
Issue 880522

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug




Keychain dialog comes up when network service is enabled on Mac

Project Member Reported by jam@chromium.org, Sep 4

Issue description

Per reports, os_crypt is used in the network process when network service is turned on. This is causing users to get a prompt from the OS as to whether to allow the binary used for child processes to get access to the stored passwords.

From Robert in a private email thread "As Dominic notes, we shouldn't add Google Chrome Helper to the ACL for our keychain secrets. The sandbox does prevent renderers from talking to the security daemon and reading Keychain files, but the ACL is what matters most in the event of a sandbox escape."

https://chromium.googlesource.com/chromium/src/+/1c6f0e1c732f129237c96e7e01622da7d54bdd7a might be related.
 
I don't know much about how the cookie encryption works on Mac. I.e., is there some one-time key that we can ask the browser for, and use that for encryption/decryption? Or do the actual encrypt/decrypt calls have to happen in the browser? The latter would be too slow.
Cc: cfroussios@chromium.org
Note that cookies are all read into memory on start, so even if we have to create some sort of proxied persistent cookie store, it would just affect performance while still loading cookies into memory. *However*, it might also mean we'd be more likely to lose cookies on shutdown... And there's additional session cookie-settings magic that has to be respected in the network process.
Components: Internals>Network>Cookies
On macOS, the implementation is handled by //components/os_crypt/os_crypt_mac.mm's GetEncryptionKey().

Note that this issue will potentially be present with Linux sandboxing efforts as well, as the Linux os_crypt implementation has a number of backends (see all the KeyStorage implementations), but these functionally return GetKeyImpl (just with various 3P dependencies, such as KWallet).

The encryption within net is handled by //net/extras/sqlite/cookie_crypto_delegate.h, which is implemented by //components/cookie_config to glue //components/os_crypt to the cookie store.
Owner: cmumford@chromium.org
Status: Assigned (was: Available)
re #1
On Mac and Linux, encryption depends on a safely stored key. If you pass that key between processes, encryption and decryption will work fine. I would defer to the security team on whether it is safe to pass this key between processes.
Cc: morlovich@chromium.org
If it is not possible to keep the key only in the browser process (e.g., round-tripping to the browser for each cookie decrypt is too costly), then sending the key over IPC to the network service seems acceptable. Doing so would be preferable on Mac to expanding the Keychain ACL to include the Helper app.
Status: Started (was: Assigned)
Review: https://chromium-review.googlesource.com/1208457.
Project Member

Comment 10 by bugdroid1@chromium.org, Sep 6

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/82531c641caf83369e66ee2d6635bc72e1ddc83b

commit 82531c641caf83369e66ee2d6635bc72e1ddc83b
Author: Chris Mumford <cmumford@chromium.org>
Date: Thu Sep 06 22:31:36 2018

Send the AES encryption key to the network service.

Send the encryption key to network service so that the process
does not request the item from the keychain directly, which would
cause macOS to show a confirmation prompt.

Bug:  880522 
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: Ia1067bf809472653d843b9007a45574bfe10ed2c
Reviewed-on: https://chromium-review.googlesource.com/1208457
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589343}
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/chrome/browser/net/system_network_context_manager.cc
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/components/os_crypt/os_crypt.h
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/components/os_crypt/os_crypt_mac.mm
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/services/network/network_service.cc
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/services/network/network_service.h
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/services/network/public/mojom/network_service.mojom

Labels: Needs-Feedback
Update:

We are unable to reproduce the issue on old canary build #71.0.3542.0 

@jam: Could you please provide us with the exact steps of the issue, which would help us to verify the issue further?

Attaching screen-cast with performed steps.

Thanks.
#71.0.3542.0-KeyChain-behaviour.mov
Labels: Merge-Request-70
Labels: -Merge-Request-70 Merge-Approved-70
Branch:3538
aiman.ansari@etouch.net: I had to do two things to repro: 1) Start with a fresh profile directory. i.e. use a new --user-data-dir value when launching Chrome. 2) Make sure you run Chrome with net service enabled: --enable-features=NetworkService, then navigating to https://mail.google.com will display the dialog after a short prompt.
Project Member

Comment 15 by bugdroid1@chromium.org, Sep 7

Labels: -merge-approved-70 merge-merged-3538
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a

commit 1e1c6c712894e519ecec0ef5d9ed4ca470491c9a
Author: Chris Mumford <cmumford@google.com>
Date: Fri Sep 07 19:51:17 2018

Send the AES encryption key to the network service.

Send the encryption key to network service so that the process
does not request the item from the keychain directly, which would
cause macOS to show a confirmation prompt.

TBR=cmumford@chromium.org

(cherry picked from commit 82531c641caf83369e66ee2d6635bc72e1ddc83b)

Bug:  880522 
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: Ia1067bf809472653d843b9007a45574bfe10ed2c
Reviewed-on: https://chromium-review.googlesource.com/1208457
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#589343}
Reviewed-on: https://chromium-review.googlesource.com/1214156
Reviewed-by: Chris Mumford <cmumford@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#152}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/chrome/browser/net/system_network_context_manager.cc
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/components/os_crypt/os_crypt.h
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/components/os_crypt/os_crypt_mac.mm
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/services/network/network_service.cc
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/services/network/network_service.h
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/services/network/public/mojom/network_service.mojom

Status: Fixed (was: Started)
Labels: -Needs-Feedback TE-Verified-M70 TE-Verified-70.0.3538.16
Update:

Retested the issue using the steps mentioned in comment #14 with the #network-service flag enabled, and it seems the issue is fixed. Visited https://mail.google.com and no Keychain dialog is observed even after waiting for 30 sec.

Kindly refer to the attached screen-cast at the link below.

https://drive.google.com/drive/folders/1HLzk4-pDfurCKpC8XgCtnml_02ulw8yL?usp=sharing

Thanks!

