[23] Pass an extra ApplicationBundleIdentifier through PCM
Severity: Low | Component: WebKit Networking / PCM | f8277ab
This commit is a feature addition rather than a vulnerability fix, so its Severity is rated Low. It does, however, contain two structural changes that deserve attention. The privacy-proxy fail-closed flag moved from an unconditional setting in the loader to a conditional setting in a centralized helper, and the sandbox and entitlements of the adattributiond daemon were expanded in a direction that permits direct network egress. Both changes weaken a privacy invariant and widen the daemon's attack surface.
A "secondary" identifier (com.apple.webkit.adattributiond) is now passed through PrivateClickMeasurementManager and NetworkLoader::start. On adattributiond's URLSession that identifier is set via NSURLSessionConfiguration. The daemon was also newly granted the network-client, socket-delegate and networkserviceproxy entitlements, plus mach-lookup permission for com.apple.networkserviceproxy. The _privacyProxyFailClosed flag moved from an unconditional setting in PrivateClickMeasurementNetworkLoaderCocoa.mm to sit next to _needsNetworkTrackingPrevention inside NetworkDataTaskCocoa.mm::setPCMDataCarriedOnRequest. According to the commit message, the flag is now applied only outside debug mode.
Source/WebKit/NetworkProcess/PrivateClickMeasurement/cocoa/PrivateClickMeasurementNetworkLoaderCocoa.mm
WTF::switchOn(applicationBundleIdentifier,
- [&] (const String& bundleIdentifier) {
- configuration.get()._sourceApplicationBundleIdentifier = bundleIdentifier.createNSString().get();
+ [&] (const std::pair<String, String>& bundleIdentifiers) {
+ configuration.get()._sourceApplicationBundleIdentifier = bundleIdentifiers.first.createNSString().get();
+ configuration.get()._sourceApplicationSecondaryIdentifier = bundleIdentifiers.second.createNSString().get();
}, ...);
- [request _setPrivacyProxyFailClosed:YES];
+ [request setAttribution:NSURLRequestAttributionUser];
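Review bot: this hunk removes `- [request _setPrivacyProxyFailClosed:YES];` and adds only `+ [request setAttribution:NSURLRequestAttributionUser];`, so the request now leaves the loader relying on a downstream helper to restore the fail-closed guard. Add a comment here naming where fail-closed is now applied, and consider an assertion before the task is started that the flag is set, so a future request path that skips that helper fails loudly instead of being able to fall back to a direct connection. Also, the new switchOn arm copies `bundleIdentifiers.second` into `_sourceApplicationSecondaryIdentifier` unconditionally; if the pair's second element can be an empty String, document that or skip the assignment in that case.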
Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
request._needsNetworkTrackingPrevention = YES;
+ request._privacyProxyFailClosed = YES;
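Review bot: `+ request._privacyProxyFailClosed = YES;` now applies only to requests that pass through setPCMDataCarriedOnRequest, and the debug-mode condition mentioned in the commit message is not visible in this hunk, so the code alone does not show when the flag is skipped. Make the condition explicit with a short comment next to the assignment, and add a test that a PCM report request built through NetworkLoader::start still carries the flag outside debug mode.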
Source/WebKit/Scripts/process-entitlements.sh
+ plistbuddy Add :com.apple.private.network.socket-delegate bool YES
+ plistbuddy Add :com.apple.security.network.client bool YES
+ plistbuddy Add :com.apple.private.networkserviceproxy bool YES
+ plistbuddy Add :com.apple.security.exception.mach-lookup.global-name:0 string com.apple.networkserviceproxy
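Review bot: these four additions grant adattributiond both a direct network-client entitlement (`com.apple.security.network.client`) and the proxy path (`com.apple.private.networkserviceproxy` plus a global mach-lookup exception for `com.apple.networkserviceproxy`), with no comment in the script explaining why both are needed. Document which of these the daemon actually uses to send PCM reports and drop any that are not required, so the entitlement set stays at least privilege and later audits can verify it against this justification.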
The privacy-proxy fail-closed guard was relocated so that it is conditional on debug mode, and this landed together with sandbox/entitlement relaxations that give the attribution daemon a network egress path.
Patch Details
ApplicationBundleIdentifierOrAuditToken was changed to ApplicationBundleIdentifiersOrAuditToken (Variant<std::pair<String, String>, Vector<uint8_t>>). This type is threaded through PrivateClickMeasurementManager::create/ctor, NetworkLoader::start, managerOrProxy and initializePCMStorageInDirectory. The Cocoa loader sets both _sourceApplicationBundleIdentifier and _sourceApplicationSecondaryIdentifier. In PCMDaemonEntryPoint.mm the secondary identifier is hardcoded to com.apple.webkit.adattributiond. PCM report requests now have setAttribution:NSURLRequestAttributionUser set, and the adattributiond sandbox profile was relaxed to allow reading com.apple.networkextension.uuidcache.plist.
Background
PCM is WebKit's privacy-preserving ad-click attribution mechanism. It stores click information from a source site as metadata and, when a conversion later occurs, sends an attribution report to that source's endpoint. On iOS, PCM runs as an XPC daemon (adattributiond) and sends reports through NSURLSession. _sourceApplicationBundleIdentifier and _sourceApplicationSecondaryIdentifier are NSURLSessionConfiguration SPI that tag outgoing traffic with the identity of the originating application. _privacyProxyFailClosed is NSMutableURLRequest SPI that instructs the networking stack to fail the request outright when the privacy relay is unavailable, rather than falling back to a direct connection. Without this setting, a relay outage degrades to a direct connection and can expose the client IP. networkserviceproxy is the system service that brokers network connections for sandboxed daemons.
Analysis
The refactoring itself is mechanical and preserves ownership. The Variant still holds either a pair of Strings or a Vector<uint8_t> by value, so there is no lifetime change. What deserves attention are the two behavioral changes. With the move of _privacyProxyFailClosed, the invariant narrowed from "set on the request object before it leaves the loader" to "set somewhere downstream, conditional on whether PCM data is carried". If a future code path creates a PCM-bound request while bypassing setPCMDataCarriedOnRequest, the fail-closed guarantee could be silently weakened, so this warrants care.
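To make the narrowed invariant concrete, here is an added C++ model (not WebKit code; the struct and function names are stand-ins for the SPI fields and helpers discussed above) showing the Variant dispatch from the loader and a check that catches any PCM-bound request built without going through setPCMDataCarriedOnRequest:

```cpp
#include <cstdint>
#include <string>
#include <type_traits>
#include <utility>
#include <variant>
#include <vector>
// Hypothetical stand-ins for the NSURLSessionConfiguration / NSMutableURLRequest fields.
struct SessionConfig {
    std::string sourceApplicationBundleIdentifier;
    std::string sourceApplicationSecondaryIdentifier;
    std::vector<std::uint8_t> sourceApplicationAuditToken;
};
struct Request {
    bool carriesPCMData = false;
    bool needsNetworkTrackingPrevention = false;
    bool privacyProxyFailClosed = false;
};
// Same shape as ApplicationBundleIdentifiersOrAuditToken in the patch.
using ApplicationBundleIdentifiersOrAuditToken =
    std::variant<std::pair<std::string, std::string>, std::vector<std::uint8_t>>;
// Counterpart of the loader's WTF::switchOn: the pair arm sets both identifiers,
// the audit-token arm sets neither.
SessionConfig configureSession(const ApplicationBundleIdentifiersOrAuditToken& ids) {
    SessionConfig cfg;
    std::visit([&](const auto& v) {
        using T = std::decay_t<decltype(v)>;
        if constexpr (std::is_same_v<T, std::pair<std::string, std::string>>) {
            cfg.sourceApplicationBundleIdentifier = v.first;
            cfg.sourceApplicationSecondaryIdentifier = v.second;
        } else {
            cfg.sourceApplicationAuditToken = v;
        }
    }, ids);
    return cfg;
}
// Post-patch shape of setPCMDataCarriedOnRequest: fail-closed is set only here,
// next to tracking prevention (the debug-mode condition is left out of this model).
void setPCMDataCarriedOnRequest(Request& r) {
    r.carriesPCMData = true;
    r.needsNetworkTrackingPrevention = true;
    r.privacyProxyFailClosed = true;
}
// The invariant the patch narrowed: a PCM-bound request must never be allowed
// to fall back to a direct connection.
bool pcmRequestInvariantHolds(const Request& r) {
    return !r.carriesPCMData || r.privacyProxyFailClosed;
}
// Through the helper: invariant holds. Bypassing it: the silent regression the analysis warns about.
Request buildReportRequestViaHelper() { Request r; setPCMDataCarriedOnRequest(r); return r; }
Request buildReportRequestBypassingHelper() { Request r; r.carriesPCMData = true; return r; }
```

A check like pcmRequestInvariantHolds, run where the data task is actually started, is the kind of guard that would turn the bypass case into a loud failure instead of a quiet privacy regression.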
🔒The privacy-proxy and sandbox/entitlement implications of routing PCM traffic through a network-capable daemon are examined in depth.
Audit directions
🔒Multiple reusable audit patterns identified around flag-relocation, daemon entitlement expansion, and Variant-shape migrations, each with concrete starting points.