- Revision
- 257508
- Author
- pvol...@apple.com
- Date
- 2020-02-26 13:38:40 -0800 (Wed, 26 Feb 2020)
Log Message
[iOS] Issue mach sandbox extensions to the WebContent process for a set of specific services
https://bugs.webkit.org/show_bug.cgi?id=208146
Reviewed by Brent Fulgham.
Source/WebKit:
We are still seeing some accesses from the WebContent process to a small set of services. Since we do not currently have
backtraces for these accesses, make a speculative patch, where we issue these extension for all apps except Safari.
Test: fast/sandbox/ios/sandbox-mach-lookup-mail.html
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
LayoutTests:
* fast/sandbox/ios/sandbox-mach-lookup-mail-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup-mail.html:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (257507 => 257508)
--- trunk/LayoutTests/ChangeLog 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/LayoutTests/ChangeLog 2020-02-26 21:38:40 UTC (rev 257508)
@@ -1,3 +1,13 @@
+2020-02-26 Per Arne Vollan <pvol...@apple.com>
+
+ [iOS] Issue mach sandbox extensions to the WebContent process for a set of specific services
+ https://bugs.webkit.org/show_bug.cgi?id=208146
+
+ Reviewed by Brent Fulgham.
+
+ * fast/sandbox/ios/sandbox-mach-lookup-mail-expected.txt:
+ * fast/sandbox/ios/sandbox-mach-lookup-mail.html:
+
2020-02-26 Nikos Mouchtaris <nmouchta...@apple.com>
Regression r257289: fast/web-share/share-with-files.html is missing expected results
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-mail-expected.txt (257507 => 257508)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-mail-expected.txt 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-mail-expected.txt 2020-02-26 21:38:40 UTC (rev 257508)
@@ -4,4 +4,7 @@
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.lsd.open") is true
-
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd") is true
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.iconservices") is true
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.PowerManagement.control") is true
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", ""com.apple.frontboard.systemappservices"") is true
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-mail.html (257507 => 257508)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-mail.html 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-mail.html 2020-02-26 21:38:40 UTC (rev 257508)
@@ -7,6 +7,10 @@
if (window.internals) {
shouldBeTrue("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.lsd.open\")");
+ shouldBeTrue("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd\")");
+ shouldBeTrue("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.iconservices\")");
+ shouldBeTrue("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.PowerManagement.control\")");
+ shouldBeTrue("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.frontboard.systemappservices\")");
}
</script>
</head>
Modified: trunk/Source/WebKit/ChangeLog (257507 => 257508)
--- trunk/Source/WebKit/ChangeLog 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/Source/WebKit/ChangeLog 2020-02-26 21:38:40 UTC (rev 257508)
@@ -1,3 +1,25 @@
+2020-02-26 Per Arne Vollan <pvol...@apple.com>
+
+ [iOS] Issue mach sandbox extensions to the WebContent process for a set of specific services
+ https://bugs.webkit.org/show_bug.cgi?id=208146
+
+ Reviewed by Brent Fulgham.
+
+ We are still seeing some accesses from the WebContent process to a small set of services. Since we do not currently have
+ backtraces for these accesses, make a speculative patch, where we issue these extension for all apps except Safari.
+
+ Test: fast/sandbox/ios/sandbox-mach-lookup-mail.html
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * Shared/WebProcessCreationParameters.cpp:
+ (WebKit::WebProcessCreationParameters::encode const):
+ (WebKit::WebProcessCreationParameters::decode):
+ * Shared/WebProcessCreationParameters.h:
+ * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+ (WebKit::WebProcessPool::platformInitializeWebProcess):
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::platformInitializeWebProcess):
+
2020-02-26 Keith Rollin <krol...@apple.com>
Add logging to help diagnose redirect issue
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (257507 => 257508)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-02-26 21:38:40 UTC (rev 257508)
@@ -847,7 +847,7 @@
(allow mach-lookup
(require-all
(extension "com.apple.webkit.extension.mach")
- (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.nehelper" "com.apple.nesessionmanager.content-filter" "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI" "com.apple.diagnosticd" "com.apple.lsd.open" "com.apple.mobileassetd" "com.apple.mobileassetd.v2" "com.apple.frontboard.systemappservices" "com.apple.iconservices" "com.apple.webinspector"
+ (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.nehelper" "com.apple.nesessionmanager.content-filter" "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI" "com.apple.diagnosticd" "com.apple.lsd.open" "com.apple.mobileassetd" "com.apple.mobileassetd.v2" "com.apple.frontboard.systemappservices" "com.apple.iconservices" "com.apple.webinspector" "com.apple.PowerManagement.control"
;;; FIXME(207716): The following should be removed when the GPU process is complete
"com.apple.airplay.apsynccontroller.xpc" "com.apple.audio.AURemoteIOServer" "com.apple.audio.AudioComponentRegistrar"
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (257507 => 257508)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-02-26 21:38:40 UTC (rev 257508)
@@ -159,10 +159,13 @@
#if PLATFORM(IOS)
encoder << compilerServiceExtensionHandle;
encoder << contentFilterExtensionHandle;
- encoder << launchServicesOpenExtensionHandle;
+#endif
+
+#if PLATFORM(IOS_FAMILY)
encoder << diagnosticsExtensionHandle;
+ encoder << dynamicMachExtensionHandles;
#endif
-
+
#if PLATFORM(COCOA)
encoder << neHelperExtensionHandle;
encoder << neSessionManagerExtensionHandle;
@@ -417,18 +420,20 @@
if (!contentFilterExtensionHandle)
return false;
parameters.contentFilterExtensionHandle = WTFMove(*contentFilterExtensionHandle);
+#endif
- Optional<Optional<SandboxExtension::Handle>> launchServicesOpenExtensionHandle;
- decoder >> launchServicesOpenExtensionHandle;
- if (!launchServicesOpenExtensionHandle)
- return false;
- parameters.launchServicesOpenExtensionHandle = WTFMove(*launchServicesOpenExtensionHandle);
-
+#if PLATFORM(IOS_FAMILY)
Optional<Optional<SandboxExtension::Handle>> diagnosticsExtensionHandle;
decoder >> diagnosticsExtensionHandle;
if (!diagnosticsExtensionHandle)
return false;
parameters.diagnosticsExtensionHandle = WTFMove(*diagnosticsExtensionHandle);
+
+ Optional<SandboxExtension::HandleArray> dynamicMachExtensionHandles;
+ decoder >> dynamicMachExtensionHandles;
+ if (!dynamicMachExtensionHandles)
+ return false;
+ parameters.dynamicMachExtensionHandles = WTFMove(*dynamicMachExtensionHandles);
#endif
#if PLATFORM(COCOA)
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (257507 => 257508)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-02-26 21:38:40 UTC (rev 257508)
@@ -201,8 +201,11 @@
#if PLATFORM(IOS)
Optional<SandboxExtension::Handle> compilerServiceExtensionHandle;
Optional<SandboxExtension::Handle> contentFilterExtensionHandle;
- Optional<SandboxExtension::Handle> launchServicesOpenExtensionHandle;
+#endif
+
+#if PLATFORM(IOS_FAMILY)
Optional<SandboxExtension::Handle> diagnosticsExtensionHandle;
+ SandboxExtension::HandleArray dynamicMachExtensionHandles;
#endif
#if PLATFORM(COCOA)
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (257507 => 257508)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-02-26 21:38:40 UTC (rev 257508)
@@ -366,11 +366,21 @@
SandboxExtension::createHandleForMachLookup("com.apple.AGXCompilerService", WTF::nullopt, compilerServiceExtensionHandle);
parameters.compilerServiceExtensionHandle = WTFMove(compilerServiceExtensionHandle);
}
+#endif
- if (WebCore::IOSApplication::isMobileMail()) {
- SandboxExtension::Handle launchServicesOpenExtensionHandle;
- SandboxExtension::createHandleForMachLookup("com.apple.lsd.open", WTF::nullopt, launchServicesOpenExtensionHandle);
- parameters.launchServicesOpenExtensionHandle = WTFMove(launchServicesOpenExtensionHandle);
+#if PLATFORM(IOS_FAMILY)
+ if (!isSafari) {
+ static const char* services[] = {
+ "com.apple.lsd.open",
+ "com.apple.mobileassetd",
+ "com.apple.iconservices",
+ "com.apple.PowerManagement.control",
+ "com.apple.frontboard.systemappservices"
+ };
+ auto size = WTF_ARRAY_LENGTH(services);
+ parameters.dynamicMachExtensionHandles.allocate(size);
+ for (size_t i = 0; i < size; ++i)
+ SandboxExtension::createHandleForMachLookup(services[i], WTF::nullopt, parameters.dynamicMachExtensionHandles[i]);
}
if (isInternalInstall()) {
Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (257507 => 257508)
--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-02-26 21:30:58 UTC (rev 257507)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-02-26 21:38:40 UTC (rev 257508)
@@ -251,15 +251,17 @@
if (parameters.compilerServiceExtensionHandle)
SandboxExtension::consumePermanently(*parameters.compilerServiceExtensionHandle);
- if (parameters.launchServicesOpenExtensionHandle)
- SandboxExtension::consumePermanently(*parameters.launchServicesOpenExtensionHandle);
+ if (parameters.contentFilterExtensionHandle)
+ SandboxExtension::consumePermanently(*parameters.contentFilterExtensionHandle);
+ ParentalControlsContentFilter::setHasConsumedSandboxExtension(parameters.contentFilterExtensionHandle.hasValue());
+#endif
+#if PLATFORM(IOS_FAMILY)
if (parameters.diagnosticsExtensionHandle)
SandboxExtension::consumePermanently(*parameters.diagnosticsExtensionHandle);
- if (parameters.contentFilterExtensionHandle)
- SandboxExtension::consumePermanently(*parameters.contentFilterExtensionHandle);
- ParentalControlsContentFilter::setHasConsumedSandboxExtension(parameters.contentFilterExtensionHandle.hasValue());
+ for (size_t i = 0, size = parameters.dynamicMachExtensionHandles.size(); i < size; ++i)
+ SandboxExtension::consumePermanently(parameters.dynamicMachExtensionHandles[i]);
#endif
#if PLATFORM(COCOA)
