Commit 0ee9d4d0 authored by thiago.santos@intel.com

[WK2] Drop WebProcess capabilities on Linux using seccomp filters

https://bugs.webkit.org/show_bug.cgi?id=89875

Reviewed by Maciej Stachowiak.

.:

Added the bits to EFL/CMake buildsystem to find the libseccomp
library.

* Source/cmake/FindLibSeccomp.cmake: Added.
* Source/cmake/OptionsEfl.cmake:
* Source/cmake/WebKitFeatures.cmake:
* Source/cmakeconfig.h.cmake:

Source/WebCore:

Make the DATA_DIR global since it is now needed for WebCore and WebKit2.
It is now used to set a sandbox policy for the EFL port.

* PlatformEfl.cmake:

Source/WebKit2:

Introduce the foundations of the SeccompFilter-based sandbox. The
hardening of the WebProcess (and potentially PluginProcess, etc.)
works by a combination of two things:

- Blocking syscalls that are not used, reducing the size of the attack
surface.
- Trapping sensitive syscalls and delegating the execution of these
syscalls to a separate trusted process subject to a set of policies.

The initial implementation traps the open()-family of syscalls on WebKit
EFL's and Qt's WebProcess, but it could be easily used by any Linux port,
since the code is supposed to be Linux-compliant. The list of syscalls handled
by the broker process should definitely grow as we mature the
implementation. Other syscalls need to be handled to get this sandbox
fully functional, like unlink(), mkdir(), etc.

The broker process should be initialized as early as possible in the
sandboxed process's main() function, because it only does a fork(), which
is cheap on Linux. That also aims to minimize the resident memory footprint
of the broker process.

Opening of files for upload and saving downloads is not supported yet,
since it should be handed off to the UIProcess in a similar fashion as
the Mac port does.

* PlatformEfl.cmake:
* Shared/linux/SeccompFilters/OpenSyscall.cpp: Added.
(WebKit):
(WebKit::OpenSyscall::createFromOpenatContext):
(WebKit::OpenSyscall::createFromCreatContext):
(WebKit::OpenSyscall::OpenSyscall):
(WebKit::OpenSyscall::setResult):
(WebKit::OpenSyscall::execute):
(WebKit::OpenSyscall::encode):
(WebKit::OpenSyscall::decode):
(WebKit::OpenSyscallResult::OpenSyscallResult):
(WebKit::OpenSyscallResult::~OpenSyscallResult):
(WebKit::OpenSyscallResult::encode):
(WebKit::OpenSyscallResult::decode):
* Shared/linux/SeccompFilters/OpenSyscall.h: Added.
(CoreIPC):
(WebKit):
(OpenSyscall):
(WebKit::OpenSyscall::setPath):
(WebKit::OpenSyscall::setFlags):
(WebKit::OpenSyscall::setMode):
(OpenSyscallResult):
(WebKit::OpenSyscallResult::fd):
(WebKit::OpenSyscallResult::errorNumber):
* Shared/linux/SeccompFilters/SeccompBroker.cpp: Added.
(WebKit):
(SeccompBrokerClient):
(WebKit::sendMessage):
(WebKit::receiveMessage):
(WebKit::SIGSYSHandler):
(WebKit::registerSIGSYSHandler):
(WebKit::SeccompBrokerClient::shared):
(WebKit::SeccompBrokerClient::SeccompBrokerClient):
(WebKit::SeccompBrokerClient::~SeccompBrokerClient):
(WebKit::SeccompBrokerClient::dispatch):
(WebKit::SeccompBrokerClient::handleIfOpeningOnlineCPUCount):
(WebKit::SeccompBroker::launchProcess):
(WebKit::SeccompBroker::initialize):
(WebKit::SeccompBroker::runLoop):
* Shared/linux/SeccompFilters/SeccompBroker.h: Added.
(WebKit):
(SeccompBroker):
(WebKit::SeccompBroker::setSyscallPolicy):
(WebKit::SeccompBroker::SeccompBroker):
* Shared/linux/SeccompFilters/SeccompFilters.cpp: Added.
(WebKit):
(WebKit::SeccompFilters::SeccompFilters):
(WebKit::SeccompFilters::~SeccompFilters):
(WebKit::SeccompFilters::addRule):
(WebKit::SeccompFilters::initialize):
* Shared/linux/SeccompFilters/SeccompFilters.h: Added.
(WebKit):
(SeccompFilters):
(WebKit::SeccompFilters::context):
(WebKit::SeccompFilters::platformInitialize):
* Shared/linux/SeccompFilters/SigactionSyscall.cpp: Added.
(WebKit):
(WebKit::SigactionSyscall::createFromContext):
* Shared/linux/SeccompFilters/SigactionSyscall.h: Added.
(WebKit):
(SigactionSyscall):
* Shared/linux/SeccompFilters/SigprocmaskSyscall.cpp: Added.
(WebKit):
(WebKit::SigprocmaskSyscall::createFromContext):
* Shared/linux/SeccompFilters/SigprocmaskSyscall.h: Added.
(WebKit):
(SigprocmaskSyscall):
* Shared/linux/SeccompFilters/Syscall.cpp: Added.
(WebKit):
(WebKit::Syscall::createFromContext):
(WebKit::Syscall::createFromDecoder):
(WebKit::Syscall::Syscall):
(WebKit::SyscallResult::createFromDecoder):
(WebKit::SyscallResult::SyscallResult):
* Shared/linux/SeccompFilters/Syscall.h: Added.
(CoreIPC):
(WebKit):
(Syscall):
(WebKit::Syscall::~Syscall):
(WebKit::Syscall::type):
(WebKit::Syscall::setContext):
(WebKit::Syscall::context):
(SyscallResult):
(WebKit::SyscallResult::~SyscallResult):
(WebKit::SyscallResult::type):
* Shared/linux/SeccompFilters/SyscallPolicy.cpp: Added.
(WebKit):
(WebKit::removeTrailingSlash):
(WebKit::SyscallPolicy::hasPermissionForPath):
(WebKit::SyscallPolicy::addFilePermission):
(WebKit::SyscallPolicy::addDirectoryPermission):
(WebKit::SyscallPolicy::addDefaultWebProcessPolicy):
* Shared/linux/SeccompFilters/SyscallPolicy.h: Added.
(WebKit):
(SyscallPolicy):
* Target.pri:
* WebKit2.pri:
* WebProcess/efl/SeccompFiltersWebProcessEfl.cpp: Added.
(WebKit):
(WebKit::SeccompFiltersWebProcessEfl::SeccompFiltersWebProcessEfl):
(WebKit::SeccompFiltersWebProcessEfl::platformInitialize):
* WebProcess/efl/SeccompFiltersWebProcessEfl.h: Added.
(WebKit):
(SeccompFiltersWebProcessEfl):
* WebProcess/qt/SeccompFiltersWebProcessQt.cpp: Added.
(WebKit):
(WebKit::SeccompFiltersWebProcessQt::SeccompFiltersWebProcessQt):
(WebKit::SeccompFiltersWebProcessQt::platformInitialize):
* WebProcess/qt/SeccompFiltersWebProcessQt.h: Added.
(WebKit):
(SeccompFiltersWebProcessQt):
* WebProcess/qt/WebProcessQt.cpp:
(WebKit::WebProcess::platformInitializeWebProcess):
* WebProcess/soup/WebProcessSoup.cpp:
(WebKit::WebProcess::platformInitializeWebProcess):

Tools:

Add unit tests to verify if the handling of the open, openat, creat syscalls
is being done right. We check if the Read/Write/ReadAndWrite permissions
are respected, if the canonical path is being resolved and if
the permissions are falling back to the topmost parent directory with a
policy set when the directory being opened has no policy.

We also test if any attempt at blocking SIGSYS is silently ignored.
SIGSYS cannot be blocked because its handler is where we hook
syscalls to the broker process.

Also added libseccomp to EFL's jhbuild to make the life of developers
willing to help easier.

* Scripts/webkitperl/FeatureList.pm:
* TestWebKitAPI/PlatformEfl.cmake:
* TestWebKitAPI/Tests/WebKit2/SeccompFilters.cpp: Added.
(TestWebKitAPI):
(SeccompEnvironment):
(TestWebKitAPI::SeccompEnvironment::SetUp):
(TestWebKitAPI::SeccompEnvironment::TearDown):
(TestWebKitAPI::dummyHandler):
(TestWebKitAPI::TEST):
(TestWebKitAPI::stressTest):
* efl/jhbuild.modules:
* qmake/mkspecs/features/features.pri:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147998 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 1a35730e
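The path-policy check that the Tools section of the commit message describes (Read/Write/ReadAndWrite permissions, canonical path resolution, and fallback to the nearest parent directory that has a policy), as an added C example that is not WebKit's SyscallPolicy code: the policy table and its directories are constructed, and canonicalisation is a lexical stand-in for the filesystem resolution the real broker does.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <string.h>
/* Permission bits, mirroring the Read/Write/ReadAndWrite split the commit's tests check. */
enum { PERM_NONE = 0, PERM_READ = 1, PERM_WRITE = 2, PERM_READ_WRITE = 3 };
/* Constructed policy table: directory -> permission (hypothetical entries, not WebKit defaults). */
static const struct { const char *dir; int perm; } kPolicy[] = {
    { "/usr/share/webkit", PERM_READ },   { "/tmp/webkit-cache", PERM_READ_WRITE },
    { "/home/user/.config", PERM_READ },  { "/home/user/.config/webkit", PERM_READ_WRITE },
};
/* Lexically normalise an absolute path: collapse "//", "." and "..", drop a trailing '/'.
   The real broker canonicalises against the filesystem; this stand-in needs no real files. */
static void normalizePath(const char *in, char *out, size_t outLen) {
    size_t n = 0; out[0] = '\0';
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;                       /* skip separators */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0 || (len == 1 && seg[0] == '.')) continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {    /* ".." pops the last segment */
            while (n > 0 && out[--n] != '/') {}
            out[n] = '\0';
            continue;
        }
        if (n + 1 + len >= outLen) break;            /* no room: stop rather than overflow */
        out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len; out[n] = '\0';
    }
    if (n == 0) strcpy(out, "/");
}
/* Longest policy directory prefixing the path on a '/' boundary wins: a subdirectory with its
   own policy overrides its parent; one with none falls back to its nearest ancestor with one. */
static int permissionForPath(const char *path) {
    char canon[4096]; normalizePath(path, canon, sizeof canon);
    int best = PERM_NONE; size_t bestLen = 0;
    for (size_t i = 0; i < sizeof kPolicy / sizeof kPolicy[0]; i++) {
        size_t dlen = strlen(kPolicy[i].dir);
        bool hit = strncmp(canon, kPolicy[i].dir, dlen) == 0 && (canon[dlen] == '/' || !canon[dlen]);
        if (hit && dlen > bestLen) { best = kPolicy[i].perm; bestLen = dlen; }
    }
    return best;
}
/* Decision the broker would return for an open()/openat()/creat() request with these flags. */
static bool openAllowed(const char *path, int flags) {
    int acc = flags & O_ACCMODE;
    int need = acc == O_RDONLY ? PERM_READ : acc == O_WRONLY ? PERM_WRITE : PERM_READ_WRITE;
    return (permissionForPath(path) & need) == need;
}
```

The ".." case is what makes the canonical-path check matter: without it a request under an allowed directory could name a file outside it.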