Diff
Modified: trunk/Source/WebKit2/ChangeLog (212745 => 212746)
--- trunk/Source/WebKit2/ChangeLog 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/ChangeLog 2017-02-21 21:30:56 UTC (rev 212746)
@@ -1,5 +1,30 @@
2017-02-21 Youenn Fablet <[email protected]>
+ [WebRTC][Mac] Network process sandbox does not allow WebRTC networking
+ https://bugs.webkit.org/show_bug.cgi?id=168594
+
+ Reviewed by Brent Fulgham.
+
+ UIProcess was passing a boolean to know whether WebRTC networking is allowed or not to the network process.
+ This boolean was known to late for the sandbox to be relaxed.
+ A sandbox extension is now used instead to relax the sandbox.
+
+ * NetworkProcess/NetworkProcess.h:
+ * NetworkProcess/NetworkProcessCreationParameters.cpp:
+ (WebKit::NetworkProcessCreationParameters::encode):
+ (WebKit::NetworkProcessCreationParameters::decode):
+ * NetworkProcess/NetworkProcessCreationParameters.h:
+ * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+ (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+ * NetworkProcess/mac/NetworkProcessMac.mm:
+ (WebKit::NetworkProcess::platformInitializeNetworkProcess):
+ (WebKit::NetworkProcess::initializeSandbox):
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+ (WebKit::WebProcessPool::platformInitializeNetworkProcess):
+
+2017-02-21 Youenn Fablet <[email protected]>
+
[WebRTC] ICE candidates should be filtered according a policy
https://bugs.webkit.org/show_bug.cgi?id=168348
Modified: trunk/Source/WebKit2/NetworkProcess/NetworkProcess.h (212745 => 212746)
--- trunk/Source/WebKit2/NetworkProcess/NetworkProcess.h 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkProcess.h 2017-02-21 21:30:56 UTC (rev 212746)
@@ -215,10 +215,6 @@
HashMap<uint64_t, Function<void ()>> m_sandboxExtensionForBlobsCompletionHandlers;
HashMap<uint64_t, Ref<NetworkResourceLoader>> m_waitingNetworkResourceLoaders;
-#if ENABLE(WEB_RTC)
- bool m_webRTCEnabled { false };
-#endif
-
#if PLATFORM(COCOA)
void platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters&);
void setCookieStoragePartitioningEnabled(bool);
Modified: trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.cpp (212745 => 212746)
--- trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.cpp 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.cpp 2017-02-21 21:30:56 UTC (rev 212746)
@@ -102,7 +102,7 @@
encoder << recordReplayCacheLocation;
#endif
#if ENABLE(WEB_RTC)
- encoder << webRTCEnabled;
+ encoder << webRTCNetworkingHandle;
#endif
}
@@ -205,8 +205,9 @@
if (!decoder.decode(result.recordReplayCacheLocation))
return false;
#endif
+
#if ENABLE(WEB_RTC)
- if (!decoder.decode(result.webRTCEnabled))
+ if (!decoder.decode(result.webRTCNetworkingHandle))
return false;
#endif
Modified: trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.h (212745 => 212746)
--- trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.h 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.h 2017-02-21 21:30:56 UTC (rev 212746)
@@ -112,9 +112,8 @@
String recordReplayMode;
String recordReplayCacheLocation;
#endif
-
#if ENABLE(WEB_RTC)
- bool webRTCEnabled { false };
+ SandboxExtension::Handle webRTCNetworkingHandle;
#endif
};
Modified: trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm (212745 => 212746)
--- trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm 2017-02-21 21:30:56 UTC (rev 212746)
@@ -72,6 +72,9 @@
SandboxExtension::consumePermanently(parameters.containerCachesDirectoryExtensionHandle);
SandboxExtension::consumePermanently(parameters.parentBundleDirectoryExtensionHandle);
#endif
+#if ENABLE(WEB_RTC)
+ SandboxExtension::consumePermanently(parameters.webRTCNetworkingHandle);
+#endif
m_diskCacheDirectory = parameters.diskCacheDirectory;
#if PLATFORM(IOS) || (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100)
Modified: trunk/Source/WebKit2/NetworkProcess/mac/NetworkProcessMac.mm (212745 => 212746)
--- trunk/Source/WebKit2/NetworkProcess/mac/NetworkProcessMac.mm 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/NetworkProcess/mac/NetworkProcessMac.mm 2017-02-21 21:30:56 UTC (rev 212746)
@@ -105,10 +105,6 @@
if (!parameters.httpProxy.isNull() || !parameters.httpsProxy.isNull())
overrideSystemProxies(parameters.httpProxy, parameters.httpsProxy);
-
-#if ENABLE(WEB_RTC)
- m_webRTCEnabled = parameters.webRTCEnabled;
-#endif
}
void NetworkProcess::allowSpecificHTTPSCertificateForHost(const CertificateInfo& certificateInfo, const String& host)
@@ -122,11 +118,6 @@
NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.NetworkProcess" ofType:@"sb"]);
-#if ENABLE(WEB_RTC)
- if (m_webRTCEnabled)
- sandboxParameters.addParameter("ENABLE_WEB_RTC", "TRUE");
-#endif
-
ChildProcess::initializeSandbox(parameters, sandboxParameters);
}
Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (212745 => 212746)
--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2017-02-21 21:30:56 UTC (rev 212746)
@@ -209,12 +209,44 @@
(home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
(home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
-#if ENABLE_WEB_RTC
+(macro (with-filter form)
+ (let* ((ps (cdr form))
+ (extra-filter (car ps))
+ (rules (cdr ps)))
+ `(letrec
+ ((collect
+ (lambda (l filters non-filters)
+ (if (null? l)
+ (list filters non-filters)
+ (let*
+ ((x (car l))
+ (rest (cdr l)))
+ (if (sbpl-filter? x)
+ (collect rest (cons x filters) non-filters)
+ (collect rest filters (cons x non-filters)))))))
+ (inject-filter
+ (lambda args
+ (let* ((collected (collect args '() '()))
+ (filters (car collected))
+ (non-filters (cadr collected)))
+ (if (null? filters)
+ (cons ,extra-filter non-filters)
+ (cons (require-all (apply require-any filters) ,extra-filter) non-filters)))))
+ (orig-allow allow)
+ (orig-deny deny)
+ (wrapper
+ (lambda (action)
+ (lambda args (apply action (apply inject-filter args))))))
+ (set! allow (wrapper orig-allow))
+ (set! deny (wrapper orig-deny))
+ ,@rules
+ (set! deny orig-deny)
+ (set! allow orig-allow))))
+
;; FIXME should be removed when <rdar://problem/30498072> is fixed.
-(if (positive? (string-length (param "ENABLE_WEB_RTC")))
+(with-filter (extension "com.apple.webkit.webrtc")
(allow network*
(local udp)
(remote udp)
(local tcp)
(remote tcp)))
-#endif
Modified: trunk/Source/WebKit2/UIProcess/Cocoa/WebProcessPoolCocoa.mm (212745 => 212746)
--- trunk/Source/WebKit2/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2017-02-21 21:29:01 UTC (rev 212745)
+++ trunk/Source/WebKit2/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2017-02-21 21:30:56 UTC (rev 212746)
@@ -308,8 +308,9 @@
bool webRTCEnabled = m_defaultPageGroup->preferences().peerConnectionEnabled();
if ([defaults objectForKey:@"ExperimentalPeerConnectionEnabled"])
webRTCEnabled = [defaults boolForKey:@"ExperimentalPeerConnectionEnabled"];
-
- parameters.webRTCEnabled = webRTCEnabled;
+
+ if (webRTCEnabled)
+ SandboxExtension::createHandleForGenericExtension("com.apple.webkit.webrtc", parameters.webRTCNetworkingHandle);
#endif
}
