[webkit-reviews] review denied: [Bug 186110] Add a sandbox profile for com.cisco.webex.plugin.gpc64 plugin : [Attachment 341625] Patch
bugzilla-daemon at webkit.org
Fri Jun 1 12:14:03 PDT 2018
Brent Fulgham <bfulgham at webkit.org> has denied youenn fablet
<youennf at gmail.com>'s request for review:
Bug 186110: Add a sandbox profile for com.cisco.webex.plugin.gpc64 plugin
https://bugs.webkit.org/show_bug.cgi?id=186110
Attachment 341625: Patch
https://bugs.webkit.org/attachment.cgi?id=341625&action=review
--- Comment #4 from Brent Fulgham <bfulgham at webkit.org> ---
Comment on attachment 341625
--> https://bugs.webkit.org/attachment.cgi?id=341625
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=341625&action=review
I think this is very close, but I'd like to see some tighter rules on the rules
I mentioned above. Maybe you've found that WebEx just won't work without these
open fully -- if so, let me know.
> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:44
> +
You might consider preventing symlinks from being created, unless WebEx uses
them:
    (if (defined? 'vnode-type)
        (deny file-write-create (vnode-type SYMLINK)))
This would help protect against a compromised plugin creating a symlink
someplace bad.
> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:46
> +(allow process-fork)
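Review bot: `+(allow process-fork)` at line 46 carries no comment recording why the plugin needs to fork; add a one-line comment above the rule naming the helper or operation that requires it, so a later reader can tell whether the rule can be narrowed or dropped once that need goes away.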
Lots of powerful operations allowed :-(
> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:74
> +(allow network-outbound)
I wonder if these outbound connections could be limited to specific ports?
E.g., like we do in some other plugins:
    (allow network-outbound
        (remote udp "*:4160" "*:88"))
> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:79
> +(allow ipc-posix-shm)
Do you need all ipc-posix-shm? For example, could you just have
"ipc-posix-shm-read-data"? Even better would be to limit it to specific IPC
agents you want to talk to.
> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:80
> +(allow mach-lookup)
It would be much better to limit mach-lookup to just the mach endpoints you
actually need. This is a huge window for attackers.
> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:81
> +(allow sysctl-read)
Can this be limited to a smaller subset?
    (allow sysctl-read
        (sysctl-name
            "hw.byteorder"
            "hw.busfrequency_max"
            ...
        (sysctl-name-regex #"^net.routetable")
    )
> Source/WebKit/Resources/PlugInSandboxProfiles/com.cisco.webex.plugin.gpc64.sb:82
> +(allow sysctl-write)
Oh gosh -- can this be limited to specific things? All of WebContent process
manages to avoid sysctl-write for anything!
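To show what the tightening asked for in this review looks like when the pieces are put together, here is a sandbox profile fragment added as an illustration; it is not the patch under review and not taken from WebKit's tree. The TCP port, the shared-memory segment name, the mach service name and the extra sysctl name are assumptions chosen for the example and would be replaced by whatever the plugin is actually observed to need.

```scheme
;; Added example, not the patch under review: a tightened version of the
;; rules discussed in the comments above. Every concrete name marked as a
;; placeholder is an assumption for illustration only.
(version 1)
(deny default)

;; Symlink creation is rarely needed by a plugin; denying it stops a
;; compromised plugin from planting a symlink somewhere it can write.
(if (defined? 'vnode-type)
    (deny file-write-create (vnode-type SYMLINK)))

;; process-fork is left out on purpose; re-add it only with a comment
;; recording which helper the plugin must spawn.

;; Outbound network limited to specific ports instead of a blanket allow.
;; The TCP port is a placeholder; the UDP ports follow the review's example.
(allow network-outbound
    (remote tcp "*:443")
    (remote udp "*:4160" "*:88"))

;; Read-only POSIX shared memory scoped to one named segment, instead of
;; the full (allow ipc-posix-shm). The segment name is a placeholder.
(allow ipc-posix-shm-read-data
    (ipc-posix-name "PLACEHOLDER.shm.segment"))

;; mach-lookup restricted to named endpoints rather than every service on
;; the system. The service name is a placeholder.
(allow mach-lookup
    (global-name "com.example.placeholder.service"))

;; sysctl reads limited to the names the plugin queries, following the
;; pattern in the review; "hw.ncpu" is an assumed extra entry.
(allow sysctl-read
    (sysctl-name
        "hw.byteorder"
        "hw.busfrequency_max"
        "hw.ncpu")
    (sysctl-name-regex #"^net.routetable"))

;; No sysctl-write rule at all, matching what the WebContent process does.
```

A quick way to confirm that a candidate profile still parses and that the plugin's host command runs under it is to load it with `sandbox-exec -f <profile.sb> <command>` on a development machine; a rule that has been made too tight then shows up as a sandbox denial in the system log rather than as a profile parse error, which tells you exactly which filter to widen.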