[GTK][WPE] Implement subprocess sandboxing
authormcatanzaro@igalia.com <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Oct 2018 15:02:59 +0000 (15:02 +0000)
committermcatanzaro@igalia.com <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Oct 2018 15:02:59 +0000 (15:02 +0000)
commitb110fa04a175a3ca98d8673966a66f80dfcb2042
treeb8371ac5858b0f362f3bc3ac20ebbc60678a631b
parent3352b3b447a38b839fdc70296283b11483433a3c
[GTK][WPE] Implement subprocess sandboxing
https://bugs.webkit.org/show_bug.cgi?id=188568

Patch by Patrick Griffis <pgriffis@igalia.com> on 2018-10-15
Reviewed by Michael Catanzaro.

.:

Add ENABLE_BUBBLEWRAP_SANDBOX option for sandboxing.

* Source/cmake/FindLibseccomp.cmake: Added.
* Source/cmake/OptionsGTK.cmake:
* Source/cmake/WebKitFeatures.cmake:

Source/WebCore:

Link against libseccomp.

* PlatformGTK.cmake:

Source/WebKit:

This implements sandboxing of WebKitWebProcesses.

The sandbox is opt-in at runtime as it is a behavior change.
See webkit_web_context_set_sandbox_enabled() and the
WEBKIT_FORCE_SANDBOX env var for developers.

This is Linux specific using Namespaces, Seccomp, and a DBus proxy service.
This introduces three new dependencies:

- bwrap executable
- libseccomp library
- xdg-dbus-proxy executable

The use of xdg-dbus-proxy will ideally be replaced once upstream DBus
gains the same filtering abilities which is a work in progress.

Currently the sandbox is not completed and there are a few large holes:

- Pulseaudio: The Pipewire project will solve this.
- DRI device access: No immediate solutions planned.
- Webcam device access: Pipewire will also solve this.
- Webprocess network access: Will require GStreamer changes.
- DConf access: Custom proxy planned.
- X11 access: Wayland solves this.

That is not an exhaustive list but are the noteworthy ones. Filesystem access
is still an evolving list as problems are found as is specific DBus name access.

* PlatformGTK.cmake:
* PlatformWPE.cmake:
* SourcesGTK.txt:
* SourcesWPE.txt:
* UIProcess/API/glib/WebKitWebContext.cpp:
(webkit_web_context_set_sandbox_enabled):
(webkit_web_context_get_sandbox_enabled):
* UIProcess/API/gtk/WebKitWebContext.h:
* UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt:
* UIProcess/API/wpe/WebKitWebContext.h:
* UIProcess/ChildProcessProxy.cpp:
(WebKit::ChildProcessProxy::getLaunchOptions):
* UIProcess/ChildProcessProxy.h:
(WebKit::ChildProcessProxy::platformGetLaunchOptions):
* UIProcess/Launcher/ProcessLauncher.h:
* UIProcess/Launcher/glib/BubblewrapLauncher.cpp: Added.
(WebKit::memfd_create):
(WebKit::argsToFd):
(WebKit::XDGDBusProxyLauncher::setAddress):
(WebKit::XDGDBusProxyLauncher::isRunning const):
(WebKit::XDGDBusProxyLauncher::path const):
(WebKit::XDGDBusProxyLauncher::proxyPath const):
(WebKit::XDGDBusProxyLauncher::setPermissions):
(WebKit::XDGDBusProxyLauncher::launch):
(WebKit::XDGDBusProxyLauncher::childSetupFunc):
(WebKit::XDGDBusProxyLauncher::makeProxyPath):
(WebKit::XDGDBusProxyLauncher::dbusAddressToPath):
(WebKit::bindIfExists):
(WebKit::bindDBusSession):
(WebKit::bindX11):
(WebKit::bindDconf):
(WebKit::bindWayland):
(WebKit::bindPulse):
(WebKit::bindFonts):
(WebKit::bindGtkData):
(WebKit::bindA11y):
(WebKit::bindPathVar):
(WebKit::bindGStreamerData):
(WebKit::bindOpenGL):
(WebKit::bindV4l):
(WebKit::bindSymlinksRealPath):
(WebKit::setupSeccomp):
(WebKit::bubblewrapSpawn):
* UIProcess/Launcher/glib/BubblewrapLauncher.h: Added.
* UIProcess/Launcher/glib/FlatpakLauncher.cpp: Added.
(WebKit::flatpakSpawn):
* UIProcess/Launcher/glib/FlatpakLauncher.h: Added.
* UIProcess/Launcher/glib/ProcessLauncherGLib.cpp:
(WebKit::isInsideFlatpak):
(WebKit::ProcessLauncher::launchProcess):
* UIProcess/Plugins/PluginProcessProxy.cpp:
(WebKit::PluginProcessProxy::getLaunchOptions):
* UIProcess/Plugins/PluginProcessProxy.h:
* UIProcess/Plugins/mac/PluginProcessProxyMac.mm:
(WebKit::PluginProcessProxy::platformGetLaunchOptionsWithAttributes):
* UIProcess/Plugins/unix/PluginProcessProxyUnix.cpp:
(WebKit::PluginProcessProxy::platformGetLaunchOptionsWithAttributes):
* UIProcess/WebProcessPool.h:
* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::platformGetLaunchOptions):
* UIProcess/WebProcessProxy.h:
* UIProcess/glib/WebProcessProxyGLib.cpp: Added.
(WebKit::WebProcessProxy::platformGetLaunchOptions):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237107 268f45cc-cd09-0410-ab3c-d52691b4dbfc
24 files changed:
ChangeLog
Source/WebCore/ChangeLog
Source/WebCore/PlatformGTK.cmake
Source/WebKit/ChangeLog
Source/WebKit/PlatformGTK.cmake
Source/WebKit/PlatformWPE.cmake
Source/WebKit/SourcesGTK.txt
Source/WebKit/SourcesWPE.txt
Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
Source/WebKit/UIProcess/API/gtk/WebKitWebContext.h
Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt
Source/WebKit/UIProcess/API/wpe/WebKitWebContext.h
Source/WebKit/UIProcess/ChildProcessProxy.cpp
Source/WebKit/UIProcess/ChildProcessProxy.h
Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp
Source/WebKit/UIProcess/Plugins/PluginProcessProxy.cpp
Source/WebKit/UIProcess/Plugins/PluginProcessProxy.h
Source/WebKit/UIProcess/Plugins/mac/PluginProcessProxyMac.mm
Source/WebKit/UIProcess/Plugins/unix/PluginProcessProxyUnix.cpp
Source/WebKit/UIProcess/WebProcessPool.h
Source/WebKit/UIProcess/WebProcessProxy.cpp
Source/WebKit/UIProcess/WebProcessProxy.h
Source/cmake/OptionsGTK.cmake
Source/cmake/WebKitFeatures.cmake