCapacity
             diskCapacity:parameters.nsURLCacheDiskCapacity
             diskPath:parameters.diskCacheDirectory]).get()];
+#endif
     }
-#endif
 
 #if PLATFORM(IOS) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090

trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb

@@ -23 +23 @@
 
 (version 1)
-(allow default)
+(deny default (with partial-symbolication))
+(allow system-audit file-read-metadata)
 
 (import "common.sb")
 (import "removed-dev-nodes.sb")
+
+;; Access CFNetwork shared cookies
+;; This is too generous -- <rdar://problem/17496756>
+(apple-cookie-access 'with-read-write)
+
+;; Sandbox extensions
+(allow file-read* (container-subpath "Library/")
+       (extension "com.apple.webkit.read"))
+
+;; Access to client's cache folder & re-vending to CFNetwork.
+(allow file-read* file-write* (require-all (container-subpath "Library/")
+       (extension "com.apple.nsurlstorage.extension-cache")))
+(allow file-issue-extension  (require-all ((container-subpath "Library/")
+       (extension-class "com.apple.nsurlstorage.extension-cache")))
+
+;; App sandbox extensions
+(allow file-read* file-write* (require-all (container-subpath "Library/")
+       (extension "com.apple.app-sandbox.read-write")))
+
+;; Access to own cache & temp folders.
+(allow file-read* file-write* (require-all (container-subpath "")
+       (extension "com.apple.webkit.read-write")))
+
+;; IOKit user clients
+(allow iokit-open
+       (iokit-user-client-class "RootDomainUserClient"))
+
+;; Various services required by CFNetwork and other frameworks
+(allow mach-lookup
+       (global-name "com.apple.PowerManagement.control"))
+
+(network-client)
+
+;; Security framework
+(allow mach-lookup
+       (global-name "com.apple.ocspd")
+       (global-name "com.apple.securityd"))
+
+(deny file-write-create
+       (vnode-type SYMLINK))

trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp

@@ -43 +43 @@
     encoder << diskCacheDirectory;
     encoder << diskCacheDirectoryExtensionHandle;
+    encoder << cookieStorageDirectory;
+    encoder << cookieStorageDirectoryExtensionHandle;
     encoder << shouldUseTestingNetworkSession;
 #if ENABLE(CUSTOM_PROTOCOLS)
@@ -73 +75 @@
         return false;
     if (!decoder.decode(result.diskCacheDirectoryExtensionHandle))
+        return false;
+    if (!decoder.decode(result.cookieStorageDirectory))
+        return false;
+    if (!decoder.decode(result.cookieStorageDirectoryExtensionHandle))
         return false;
     if (!decoder.decode(result.shouldUseTestingNetworkSession))

trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h

@@ -57 +57 @@
     SandboxExtension::Handle diskCacheDirectoryExtensionHandle;
 
+    String cookieStorageDirectory;
+    SandboxExtension::Handle cookieStorageDirectoryExtensionHandle;
+
     bool shouldUseTestingNetworkSession;
 

trunk/Source/WebKit2/Shared/mac/SandboxUtilities.cpp

@@ -28 +28 @@
 
 #include <array>
+#include <wtf/text/WTFString.h>
 
 #if __has_include(<sandbox/private.h>)
@@ -68 +69 @@
 }
 
+String pathForProcessContainer()
+{
+    std::array<char, MAXPATHLEN> path;
+    path[0] = 0;
+    sandbox_container_path_for_pid(getpid(), path.data(), path.size());
+
+    return String::fromUTF8(path.data());
 }
+
+}

trunk/Source/WebKit2/Shared/mac/SandboxUtilities.h

@@ -28 +28 @@
 
 #include <sys/types.h>
+#include <wtf/Forward.h>
 
 namespace WebKit {
@@ -34 +35 @@
 bool processHasContainer();
 
+// Returns an empty string if the process is not in a container.
+String pathForProcessContainer();
+
 }
 

trunk/Source/WebKit2/UIProcess/WebContext.cpp

@@ -412 +412 @@
         SandboxExtension::createHandleForReadWriteDirectory(parameters.diskCacheDirectory, parameters.diskCacheDirectoryExtensionHandle);
 
+    parameters.cookieStorageDirectory = cookieStorageDirectory();
+    if (!parameters.cookieStorageDirectory.isEmpty())
+        SandboxExtension::createHandleForReadWriteDirectory(parameters.cookieStorageDirectory, parameters.cookieStorageDirectoryExtensionHandle);
+
     parameters.shouldUseTestingNetworkSession = m_shouldUseTestingNetworkSession;
 

trunk/Source/WebKit2/UIProcess/mac/WebContextMac.mm

@@ -28 +28 @@
 
 #import "PluginProcessManager.h"
+#import "SandboxUtilities.h"
 #import "TextChecker.h"
 #import "WKBrowsingContextControllerInternal.h"
@@ -270 +271 @@
 String WebContext::platformDefaultCookieStorageDirectory() const
 {
+#if PLATFORM(IOS)
+    String path = pathForProcessContainer();
+    if (path.isEmpty())
+        path = NSHomeDirectory();
+
+    path = path + "/Library/Cookies";
+    return stringByResolvingSymlinksInPath(path);
+#else
     notImplemented();
     return [@"" stringByStandardizingPath];
+#endif
 }
 

trunk/Source/WebKit2/WebProcess/cocoa/WebProcessCocoa.mm

@@ -168 +168 @@
     SandboxExtension::consumePermanently(parameters.applicationCacheDirectoryExtensionHandle);
     SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle);
+    SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle);
 #endif