Mozilla2:CAPSSecurity: Difference between revisions

Jump to navigation Jump to search

Mozilla2:CAPSSecurity (view source)

Revision as of 07:01, 22 October 2006

283 bytes removed ,  22 October 2006
m
wikify, avoid html, to get OL types 1,A,i we need tweek wiki's style CSS
m (wikify, avoid html, to get OL types 1,A,i we need tweek wiki's style CSS)
Line 40: Line 40:
Access to interfaces on XPCOM objects is currently managed variously by xpconnect and by objects through several mechanisms:
Access to interfaces on XPCOM objects is currently managed variously by xpconnect and by objects through several mechanisms:


<html>
 
<ol type="1">
# Wrapper-creation check
<li> Wrapper-creation check
## get nsIClassInfo, check the flags for a DOM node. If it's a DOM node, you can have a wrapper.
  <ol>
## else get nsISecurityCheckedComponent and check canCreateWrapper
  <li>get nsIClassInfo, check the flags for a DOM node. If it's a DOM node, you can have a wrapper.
# xpconnect access checks go through nsIXPCSecurityManager CanAccess
  <li>else get nsISecurityCheckedComponent and check canCreateWrapper
## Get the security policy of the current calling code (subject)
  </ol>
## do same-origin checks if specified
<li>xpconnect access checks go through nsIXPCSecurityManager CanAccess
## reject access to anonymous content
  <ol>
## check the object for nsISecurityCheckedComponent and ask the appropriate method for non-default permissions
  <li>Get the security policy of the current calling code (subject)
## There is a method nsIXPCScriptable.checkAccess which is never called. This seems suspicious to me.
  <li>do same-origin checks if specified
# Methods can perform additional customized security checks in method implementations through the scriptsecuritymanager. [http://lxr.mozilla.org/mozilla/source/content/html/content/src/nsHTMLInputElement.cpp#679 Example of fileinput.setValue doing its custom check].
  <li>reject access to anonymous content
  <li>check the object for nsISecurityCheckedComponent and ask the appropriate method for non-default permissions
  <li>There is a method nsIXPCScriptable.checkAccess which is never called. This seems suspicious to me.
  </ol>
<li>Methods can perform additional customized security checks in method implementations through the scriptsecuritymanager. <a href="http://lxr.mozilla.org/mozilla/source/content/html/content/src/nsHTMLInputElement.cpp#679">Example of fileinput.setValue doing its custom check.</a>
</ol>
</html>


''Note: I'm a little hazy on step 1a, I thought there was more to it, like a same-origin check.''
''Note: I'm a little hazy on step 1a, I thought there was more to it, like a same-origin check.''
Line 71: Line 64:
This is my concept of '''The Rules''' for interacting between secured and unsecured code.
This is my concept of '''The Rules''' for interacting between secured and unsecured code.


<html>
# Unsecured Code
<ol type="I">
## Unsecured code may call other unsecured code without regard to the security stack.
<li>Unsecured Code
## When unsecured code calls secured code, it must initialize CAPS with a security stack.
  <ol type="A">
### This might be a simple stack of one principal (system principal or a codebase)
  <li>Unsecured code may call other unsecured code without regard to the security stack.
### It could also be a stored stack. For instance, when a DOM timer is set, the DOM code will store the security stack. When the timer is fired, that same security stack will be used.
  <li>When unsecured code calls secured code, it must initialize CAPS with a security stack.
# Secured Code
    <ol type="i">
## When secured code is called, it must have a valid security stack. If it doesn't, that's a design/security flaw. See the second bullet above. The secured code must then perform appropriate security checks.
    <li>This might be a simple stack of one principal (system principal or a codebase)
## When secured code calls secured code from another origin, The fooconnect for the new code must push the new origin onto the stack.
    <li>It could also be a stored stack. For instance, when a DOM timer is set, the DOM code will store the security stack. When the timer is fired, that same security stack will be used.
## Secured code may Assert privileges that it needs by pushing them onto the stack. It must pop these privileges off before returning. (Assert is the CAS equivalent to enablePrivilege()).
    </ol>
### This needs to be exposed to FooConnect code through an object Components.security or somesuch. Or maybe just keep using netscape.securitymanager, need to investigate.
  </ol>
### need a stack-based C++ wrapper for this, so that early returns clean up asserts properly
<li>Secured Code
## Secured may only call unsecured code if the secured code currently has the system/universalxpconnect privilege. At this point, the security context is invalid and must not be used. We probably want to explicitly invalidate the security stack, at least in debug builds, to catch logic errors.
  <ol type="A">
  <li>When secured code is called, it must have a valid security stack. If it doesn't, that's a design/security flaw. See the second bullet above. The secured code must then perform appropriate security checks.
  <li>When secured code calls secured code from another origin, The fooconnect for the new code must push the new origin onto the stack.
  <li>Secured code may Assert privileges that it needs by pushing them onto the stack. It must pop these privileges off before returning. (Assert is the CAS equivalent to enablePrivilege()).
    <ol type="i">
    <li>This needs to be exposed to FooConnect code through an object Components.security or somesuch. Or maybe just keep using netscape.securitymanager, need to investigate.
    <li>need a stack-based C++ wrapper for this, so that early returns clean up asserts properly
    </ol>
  <li>Secured may only call unsecured code if the secured code currently has the system/universalxpconnect privilege. At this point, the security context is invalid and must not be used. We probably want to explicitly invalidate the security stack, at least in debug builds, to catch logic errors.
  </ol>
</ol>
</html>


=== Defining Secured Code ===
=== Defining Secured Code ===
Line 140: Line 121:
When unsecured code is finished with the stack frame that calls CAPS_StartStack, it calls CAPS_EndStack to clean up.
When unsecured code is finished with the stack frame that calls CAPS_StartStack, it calls CAPS_EndStack to clean up.
When performing a security check, call CAPS_CheckAccess(origin, named-privilege). For example, to see if the calling code has access to read the DOM of a page at http://www.foo.com, call CheckAccess([origin of http://www.foo.com], "read").
When performing a security check, call CAPS_CheckAccess(origin, named-privilege). For example, to see if the calling code has access to read the DOM of a page at http://www.foo.com, call CheckAccess([origin of http://www.foo.com], "read").


When secured code calls unsecured code, it calls CAPS_SuspendStack. When it is finished calling unsecured code, it calls CAPS_ResumeStack.
When secured code calls unsecured code, it calls CAPS_SuspendStack. When it is finished calling unsecured code, it calls CAPS_ResumeStack.


Here are a list of the possible named-privileges I know we need so far (I'm sure there are more):
Here are a list of the possible named-privileges I know we need so far (I'm sure there are more):


* "read" (read the DOM or other content belonging to the origin) (UniversalFileRead would be CAPS_CheckAccess([origin for file://], "read"))
* "read" (read the DOM or other content belonging to the origin) (UniversalFileRead would be CAPS_CheckAccess([origin for file://], "read"))
BijuGC
17

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/38783"

Navigation menu