webextensions: add a portal for managing WebExtensions native messaging servers #1537
Conversation
xhorak
force-pushed
the
webextensions
branch
from
cd2b365 to
3568500
Compare
|
Has the other PR really been abandoned, or is the author merely focused on other tasks or even away from work? The latter would not be surprising considering that we are approaching the end of the year. This patch squashes all changes from #705 into one, along with new changes. I suppose that this was the easiest way to rebase, but it causes the lost of context because some individual commits offered context that are missing from the squashed commit. Out of all, I think that it would make most sense to include the context of 59d7b4b addresses #769 . E.g. by including the issue reference in the commit message ("Fixes xxx") and a code comment pointing to the discussion. |
|
I'd really like if the test was moved over to python. |
|
I've been trying to contact authors since late October but did not received any reply. I would happily keep the original PR but I want to move this forward. Especially now when the Firefox part landed. The squash was suggested, so I did it. I'll check the 59d7b4b |
xhorak
force-pushed
the
webextensions
branch
from
3568500 to
7324625
Compare
|
In latest update I've fixed the |
xhorak
force-pushed
the
webextensions
branch
from
7324625 to
b59c90f
Compare
That's the usual issue we have with host apps. The application id comes from cgroups, which is set depending on the way you start the app, e.g. you start it from a terminal app it might get app id of the terminal app. Or you start it with Alt + F2 in GNOME and the app id will be just See #1512 what we did for the camera portal, where this was causing issues. |
|
Regarding the appid mismatch that unfortunately still happens: I'd much rather see us adding #1521 than special casing every portal that firefox actually depends on. |
Looking at the python vs C tests, there seems to be missing permission store service in Python. I'm not sufficiently familiar with the code to implement it for python tests or is it done somewhere already? |
|
The permission store is supposed to get started (https://github.com/flatpak/xdg-desktop-portal/blob/1c902cc77e53b422d49988bab58b6cca0ed9b112/tests/conftest.py#L458C5-L458C25) when the test case uses either the |
…ng servers. Rebase, fix and continue work on webextensions: add a portal for managing WebExtensions native messaging servers: flatpak#705 This commit builds on the work done in the original MR authored by @jhenstridge but resolves pending items and brings it closer to completion. This is intended to provide a way for a confined web browser to start native code helpers for their extensions. At present it can start the servers installed on the host system. But in future this could be extended to cover sandboxed native messaging servers too. Fixes: flatpak#769
|
The proposal (by @swick) suggests replacing xdg-desktop-portal with a separate service, The service API remains unchanged, but as noted by @swick, this approach does not address potential sandbox escapes but it will be exclusive to those who want to use the @Rob--W please share your thoughts from the Firefox point of view and all the work that has been done on the Firefox side. |
|
Could you elaborate on the changes that you're considering? What are the current values and the proposed values? It sounds like the proposal may effectively introduce a backwards-incompatible change, requiring changes to https://searchfox.org/mozilla-central/rev/7d1b5c88343879056168aa710a9ee743392604c0/toolkit/components/extensions/NativeMessagingPortal.cpp#110-112, and maybe other places too. The feature in Firefox is currently disabled by default to offer room for such breaking changes if really needed. I would imagine Canonical to either apply distro-specific patches to Firefox, or update the portal to transition to the new state. But I cannot speak on behalf of them, so once you've clarified the exact changes that you're considering, I'll ping them. |
@swick I'm not sure how the separate service will support creating and maintaining sessions currently implemented by xdp. Could you help? |
|
Maybe I should try to explain why I would like to keep the native messaging host functionality out of portals and expand a bit on the alternative that I'm suggesting. Portal APIs are meant to be generically useful platform APIs with high stability which work with the restrictions of a sandbox, and in particular don't allow sandbox escapes. In my opinion the native messaging host portal doesn't meet those criteria:
The potential sandbox escape comes from the fact that native messaging hosts (NMH) didn't have to deal with a sandboxed browser before as they were both running in the trusted computing base (TCB). If an attacker takes control over firefox, it can use the portal to use all APIs exposed via any NMH. If any of those provides an API that can be used to escape the sandbox, so can the attacker. This could be something as simple as providing an arbitrary path to write a file into. The portal does ask the user the question "Allow %s to start WebExtension backend" but in general a user which has NHMs installed wants to use them and doesn't know if the browser is malicious, so this doesn't prevent the attack. Besides not preventing the sandbox escape, the question serves no other purpose because installing the browser extension and having the NMH installed is already enough intent to let them communicate (under the assumption that there is no sandbox escape). So I'm suggesting to move the code out of the x-d-p project and expose it on a bus name that is not visible to sandboxed apps such as It doesn't fix the inherent sandbox escape problem, but at least it gets us some time to figure out how to get there properly. |
|
@jhenstridge resumed work on the original PR (#705). Have you all synchronized with each other? Which PR is intended to be the one to be merged? To me (as a relatively outsider in this project who merely contributes reviews as a subject matter expert in the topic of extensions and NativeMessaging), it is unclear what the desired intermediate and long-term direction is:
Could someone clarify? |
|
Maybe this:
|
I've tried to contact @jhenstridge in past few months without any luck, so I've decide to move things forward with this PR. |
|
I'd like to chip in a thought: Do we really need the portal to be able to start other applications? I know that the original idea is about supporting the known and well established Native Messaging API with Flatpak and Snap. However, the API's capability of running and communicating with arbitrary binaries somewhat conflicts with the concept of containerization. The debate revolves around the question of how the Native Messaging API with its powerful capabilities could be limited to fit into Flatpak's security model and has ultimately led to a more or less finished solution not being integrated for several years now. So I'd like to ask whether we even need it: Is there a reason (besides requiring changes to applications using Native Messaging, I rather mean conceptionally) why we couldn't flip things over, i.e. requiring other applications to provide the necessary communication endpoints and the browser connecting to these endpoints, rather than the browser starting other applications? The exact solution doesn't really matter right now: It could be a DBus interface (requiring |
|
The problem isn't who execs the native messaging hosts. The problem is that the native messaging hosts might expose APIs on that socket which can be used to escape the sandbox. |
@swick As you correctly stated before, this is by design and more or less the point of Native Messaging. I personally don't see much issue with it, because this isn't something Flatpak needs to or even can sort out, but something the browser vendors must sort out with the developers of applications using the Native Messaging API. This issue isn't even special to the Native Messaging API: As you correctly pointed out in the same post, the same could happen with any custom bus. I therefore suggest focusing on things that increase the attack surface in comparison to the status quo, like the Native Messaging API being able to more or less execute arbitrary binaries outside the sandbox. IMHO this is a critical issue and requires not just "some" user interaction, but must allow the user to fully understand what's going on. @Mikenux's suggestions address this pretty well IMHO. However, if the Native Messaging API couldn't start applications, I personally don't see much of an issue: Browsers then can only communicate with applications that already run and advertised that they want to talk with a browser using the Native Messaging API (i.e. e.g. by using a custom bus, or creating a socket file in a well-known runtime directory). The issue is then similar to any other custom bus, and users are made aware of running applications by other means already. Long story short: I'm asking whether we even need a portal. And whether I've missed other issues. |
|
@PhrozenByte: To clarify, what I've written is for long-term direction, not for intermediate direction. However, I guess people want to know what to make an intermediate solution on which the "right" solution can be built. |
This is not by design, it's just how it turned out to be because native messaging hosts didn't have to care about not providing sandbox escapes for the browser before. Focusing on another aspect is pointless because this is a fundamental flaw that must get sorted out before it can be exposed.
That's why we only expose APIs (including busses) where the end-points understand the threat-model of having a potentially malicious actor on the other side which will try to escape the sandbox or otherwise mess up the system. The the Native Messaging APIs are not one of those.
It cannot. There is no such issue. This is distracting from the main problem. |
I don't agree with that assessment. However, I'd only repeat things that were said in #705 multiple times before. I agree that this whole discussion is a distraction though. Let's get this PR or #705 merged first and discuss alternative approaches later. |
|
Sorry, but the correct response to "this PR contains a security vulnerability" is not to go ahead and merge it. |
|
This has been discussed extensively in #705 over the past three years. You have your opinion on the matter and were able to express it in detail. Others don't agree with it, yet respect your opinion and have addressed your concerns. You don't have to agree with the solution, but please accept that others have different opinions on the matter and please refrain from depicting your opinion as fact ("this PR contains a security vulnerability"). This is disruptive behaviour and rude. |
|
Rebased because of the testing changes. Works locally but somehow CI fails with the |
This MR continues the work from the abandoned MR #705.
The following updates and improvements have been made:
@jhenstridge thank you for your work on this! Let me know if you'd like to collaborate further.
This is intended to provide a way for a confined web browser to start native code helpers for their extensions. At present it can start the servers installed on the host system. But in future this could be extended to cover sandboxed native messaging servers too.