[webkit-gtk] about sandbox extension on gtk port
Michael Catanzaro
mcatanzaro at igalia.com
Sun Jan 4 22:26:15 PST 2015
On Sun, Jan 4, 2015 at 7:45 PM, Renart <spaceshuttle2009 at gmail.com>
wrote:
> Hi, all
>
> I noticed that there is a sandbox extension on the mac port. I am
> wondering whether we could implement this extension on the gtk port,
> or whether this has indeed already been implemented.
>
> I have grepped this project, but did not find anything useful.
>
> Thanks,
> Jiayu
Well, the GTK+ port currently doesn't have a sandbox, so there's been
no need for runtime sandbox extensions. :)
You have good timing, though. I have been working on sandboxing
recently, and in fact posted several patches tonight (which either
block or depend on [1]) that enable a sandbox for the GTK+ port. In
particular, [2] adds API (which we need to discuss on this list, but I
will send a separate email about this) for sandbox extensions -- but
it's different from the existing WebKit2 SANDBOX_EXTENSIONS feature
that allows the UI process to grant additional filesystem access to the
web process at runtime. I'm going to refer to that in all-caps to avoid
ambiguity with the proposed API for lowercase sandbox extensions that I
posted tonight. My GTK-specific sandbox extensions are for allowing the
UI process to specify filesystem paths that the web process is allowed
to access before the web process is launched, for the benefit of web
extensions that need to access the filesystem. (Probably we actually
want to allow the web extension itself, not the UI process, to specify
during initialization which paths it is allowed to access.) Contrast
that to the WebKit2 SANDBOX_EXTENSIONS feature used by the Mac port,
which allows the UI process to grant additional filesystem permissions
to the web process at runtime after initialization. (At least, I think
this is all they do, but I have not researched them fully.) This is
used e.g. by a browser to implement a file chooser so that the user can
display files on disk that the web process would otherwise not have
permission to access.
So far, I haven't had any need to implement SANDBOX_EXTENSIONS support
because I have only been testing the sandbox with the network process
enabled, and I have not yet sandboxed the network process. The network
process is optional in WebKitGTK+, and it's currently what's
responsible for actually opening a file and reading bytes from it, even
for local files. With the network process disabled and the sandbox
enabled, you can no longer display local files. (I've just filed [3]
for this problem.) I'd rather make the network process mandatory (which
might not be permissible) or disable the sandbox when the network
process is disabled than implement SANDBOX_EXTENSIONS in the near term,
since that would require a significant rearchitecture of our sandbox
and there are other security priorities I'd rather work on first. But
in the long run, SANDBOX_EXTENSIONS would let us sandbox the network
process in addition to the web process, which would be good.
Happy Monday,
Michael
[1] https://bugs.webkit.org/show_bug.cgi?id=110014
[2] https://bugs.webkit.org/show_bug.cgi?id=140073
[3] https://bugs.webkit.org/show_bug.cgi?id=140075
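The runtime grant Michael contrasts with a pre-launch path list is, on a plain Unix system, usually built on descriptor passing: the privileged parent opens the file the user picked in the chooser and hands the open descriptor to the confined child over a Unix-domain socket, so the child gets exactly that one file and never needs permission to open paths itself. The block below is an added illustration of that mechanism in C; it is not code from WebKit, it does not model how the Mac port's SANDBOX_EXTENSIONS are implemented or any of the patches linked above, and it does not itself confine the child (a real sandbox would add seccomp, namespaces or similar on top). The names send_fd, recv_fd, grant_file_at_runtime, demo_runtime_grant and demo_missing_file_is_refused, and the sample file contents, are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one open descriptor over a Unix-domain socket (SCM_RIGHTS). The receiver
 * gets its own descriptor for the same open file and never learns the path. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';                        /* SCM_RIGHTS needs >= 1 payload byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); returns the fd or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) <= 0)
        return -1;                          /* parent closed without granting */
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* "UI process" side: fork a "web process" child that owns only its socket end,
 * open `path` on its behalf, pass the descriptor, and collect what the child
 * could read through it into `out`. Returns the byte count, or -1 if the grant
 * was refused (open failed) or the child failed. The child never sees `path`. */
ssize_t grant_file_at_runtime(const char *path, char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* child: the confined side */
        close(sv[0]);
        int fd = recv_fd(sv[1]);
        if (fd < 0)
            _exit(1);
        char buf[256];
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0 || write(sv[1], buf, (size_t)n) != n)
            _exit(1);                       /* echo the granted content back */
        _exit(0);
    }
    close(sv[1]);                           /* parent keeps only its own end */
    int fd = open(path, O_RDONLY);
    int rc = fd < 0 ? -1 : send_fd(sv[0], fd);
    if (fd >= 0)
        close(fd);                          /* child holds its own copy now */
    size_t total = 0;
    while (rc == 0 && total < outlen) {
        ssize_t r = read(sv[0], out + total, outlen - total);
        if (r <= 0)
            break;                          /* 0: child exited and closed its end */
        total += (size_t)r;
    }
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (rc != 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)total;
}

/* Constructed demo: a temp file stands in for the one the user picked in the
 * file chooser. Returns 1 if the child read back exactly that content. */
int demo_runtime_grant(void)
{
    const char *content = "constructed sample file contents\n";
    char path[] = "/tmp/sandbox-grant-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    size_t len = strlen(content);
    int ok = write(fd, content, len) == (ssize_t)len;
    close(fd);
    char out[128] = {0};
    ssize_t n = ok ? grant_file_at_runtime(path, out, sizeof out - 1) : -1;
    unlink(path);
    return n == (ssize_t)len && memcmp(out, content, len) == 0;
}

/* Without a grant the child gets nothing: returns 1 when the call reports -1. */
int demo_missing_file_is_refused(void)
{
    char out[16];
    return grant_file_at_runtime("/nonexistent/no-such-file", out, sizeof out) == -1;
}
```

The point the e-mail makes carries over directly: with descriptor passing, the decision about which file the web process may read is taken in the UI process after the web process is already running, whereas a pre-launch path list has to be fixed before fork()/exec() and cannot be widened for a file the user picks later.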