Re: Network service sandbox file restrictions

Chris Palmer
Dec 7, 2017, 2:36:32 PM
to Matt Menke, security-dev, network-service-dev, Tom Sepez
+security-dev for wider visibility

On Thu, Dec 7, 2017 at 11:23 AM, 'Matt Menke' via network-service-dev <network-s...@chromium.org> wrote:
I've been assuming that in the network service, we don't want to allow reading from arbitrary files outside the profile directory.  I just want to confirm this is the case.  I've been planning how to implement upload support with this limitation, but Tom just mentioned restricting writes at the last meeting, so I wanted to make sure I wasn't off base.

Thanks!

Thomas Sepez
Dec 7, 2017, 5:24:36 PM
to Chris Palmer, Matt Menke, security-dev, network-service-dev, Tom Sepez
Yes, for uploads, the "right" to upload a file comes from a file selection dialog box in the browser process, which should open the file and pass the FD where needed.

On Thu, Dec 7, 2017 at 11:35 AM, Chris Palmer <pal...@chromium.org> wrote:
+security-dev for wider visibility

On Thu, Dec 7, 2017 at 11:23 AM, 'Matt Menke' via network-service-dev <network-service-dev@chromium.org> wrote:
I've been assuming that in the network service, we don't want to allow reading from arbitrary files outside the profile directory.  I just want to confirm this is the case.  I've been planning how to implement upload support with this limitation, but Tom just mentioned restricting writes at the last meeting, so I wanted to make sure I wasn't off base.

Thanks!

Matt Menke
Dec 7, 2017, 5:26:20 PM
to Thomas Sepez, Chris Palmer, security-dev, network-service-dev, Tom Sepez
Only renderer-initiated uploads show such dialog boxes.  I'm mostly talking about browser-initiated ones.  Automatically uploading crash reports, for instance, doesn't show a file selection dialog.

On Thu, Dec 7, 2017 at 5:24 PM, Thomas Sepez <tse...@google.com> wrote:
Yes, for uploads, the "right" to upload a file comes from a file selection dialog box in the browser process, which should open the file and pass the FD where needed.

Thomas Sepez
Dec 7, 2017, 5:28:22 PM
to Matt Menke, Chris Palmer, security-dev, network-service-dev, Tom Sepez
Right, in that case the browser has an implicit right to open the file, and should pass the FD along as needed.
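The descriptor-passing design Tom describes, as an added example that is not Chromium code: the process that holds the right to a path (the "browser" role) opens the file read-only and hands only the descriptor across a UNIX-domain socket with SCM_RIGHTS; the receiving "network service" role never sees the path and cannot widen the access mode it was given. The socketpair, the temp file, its contents and both roles living in one process are all constructed for this demo.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fcntl.h>
#include <string>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

// Ancillary-data buffer sized for exactly one descriptor, aligned as the kernel requires.
union FdControl {
  struct cmsghdr align;
  char buf[CMSG_SPACE(sizeof(int))];
};

// Sender side: attach one open descriptor to a one-byte message. Returns true if sent.
bool SendFd(int sock, int fd_to_send) {
  char payload = 'F';
  struct iovec iov = {&payload, 1};
  FdControl control;
  std::memset(&control, 0, sizeof(control));
  struct msghdr msg;
  std::memset(&msg, 0, sizeof(msg));
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = control.buf;
  msg.msg_controllen = sizeof(control.buf);
  struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
  cmsg->cmsg_level = SOL_SOCKET;
  cmsg->cmsg_type = SCM_RIGHTS;
  cmsg->cmsg_len = CMSG_LEN(sizeof(int));
  std::memcpy(CMSG_DATA(cmsg), &fd_to_send, sizeof(int));
  return sendmsg(sock, &msg, 0) == 1;
}

// Receiver side: returns the descriptor the kernel duplicated into this process, or -1.
int RecvFd(int sock) {
  char payload = 0;
  struct iovec iov = {&payload, 1};
  FdControl control;
  std::memset(&control, 0, sizeof(control));
  struct msghdr msg;
  std::memset(&msg, 0, sizeof(msg));
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = control.buf;
  msg.msg_controllen = sizeof(control.buf);
  if (recvmsg(sock, &msg, 0) != 1) return -1;
  struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
  if (!cmsg || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS) return -1;
  int fd = -1;
  std::memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
  return fd;
}

struct UploadResult {
  std::string body;     // what the receiving side read through the passed descriptor
  bool write_rejected;  // true if the receiver's write() failed with EBADF (read-only fd)
};

// Constructed end-to-end run: the "browser" role owns the path, the "network service"
// role only ever holds a descriptor. Both roles run in this one process for the demo.
UploadResult SimulateUpload(const std::string& file_contents) {
  UploadResult result{"", false};
  // Browser role: create the upload file (constructed temp file) and open it read-only.
  char path[] = "/tmp/upload_demo_XXXXXX";
  int tmp = mkstemp(path);
  if (tmp < 0) return result;
  bool written = write(tmp, file_contents.data(), file_contents.size()) ==
                 static_cast<ssize_t>(file_contents.size());
  close(tmp);
  int ro_fd = written ? open(path, O_RDONLY) : -1;
  unlink(path);  // the path itself is never shared; only the descriptor crosses the boundary
  if (ro_fd < 0) return result;
  int socks[2];
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, socks) != 0) {
    close(ro_fd);
    return result;
  }
  bool sent = SendFd(socks[0], ro_fd);
  close(ro_fd);  // the sender's copy is no longer needed
  // Network service role: read through the received descriptor, then show it cannot write.
  int received = sent ? RecvFd(socks[1]) : -1;
  close(socks[0]);
  close(socks[1]);
  if (received < 0) return result;
  char buf[256];
  ssize_t n;
  while ((n = read(received, buf, sizeof(buf))) > 0) result.body.append(buf, n);
  result.write_rejected = (write(received, "x", 1) < 0 && errno == EBADF);
  close(received);
  return result;
}

int main() {
  UploadResult r = SimulateUpload("constructed crash report body");
  std::printf("received %zu bytes, write rejected: %s\n", r.body.size(),
              r.write_rejected ? "yes" : "no");
  return r.body.empty() ? 1 : 0;
}
```

The receiver gets a read-only descriptor and nothing else, so even a compromised receiving side can neither open other paths through this channel nor turn the upload handle into a write handle; that is the property that makes the browser-initiated crash-report case work without any path access in the network service.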

Matt Menke
Dec 7, 2017, 5:30:30 PM
to Thomas Sepez, Chris Palmer, security-dev, network-service-dev, Tom Sepez
Great, thanks for the confirmation.  Just wanted to make sure I wasn't making my life more difficult than it needed to be (and I completely agree that this restriction makes sense).

John Abd-El-Malek
Dec 7, 2017, 5:41:21 PM
to Matt Menke, Thomas Sepez, Chris Palmer, security-dev, network-service-dev, Tom Sepez
If it's possible to restrict it to just cookies file & cache subdirectories that'd be better than all of profile.

Matt Menke
Dec 7, 2017, 5:43:54 PM
to John Abd-El-Malek, Thomas Sepez, Chris Palmer, security-dev, network-service-dev, Tom Sepez
No argument there.  In particular, I think restricting writes to only certain files in the profile directory is a must.

On Thu, Dec 7, 2017 at 5:41 PM, John Abd-El-Malek <j...@chromium.org> wrote:
If it's possible to restrict it to just cookies file & cache subdirectories that'd be better than all of profile.

Randy Smith
Dec 7, 2017, 5:47:37 PM
to Matt Menke, John Abd-El-Malek, Thomas Sepez, Chris Palmer, security-dev, network-service-dev, Tom Sepez
On Thu, Dec 7, 2017 at 5:43 PM, 'Matt Menke' via network-service-dev <network-s...@chromium.org> wrote:
No argument there.  In particular, I think restricting writes to only certain files in the profile directory is a must.

It is my belief that the design of the simple cache requires a directory-level permission (as opposed to permission being allowed only for specific files).  It doesn't sound like that's a problem, but I don't want us to go for per-file restrictions without engaging with the simple cache owner.

-- Randy

Matt Menke
Dec 7, 2017, 5:51:32 PM
to Randy Smith, John Abd-El-Malek, Thomas Sepez, Chris Palmer, security-dev, network-service-dev, Tom Sepez
For the record, I'm including everything in the cache directory in the set of files that the network stack should be able to write to.  I'm mostly concerned about write access to files used by other parts of Chrome (writing to extensions, security preferences, proxy preferences, etc.), both in ways that make Chrome stay infected once the network service has been hijacked, and in ways that allow it to affect things the network service normally can't affect.

Thomas Sepez
Dec 7, 2017, 5:54:09 PM
to Matt Menke, Randy Smith, John Abd-El-Malek, Chris Palmer, security-dev, network-service-dev, Tom Sepez
Yes, we'll grant read/write BrokerFilePermissions for your cache dir.
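The allowlist the thread converges on, as an added example that is not Chromium's sandbox code: a broker-style check that grants read/write on the whole cache directory (the simple cache needs directory-level access, per Randy), read/write on the cookie database as a single file, and nothing else, refusing non-canonical paths so a ".." component cannot reach Preferences or anything outside the profile. The FilePermission type, the "Cache" and "Cookies" names under the profile directory and the NetworkServicePolicy function are all assumptions for this example, not Chromium's BrokerFilePermission API.

```cpp
#include <string>
#include <vector>

// Access bits a policy entry may grant.
enum Access { kRead = 1, kWrite = 2 };

// One allowlist entry. Simplified model written for this example, not Chromium's type.
struct FilePermission {
  std::string path;  // absolute path; a recursive entry names a directory and ends with '/'
  int allowed;       // bitmask of Access
  bool recursive;    // true: every path under the directory is covered
};

// Accept only clean absolute paths: no relative paths, no "." or ".." components,
// no empty components in the middle. Anything else is refused before matching,
// so traversal can never be used to escape a recursive directory grant.
bool IsCanonicalAbsolutePath(const std::string& p) {
  if (p.empty() || p[0] != '/') return false;
  size_t start = 1;
  while (start <= p.size()) {
    size_t end = p.find('/', start);
    if (end == std::string::npos) end = p.size();
    std::string comp = p.substr(start, end - start);
    if (comp.empty() && end != p.size()) return false;  // "//" inside the path
    if (comp == "." || comp == "..") return false;
    start = end + 1;
  }
  return true;
}

// True if some entry covers |path| and grants every bit requested in |access|.
bool IsAllowed(const std::vector<FilePermission>& policy, const std::string& path, int access) {
  if (!IsCanonicalAbsolutePath(path)) return false;
  for (const FilePermission& perm : policy) {
    // A recursive entry ends with '/', so a plain prefix match cannot be fooled by
    // a sibling whose name merely starts the same way (e.g. "Cache2").
    bool covered = perm.recursive ? path.compare(0, perm.path.size(), perm.path) == 0
                                  : path == perm.path;
    if (covered && (perm.allowed & access) == access) return true;
  }
  return false;
}

// Policy matching the thread's outcome: the whole cache directory read/write, the cookie
// database as one file, and nothing else. Directory and file names are assumed.
std::vector<FilePermission> NetworkServicePolicy(const std::string& profile_dir) {
  return {
      {profile_dir + "/Cache/", kRead | kWrite, true},
      {profile_dir + "/Cookies", kRead | kWrite, false},
  };
}
```

Because every other file in the profile (Preferences, extension data, proxy settings) is absent from the policy, both the persistence and the privilege-widening concerns Matt raises are addressed by default rather than by enumerating denied paths.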