nsOSXSystemProxySettings::Init() is failed in socket process when sandbox is enabled
Categories
(Core :: Security: Process Sandboxing, task, P1)
Tracking
()
People
(Reporter: kershaw, Assigned: haik)
Details
Attachments
(2 files)
|
2.25 KB,
patch
|
Details | Diff | Splinter Review | |
|
861 bytes,
patch
|
Details | Diff | Splinter Review |
STR:
- Manually add some code to use
nsOSXSystemProxySettingsin socket process. - SCDynamicStoreCreate returns NULL.
- Turning off sandbox is able to fix this.
|
Reporter | |
Comment 1•5 years ago
|
||
Not sure if it's possible to fix this by adjusting sandbox settings.
Haik, what do you think?
|
Assignee | |
Comment 2•5 years ago
|
||
(In reply to Kershaw Chang [:kershaw] from comment #1)
Not sure if it's possible to fix this by adjusting sandbox settings.
Haik, what do you think?
I'll take a look. Could you post the sample code you're using? Or send it via chat.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 3•5 years ago
|
||
This is just a test code that tries to use nsISystemProxySettings in socket process.
To execute this code path, please go to about:memory and than click measure button.
|
|
Assignee | |
Comment 4•5 years ago
|
||
This patch allows the test code to work, but we need to spend some time to understand the security impact of allowing the new service com.apple.SystemConfiguration.configd. It is allowed in the profile used for most Mac applications and several other Mac services so I suspect it is low risk. I'll look into this more.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 5•5 years ago
|
||
(In reply to Haik Aftandilian [:haik] from comment #4)
Created attachment 9149518 [details] [diff] [review]
Test patch to allow access to com.apple.SystemConfiguration.configd from the socket processThis patch allows the test code to work, but we need to spend some time to understand the security impact of allowing the new service
com.apple.SystemConfiguration.configd. It is allowed in the profile used for most Mac applications and several other Mac services so I suspect it is low risk. I'll look into this more.
Thanks for the patch! The socket process is able to read the system configuration now.
However, I also found the callback registered for monitoring proxy changes is not invoked in socket process at all. I am not sure if this is also related to sandboxing. I'll also try to figure this out.
|
|
Assignee | |
Comment 6•5 years ago
|
||
Kershaw, it would be better if we did not allow access to the configuration service and instead had the parent process read the configuration and pass it down to the socket process. Do we just need to read a few configuration properties?
After looking into this some more, allowing access to the service would also allow a compromised socket process to modify system configuration. Additionally, the macOS process that implements com.apple.SystemConfiguration.configd is provided by the /usr/libexec/configd daemon which runs unsandboxed as root.
|
|
Reporter | |
Comment 7•5 years ago
|
||
(In reply to Haik Aftandilian [:haik] from comment #6)
Kershaw, it would be better if we did not allow access to the configuration service and instead had the parent process read the configuration and pass it down to the socket process. Do we just need to read a few configuration properties?
After looking into this some more, allowing access to the service would also allow a compromised socket process to modify system configuration. Additionally, the macOS process that implements
com.apple.SystemConfiguration.configdis provided by the/usr/libexec/configddaemon which runs unsandboxed as root.
Thanks for looking into this.
I'll discuss this with our team members and then decide the next step.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 8•5 years ago
|
||
We'll keep proxy resolution in parent process, so this bug is WONTFIX.
Description
•