On Mon, 2015-05-11 at 11:21 -0700, Ryan Sleevi wrote:
> It's not simply sufficient to load module X into Chrome or not. p11-kit's
> security model is *broken* for applications like Chrome, at least with
> respect to how you propose to implement.

I've proposed at least four different options and asked for opinions
on which might be better and how to refine them; let's not get too
hung up on "how I propose to implement".

I even have a fifth, which is impractical but perhaps serves to
highlight the intent better:

Option 5: Hack the *kernel* so that whenever any userspace application
opens a file named "pkcs11.txt" it magically sees extra contents in
that file. The extra contents being appropriate text to cause NSS to
load the additional PKCS#11 modules that are present in the p11-kit
policy for the application in question.

Obviously it would be insane to actually implement it that way, but
perhaps it makes the intent clearer. Certainly I think it should help
to alleviate the concern below, which seems to be a misunderstanding...

> Let's say you've got Module X.

... where 'got' means it's listed in ~/.pki/nssdb/pkcs11.txt, yes?

> Today, Chrome controls loading of modules. It can load module X into the
> browser process (and trusted process) and *NOT* load Module X into a
> sandboxed zygote process that it then uses to start renderers and such.
> 
> Because Chrome fully controls module loading, and uses the NSS documented
> APIs, it can ensure that things are appropriately controlled.

The documented API in the case of the sandbox being NSS_NoDB_Init(),
yes? ¹

Were you worried that the p11-kit configured modules would get loaded
in that case? They certainly shouldn't, and I thought I'd made a
fairly explicit reference to that in my first message in this thread.

The idea is that p11-kit listed modules should be treated *just* like
the modules in the pkcs11.txt file. If you aren't loading the latter
(as in the sandbox case), you shouldn't get the former.

In fact, another way of implementing the integration might possibly be
just to patch NSC_ModuleDBFunc() in the softokn and make it
transparently add the list of modules specified by p11-kit to what it
finds in pkcs11.txt? (Or perhaps just add p11-kit-proxy.so).

-- 
dwmw2

¹ https://git.chromium.org/gitweb/?p=chromium/src/crypto.git;a=blob;f=nss_util.cc;h=062bcb51;hb=HEAD#l686
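An added illustration of the intent the message above describes (treat p11-kit-listed modules exactly like entries in pkcs11.txt, and load neither when NSS is initialised without a database). This is example code written for this page, not code from the thread, NSS, p11-kit or Chrome. The pkcs11.txt sample and the p11-kit module files are constructed; the `enable-in`/`disable-in` keys are p11-kit's per-application policy as I understand it, and the helper names (`module_list`, `render_pkcs11_txt`, the `nodb` flag standing in for `NSS_NoDB_Init()`) are this example's own.

```python
import os
from typing import Dict, List

# Constructed sample of ~/.pki/nssdb/pkcs11.txt: one module per block of
# key=value lines, blocks separated by blank lines; the first is the softokn.
PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib64/pkcs11/p11-kit-trust.so
name=p11-kit-trust
NSS=trustOrder=100
"""

# Constructed samples of p11-kit module files ("key: value" syntax);
# enable-in / disable-in carry the per-application policy.
P11KIT_MODULES = {
    "opensc.module": "module: opensc-pkcs11.so\nenable-in: firefox, chrome\n",
    "gnome-keyring.module": "module: gnome-keyring-pkcs11.so\ndisable-in: chrome\n",
    "p11-kit-trust.module": "module: p11-kit-trust.so\ntrust-policy: yes\n",
}


def parse_pkcs11_txt(text: str) -> List[Dict[str, str]]:
    """Split pkcs11.txt into one dict per module block (first '=' separates key and value)."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def parse_p11kit_module(text: str) -> Dict[str, str]:
    """Parse a p11-kit .module file: 'key: value' lines, '#' comments ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def p11kit_allows(conf: Dict[str, str], app: str) -> bool:
    """Apply p11-kit's per-application policy to one module file."""
    if "enable-in" in conf:
        return app in [a.strip() for a in conf["enable-in"].split(",")]
    if "disable-in" in conf:
        return app not in [a.strip() for a in conf["disable-in"].split(",")]
    return True


def module_list(app: str, nodb: bool = False,
                pkcs11_txt: str = PKCS11_TXT,
                p11kit_files: Dict[str, str] = P11KIT_MODULES) -> List[Dict[str, str]]:
    """Modules NSS would see for `app`: pkcs11.txt entries plus p11-kit policy.

    nodb=True models NSS_NoDB_Init() (the sandbox case): pkcs11.txt is not
    read, so the p11-kit-listed modules must not be added either.
    """
    if nodb:
        return []
    entries = parse_pkcs11_txt(pkcs11_txt)
    # Dedupe on basename so a module already in pkcs11.txt is not loaded twice.
    loaded = {os.path.basename(e.get("library", "")) for e in entries}
    for fname, text in sorted(p11kit_files.items()):
        conf = parse_p11kit_module(text)
        lib = conf.get("module")
        if not lib or not p11kit_allows(conf, app):
            continue
        if os.path.basename(lib) in loaded:
            continue
        entries.append({"library": lib, "name": fname[: -len(".module")]})
        loaded.add(os.path.basename(lib))
    return entries


def render_pkcs11_txt(entries: List[Dict[str, str]]) -> str:
    """Serialise back to pkcs11.txt syntax: the 'extra contents' of option 5."""
    return "\n\n".join("\n".join(f"{k}={v}" for k, v in e.items()) for e in entries) + "\n"


if __name__ == "__main__":
    print("sandboxed renderer:", module_list("chrome", nodb=True))
    print(render_pkcs11_txt(module_list("chrome")))
```

Running it prints an empty list for the sandboxed case and, for the browser process, the two pkcs11.txt entries followed by `opensc-pkcs11.so`; `gnome-keyring-pkcs11.so` is withheld by its `disable-in: chrome` line, and `p11-kit-trust.so` is not duplicated because pkcs11.txt already lists it.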

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto