Vanadium WebView and Network permission

ryrona

Let's say an app uses Vanadium WebView, is it the Network permission for the app, or Network permission for Vanadium WebView, that decides whether access to Network is blocked or not?

I am wondering, is it enough to revoke Network permission from the app to be sure it cannot access the Network, even if Vanadium WebView still have Network permission granted?

Does revoking Vanadium WebView Network permission even have any effect at all?

Why does Vanadium WebView declare Network permission, if it is a component that will purely be used within the scope and with the permissions of another app?

pxlkng

ryrona

Revoking the internet permission that GrapheneOS adds for an app reliably restricts it from accessing the internet in any way, this includes the app using webviews or browser intents.
https://grapheneos.org/features#network-permission-toggle

Only "exception" to this is IPC (communication between apps), as apps could potentially work around the network restriction by using a middleman app that does have access to the network.
In practice, this is not something that is being (purposefully) done by apps to bypass network restrictions, in 99% of situations.

argante

ryrona

Does revoking Vanadium WebView Network permission even have any effect at all?

I think that to answer your questions we need to look more closely at SELinux policy. Data for SELinux are saved as extended attributes (xattr) in the file system. An application that starts as a process can have own attributes (polices), but libraries can also have separate rules. So a WebView may not have network permissions, but if it is started by an application that has these permissions, it can also get them. SELinux gives you a lot of possibilities to write different policies. I haven't looked at how they are written in GOS, so I can't answer precisely - but that's why I'm pointing out where to look for it.

ryrona

Anyone knows?

vincente213

I just tested this. The only way to stop a webview from accessing the internet is to disable network access on Vanadium itself, not vanadium webview or the app in question. It seems that the network permission on Vanadium WebView does nothing at all.

fid02

vincente213 You are sure that the apps you tested this on used the Webview and not Custom Tabs?

fid02

pxlkng Revoking the internet permission that GrapheneOS adds for an app reliably restricts it from accessing the internet in any way, this includes the app using webviews or browser intents.
https://grapheneos.org/features#network-permission-toggle

I think this is a very misleading statement, and the provided source does not support it. For one, if I install an app and revoke its Network permission but then give it accessibility permission, what do you think that app can now do? The Network permission is obviously not going to prevent an app with nearly full control over the device – and being able to draw anything on the screen – from accessing the internet. The claim that revoking the Network permission for an app "reliably restricts it from accessing the internet in any way" is not true. It gives a false impression of the toggle's capabilities.

I just revoked the Network permission from an app that doesn't have accessibility permission and I could still navigate the website it launched through a Custom Tab without issues. That's not surprising.

Back on topic…
I can't find anything about Webview in the provided source, so even if that's true or not, I think it's fair to ask that you clarify from where you get the information.

vincente213

fid02 now that you mention this, I am not sure which one they use. I'd be a bit surprised if none of my apps use webview but it is possible and it would explain why removing network permissions did nothing for me

pxlkng

fid02

You are right, there are two issues with my reply:

"in any way" is way too broad. I didn't mean this in a sense of "every way ever possible" but more like "any of the normal methods of access". This was very poor wording on my side. I am aware that there are ways to bypass this, like I already mentioned IPC, but there seem to be more than I was aware of.
" internet" should have been "network", as in, direct network access. It does reliably prevent direct access in means of the API or similar access methods, as far as I understand, but there remain indirect ways of broader internet access (like you mentioned), for example opening links in the browser, which I actually thought was blocked by this toggle, but appears to not be.

I only really get my information from the GrapheneOS twitter posts (or official statements in general) as well as the official community rooms.
I always try to do my best due diligence in applying knowledge and information I get from there, especially before sharing it as advice or help, but I seem to have misunderstood the scope of this toggle, for which I want to apologize.

argante

Up: This gives you a hint. Transition means that the WebView has its own policies, but can switch to the policies assigned to the isolated app (only).

ryrona

I guess maybe I am asking the wrong question.

Custom Tabs are actually launching the web browser app, and thus have all the permissions of the web browser app. Any app can launch any other app after all, including apps that actually have Network permission granted to them.

But WebView is installed as yet another app, with its own set of permissions, yet, this is where I get confused. Is WebView also launched like another app, like in the Custom Tabs case? Or is it just a library that can be loaded into other apps? If the latter case, why does an "app" that is just a library have any permissions assigned to it at all? It should only use the permissions of the app it was loaded into. Or is the WebView something else entirely, neither a separately launched app, nor a library? Is it a separate process that can be launched within the context of another app, with that other apps permissions? If it is, can WebView be launched independently too, like a regular app? Does this affect which permissions gets used?

argante Up: This gives you a hint. Transition means that the WebView has its own policies, but can switch to the policies assigned to the isolated app (only).

Unfortunately, I cannot read SeLinux policies at all. What does these policies actually say?

GrapheneOS

argante This is not what that means. It means that the WebView zygote which is an OS service can switch to the isolated_app domain which it does as part of spawning isolated renderer processes for the WebView. It does not mean what you think it does.

cc ryrona

argante

ryrona Unfortunately, I cannot read SeLinux policies at all. What does these policies actually say?

In short, WebView has its own SELinux rules, but can switch to the rules of the application that WebView runs. SELinux is divided into rules (polices), which are loaded into the kernel, and attributes, which are assigned to a file (xattr). An application, library or data can have different attributes assigned and thus be subject to different rules. SELinux works like a system firewall, but it is very broad, because it does not only concern syscalls, but e.g. memory access (GOS hardened with SELinux NX/PaX). SELinux can also manage network access. I have been using GOS for a very short time and I have not yet familiarized myself with its architecture. However, I suspect that there is some daemon that manages SELinux permissions. It would be nice to hear the opinion of GOS developers or information about where to read more about the GOS architecture.

GrapheneOS

ryrona

Any app can launch any other app after all, including apps that actually have Network permission granted to them.

No, only apps which permit anything to launch them and only in the ways they permit it.

WebView also launched like another app, like in the Custom Tabs case?

No, it's used as a library. The standalone app is only used to provide the library functionality and for spawning the isolated renderer processes the app talks to from the library portion. On the stock OS, it also fetches feature flags for the WebView, which is disabled on GrapheneOS, which is the only reason it really runs by itself as an app. The isolated renderer processes operate through the library in the app using them which acts as the broker process providing network access, etc. when permitted. The isolated WebView processes can't access anything external without going through the app using them.

ryrona

GrapheneOS No, it's used as a library. The standalone app is only used to provide the library functionality and for spawning the isolated renderer processes the app talks to from the library portion. On the stock OS, it also fetches feature flags for the WebView, which is disabled on GrapheneOS, which is the only reason it really runs by itself as an app. The isolated renderer processes operate through the library in the app using them which acts as the broker process providing network access, etc. when permitted. The isolated WebView processes can't access anything external without going through the app using them.

Oh, okay, then I understand how it works.

Cannot the Network permission just be removed from the WebView app in that case? I think that would cause less confusion, since it apparently isn't used at all.