Title: [286865] trunk/Source/WebKit
Revision
286865
Author
pvol...@apple.com
Date
2021-12-10 11:34:01 -0800 (Fri, 10 Dec 2021)

Log Message

[WP] Block access to container manager service for Mail
https://bugs.webkit.org/show_bug.cgi?id=234080
<rdar://problem/86269784>

Reviewed by Brent Fulgham.

Local testing is not showing access to this daemon when running Mail.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (286864 => 286865)


--- trunk/Source/WebKit/ChangeLog	2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/ChangeLog	2021-12-10 19:34:01 UTC (rev 286865)
@@ -1,3 +1,24 @@
+2021-12-10  Per Arne Vollan  <pvol...@apple.com>
+
+        [WP] Block access to container manager service for Mail
+        https://bugs.webkit.org/show_bug.cgi?id=234080
+        <rdar://problem/86269784>
+
+        Reviewed by Brent Fulgham.
+
+        Local testing is not showing access to this daemon when running Mail.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+        * Shared/WebProcessCreationParameters.cpp:
+        (WebKit::WebProcessCreationParameters::encode const):
+        (WebKit::WebProcessCreationParameters::decode):
+        * Shared/WebProcessCreationParameters.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeWebProcess):
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::platformInitializeWebProcess):
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2021-12-10  Said Abou-Hallawa  <s...@apple.com>
 
         [GPU Process] [Filters] Make FilterEffectVector a Vector of Ref<FilterEffect>

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (286864 => 286865)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-12-10 19:34:01 UTC (rev 286865)
@@ -644,7 +644,7 @@
 (allow iokit-get-properties
        (iokit-property "IORegistryEntryPropertyKeys"))
 
-(allow ipc-posix-sem-open
+(allow ipc-posix-sem-open (with telemetry)
        (ipc-posix-name "containermanagerd.fb_check"))
 
 (with-filter (ipc-posix-name "purplebuddy.sentinel")
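Review bot: The `containermanagerd.fb_check` rule is still an `allow` after this change; `(with telemetry)` only reports the open, so the WebContent process can still open this semaphore even though the commit removes the `com.apple.containermanagerd` mach lookup from the same profile. If this is a staging step before the rule is dropped or turned into a deny, say so above it, for example `;; FIXME: Kept with telemetry; remove once no use is reported (https://bugs.webkit.org/show_bug.cgi?id=234080).`. The macOS profile section of this commit shows no matching semaphore rule, so whether one exists there cannot be told from these hunks and is worth checking.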
@@ -1084,7 +1084,6 @@
         (global-name
             "com.apple.cfprefsd.agent"
             "com.apple.cfprefsd.daemon"
-            "com.apple.containermanagerd"
             "com.apple.iphone.axserver-systemwide"
             "com.apple.mobileassetd.v2"
             "com.apple.mobilegestalt.xpc"

Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (286864 => 286865)


--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp	2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp	2021-12-10 19:34:01 UTC (rev 286865)
@@ -162,7 +162,6 @@
     encoder << compilerServiceExtensionHandles;
 #endif
 
-    encoder << containerManagerExtensionHandle;
     encoder << mobileGestaltExtensionHandle;
     encoder << launchServicesExtensionHandle;
 
@@ -457,12 +456,6 @@
     parameters.compilerServiceExtensionHandles = WTFMove(*compilerServiceExtensionHandles);
 #endif
 
-    std::optional<std::optional<SandboxExtension::Handle>> containerManagerExtensionHandle;
-    decoder >> containerManagerExtensionHandle;
-    if (!containerManagerExtensionHandle)
-        return false;
-    parameters.containerManagerExtensionHandle = WTFMove(*containerManagerExtensionHandle);
-
     std::optional<std::optional<SandboxExtension::Handle>> mobileGestaltExtensionHandle;
     decoder >> mobileGestaltExtensionHandle;
     if (!mobileGestaltExtensionHandle)

Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (286864 => 286865)


--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h	2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h	2021-12-10 19:34:01 UTC (rev 286865)
@@ -201,7 +201,6 @@
     Vector<SandboxExtension::Handle> compilerServiceExtensionHandles;
 #endif
 
-    std::optional<SandboxExtension::Handle> containerManagerExtensionHandle;
     std::optional<SandboxExtension::Handle> mobileGestaltExtensionHandle;
     std::optional<SandboxExtension::Handle> launchServicesExtensionHandle;
 #if HAVE(VIDEO_RESTRICTED_DECODING)

Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (286864 => 286865)


--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2021-12-10 19:34:01 UTC (rev 286865)
@@ -291,17 +291,6 @@
 #endif
 }
 
-static bool requiresContainerManagerAccess()
-{
-#if PLATFORM(MAC)
-    return WebCore::MacApplication::isAppleMail();
-#elif PLATFORM(IOS)
-    return WebCore::IOSApplication::isMobileMail();
-#else
-    return false;
-#endif
-}
-
 void WebProcessPool::platformInitializeWebProcess(const WebProcessProxy& process, WebProcessCreationParameters& parameters)
 {
     parameters.mediaMIMETypes = process.mediaMIMETypes();
@@ -427,11 +416,6 @@
     parameters.systemHasBattery = systemHasBattery();
     parameters.systemHasAC = cachedSystemHasAC().value_or(true);
 
-    if (requiresContainerManagerAccess()) {
-        if (auto handle = SandboxExtension::createHandleForMachLookup("com.apple.containermanagerd"_s, std::nullopt))
-            parameters.containerManagerExtensionHandle = WTFMove(*handle);
-    }
-
 #if PLATFORM(IOS_FAMILY)
     parameters.currentUserInterfaceIdiomIsSmallScreen = currentUserInterfaceIdiomIsSmallScreen();
     parameters.supportsPictureInPicture = supportsPictureInPicture();

Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (286864 => 286865)


--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm	2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm	2021-12-10 19:34:01 UTC (rev 286865)
@@ -409,9 +409,6 @@
     SandboxExtension::consumePermanently(parameters.compilerServiceExtensionHandles);
 #endif
 
-    if (parameters.containerManagerExtensionHandle)
-        SandboxExtension::consumePermanently(*parameters.containerManagerExtensionHandle);
-    
 #if PLATFORM(IOS_FAMILY)
     SandboxExtension::consumePermanently(parameters.dynamicIOKitExtensionHandles);
 #endif

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (286864 => 286865)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-12-10 19:34:01 UTC (rev 286865)
@@ -1762,7 +1762,6 @@
             "com.apple.webinspector"
             "com.apple.cfprefsd.agent"
             "com.apple.cfprefsd.daemon"
-            "com.apple.containermanagerd"
             "com.apple.coreservices.launchservicesd"
             "com.apple.iconservices"
             "com.apple.iconservices.store"