Diff
Modified: tags/Safari-606.1.19.1/Source/WebKit/ChangeLog (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/ChangeLog 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/ChangeLog 2018-06-01 19:41:14 UTC (rev 232408)
@@ -1,5 +1,9 @@
2018-06-01 Kocsen Chung <[email protected]>
+ Revert r232276. rdar://problem/40728289
+
+2018-06-01 Kocsen Chung <[email protected]>
+
Revert r232186. rdar://problem/40708108
2018-05-31 Kocsen Chung <[email protected]>
Modified: tags/Safari-606.1.19.1/Source/WebKit/Configurations/Network-iOS.entitlements (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/Configurations/Network-iOS.entitlements 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/Configurations/Network-iOS.entitlements 2018-06-01 19:41:14 UTC (rev 232408)
@@ -14,5 +14,9 @@
</array>
<key>com.apple.private.network.socket-delegate</key>
<true/>
+ <key>keychain-access-groups</key>
+ <array>
+ <string>com.apple.identities</string>
+ </array>
</dict>
</plist>
Modified: tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/NetworkProcess.cpp (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/NetworkProcess.cpp 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/NetworkProcess.cpp 2018-06-01 19:41:14 UTC (rev 232408)
@@ -217,11 +217,7 @@
void NetworkProcess::initializeNetworkProcess(NetworkProcessCreationParameters&& parameters)
{
-#if HAVE(SEC_KEY_PROXY)
- WTF::setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies });
-#else
WTF::setProcessPrivileges({ ProcessPrivilege::CanAccessRawCookies, ProcessPrivilege::CanAccessCredentials });
-#endif
WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
WebCore::setPresentingApplicationPID(parameters.presentingApplicationPID);
platformInitializeNetworkProcess(parameters);
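Review bot: After this hunk the Network process holds `ProcessPrivilege::CanAccessCredentials` on every configuration, and nothing in the code marks the grant as a temporary consequence of the revert. The same widening appears in the Network-iOS.entitlements hunk (the `keychain-access-groups` entry) and in both sandbox profiles, where the mach-lookup and /Library/Keychains rules lose their `#if !HAVE(SEC_KEY_PROXY)` guard. If the restriction is expected to come back, a marker above the call would make these grants easy to find again, for example `// FIXME: Drop CanAccessCredentials when the change reverted here (r232276) is reapplied.` The body of initializeNetworkProcess continues past the end of the hunk.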
Modified: tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/ios/NetworkProcessIOS.mm (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/ios/NetworkProcessIOS.mm 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/ios/NetworkProcessIOS.mm 2018-06-01 19:41:14 UTC (rev 232408)
@@ -84,7 +84,7 @@
void NetworkProcess::platformInitializeNetworkProcess(const NetworkProcessCreationParameters& parameters)
{
-#if ENABLE(SEC_ITEM_SHIM) && !HAVE(SEC_KEY_PROXY)
+#if ENABLE(SEC_ITEM_SHIM)
initializeSecItemShim(*this);
#endif
platformInitializeNetworkProcessCocoa(parameters);
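Review bot: With the `!HAVE(SEC_KEY_PROXY)` condition gone, `initializeSecItemShim(*this)` runs on every build that enables SEC_ITEM_SHIM, and the SecItemShim.cpp part of this commit makes that function `RELEASE_ASSERT` on `CanAccessCredentials`. The call is safe only because initializeNetworkProcess calls `WTF::setProcessPrivileges` before `platformInitializeNetworkProcess`, and that ordering is not stated anywhere. I would record it at the call site: `// Requires CanAccessCredentials, which initializeNetworkProcess() sets before calling this function.` The same applies to the NetworkProcessMac.mm hunk, whose function starts outside the hunk; this function's body also ends outside the hunk.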
Modified: tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/mac/NetworkProcessMac.mm (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/mac/NetworkProcessMac.mm 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/mac/NetworkProcessMac.mm 2018-06-01 19:41:14 UTC (rev 232408)
@@ -104,7 +104,7 @@
{
platformInitializeNetworkProcessCocoa(parameters);
-#if ENABLE(SEC_ITEM_SHIM) && !HAVE(SEC_KEY_PROXY)
+#if ENABLE(SEC_ITEM_SHIM)
initializeSecItemShim(*this);
#endif
Modified: tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2018-06-01 19:41:14 UTC (rev 232408)
@@ -161,15 +161,12 @@
;; Security framework
(allow mach-lookup
-#if !HAVE(SEC_KEY_PROXY)
- (global-name "com.apple.ctkd.token-client")
+ (global-name "com.apple.ctkd.token-client")
+ (global-name "com.apple.ocspd")
(global-name "com.apple.securityd.xpc")
(global-name "com.apple.CoreAuthentication.agent.libxpc")
-#endif
- (global-name "com.apple.ocspd")
(global-name "com.apple.SecurityServer"))
-#if !HAVE(SEC_KEY_PROXY)
;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
(allow file-read-data file-read-metadata file-write*
@@ -180,7 +177,6 @@
(deny file-read* file-write*
(regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
(home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
-#endif
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
@@ -193,8 +189,16 @@
(allow file-read*
(subpath "/private/var/db/mds")
- (literal "/private/var/db/DetachedSignatures"))
+ (literal "/private/var/db/DetachedSignatures")
+ ; The following are needed until <rdar://problem/11134688> is resolved.
+ (literal "/Library/Preferences/com.apple.security.plist")
+ (literal "/Library/Preferences/com.apple.security.common.plist")
+ (literal "/Library/Preferences/com.apple.security.revocation.plist")
+ (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+ (home-literal "/Library/Preferences/com.apple.security.plist")
+ (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
+
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
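Review bot: The comment added above the six new `literal`/`home-literal` paths starts with a single `;` and carries no tag, while the neighbouring temporary rules in this profile are written as `;; FIXME: This should be removed when <rdar://…> is fixed.` These are read grants that are meant to go away, so `;; FIXME: The following should be removed when <rdar://problem/11134688> is fixed.` would keep them findable by the same search. The system-level list also includes `com.apple.security.common.plist` while the home-relative list does not; if that difference is intended, a few words in the comment would save the next reader from checking.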
Modified: tags/Safari-606.1.19.1/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2018-06-01 19:41:14 UTC (rev 232408)
@@ -74,11 +74,9 @@
;; Security framework
(allow mach-lookup
-#if !HAVE(SEC_KEY_PROXY)
- (global-name "com.apple.accountsd.accountmanager")
-#endif
(global-name "com.apple.ocspd")
- (global-name "com.apple.securityd"))
+ (global-name "com.apple.securityd")
+ (global-name "com.apple.accountsd.accountmanager"))
(deny file-write-create
(vnode-type SYMLINK))
Modified: tags/Safari-606.1.19.1/Source/WebKit/Shared/mac/SecItemShim.cpp (232407 => 232408)
--- tags/Safari-606.1.19.1/Source/WebKit/Shared/mac/SecItemShim.cpp 2018-06-01 19:41:10 UTC (rev 232407)
+++ tags/Safari-606.1.19.1/Source/WebKit/Shared/mac/SecItemShim.cpp 2018-06-01 19:41:14 UTC (rev 232408)
@@ -73,6 +73,8 @@
static std::optional<SecItemResponseData> sendSecItemRequest(SecItemRequestData::Type requestType, CFDictionaryRef query, CFDictionaryRef attributesToMatch = 0)
{
+ RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
+
std::optional<SecItemResponseData> response;
auto semaphore = adoptOSObject(dispatch_semaphore_create(0));
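Review bot: The `RELEASE_ASSERT` added at the top of sendSecItemRequest is repeated in webSecItemCopyMatching, webSecItemAdd, webSecItemUpdate and webSecItemDelete, each of which calls sendSecItemRequest on the very next line, so the second check adds nothing on those paths. Either keep the assertion in sendSecItemRequest only, or say why both are wanted, for example `// Also asserted in each SecItem entry point so a crash names the API that was called.` Crashing on a missing privilege, where the wrappers otherwise return `errSecInteractionNotAllowed`, looks deliberate, and a short comment saying so would help. The body of sendSecItemRequest continues outside the hunk.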
@@ -91,6 +93,7 @@
static OSStatus webSecItemCopyMatching(CFDictionaryRef query, CFTypeRef* result)
{
+ RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::CopyMatching, query);
if (!response)
return errSecInteractionNotAllowed;
@@ -101,6 +104,7 @@
static OSStatus webSecItemAdd(CFDictionaryRef query, CFTypeRef* result)
{
+ RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::Add, query);
if (!response)
return errSecInteractionNotAllowed;
@@ -112,6 +116,7 @@
static OSStatus webSecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
{
+ RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::Update, query, attributesToUpdate);
if (!response)
return errSecInteractionNotAllowed;
@@ -121,6 +126,7 @@
static OSStatus webSecItemDelete(CFDictionaryRef query)
{
+ RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
auto response = sendSecItemRequest(SecItemRequestData::Delete, query);
if (!response)
return errSecInteractionNotAllowed;
@@ -130,6 +136,7 @@
void initializeSecItemShim(ChildProcess& process)
{
+ RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
sharedProcess = &process;
#if PLATFORM(IOS)