Changeset 215132 in webkit


Timestamp:
Apr 7, 2017 5:24:58 PM (7 years ago)
Author:
commit-queue@webkit.org
Message:

Use audit_token_t instead of pid_t for checking sandbox of other processes
https://bugs.webkit.org/show_bug.cgi?id=170616
<rdar://problem/31158189>

Patch by Alex Christensen <achristensen@webkit.org> on 2017-04-07
Reviewed by Daniel Bates.

Source/WebKit2:

pids can be reused, so it's theoretically unsafe to use the pid of another process to check whether it's sandboxed.
Use an audit_token_t instead to be more certain that we are not mistakenly checking a new process that has reused the
old process's pid. For the current process, though, we have no xpc_connection_t to the process because we are the process.

  • PluginProcess/mac/PluginProcessMac.mm:

(WebKit::PluginProcess::initializeSandbox):

  • Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm:

(WebKit::XPCServiceInitializerDelegate::isClientSandboxed):

  • Shared/mac/SandboxUtilities.h:
  • Shared/mac/SandboxUtilities.mm:

(WebKit::currentProcessIsSandboxed):
(WebKit::connectedProcessIsSandboxed):
(WebKit::processIsSandboxed): Deleted.

  • UIProcess/Cocoa/WebProcessProxyCocoa.mm:

(WebKit::WebProcessProxy::platformIsBeingDebugged):

  • UIProcess/Plugins/mac/PluginInfoStoreMac.mm:

(WebKit::PluginInfoStore::shouldUsePlugin):

  • UIProcess/Plugins/mac/PluginProcessProxyMac.mm:

(WebKit::PluginProcessProxy::platformGetLaunchOptions):

Source/WTF:

  • wtf/spi/darwin/SandboxSPI.h:

Declare more SPI.

Location:
trunk/Source
Files:
10 edited

  • trunk/Source/WTF/ChangeLog

    r215107 r215132  
     12017-04-07  Alex Christensen  <achristensen@webkit.org>
     2
     3        Use audit_token_t instead of pid_t for checking sandbox of other processes
     4        https://bugs.webkit.org/show_bug.cgi?id=170616
     5        <rdar://problem/31158189>
     6
     7        Reviewed by Daniel Bates.
     8
     9        * wtf/spi/darwin/SandboxSPI.h:
     10        Declare more SPI.
     11
    1122017-04-07  Ting-Wei Lan  <lantw44@gmail.com>
    213
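--- a/trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h
+++ b/trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h
@@ -24,6 +24,5 @@
  */
 
-#ifndef SandboxSPI_h
-#define SandboxSPI_h
+#pragma once
 
 #if OS(DARWIN)
@@ -46,4 +45,5 @@
 extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT;
 int sandbox_check(pid_t, const char *operation, enum sandbox_filter_type, ...);
+int sandbox_check_by_audit_token(audit_token_t, const char *operation, enum sandbox_filter_type, ...);
 int sandbox_container_path_for_pid(pid_t, char *buffer, size_t bufsize);
 int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
@@ -52,4 +52,2 @@
 
 #endif // OS(DARWIN)
-
-#endif // SandboxSPI_h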
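Review bot: The new `sandbox_check_by_audit_token` declaration introduces `audit_token_t` into this header, but the include lines sit outside the hunk, so I cannot see whether that type is already declared here; if it is not, the header needs an include that provides it (for example `<mach/message.h>`) before this prototype, or the SPI block will only compile in translation units that happened to pull it in earlier. I would also give the new prototype a one-line comment stating why it exists next to the pid_t form, e.g. `// Prefer this over sandbox_check(pid_t, ...) for other processes: a pid can be reused, an audit token cannot.`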
  • trunk/Source/WebKit2/ChangeLog

    r215129 r215132  
     12017-04-07  Alex Christensen  <achristensen@webkit.org>
     2
     3        Use audit_token_t instead of pid_t for checking sandbox of other processes
     4        https://bugs.webkit.org/show_bug.cgi?id=170616
     5        <rdar://problem/31158189>
     6
     7        Reviewed by Daniel Bates.
     8
     9        pid's can be reused, so it's theoretically unsafe to use the pid of another process to check whether it's sandboxed.
     10        Use an audit_token_t instead to be more sure that we are not mistakenly checking a new process that has reused the
     11        old process's pid. For the current process, though, we have no xpc_connection_t to the process because we are the process.
     12
     13        * PluginProcess/mac/PluginProcessMac.mm:
     14        (WebKit::PluginProcess::initializeSandbox):
     15        * Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm:
     16        (WebKit::XPCServiceInitializerDelegate::isClientSandboxed):
     17        * Shared/mac/SandboxUtilities.h:
     18        * Shared/mac/SandboxUtilities.mm:
     19        (WebKit::currentProcessIsSandboxed):
     20        (WebKit::connectedProcessIsSandboxed):
     21        (WebKit::processIsSandboxed): Deleted.
     22        * UIProcess/Cocoa/WebProcessProxyCocoa.mm:
     23        (WebKit::WebProcessProxy::platformIsBeingDebugged):
     24        * UIProcess/Plugins/mac/PluginInfoStoreMac.mm:
     25        (WebKit::PluginInfoStore::shouldUsePlugin):
     26        * UIProcess/Plugins/mac/PluginProcessProxyMac.mm:
     27        (WebKit::PluginProcessProxy::platformGetLaunchOptions):
     28
    1292017-04-07  Brent Fulgham  <bfulgham@apple.com>
    230
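--- a/trunk/Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm
+++ b/trunk/Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm
@@ -621,11 +621,10 @@
     // PluginProcess may already be sandboxed if its parent process was sandboxed, and launched a child process instead of an XPC service.
     // This is generally not expected, however we currently always spawn a child process to create a MIME type preferences file.
-    if (processIsSandboxed(getpid())) {
+    if (currentProcessIsSandboxed()) {
         RELEASE_ASSERT(!parameters.connectionIdentifier.xpcConnection);
-        RELEASE_ASSERT(processIsSandboxed(getppid()));
-        return;
-    }
-
-    bool parentIsSandboxed = parameters.connectionIdentifier.xpcConnection && processIsSandboxed(xpc_connection_get_pid(parameters.connectionIdentifier.xpcConnection.get()));
+        return;
+    }
+
+    bool parentIsSandboxed = parameters.connectionIdentifier.xpcConnection && connectedProcessIsSandboxed(parameters.connectionIdentifier.xpcConnection.get());
 
     if (parameters.extraInitializationData.get("disable-sandbox") == "1") {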
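Review bot: Dropping `RELEASE_ASSERT(processIsSandboxed(getppid()))` leaves the already-sandboxed branch with no check on the parent at all, while the comment on the first two hunk lines still presents "parent was sandboxed" as the expected reason for being here. The removal looks deliberate (there is no XPC connection in this branch to derive an audit token from, and the commit message explains why a pid check is unreliable), but that reasoning is not recorded at the site, so the next reader will see an invariant that is described but never verified. I would add, in place of the removed assert, `// The parent cannot be verified here: with no XPC connection there is no audit token, and a getppid() check is unreliable because pids can be reused.` The enclosing initializeSandbox begins and ends outside the hunk.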
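--- a/trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm
+++ b/trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm
@@ -122,5 +122,5 @@
 bool XPCServiceInitializerDelegate::isClientSandboxed()
 {
-    return processIsSandboxed(xpc_connection_get_pid(m_connection.get()));
+    return connectedProcessIsSandboxed(m_connection.get());
 }
 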
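--- a/trunk/Source/WebKit2/Shared/mac/SandboxUtilities.h
+++ b/trunk/Source/WebKit2/Shared/mac/SandboxUtilities.h
@@ -24,13 +24,14 @@
  */
 
-#ifndef SandboxUtilities_h
-#define SandboxUtilities_h
+#pragma once
 
 #import <sys/types.h>
 #import <wtf/Forward.h>
+#import <wtf/spi/darwin/XPCSPI.h>
 
 namespace WebKit {
 
-bool processIsSandboxed(pid_t);
+bool connectedProcessIsSandboxed(xpc_connection_t);
+bool currentProcessIsSandboxed();
 bool processHasContainer();
 
@@ -41,4 +42,2 @@
 
 }
-
-#endif // SandboxUtilities_h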
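Review bot: The two new declarations carry no comment, and now that the pid_t overload is gone the distinction between them is exactly what a caller needs to know before picking one. I would put above `connectedProcessIsSandboxed` the line `// Checks the peer of the given connection via its audit token; never check another process by pid, since pids can be reused.` and above `currentProcessIsSandboxed` the line `// Checks this process by its own pid; there is no connection to ourselves to take an audit token from.` The `#import <sys/types.h>` may also be unnecessary now if nothing in the lines between the two hunks still uses `pid_t` — worth a look, though those lines are outside the hunk.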
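--- a/trunk/Source/WebKit2/Shared/mac/SandboxUtilities.mm
+++ b/trunk/Source/WebKit2/Shared/mac/SandboxUtilities.mm
@@ -31,11 +31,19 @@
 #import <wtf/spi/cocoa/SecuritySPI.h>
 #import <wtf/spi/darwin/SandboxSPI.h>
+#import <wtf/spi/darwin/XPCSPI.h>
 #import <wtf/text/WTFString.h>
 
 namespace WebKit {
 
-bool processIsSandboxed(pid_t pid)
+bool currentProcessIsSandboxed()
 {
-    return sandbox_check(pid, nullptr, SANDBOX_FILTER_NONE);
+    return sandbox_check(getpid(), nullptr, SANDBOX_FILTER_NONE);
+}
+
+bool connectedProcessIsSandboxed(xpc_connection_t connectionToParent)
+{
+    audit_token_t token;
+    xpc_connection_get_audit_token(connectionToParent, &token);
+    return sandbox_check_by_audit_token(token, nullptr, SANDBOX_FILTER_NONE);
 }
 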
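Review bot: `connectedProcessIsSandboxed` hands `token` to `sandbox_check_by_audit_token` without value-initializing it and without checking `connectionToParent` for null; the PluginProcessMac.mm caller guards the connection, but `isClientSandboxed` in XPCServiceEntryPoint.mm passes `m_connection.get()` unconditionally, and `xpc_connection_get_audit_token` offers no status to inspect here (presumably it returns void, as declared in XPCSPI.h — confirm). Since a sandbox check that silently evaluates garbage is worse than a crash, I would write `audit_token_t token { };` and state the precondition in a comment, `// connection must be non-null; the peer's audit token is used rather than its pid because pids can be reused.` The parameter name `connectionToParent` is also misleading for the XPC service caller, which passes its client's connection — `connection` describes both call sites.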
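--- a/trunk/Source/WebKit2/UIProcess/Cocoa/WebProcessProxyCocoa.mm
+++ b/trunk/Source/WebKit2/UIProcess/Cocoa/WebProcessProxyCocoa.mm
@@ -126,5 +126,5 @@
 {
     // If the UI process is sandboxed, it cannot find out whether other processes are being debugged.
-    if (processIsSandboxed(getpid()))
+    if (currentProcessIsSandboxed())
         return false;
 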
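--- a/trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginInfoStoreMac.mm
+++ b/trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginInfoStoreMac.mm
@@ -101,5 +101,5 @@
     }
 
-    if (processIsSandboxed(getpid()) && !plugin.hasSandboxProfile) {
+    if (currentProcessIsSandboxed() && !plugin.hasSandboxProfile) {
         LOG(Plugins, "Ignoring unsandboxed plug-in %s", plugin.bundleIdentifier.utf8().data());
         return false;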
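--- a/trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginProcessProxyMac.mm
+++ b/trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginProcessProxyMac.mm
@@ -106,5 +106,5 @@
 
     if (pluginProcessAttributes.sandboxPolicy == PluginProcessSandboxPolicyUnsandboxed) {
-        if (!processIsSandboxed(getpid()))
+        if (!currentProcessIsSandboxed())
             launchOptions.extraInitializationData.add("disable-sandbox", "1");
         else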