Changeset 253351 in webkit

Timestamp:

Dec 10, 2019 3:21:41 PM (4 years ago)

Author:

pvollan@apple.com

Message:

[iOS] Deny mach lookup access to network extension services in the WebContent sandbox
​https://bugs.webkit.org/show_bug.cgi?id=203929

Reviewed by Brent Fulgham.

Source/WebCore:

Add a global flag to NetworkExtensionContentFilter to indicate whether network extension sandbox extensions have
been consumed. If the flag has been set, there is no need to check NEFilterSource.filterRequired, since the flag
will tell if filtering is required. Checking NEFilterSource.filterRequired will lead to other mach lookups which
we are trying to avoid.

The test ContentFiltering.LazilyLoadPlatformFrameworks has been modified.

• WebCore.xcodeproj/project.pbxproj:
• platform/cocoa/NetworkExtensionContentFilter.h:
• platform/cocoa/NetworkExtensionContentFilter.mm:

(WebCore::NetworkExtensionContentFilter::enabled):

Source/WebKit:

Mach lookup access to network extension services in the WebContent process is only needed if
NEFilterSource.filterRequired is true. If this is the case, issue the needed mach lookup
sandbox extensions to the WebContent process, where they will be consumed. Eventually, all
the content filtering code should be moved to the Networking process, but since this is a
bigger undertaking, we can issue extensions in the meantime to strengthen the sandbox.

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
• Shared/WebProcessCreationParameters.cpp:

(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):

• Shared/WebProcessCreationParameters.h:
• UIProcess/Cocoa/WebProcessPoolCocoa.mm:

(WebKit::WebProcessPool::platformInitializeWebProcess):

• WebProcess/cocoa/WebProcessCocoa.mm:

(WebKit::WebProcess::platformInitializeWebProcess):

• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/WebCore.xcodeproj/project.pbxproj (modified) (6 diffs)
• WebCore/platform/cocoa/NetworkExtensionContentFilter.h (modified) (2 diffs)
• WebCore/platform/cocoa/NetworkExtensionContentFilter.mm (modified) (2 diffs)
• WebKit/ChangeLog (modified) (1 diff)
• WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (2 diffs)
• WebKit/Shared/WebProcessCreationParameters.cpp (modified) (2 diffs)
• WebKit/Shared/WebProcessCreationParameters.h (modified) (1 diff)
• WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (modified) (2 diffs)
• WebKit/WebProcess/cocoa/WebProcessCocoa.mm (modified) (2 diffs)
• WebKit/WebProcess/com.apple.WebProcess.sb.in (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-12-10  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to network extension services in the WebContent sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=203929
+
+        Reviewed by Brent Fulgham.
+
+        Add a global flag to NetworkExtensionContentFilter to indicate whether network extension sandbox extensions have
+        been consumed. If the flag has been set, there is no need to check NEFilterSource.filterRequired, since the flag
+        will tell if filtering is required. Checking NEFilterSource.filterRequired will lead to other mach lookups which
+        we are trying to avoid.
+
+        The test ContentFiltering.LazilyLoadPlatformFrameworks has been modified.
+
+        * WebCore.xcodeproj/project.pbxproj:
+        * platform/cocoa/NetworkExtensionContentFilter.h:
+        * platform/cocoa/NetworkExtensionContentFilter.mm:
+        (WebCore::NetworkExtensionContentFilter::enabled):
+
 2019-12-10  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -2973 +2973 @@
                 A1491DA31F859D870095F5D4 /* PaymentSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A1491DA21F859D870095F5D4 /* PaymentSession.h */; };
                 A149786F1ABAF33800CEF7E4 /* ContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A149786D1ABAF33800CEF7E4 /* ContentFilter.h */; };
-                A14978711ABAF3A500CEF7E4 /* PlatformContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A14978701ABAF3A500CEF7E4 /* PlatformContentFilter.h */; };
+                A14978711ABAF3A500CEF7E4 /* PlatformContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A14978701ABAF3A500CEF7E4 /* PlatformContentFilter.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A14BB0A01F9813B800605A35 /* MockPayment.h in Headers */ = {isa = PBXBuildFile; fileRef = A14BB09E1F9813B800605A35 /* MockPayment.h */; };
                 A15D75161E68F7C800A35FBC /* BlobCallback.h in Headers */ = {isa = PBXBuildFile; fileRef = A15D75131E68F7B100A35FBC /* BlobCallback.h */; };
@@ -3002 +3002 @@
                 A19AEA211AAA808600B52B25 /* JSMockContentFilterSettings.h in Headers */ = {isa = PBXBuildFile; fileRef = A19AEA1E1AAA806E00B52B25 /* JSMockContentFilterSettings.h */; };
                 A19AEA221AAA808A00B52B25 /* JSMockContentFilterSettings.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A19AEA1D1AAA806E00B52B25 /* JSMockContentFilterSettings.cpp */; };
-                A19D934B1AA11B1E00B46C24 /* NetworkExtensionContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A19D93491AA11B1E00B46C24 /* NetworkExtensionContentFilter.h */; };
+                A19D934B1AA11B1E00B46C24 /* NetworkExtensionContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A19D93491AA11B1E00B46C24 /* NetworkExtensionContentFilter.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A1AA9AB91D23911500FEADB3 /* ContentFilterBlockedPage.html in Resources */ = {isa = PBXBuildFile; fileRef = A1AA9AB81D23911500FEADB3 /* ContentFilterBlockedPage.html */; };
                 A1ADAF7D2360FD3E009CB776 /* PreviewConverterClient.h in Headers */ = {isa = PBXBuildFile; fileRef = A1ADAF7B2360FD3D009CB776 /* PreviewConverterClient.h */; };
@@ -16748 +16748 @@
                                 E4FB4B35239BEB10003C336A /* DisplayInlineContent.cpp */,
                                 E451C6332394058E00993190 /* DisplayInlineContent.h */,
+                                112FB350239C23C40087054A /* DisplayInlineRect.h */,
                                 6FB47E612277425A00C7BCB0 /* DisplayLineBox.h */,
                                 6F77868523491AC6004D9636 /* DisplayPainter.cpp */,
                                 6F77868723491AD7004D9636 /* DisplayPainter.h */,
                                 6FD9CD52227E21C800E53957 /* DisplayRect.h */,
-                                112FB350239C23C40087054A /* DisplayInlineRect.h */,
                                 6FCE1A1822618AB3004F0343 /* DisplayRun.h */,
                         );
@@ -29607 +29607 @@
                                 1199FA5B208E3C7F002358CC /* DisplayBox.h in Headers */,
                                 E451C6342394058F00993190 /* DisplayInlineContent.h in Headers */,
+                                112FB352239C23C40087054A /* DisplayInlineRect.h in Headers */,
+                                6FB47E632277425A00C7BCB0 /* DisplayLineBox.h in Headers */,
                                 0FE5FBD31C3DD51E0007A2CA /* DisplayList.h in Headers */,
                                 0FE5FBD51C3DD51E0007A2CA /* DisplayListItems.h in Headers */,
@@ -30266 +30268 @@
                                 6FE7CFA22177EEF2005B1573 /* InlineItem.h in Headers */,
                                 BCE789161120D6080060ECE5 /* InlineIterator.h in Headers */,
-                                6FB47E632277425A00C7BCB0 /* DisplayLineBox.h in Headers */,
                                 6FE198172178397C00446F08 /* InlineLineBreaker.h in Headers */,
                                 6F0CD695229ED32700C5994E /* InlineLineBuilder.h in Headers */,
@@ -31928 +31929 @@
                                 436708C112D9CA4B00044234 /* RenderSVGBlock.h in Headers */,
                                 436708C312D9CA4B00044234 /* RenderSVGContainer.h in Headers */,
-                                112FB352239C23C40087054A /* DisplayInlineRect.h in Headers */,
                                 2B365C841525119E0091D27B /* RenderSVGEllipse.h in Headers */,
                                 43C092BC12D9E4EE00A989C3 /* RenderSVGForeignObject.h in Headers */,

trunk/Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.h

@@ -54 +54 @@
 #endif
 
+    WEBCORE_EXPORT static void setHasConsumedSandboxExtensions(bool);
+
 private:
     static bool enabled();
@@ -61 +63 @@
     void handleDecision(NEFilterSourceStatus, NSData *replacementData);
 
+    enum class SandboxExtensionsState : uint8_t {
+        Consumed,
+        NotConsumed,
+        NotSet
+    };
+
+    WEBCORE_EXPORT static SandboxExtensionsState m_sandboxExtensionsState;
+
     OSObjectPtr<dispatch_queue_t> m_queue;
     RetainPtr<NSData> m_replacementData;

trunk/Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.mm

@@ -52 +52 @@
 namespace WebCore {
 
+NetworkExtensionContentFilter::SandboxExtensionsState NetworkExtensionContentFilter::m_sandboxExtensionsState = SandboxExtensionsState::NotSet;
+
 bool NetworkExtensionContentFilter::enabled()
 {
-    bool enabled = [getNEFilterSourceClass() filterRequired];
+    bool enabled = false;
+    switch (m_sandboxExtensionsState) {
+    case SandboxExtensionsState::Consumed:
+        enabled = true;
+        break;
+    case SandboxExtensionsState::NotConsumed:
+        enabled = false;
+        break;
+    case SandboxExtensionsState::NotSet:
+        enabled = [getNEFilterSourceClass() filterRequired];
+        break;
+    }
     LOG(ContentFiltering, "NetworkExtensionContentFilter is %s.\n", enabled ? "enabled" : "not enabled");
     return enabled;
@@ -216 +229 @@
 }
 
+void NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(bool hasConsumedSandboxExtensions)
+{
+    m_sandboxExtensionsState = (hasConsumedSandboxExtensions ? SandboxExtensionsState::Consumed : SandboxExtensionsState::NotConsumed);
+}
+
 } // namespace WebCore
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-12-10  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to network extension services in the WebContent sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=203929
+
+        Reviewed by Brent Fulgham.
+
+        Mach lookup access to network extension services in the WebContent process is only needed if
+        NEFilterSource.filterRequired is true. If this is the case, issue the needed mach lookup
+        sandbox extensions to the WebContent process, where they will be consumed. Eventually, all
+        the content filtering code should be moved to the Networking process, but since this is a
+        bigger undertaking, we can issue extensions in the meantime to strengthen the sandbox.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * Shared/WebProcessCreationParameters.cpp:
+        (WebKit::WebProcessCreationParameters::encode const):
+        (WebKit::WebProcessCreationParameters::decode):
+        * Shared/WebProcessCreationParameters.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeWebProcess):
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::platformInitializeWebProcess):
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2019-12-10  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -478 +478 @@
 (define-once (network-extensions-support)
     ;; Network Extensions / VPN helper.
-    (allow mach-lookup
+    (allow mach-lookup (with report) (with telemetry)
         (global-name "com.apple.nehelper")
         (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
@@ -967 +967 @@
     (require-all
         (extension "com.apple.webkit.extension.mach")
-        (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService")))
+        (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService" "com.apple.nehelper" "com.apple.nesessionmanager.content-filter")))
 
 (media-capture-support)

trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp

@@ -164 +164 @@
     encoder << compilerServiceExtensionHandle;
 #endif
+    
+#if PLATFORM(COCOA)
+    encoder << neHelperExtensionHandle;
+    encoder << neSessionManagerExtensionHandle;
+#endif
 }
 
@@ -404 +409 @@
 #endif
 
+#if PLATFORM(COCOA)
+    Optional<Optional<SandboxExtension::Handle>> neHelperExtensionHandle;
+    decoder >> neHelperExtensionHandle;
+    if (!neHelperExtensionHandle)
+        return false;
+    parameters.neHelperExtensionHandle = WTFMove(*neHelperExtensionHandle);
+
+    Optional<Optional<SandboxExtension::Handle>> neSessionManagerExtensionHandle;
+    decoder >> neSessionManagerExtensionHandle;
+    if (!neSessionManagerExtensionHandle)
+        return false;
+    parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
+#endif
+
     return true;
 }

trunk/Source/WebKit/Shared/WebProcessCreationParameters.h

@@ -202 +202 @@
     Optional<SandboxExtension::Handle> compilerServiceExtensionHandle;
 #endif
+
+#if PLATFORM(COCOA)
+    Optional<SandboxExtension::Handle> neHelperExtensionHandle;
+    Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
+#endif
 };
 

trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm

@@ -73 +73 @@
 #endif
 
+#if PLATFORM(COCOA)
+#import <pal/spi/cocoa/NEFilterSourceSPI.h>
+
+SOFT_LINK_FRAMEWORK_OPTIONAL(NetworkExtension);
+SOFT_LINK_CLASS_OPTIONAL(NetworkExtension, NEFilterSource);
+#endif
+
 NSString *WebServiceWorkerRegistrationDirectoryDefaultsKey = @"WebServiceWorkerRegistrationDirectory";
 NSString *WebKitLocalCacheDefaultsKey = @"WebKitLocalCache";
@@ -296 +303 @@
     }
 #endif
+    
+#if PLATFORM(COCOA)
+    if ([getNEFilterSourceClass() filterRequired]) {
+        SandboxExtension::Handle handle;
+        SandboxExtension::createHandleForMachLookup("com.apple.nehelper", WTF::nullopt, handle);
+        parameters.neHelperExtensionHandle = WTFMove(handle);
+        SandboxExtension::createHandleForMachLookup("com.apple.nesessionmanager.content-filter", WTF::nullopt, handle);
+        parameters.neSessionManagerExtensionHandle = WTFMove(handle);
+    }
+#endif
 }
 

trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm

@@ -117 +117 @@
 #endif
 
+#if PLATFORM(COCOA)
+#import <WebCore/NetworkExtensionContentFilter.h>
+#endif
+
 #if HAVE(CSCHECKFIXDISABLE)
 extern "C" void _CSCheckFixDisable();
@@ -226 +230 @@
     if (parameters.compilerServiceExtensionHandle)
         SandboxExtension::consumePermanently(*parameters.compilerServiceExtensionHandle);
+#endif
+    
+#if PLATFORM(COCOA)
+    if (parameters.neHelperExtensionHandle)
+        SandboxExtension::consumePermanently(*parameters.neHelperExtensionHandle);
+    if (parameters.neSessionManagerExtensionHandle)
+        SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
+    NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
 #endif
 }

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -834 +834 @@
 #endif // PLATFORM(MAC)
 
+(allow mach-lookup
+    (require-all
+        (extension "com.apple.webkit.extension.mach")
+        (global-name "com.apple.nehelper" "com.apple.nesessionmanager.content-filter")))
+
 (when (defined? 'syscall-unix)
     (deny syscall-unix (with send-signal SIGKILL))