Modified: trunk/Source/WTF/ChangeLog (251086 => 251087)
--- trunk/Source/WTF/ChangeLog 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WTF/ChangeLog 2019-10-14 19:50:02 UTC (rev 251087)
@@ -1,3 +1,18 @@
+2019-10-14 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS] Sandbox extensions should be created with audit tokens, not PIDs
+ https://bugs.webkit.org/show_bug.cgi?id=201828
+
+ Reviewed by Brent Fulgham.
+
+ Remove HAVE macro for issuing sandbox extension by PID, and fix version checks for the HAVE
+ macros related to issuing sandbox extensions by audit token. Remove SPI for creating
+ extensions by PID, and add SPI for creating mach extension by audit token. Also remove an
+ unneeded flag.
+
+ * wtf/Platform.h:
+ * wtf/spi/darwin/SandboxSPI.h:
+
2019-10-08 Ryosuke Niwa <rn...@webkit.org>
Make WebInspector's remote debug EventLoop code into RunLoop
Modified: trunk/Source/WTF/wtf/Platform.h (251086 => 251087)
--- trunk/Source/WTF/wtf/Platform.h 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WTF/wtf/Platform.h 2019-10-14 19:50:02 UTC (rev 251087)
@@ -1524,15 +1524,11 @@
#define HAVE_CSCHECKFIXDISABLE 1
#endif
-#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400) || (PLATFORM(IOS_FAMILY) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000)
-#define HAVE_SANDBOX_ISSUE_MACH_EXTENSION_TO_PROCESS_BY_PID 1
+#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400) || PLATFORM(IOS_FAMILY)
+#define HAVE_SANDBOX_ISSUE_MACH_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN 1
#endif
-#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500)
-#define HAVE_SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID 1
-#endif
-
-#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500)
+#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400) || PLATFORM(IOS_FAMILY)
#define HAVE_SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN 1
#endif
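Review bot: The iOS side of both new guards is a bare `PLATFORM(IOS_FAMILY)` with no minimum-version floor, whereas the removed PID guard required `__IPHONE_OS_VERSION_MIN_REQUIRED >= 130000` and the old SandboxSPI.h guard for the audit-token file SPI required `>= 120000`. If any supported iOS deployment target predates the audit-token SPIs, the declarations will be compiled in but the symbols will not resolve at link or run time; if every supported target already qualifies, a one-line comment saying so would spare the next reader from re-verifying it. Should a floor be wanted, `|| (PLATFORM(IOS_FAMILY) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 120000)` keeps the shape of the previous guard.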
Modified: trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h (251086 => 251087)
--- trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h 2019-10-14 19:50:02 UTC (rev 251087)
@@ -58,15 +58,14 @@
extern const char *const APP_SANDBOX_READ_WRITE;
extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT;
-extern const uint32_t SANDBOX_EXTENSION_USER_INTENT;
-
char *sandbox_extension_issue_file(const char *extension_class, const char *path, uint32_t flags);
char *sandbox_extension_issue_generic(const char *extension_class, uint32_t flags);
-char *sandbox_extension_issue_mach_to_process_by_pid(const char *extension_class, const char *name, uint32_t flags, pid_t);
-char *sandbox_extension_issue_file_to_process_by_pid(const char *extension_class, const char *path, uint32_t flags, pid_t);
-#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400) || (PLATFORM(IOS_FAMILY) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 120000)
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
char *sandbox_extension_issue_file_to_process(const char *extension_class, const char *path, uint32_t flags, audit_token_t);
#endif
+#if HAVE(SANDBOX_ISSUE_MACH_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
+char *sandbox_extension_issue_mach_to_process(const char *extension_class, const char *name, uint32_t flags, audit_token_t);
+#endif
int sandbox_check(pid_t, const char *operation, enum sandbox_filter_type, ...);
int sandbox_check_by_audit_token(audit_token_t, const char *operation, enum sandbox_filter_type, ...);
int sandbox_container_path_for_pid(pid_t, char *buffer, size_t bufsize);
Modified: trunk/Source/WebKit/ChangeLog (251086 => 251087)
--- trunk/Source/WebKit/ChangeLog 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WebKit/ChangeLog 2019-10-14 19:50:02 UTC (rev 251087)
@@ -1,3 +1,34 @@
+2019-10-14 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS] Sandbox extensions should be created with audit tokens, not PIDs
+ https://bugs.webkit.org/show_bug.cgi?id=201828
+
+ Reviewed by Brent Fulgham.
+
+ Stop issuing mach/read sandbox extensions by PID in the UI process, and use audit tokens instead.
+ The audit tokens for the WebContent processes are retrieved from the IPC connection to the process.
+
+ * Shared/Cocoa/SandboxExtensionCocoa.mm:
+ (WebKit::SandboxExtensionImpl::create):
+ (WebKit::SandboxExtensionImpl::sandboxExtensionForType):
+ (WebKit::SandboxExtensionImpl::SandboxExtensionImpl):
+ (WebKit::SandboxExtension::createHandleForMachLookupByAuditToken):
+ (WebKit::SandboxExtension::createHandleForReadByAuditToken):
+ (WebKit::SandboxExtension::createHandleForMachLookupByPid): Deleted.
+ (WebKit::SandboxExtension::createHandleForReadByPid): Deleted.
+ * Shared/SandboxExtension.h:
+ * UIProcess/Cocoa/WebPageProxyCocoa.mm:
+ (WebKit::WebPageProxy::createSandboxExtensionsIfNeeded):
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle):
+ (WebKit::WebPageProxy::loadRequestWithNavigationShared):
+ (WebKit::WebPageProxy::loadFile):
+ * UIProcess/WebProcessProxy.cpp:
+ (WebKit::WebProcessProxy::shouldSendPendingMessage):
+ (WebKit::WebProcessProxy::didFinishLaunching):
+ * UIProcess/ios/WebProcessProxyIOS.mm:
+ (WebKit::WebProcessProxy::unblockAccessibilityServerIfNeeded):
+
2019-10-14 Myles C. Maxfield <mmaxfi...@apple.com>
[Cocoa] REGRESSION (r245672): Contenteditable with optical sizing freezes Safari
Modified: trunk/Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm (251086 => 251087)
--- trunk/Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm 2019-10-14 19:50:02 UTC (rev 251087)
@@ -32,7 +32,6 @@
#import "Decoder.h"
#import "Encoder.h"
#import <wtf/FileSystem.h>
-#import <wtf/Variant.h>
#import <wtf/spi/darwin/SandboxSPI.h>
#import <wtf/text/CString.h>
@@ -41,9 +40,9 @@
class SandboxExtensionImpl {
WTF_MAKE_FAST_ALLOCATED;
public:
- static std::unique_ptr<SandboxExtensionImpl> create(const char* path, SandboxExtension::Type type, Optional<Variant<pid_t, audit_token_t>> processToken = WTF::nullopt)
+ static std::unique_ptr<SandboxExtensionImpl> create(const char* path, SandboxExtension::Type type, Optional<audit_token_t> auditToken = WTF::nullopt)
{
- std::unique_ptr<SandboxExtensionImpl> impl { new SandboxExtensionImpl(path, type, processToken) };
+ std::unique_ptr<SandboxExtensionImpl> impl { new SandboxExtensionImpl(path, type, auditToken) };
if (!impl->m_token)
return nullptr;
return impl;
@@ -85,7 +84,7 @@
}
private:
- char* sandboxExtensionForType(const char* path, SandboxExtension::Type type, Optional<Variant<pid_t, audit_token_t>> processToken)
+ char* sandboxExtensionForType(const char* path, SandboxExtension::Type type, Optional<audit_token_t> auditToken)
{
switch (type) {
case SandboxExtension::Type::ReadOnly:
@@ -93,14 +92,12 @@
case SandboxExtension::Type::ReadWrite:
return sandbox_extension_issue_file(APP_SANDBOX_READ_WRITE, path, 0);
case SandboxExtension::Type::Mach:
-#if HAVE(SANDBOX_ISSUE_MACH_EXTENSION_TO_PROCESS_BY_PID)
- if (!processToken)
+#if HAVE(SANDBOX_ISSUE_MACH_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
+ if (!auditToken)
return nullptr;
- if (!WTF::holds_alternative<pid_t>(*processToken))
- return nullptr;
- return sandbox_extension_issue_mach_to_process_by_pid("com.apple.webkit.extension.mach"_s, path, 0, WTF::get<pid_t>(*processToken));
+ return sandbox_extension_issue_mach_to_process("com.apple.webkit.extension.mach"_s, path, 0, *auditToken);
#else
- UNUSED_PARAM(processToken);
+ UNUSED_PARAM(auditToken);
ASSERT_NOT_REACHED();
return nullptr;
#endif
@@ -107,16 +104,12 @@
case SandboxExtension::Type::Generic:
return sandbox_extension_issue_generic(path, 0);
case SandboxExtension::Type::ReadByProcess:
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
- if (!processToken)
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
+ if (!auditToken)
return nullptr;
- if (WTF::holds_alternative<pid_t>(*processToken))
- return sandbox_extension_issue_file_to_process_by_pid(APP_SANDBOX_READ, path, SANDBOX_EXTENSION_USER_INTENT, WTF::get<pid_t>(*processToken));
- if (WTF::holds_alternative<audit_token_t>(*processToken))
- return sandbox_extension_issue_file_to_process(APP_SANDBOX_READ, path, SANDBOX_EXTENSION_USER_INTENT, WTF::get<audit_token_t>(*processToken));
- return nullptr;
+ return sandbox_extension_issue_file_to_process(APP_SANDBOX_READ, path, 0, *auditToken);
#else
- UNUSED_PARAM(processToken);
+ UNUSED_PARAM(auditToken);
ASSERT_NOT_REACHED();
return nullptr;
#endif
@@ -123,8 +116,8 @@
}
}
- SandboxExtensionImpl(const char* path, SandboxExtension::Type type, Optional<Variant<pid_t, audit_token_t>> processToken)
- : m_token { sandboxExtensionForType(path, type, processToken) }
+ SandboxExtensionImpl(const char* path, SandboxExtension::Type type, Optional<audit_token_t> auditToken)
+ : m_token { sandboxExtensionForType(path, type, auditToken) }
{
}
@@ -343,12 +336,11 @@
return true;
}
-bool SandboxExtension::createHandleForMachLookupByPid(const String& service, pid_t pid, Handle& handle)
+bool SandboxExtension::createHandleForMachLookupByAuditToken(const String& service, audit_token_t auditToken, Handle& handle)
{
ASSERT(!handle.m_sandboxExtension);
- Variant<pid_t, audit_token_t> processToken(pid);
- handle.m_sandboxExtension = SandboxExtensionImpl::create(service.utf8().data(), Type::Mach, WTFMove(processToken));
+ handle.m_sandboxExtension = SandboxExtensionImpl::create(service.utf8().data(), Type::Mach, auditToken);
if (!handle.m_sandboxExtension) {
WTFLogAlways("Could not create a '%s' sandbox extension", service.utf8().data());
return false;
@@ -357,29 +349,11 @@
return true;
}
-bool SandboxExtension::createHandleForReadByPid(const String& path, ProcessID pid, Handle& handle)
-{
- ASSERT(!handle.m_sandboxExtension);
-
- if (!pid)
- return false;
-
- Variant<pid_t, audit_token_t> processToken(pid);
- handle.m_sandboxExtension = SandboxExtensionImpl::create(path.utf8().data(), Type::ReadByProcess, WTFMove(processToken));
- if (!handle.m_sandboxExtension) {
- WTFLogAlways("Could not create sandbox extension");
- return false;
- }
-
- return true;
-}
-
bool SandboxExtension::createHandleForReadByAuditToken(const String& path, audit_token_t auditToken, Handle& handle)
{
ASSERT(!handle.m_sandboxExtension);
- Variant<pid_t, audit_token_t> processToken(auditToken);
- handle.m_sandboxExtension = SandboxExtensionImpl::create(path.utf8().data(), Type::ReadByProcess, WTFMove(processToken));
+ handle.m_sandboxExtension = SandboxExtensionImpl::create(path.utf8().data(), Type::ReadByProcess, auditToken);
if (!handle.m_sandboxExtension) {
WTFLogAlways("Could not create sandbox extension");
return false;
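Review bot: `SandboxExtensionImpl::create` (L116) gives `auditToken` a default of `WTF::nullopt`, yet the hunks at @@ -93 and @@ -107 show that `Type::Mach` and `Type::ReadByProcess` return nullptr without a token while the other types ignore it, and nothing at the declaration states that contract. A comment above `create` such as `// auditToken is required for Type::Mach and Type::ReadByProcess (the extension is issued to that process only) and ignored for every other type; create() returns nullptr when a required token is absent.` would document it where callers look. The enclosing class SandboxExtensionImpl starts before the first hunk and its remaining members are outside the visible hunks.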
Modified: trunk/Source/WebKit/Shared/SandboxExtension.h (251086 => 251087)
--- trunk/Source/WebKit/Shared/SandboxExtension.h 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WebKit/Shared/SandboxExtension.h 2019-10-14 19:50:02 UTC (rev 251087)
@@ -104,9 +104,8 @@
static bool createHandleForReadWriteDirectory(const String& path, Handle&); // Will attempt to create the directory.
static String createHandleForTemporaryFile(const String& prefix, Type, Handle&);
static bool createHandleForGenericExtension(const String& extensionClass, Handle&);
- static bool createHandleForMachLookupByPid(const String& service, ProcessID, Handle&);
- static bool createHandleForReadByPid(const String& path, ProcessID, Handle&);
#if HAVE(AUDIT_TOKEN)
+ static bool createHandleForMachLookupByAuditToken(const String& service, audit_token_t, Handle&);
static bool createHandleForReadByAuditToken(const String& path, audit_token_t, Handle&);
#endif
~SandboxExtension();
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm (251086 => 251087)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm 2019-10-14 19:50:02 UTC (rev 251087)
@@ -126,10 +126,15 @@
if (files.size() == 1) {
BOOL isDirectory;
if ([[NSFileManager defaultManager] fileExistsAtPath:files[0] isDirectory:&isDirectory] && !isDirectory) {
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
- if (!SandboxExtension::createHandleForReadByPid("/", processIdentifier(), fileReadHandle))
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
+ ASSERT(process().connection() && process().connection()->getAuditToken());
+ if (process().connection() && process().connection()->getAuditToken())
+ SandboxExtension::createHandleForReadByAuditToken("/", *(process().connection()->getAuditToken()), fileReadHandle);
+ else
+ SandboxExtension::createHandle("/", SandboxExtension::Type::ReadOnly, fileReadHandle);
+#else
+ SandboxExtension::createHandle("/", SandboxExtension::Type::ReadOnly, fileReadHandle);
#endif
- SandboxExtension::createHandle("/", SandboxExtension::Type::ReadOnly, fileReadHandle);
willAcquireUniversalFileReadSandboxExtension(m_process);
}
}
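Review bot: When no audit token is available, the new `else` branch at L250 silently falls back to `SandboxExtension::createHandle("/", SandboxExtension::Type::ReadOnly, ...)`, which goes through the plain `sandbox_extension_issue_file` path rather than a `_to_process` variant and so is not bound to the target process — the weaker guarantee this commit sets out to retire — and the `ASSERT` on L246 is compiled out in release builds, so nothing records that the downgrade occurred. The same pattern appears in WebPageProxy.cpp in the hunks at @@ -1099, @@ -1118 and @@ -1140. WebProcessProxyIOS.mm handles the missing-token case with `WTFLogAlways("Unable to get audit token.")`; logging the same way before the fallback here, e.g. `WTFLogAlways("No audit token for WebContent process; issuing universal read extension not bound to the process.");`, would at least make the weaker extension visible in logs. The enclosing function createSandboxExtensionsIfNeeded starts and ends outside the hunk.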
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (251086 => 251087)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2019-10-14 19:50:02 UTC (rev 251087)
@@ -1088,7 +1088,7 @@
if (!url.isLocalFile())
return;
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
// If the process is still launching then it does not have a PID yet. We will take care of creating the sandbox extension
// once the process has finished launching.
if (process.isLaunching())
@@ -1099,8 +1099,15 @@
if (process.hasAssumedReadAccessToURL(resourceDirectoryURL))
return;
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
- if (SandboxExtension::createHandleForReadByPid(resourceDirectoryURL.fileSystemPath(), process.processIdentifier(), sandboxExtensionHandle)) {
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
+ ASSERT(process.connection() && process.connection()->getAuditToken());
+ bool createdExtension = false;
+ if (process.connection() && process.connection()->getAuditToken())
+ createdExtension = SandboxExtension::createHandleForReadByAuditToken(resourceDirectoryURL.fileSystemPath(), *(process.connection()->getAuditToken()), sandboxExtensionHandle);
+ else
+ createdExtension = SandboxExtension::createHandle(resourceDirectoryURL.fileSystemPath(), SandboxExtension::Type::ReadOnly, sandboxExtensionHandle);
+
+ if (createdExtension) {
process.assumeReadAccessToBaseURL(*this, resourceDirectoryURL);
return;
}
@@ -1118,8 +1125,15 @@
// Inspector resources are in a directory with assumed access.
ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
- if (SandboxExtension::createHandleForReadByPid("/", process.processIdentifier(), sandboxExtensionHandle)) {
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
+ ASSERT(process.connection() && process.connection()->getAuditToken());
+ bool createdExtension = false;
+ if (process.connection() && process.connection()->getAuditToken())
+ createdExtension = SandboxExtension::createHandleForReadByAuditToken("/", *(process.connection()->getAuditToken()), sandboxExtensionHandle);
+ else
+ createdExtension = SandboxExtension::createHandle("/", SandboxExtension::Type::ReadOnly, sandboxExtensionHandle);
+
+ if (createdExtension) {
willAcquireUniversalFileReadSandboxExtension(process);
return;
}
@@ -1140,8 +1154,13 @@
auto basePath = baseURL.fileSystemPath();
if (basePath.isNull())
return;
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
- if (SandboxExtension::createHandleForReadByPid(basePath, process.processIdentifier(), sandboxExtensionHandle))
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
+ if (process.connection() && process.connection()->getAuditToken())
+ createdExtension = SandboxExtension::createHandleForReadByAuditToken(basePath, *(process.connection()->getAuditToken()), sandboxExtensionHandle);
+ else
+ createdExtension = SandboxExtension::createHandle(basePath, SandboxExtension::Type::ReadOnly, sandboxExtensionHandle);
+
+ if (createdExtension)
process.assumeReadAccessToBaseURL(*this, baseURL);
#else
if (SandboxExtension::createHandle(basePath, SandboxExtension::Type::ReadOnly, sandboxExtensionHandle))
@@ -1204,7 +1223,7 @@
addPlatformLoadParameters(loadParameters);
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
if (!process->isLaunching() || !url.isLocalFile())
process->send(Messages::WebPage::LoadRequest(loadParameters), webPageID);
else
@@ -1258,7 +1277,7 @@
maybeInitializeSandboxExtensionHandle(m_process, fileURL, resourceDirectoryURL, loadParameters.sandboxExtensionHandle);
addPlatformLoadParameters(loadParameters);
-#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_PID)
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
if (m_process->isLaunching())
m_process->send(Messages::WebPage::LoadRequestWaitingForPID(loadParameters, resourceDirectoryURL, m_identifier), m_webPageID);
else
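Review bot: In the hunk at @@ -1140, `createdExtension` is assigned at L311 and L313 and tested at L315 but is not declared within the hunk, whereas the two preceding hunks each introduce their own `bool createdExtension = false;`; unless a declaration earlier in maybeInitializeSandboxExtensionHandle is still in scope at that point this will not compile, and if one is, the three declarations either shadow or collide depending on the block structure. Declaring it once at function scope, or adding `bool createdExtension = false;` before the `#if` here exactly as the other two hunks do, keeps the three blocks uniform. Separately, the comment kept at L266-L267 still says the launching process "does not have a PID yet" although the gate is now the audit token; `// If the process is still launching, its IPC connection has no audit token yet.` would match the new condition. The enclosing function starts and ends outside the hunk.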
Modified: trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp (251086 => 251087)
--- trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp 2019-10-14 19:50:02 UTC (rev 251087)
@@ -309,7 +309,7 @@
bool WebProcessProxy::shouldSendPendingMessage(const PendingMessage& message)
{
-#if HAVE(SANDBOX_ISSUE_MACH_EXTENSION_TO_PROCESS_BY_PID)
+#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
if (message.encoder->messageName() == "LoadRequestWaitingForPID") {
auto buffer = message.encoder->buffer();
auto bufferSize = message.encoder->bufferSize();
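Review bot: The guard now keys the `LoadRequestWaitingForPID` handling on the read-extension macro rather than the mach one, which matches the sender in WebPageProxy::loadFile (L330-L332), but nothing at this site explains the pairing, and the message name still refers to a PID even though the UI process now waits for an audit token. A one-line comment such as `// Must match the guard under which WebPageProxy::loadFile sends LoadRequestWaitingForPID.` would tie the two together; renaming the message is a follow-up that touches its message definition. The body of shouldSendPendingMessage continues outside the hunk.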
Modified: trunk/Source/WebKit/UIProcess/ios/WebProcessProxyIOS.mm (251086 => 251087)
--- trunk/Source/WebKit/UIProcess/ios/WebProcessProxyIOS.mm 2019-10-14 19:42:50 UTC (rev 251086)
+++ trunk/Source/WebKit/UIProcess/ios/WebProcessProxyIOS.mm 2019-10-14 19:50:02 UTC (rev 251087)
@@ -54,8 +54,14 @@
if (!canSendMessage())
return;
+ ASSERT(connection() && connection()->getAuditToken());
+ if (!connection() || !connection()->getAuditToken()) {
+ WTFLogAlways("Unable to get audit token.");
+ return;
+ }
+
SandboxExtension::Handle handle;
- if (!SandboxExtension::createHandleForMachLookupByPid("com.apple.iphone.axserver-systemwide", processIdentifier(), handle))
+ if (!SandboxExtension::createHandleForMachLookupByAuditToken("com.apple.iphone.axserver-systemwide", *(connection()->getAuditToken()), handle))
return;
send(Messages::WebProcess::UnblockAccessibilityServer(handle), 0);
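Review bot: `connection()->getAuditToken()` is evaluated three times across L351-L359 (assert, guard, and the dereference in the call); binding it once after the guard, `auto auditToken = *(connection()->getAuditToken());`, and passing `auditToken` at L359 avoids re-querying the connection and makes the value that was checked the value that is used. The added early return with `WTFLogAlways("Unable to get audit token.")` is the right shape — it refuses to issue the mach extension rather than falling back to a weaker one — and the same treatment would suit the read-extension call sites in WebPageProxy.cpp and WebPageProxyCocoa.mm. The signature of unblockAccessibilityServerIfNeeded is outside the hunk.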