[webkit-gtk] Web process sandbox

Michael Catanzaro mcatanzaro at igalia.com
Thu Feb 19 08:32:08 PST 2015


Hi,

I've been thinking more about this over the past month. In the web 
process, I'm currently experimenting with the approach of whitelisting 
only syscalls that we actually use, rather than just blacklisting 
filesystem access syscalls. This is closer to what Chrome does and is 
obviously more secure as it dramatically reduces the kernel attack 
surface over a more permissive sandbox.

* If we do a syscall whitelist, web extensions *must* have API to 
whitelist their own syscalls. It will simply not be feasible to write and 
maintain a web extension otherwise. If we don't allow this then we must 
use a more limited sandbox that only traps a few blacklisted syscalls.
* There is no need to allow web extensions to disable the sandbox. I 
will just print a warning when a syscall is blocked.
* I currently see no need to allow web extensions to override how we 
choose to trap any syscalls that we trap. That is, a web extension 
should be able to say "allow this particular syscall" but need not have 
any finer-grained control than that. (I no longer recommend applying 
the patch I previously proposed.)

For example, we will trap filesystem calls like open() and ensure the 
attempted access is within a directory that the web process should be 
allowed to access, and the web extension need not be allowed to 
override this, because it is already "allowed" just with a restricted 
set of arguments. So the web extension cannot claim write access to / 
for example, and there will be little incentive for a web extension 
author to attempt to disable the sandbox by whitelisting everything if 
it has no effect on how we trap filesystem syscalls. This means 
existing web extensions will need to be rewritten slightly, but it 
should not be too bad.

A blacklist rather than a whitelist *may* be desirable regardless, due 
to dependency churn outside of our control. A syscall whitelist will 
work reliably in stable distros like Debian and Ubuntu, but in a distro 
like Arch or Fedora, one of our dependencies will start using a new 
syscall unexpectedly and the web process will be borked until that gets 
fixed. I predict this will happen several times per year. But I think 
one person can keep up with this, and the additional security provided 
by the whitelist will be worth it. Again, the blacklist must be kept 
quite small unless we allow web extensions to whitelist syscalls.

Michael
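
The decision order described in the message above, modelled in C++ as an added example; it is not part of the original message and not WebKit code. `SandboxPolicy`, `allowForExtension`, the syscall names listed and the cache directory are hypothetical or constructed, and only absolute paths are handled.

```cpp
// Added example: a model of the policy in the message above, not WebKit code.
#include <set>
#include <sstream>
#include <string>
#include <vector>

enum class Verdict { Allow, Deny };
// Resolve "." and ".." lexically (symlinks not modelled) so "/allowed/../etc" fails.
static std::string normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg, out;
    while (std::getline(in, seg, '/')) {
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); }
        else if (!seg.empty() && seg != ".") parts.push_back(seg);
    }
    for (const auto& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

struct SandboxPolicy {
    std::set<std::string> baseAllowed;      // syscalls the web process itself uses
    std::set<std::string> extensionAllowed; // added via the hypothetical extension API
    std::set<std::string> trapped;          // argument-checked, never overridable
    std::vector<std::string> allowedDirs;   // normalized, no trailing slash
    void allowForExtension(const std::string& name) { extensionAllowed.insert(name); }
    // The trap is consulted first, so whitelisting a trapped syscall changes nothing.
    Verdict check(const std::string& name, const std::string& path = "") const {
        if (trapped.count(name)) {
            if (path.empty() || path[0] != '/') return Verdict::Deny; // assumption: absolute paths only
            const std::string p = normalize(path);
            for (const auto& dir : allowedDirs)
                if (p == dir || p.compare(0, dir.size() + 1, dir + "/") == 0) return Verdict::Allow;
            return Verdict::Deny;
        }
        // Deny here is the "blocked, print a warning" case.
        return (baseAllowed.count(name) || extensionAllowed.count(name)) ? Verdict::Allow : Verdict::Deny;
    }
};
SandboxPolicy samplePolicy() { // constructed sample values
    SandboxPolicy p;
    p.baseAllowed = {"read", "write", "mmap"};
    p.trapped = {"open"};
    p.allowedDirs = {"/home/user/.cache/webkitgtk"};
    return p;
}
int main() {
    SandboxPolicy p = samplePolicy();
    p.allowForExtension("open"); // has no effect on the open() trap
    return p.check("open", "/etc/passwd") == Verdict::Deny ? 0 : 1;
}
```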