    [WK2] Drop WebProcess capabilities on Linux using seccomp filters · 0ee9d4d0
    thiago.santos@intel.com authored
    https://bugs.webkit.org/show_bug.cgi?id=89875
    
    Reviewed by Maciej Stachowiak.
    
    .:
    
    Added the bits to EFL/CMake buildsystem to find the libseccomp
    library.
    
    * Source/cmake/FindLibSeccomp.cmake: Added.
    * Source/cmake/OptionsEfl.cmake:
    * Source/cmake/WebKitFeatures.cmake:
    * Source/cmakeconfig.h.cmake:
    
    Source/WebCore:
    
    Make the DATA_DIR global since it is now needed for WebCore and WebKit2.
    It is now used to set a sandbox policy for the EFL port.
    
    * PlatformEfl.cmake:
    
    Source/WebKit2:
    
    Introduce the foundations of the SeccompFilter-based sandbox. The
    hardening of the WebProcess (and potentially PluginProcess, etc.)
    works by a combination of two things:
    
    - Blocking syscalls that are not used, reducing the size of the attack
    surface.
    - Trapping sensitive syscalls and delegating the execution of these
    syscalls to a separated trusted process subject to a set of policies.
    
    The initial implementation traps the open()-family of syscalls on WebKit
    EFL's and Qt's WebProcess, but it could be easily used by any Linux port,
    since the code is supposed to be Linux-compliant. The list of syscalls handled
    by the broker process should definitely grow as we mature the
    implementation. Other syscalls need to be handled to get this sandbox
    fully functional, like unlink(), mkdir(), etc.
    
    The broker process should be initialized as early as possible on the
    sandboxed process main() function, because it only does a fork(), which
    is cheap on Linux. That also aims to minimize the resident memory footprint
    of the broker process.
    
    Opening of files for upload and saving downloads is not supported yet,
    since it should be handled by the UIProcess in a similar fashion as
    the Mac port does.
    
    * PlatformEfl.cmake:
    * Shared/linux/SeccompFilters/OpenSyscall.cpp: Added.
    (WebKit):
    (WebKit::OpenSyscall::createFromOpenatContext):
    (WebKit::OpenSyscall::createFromCreatContext):
    (WebKit::OpenSyscall::OpenSyscall):
    (WebKit::OpenSyscall::setResult):
    (WebKit::OpenSyscall::execute):
    (WebKit::OpenSyscall::encode):
    (WebKit::OpenSyscall::decode):
    (WebKit::OpenSyscallResult::OpenSyscallResult):
    (WebKit::OpenSyscallResult::~OpenSyscallResult):
    (WebKit::OpenSyscallResult::encode):
    (WebKit::OpenSyscallResult::decode):
    * Shared/linux/SeccompFilters/OpenSyscall.h: Added.
    (CoreIPC):
    (WebKit):
    (OpenSyscall):
    (WebKit::OpenSyscall::setPath):
    (WebKit::OpenSyscall::setFlags):
    (WebKit::OpenSyscall::setMode):
    (OpenSyscallResult):
    (WebKit::OpenSyscallResult::fd):
    (WebKit::OpenSyscallResult::errorNumber):
    * Shared/linux/SeccompFilters/SeccompBroker.cpp: Added.
    (WebKit):
    (SeccompBrokerClient):
    (WebKit::sendMessage):
    (WebKit::receiveMessage):
    (WebKit::SIGSYSHandler):
    (WebKit::registerSIGSYSHandler):
    (WebKit::SeccompBrokerClient::shared):
    (WebKit::SeccompBrokerClient::SeccompBrokerClient):
    (WebKit::SeccompBrokerClient::~SeccompBrokerClient):
    (WebKit::SeccompBrokerClient::dispatch):
    (WebKit::SeccompBrokerClient::handleIfOpeningOnlineCPUCount):
    (WebKit::SeccompBroker::launchProcess):
    (WebKit::SeccompBroker::initialize):
    (WebKit::SeccompBroker::runLoop):
    * Shared/linux/SeccompFilters/SeccompBroker.h: Added.
    (WebKit):
    (SeccompBroker):
    (WebKit::SeccompBroker::setSyscallPolicy):
    (WebKit::SeccompBroker::SeccompBroker):
    * Shared/linux/SeccompFilters/SeccompFilters.cpp: Added.
    (WebKit):
    (WebKit::SeccompFilters::SeccompFilters):
    (WebKit::SeccompFilters::~SeccompFilters):
    (WebKit::SeccompFilters::addRule):
    (WebKit::SeccompFilters::initialize):
    * Shared/linux/SeccompFilters/SeccompFilters.h: Added.
    (WebKit):
    (SeccompFilters):
    (WebKit::SeccompFilters::context):
    (WebKit::SeccompFilters::platformInitialize):
    * Shared/linux/SeccompFilters/SigactionSyscall.cpp: Added.
    (WebKit):
    (WebKit::SigactionSyscall::createFromContext):
    * Shared/linux/SeccompFilters/SigactionSyscall.h: Added.
    (WebKit):
    (SigactionSyscall):
    * Shared/linux/SeccompFilters/SigprocmaskSyscall.cpp: Added.
    (WebKit):
    (WebKit::SigprocmaskSyscall::createFromContext):
    * Shared/linux/SeccompFilters/SigprocmaskSyscall.h: Added.
    (WebKit):
    (SigprocmaskSyscall):
    * Shared/linux/SeccompFilters/Syscall.cpp: Added.
    (WebKit):
    (WebKit::Syscall::createFromContext):
    (WebKit::Syscall::createFromDecoder):
    (WebKit::Syscall::Syscall):
    (WebKit::SyscallResult::createFromDecoder):
    (WebKit::SyscallResult::SyscallResult):
    * Shared/linux/SeccompFilters/Syscall.h: Added.
    (CoreIPC):
    (WebKit):
    (Syscall):
    (WebKit::Syscall::~Syscall):
    (WebKit::Syscall::type):
    (WebKit::Syscall::setContext):
    (WebKit::Syscall::context):
    (SyscallResult):
    (WebKit::SyscallResult::~SyscallResult):
    (WebKit::SyscallResult::type):
    * Shared/linux/SeccompFilters/SyscallPolicy.cpp: Added.
    (WebKit):
    (WebKit::removeTrailingSlash):
    (WebKit::SyscallPolicy::hasPermissionForPath):
    (WebKit::SyscallPolicy::addFilePermission):
    (WebKit::SyscallPolicy::addDirectoryPermission):
    (WebKit::SyscallPolicy::addDefaultWebProcessPolicy):
    * Shared/linux/SeccompFilters/SyscallPolicy.h: Added.
    (WebKit):
    (SyscallPolicy):
    * Target.pri:
    * WebKit2.pri:
    * WebProcess/efl/SeccompFiltersWebProcessEfl.cpp: Added.
    (WebKit):
    (WebKit::SeccompFiltersWebProcessEfl::SeccompFiltersWebProcessEfl):
    (WebKit::SeccompFiltersWebProcessEfl::platformInitialize):
    * WebProcess/efl/SeccompFiltersWebProcessEfl.h: Added.
    (WebKit):
    (SeccompFiltersWebProcessEfl):
    * WebProcess/qt/SeccompFiltersWebProcessQt.cpp: Added.
    (WebKit):
    (WebKit::SeccompFiltersWebProcessQt::SeccompFiltersWebProcessQt):
    (WebKit::SeccompFiltersWebProcessQt::platformInitialize):
    * WebProcess/qt/SeccompFiltersWebProcessQt.h: Added.
    (WebKit):
    (SeccompFiltersWebProcessQt):
    * WebProcess/qt/WebProcessQt.cpp:
    (WebKit::WebProcess::platformInitializeWebProcess):
    * WebProcess/soup/WebProcessSoup.cpp:
    (WebKit::WebProcess::platformInitializeWebProcess):
    
    Tools:
    
    Add unit tests to verify if the handling of the open, openat, creat syscalls
    is being done right. We check if the Read/Write/ReadAndWrite permissions
    are respected, if the canonical path is being resolved and if
    the permissions are falling back to the topmost parent directory with a
    policy set when the directory being opened has no policy.
    
    We also test if any attempt of blocking SIGSYS is silently ignored.
    SIGSYS cannot be blocked because its handler is where we hook
    syscalls to the broker process.
    
    Also added libseccomp to EFL's jhbuild to make the life of developers
    willing to help easier.
    
    * Scripts/webkitperl/FeatureList.pm:
    * TestWebKitAPI/PlatformEfl.cmake:
    * TestWebKitAPI/Tests/WebKit2/SeccompFilters.cpp: Added.
    (TestWebKitAPI):
    (SeccompEnvironment):
    (TestWebKitAPI::SeccompEnvironment::SetUp):
    (TestWebKitAPI::SeccompEnvironment::TearDown):
    (TestWebKitAPI::dummyHandler):
    (TestWebKitAPI::TEST):
    (TestWebKitAPI::stressTest):
    * efl/jhbuild.modules:
    * qmake/mkspecs/features/features.pri:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147998 268f45cc-cd09-0410-ab3c-d52691b4dbfc
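The policy half of the broker described above (permission per file or directory, canonical path resolution, fallback to the nearest parent directory that has a policy) is the part that decides what a trapped open()/openat()/creat() is allowed to do, and it is the part the added unit tests exercise. The following is an added illustration written for this page, not WebKit's SyscallPolicy code: the class name, the `Permission` values and the flag-to-permission mapping are assumptions in the spirit of the commit message, and `normalizePath` is a purely lexical stand-in for `realpath()` so the checks run on constructed paths without touching the filesystem (a real broker must resolve symlinks as well, which lexical normalisation does not).

```cpp
// Added example (not WebKit code): a minimal path-permission policy of the
// kind a seccomp broker consults before servicing a trapped open() syscall.
#include <fcntl.h>
#include <iostream>
#include <map>
#include <string>
#include <vector>

enum Permission { NotAllowed = 0, Read = 1, Write = 2, ReadAndWrite = Read | Write };

// Lexically normalise an absolute path: collapse ".", "..", duplicate and
// trailing slashes. ASSUMPTION: stand-in for realpath(); it does not follow
// symlinks, so it is only suitable for this offline demonstration.
std::string normalizePath(const std::string& path)
{
    std::vector<std::string> parts;
    std::string segment;
    for (size_t i = 0; i <= path.size(); ++i) {
        if (i == path.size() || path[i] == '/') {
            if (segment == "..") {
                if (!parts.empty())
                    parts.pop_back();   // ".." never climbs above "/"
            } else if (!segment.empty() && segment != ".")
                parts.push_back(segment);
            segment.clear();
        } else
            segment += path[i];
    }
    std::string out;
    for (const std::string& p : parts)
        out += "/" + p;
    return out.empty() ? "/" : out;
}

class SyscallPolicy {
public:
    void addFilePermission(const std::string& path, Permission p) { m_filePermission[normalizePath(path)] = p; }
    void addDirectoryPermission(const std::string& path, Permission p) { m_directoryPermission[normalizePath(path)] = p; }

    // True when the access implied by open(2) flags is covered by the policy.
    // File entries take precedence; otherwise the nearest ancestor directory
    // with an entry decides. Unknown paths are denied.
    bool hasPermissionForPath(const std::string& path, int openFlags) const
    {
        const Permission needed = permissionForFlags(openFlags);
        if (needed == NotAllowed)
            return false;
        const std::string canonical = normalizePath(path);
        std::map<std::string, Permission>::const_iterator f = m_filePermission.find(canonical);
        if (f != m_filePermission.end())
            return (f->second & needed) == needed;
        std::string dir = canonical;
        for (;;) {
            std::map<std::string, Permission>::const_iterator d = m_directoryPermission.find(dir);
            if (d != m_directoryPermission.end())
                return (d->second & needed) == needed;
            if (dir == "/")
                return false;          // no policy anywhere on the path
            size_t slash = dir.find_last_of('/');
            dir = slash == 0 ? "/" : dir.substr(0, slash);
        }
    }

private:
    // ASSUMPTION: our own mapping from open(2) flags to a Permission.
    // O_CREAT/O_TRUNC modify the file even when combined with O_RDONLY.
    static Permission permissionForFlags(int flags)
    {
        int access = flags & O_ACCMODE;
        Permission p = access == O_RDONLY ? Read : access == O_WRONLY ? Write : ReadAndWrite;
        if (flags & (O_CREAT | O_TRUNC))
            p = Permission(p | Write);
        return p;
    }
    std::map<std::string, Permission> m_filePermission;
    std::map<std::string, Permission> m_directoryPermission;
};

// Constructed sample policy resembling what a WebProcess would need.
SyscallPolicy makeExamplePolicy()
{
    SyscallPolicy policy;
    policy.addDirectoryPermission("/", NotAllowed);               // ultimate fallback: deny
    policy.addDirectoryPermission("/usr/share/webkit/", Read);    // trailing slash is normalised away
    policy.addDirectoryPermission("/tmp/webkit-cache", ReadAndWrite);
    policy.addFilePermission("/etc/hosts", Read);
    return policy;
}

int main()
{
    SyscallPolicy policy = makeExamplePolicy();
    std::cout << policy.hasPermissionForPath("/usr/share/webkit/icons/../icons/x.png", O_RDONLY) << '\n'; // 1
    std::cout << policy.hasPermissionForPath("/tmp/webkit-cache/../../etc/passwd", O_RDONLY) << '\n';     // 0
    return 0;
}
```

The two cases worth noting are the traversal attempt `/tmp/webkit-cache/../../etc/passwd`, which is denied only because the path is canonicalised before the lookup, and `O_RDONLY | O_TRUNC` on `/etc/hosts`, which is denied because truncation is a write even though the access mode says read.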