Diff
Modified: trunk/LayoutTests/ChangeLog (253487 => 253488)
--- trunk/LayoutTests/ChangeLog 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/LayoutTests/ChangeLog 2019-12-13 19:07:51 UTC (rev 253488)
@@ -1,3 +1,20 @@
+2019-12-13 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=205134
+ <rdar://problem/56984257>
+
+ Reviewed by Brent Fulgham.
+
+ Add test for mach lookup access to "*.apple-extension-service".
+
+ * TestExpectations:
+ * fast/sandbox: Added.
+ * fast/sandbox/ios: Added.
+ * fast/sandbox/ios/sandbox-mach-lookup-expected.txt: Added.
+ * fast/sandbox/ios/sandbox-mach-lookup.html: Added.
+ * platform/ios-device-wk2/TestExpectations:
+
2019-12-13 youenn fablet <[email protected]>
Help debugging flaky http/tests/cache-storage/page-cache-domcachestorage-pending-promise.html
Modified: trunk/LayoutTests/TestExpectations (253487 => 253488)
--- trunk/LayoutTests/TestExpectations 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/LayoutTests/TestExpectations 2019-12-13 19:07:51 UTC (rev 253488)
@@ -28,6 +28,7 @@
fast/forms/select/mac-wk2 [ Skip ]
fast/forms/textarea/ios [ Skip ]
fast/forms/watchos [ Skip ]
+fast/sandbox/ios [ Skip ]
fast/viewport/watchos [ Skip ]
fast/visual-viewport/watchos [ Skip ]
fast/visual-viewport/tiled-drawing [ Skip ]
Added: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (0 => 253488)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2019-12-13 19:07:51 UTC (rev 253488)
@@ -0,0 +1,7 @@
+Regression tests for mach lookup sandbox changes on iOS
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.apple-extension-service") is false
+
Added: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (0 => 253488)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (rev 0)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2019-12-13 19:07:51 UTC (rev 253488)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+description('Regression tests for mach lookup sandbox changes on iOS');
+
+if (window.internals) {
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.apple-extension-service\")");
+}
+</script>
+</head>
+<body>
+</body>
Modified: trunk/LayoutTests/platform/ios-device-wk2/TestExpectations (253487 => 253488)
--- trunk/LayoutTests/platform/ios-device-wk2/TestExpectations 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/LayoutTests/platform/ios-device-wk2/TestExpectations 2019-12-13 19:07:51 UTC (rev 253488)
@@ -3,3 +3,4 @@
# See http://trac.webkit.org/wiki/TestExpectations for more information on this file.
#
+fast/sandbox/ios [ Pass ]
Modified: trunk/Source/WTF/ChangeLog (253487 => 253488)
--- trunk/Source/WTF/ChangeLog 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WTF/ChangeLog 2019-12-13 19:07:51 UTC (rev 253488)
@@ -1,3 +1,15 @@
+2019-12-13 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=205134
+ <rdar://problem/56984257>
+
+ Reviewed by Brent Fulgham.
+
+ Add enum value for the XPC service name filter type.
+
+ * wtf/spi/darwin/SandboxSPI.h:
+
2019-12-09 Fujii Hironori <[email protected]>
[MSVC] writeNumberToBufferUnsigned is unsafe for bool type
Modified: trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h (253487 => 253488)
--- trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h 2019-12-13 19:07:51 UTC (rev 253488)
@@ -35,6 +35,7 @@
enum sandbox_filter_type {
SANDBOX_FILTER_NONE,
SANDBOX_FILTER_GLOBAL_NAME = 2,
+ SANDBOX_FILTER_XPC_SERVICE_NAME = 12,
};
#define SANDBOX_NAMED_EXTERNAL 0x0003
Modified: trunk/Source/WebCore/ChangeLog (253487 => 253488)
--- trunk/Source/WebCore/ChangeLog 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WebCore/ChangeLog 2019-12-13 19:07:51 UTC (rev 253488)
@@ -1,3 +1,20 @@
+2019-12-13 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=205134
+ <rdar://problem/56984257>
+
+ Reviewed by Brent Fulgham.
+
+ Add method to Internals checking mach lookup access to a given XPC service name.
+
+ Test: fast/sandbox/ios/sandbox-mach-lookup.html
+
+ * testing/Internals.cpp:
+ (WebCore::Internals::hasSandboxMachLookupAccessToXPCServiceName):
+ * testing/Internals.h:
+ * testing/Internals.idl:
+
2019-12-13 Wenson Hsieh <[email protected]>
[Clipboard API] Sanitize HTML and image data written using clipboard.write
Modified: trunk/Source/WebCore/testing/Internals.cpp (253487 => 253488)
--- trunk/Source/WebCore/testing/Internals.cpp 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WebCore/testing/Internals.cpp 2019-12-13 19:07:51 UTC (rev 253488)
@@ -5363,4 +5363,19 @@
#endif
}
+bool Internals::hasSandboxMachLookupAccessToXPCServiceName(const String& process, const String& service)
+{
+#if PLATFORM(COCOA)
+ pid_t pid;
+ if (process == "com.apple.WebKit.WebContent")
+ pid = getpid();
+ else
+ RELEASE_ASSERT_NOT_REACHED();
+
+ return !sandbox_check(pid, "mach-lookup", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_XPC_SERVICE_NAME | SANDBOX_CHECK_NO_REPORT), service.utf8().data());
+#else
+ return false;
+#endif
+}
+
} // namespace WebCore
Modified: trunk/Source/WebCore/testing/Internals.h (253487 => 253488)
--- trunk/Source/WebCore/testing/Internals.h 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WebCore/testing/Internals.h 2019-12-13 19:07:51 UTC (rev 253488)
@@ -914,6 +914,7 @@
Ref<InternalsMapLike> createInternalsMapLike();
bool hasSandboxMachLookupAccessToGlobalName(const String& process, const String& service);
+ bool hasSandboxMachLookupAccessToXPCServiceName(const String& process, const String& service);
String highlightPseudoElementColor(const String& highlightName, Element&);
Modified: trunk/Source/WebCore/testing/Internals.idl (253487 => 253488)
--- trunk/Source/WebCore/testing/Internals.idl 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WebCore/testing/Internals.idl 2019-12-13 19:07:51 UTC (rev 253488)
@@ -825,4 +825,5 @@
DOMString highlightPseudoElementColor(DOMString highlightName, Element element);
boolean hasSandboxMachLookupAccessToGlobalName(DOMString process, DOMString service);
+ boolean hasSandboxMachLookupAccessToXPCServiceName(DOMString process, DOMString service);
};
Modified: trunk/Source/WebKit/ChangeLog (253487 => 253488)
--- trunk/Source/WebKit/ChangeLog 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WebKit/ChangeLog 2019-12-13 19:07:51 UTC (rev 253488)
@@ -1,3 +1,15 @@
+2019-12-13 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=205134
+ <rdar://problem/56984257>
+
+ Reviewed by Brent Fulgham.
+
+ Remove mach lookup access to "*.apple-extension-service" in the sandbox.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
2019-12-13 youenn fablet <[email protected]>
Help debugging flaky http/tests/cache-storage/page-cache-domcachestorage-pending-promise.html
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (253487 => 253488)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2019-12-13 18:58:04 UTC (rev 253487)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2019-12-13 19:07:51 UTC (rev 253488)
@@ -443,7 +443,6 @@
(allow mach-lookup (with report) (with telemetry)
(global-name-regex #"^com\.apple\.uikit\.viewservice\..+")
- (xpc-service-name-regex #"\.apple-extension-service$") ;; <rdar://problem/19525887>
(xpc-service-name-regex #"\.viewservice$") ;; <rdar://problem/31252371>
)
