- Revision
- 258803
- Author
- [email protected]
- Date
- 2020-03-20 18:10:42 -0700 (Fri, 20 Mar 2020)
Log Message
[Cocoa] Deny access to database mapping service
https://bugs.webkit.org/show_bug.cgi?id=209339
Source/WebKit:
<rdar://problem/56966010>
Reviewed by Brent Fulgham.
In order for the WebContent process to not have permanent access to the database mapping service,
this patch creates an extension for the service in the UI process, sends it to the WebContent
process, where it is consumed. Then, an API call is made which will map the database, and next the
WebContent process will revoke the extension. The WebContent process has then mapped the database,
and access to the database mapping service is no longer needed.
Tested by: fast/sandbox/ios/sandbox-mach-lookup.html
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
* WebProcess/com.apple.WebProcess.sb.in:
Source/WTF:
<rdar://problem/56966010>
Reviewed by Brent Fulgham.
Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
of denying the database mapping service in this patch.
* wtf/PlatformUse.h:
LayoutTests:
Reviewed by Brent Fulgham.
* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:
Diff
Modified: trunk/LayoutTests/ChangeLog (258802 => 258803)
--- trunk/LayoutTests/ChangeLog 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/LayoutTests/ChangeLog 2020-03-21 01:10:42 UTC (rev 258803)
@@ -1,3 +1,13 @@
+2020-03-20 Per Arne Vollan <[email protected]>
+
+ [Cocoa] Deny access to database mapping service
+ https://bugs.webkit.org/show_bug.cgi?id=209339
+
+ Reviewed by Brent Fulgham.
+
+ * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+ * fast/sandbox/ios/sandbox-mach-lookup.html:
+
2020-03-20 David Kilzer <[email protected]>
Content-Type & Nosniff Ignored on XML External Entity Resources
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (258802 => 258803)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2020-03-21 01:10:42 UTC (rev 258803)
@@ -24,3 +24,4 @@
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.PowerManagement.control") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd.v2") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.lsd.mapdb") is false
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (258802 => 258803)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2020-03-21 01:10:42 UTC (rev 258803)
@@ -27,6 +27,7 @@
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.PowerManagement.control\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd.v2\")");
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.lsd.mapdb\")");
}
</script>
</head>
Modified: trunk/Source/WTF/ChangeLog (258802 => 258803)
--- trunk/Source/WTF/ChangeLog 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WTF/ChangeLog 2020-03-21 01:10:42 UTC (rev 258803)
@@ -1,3 +1,16 @@
+2020-03-20 Per Arne Vollan <[email protected]>
+
+ [Cocoa] Deny access to database mapping service
+ https://bugs.webkit.org/show_bug.cgi?id=209339
+ <rdar://problem/56966010>
+
+ Reviewed by Brent Fulgham.
+
+ Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
+ of denying the database mapping service in this patch.
+
+ * wtf/PlatformUse.h:
+
2020-03-20 Oliver Hunt <oliver@nerget,com>
Add correct annotations to block isa pointer
Modified: trunk/Source/WTF/wtf/PlatformUse.h (258802 => 258803)
--- trunk/Source/WTF/wtf/PlatformUse.h 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WTF/wtf/PlatformUse.h 2020-03-21 01:10:42 UTC (rev 258803)
@@ -321,6 +321,4 @@
#define USE_CTFONTTRANSFORMGLYPHSWITHLANGUAGE 1
#endif
-#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 140000
-#define USE_UTTYPE_SWIZZLER 1
-#endif
+#define USE_UTTYPE_SWIZZLER 0
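Review bot: `#define USE_UTTYPE_SWIZZLER 0` is now unconditional and has no comment, so a reader of PlatformUse.h cannot tell why the swizzler is off or whether the code it guards is still meant to be kept. `WebCore/UTTypeRecordSwizzler.h` is still imported in WebProcessCocoa.mm in this same commit, which suggests the guarded code remains in the tree as dead code. I would add a comment above the define, for example `/* Disabled: the WebContent process maps the database once at launch through a sandbox extension, see webkit.org/b/209339. */`, and remove the macro and its users in a follow-up if the swizzler is not coming back.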
Modified: trunk/Source/WebKit/ChangeLog (258802 => 258803)
--- trunk/Source/WebKit/ChangeLog 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WebKit/ChangeLog 2020-03-21 01:10:42 UTC (rev 258803)
@@ -1,5 +1,32 @@
2020-03-20 Per Arne Vollan <[email protected]>
+ [Cocoa] Deny access to database mapping service
+ https://bugs.webkit.org/show_bug.cgi?id=209339
+ <rdar://problem/56966010>
+
+ Reviewed by Brent Fulgham.
+
+ In order for the WebContent process to not have permantent access to the database mapping service,
+ this patch creates an extension for the service in the UI process, sends it to the WebContent
+ process, where it is consumed. Then, an API call is made which will map the database, and next the
+ WebContent process will revoke the extension. The WebContent process has then mapped the database,
+ and access to the database mapping service is no longer needed.
+
+ Tested by: fast/sandbox/ios/sandbox-mach-lookup.html
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * Shared/WebProcessCreationParameters.cpp:
+ (WebKit::WebProcessCreationParameters::encode const):
+ (WebKit::WebProcessCreationParameters::decode):
+ * Shared/WebProcessCreationParameters.h:
+ * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+ (WebKit::WebProcessPool::platformInitializeWebProcess):
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::platformInitializeWebProcess):
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+2020-03-20 Per Arne Vollan <[email protected]>
+
[iOS] Add telemetry for message filtering
https://bugs.webkit.org/show_bug.cgi?id=209003
<rdar://problem/60376722>
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (258802 => 258803)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-03-21 01:10:42 UTC (rev 258803)
@@ -537,13 +537,13 @@
(global-name "com.apple.cfprefsd.daemon")
)
-(deny mach-lookup (with telemetry)
+(deny mach-lookup (with telemetry-backtrace)
(global-name "com.apple.distributed_notifications@1v3"))
(allow ipc-posix-shm-read*
(ipc-posix-name-prefix "apple.cfprefs."))
-(allow mach-lookup (with telemetry-backtrace)
+(deny mach-lookup (with telemetry-backtrace)
(global-name "com.apple.lsd.mapdb"))
;; <rdar://problem/12413942>
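Review bot: The new `(deny mach-lookup (with telemetry-backtrace) (global-name "com.apple.lsd.mapdb"))` rule has no visible counterpart in this profile that lets the consumed extension through, unlike com.apple.WebProcess.sb.in, where the name is added to a list in the same commit. If the extension-gated allow rule of this profile (outside the hunk) does not cover com.apple.lsd.mapdb, or this deny takes precedence over it, the one-time `consume()` in WebProcessCocoa.mm grants nothing and the mapping call fails with no visible error in release builds; please confirm, and add a comment such as `;; Access is granted only at launch through a sandbox extension from the UI process.` The other change in this hunk, switching com.apple.distributed_notifications@1v3 from `telemetry` to `telemetry-backtrace`, is not mentioned in the log message and would be easier to audit as its own commit.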
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (258802 => 258803)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-03-21 01:10:42 UTC (rev 258803)
@@ -169,6 +169,7 @@
#if PLATFORM(COCOA)
encoder << neHelperExtensionHandle;
encoder << neSessionManagerExtensionHandle;
+ encoder << mapDBExtensionHandle;
encoder << systemHasBattery;
encoder << mimeTypesMap;
encoder << mapUTIFromMIMEType;
@@ -456,6 +457,12 @@
return false;
parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
+ Optional<Optional<SandboxExtension::Handle>> mapDBExtensionHandle;
+ decoder >> mapDBExtensionHandle;
+ if (!mapDBExtensionHandle)
+ return false;
+ parameters.mapDBExtensionHandle = WTFMove(*mapDBExtensionHandle);
+
Optional<bool> systemHasBattery;
decoder >> systemHasBattery;
if (!systemHasBattery)
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (258802 => 258803)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-03-21 01:10:42 UTC (rev 258803)
@@ -213,6 +213,7 @@
#if PLATFORM(COCOA)
Optional<SandboxExtension::Handle> neHelperExtensionHandle;
Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
+ Optional<SandboxExtension::Handle> mapDBExtensionHandle;
bool systemHasBattery { false };
Optional<HashMap<String, Vector<String>, ASCIICaseInsensitiveHash>> mimeTypesMap;
HashMap<String, String> mapUTIFromMIMEType;
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (258802 => 258803)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-03-21 01:10:42 UTC (rev 258803)
@@ -380,7 +380,6 @@
if (!WebCore::IOSApplication::isMobileSafari() || _AXSApplicationAccessibilityEnabled()) {
static const char* services[] = {
"com.apple.lsd.open",
- "com.apple.lsd.mapdb",
"com.apple.mobileassetd",
"com.apple.iconservices",
"com.apple.PowerManagement.control",
@@ -415,6 +414,10 @@
parameters.systemHasBattery = systemHasBattery();
parameters.mimeTypesMap = commonMimeTypesMap();
parameters.mapUTIFromMIMEType = createUTIFromMIMETypeMap();
+
+ SandboxExtension::Handle mapDBHandle;
+ SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport);
+ parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
#endif
#if PLATFORM(IOS)
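Review bot: The result of `SandboxExtension::createHandleForMachLookup(...)` is discarded and `mapDBHandle` is moved into `parameters.mapDBExtensionHandle` unconditionally, so a failed creation still sends a handle that the WebContent process will try to consume. If the call reports success as a bool (its declaration is not in this hunk), assign only on success: `if (SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport)) parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);`. The enclosing function starts before the hunk, so the conditions under which this code runs are not visible here.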
Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (258802 => 258803)
--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-03-21 01:10:42 UTC (rev 258803)
@@ -104,6 +104,7 @@
#import "RunningBoardServicesSPI.h"
#import "UserInterfaceIdiom.h"
#import "WKAccessibilityWebPageObjectIOS.h"
+#import <MobileCoreServices/MobileCoreServices.h>
#import <UIKit/UIAccessibility.h>
#import <WebCore/UTTypeRecordSwizzler.h>
#import <pal/spi/ios/GraphicsServicesSPI.h>
@@ -274,6 +275,17 @@
if (parameters.neSessionManagerExtensionHandle)
SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
+
+ if (parameters.mapDBExtensionHandle) {
+ auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
+ bool ok = extension->consume();
+ ASSERT_UNUSED(ok, ok);
+ // Perform an API call which will communicate with the database mapping service, and map the database.
+ auto r = adoptCF(UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, CFSTR("text/html"), 0));
+ ok = extension->revoke();
+ ASSERT_UNUSED(ok, ok);
+ }
+
setSystemHasBattery(parameters.systemHasBattery);
if (parameters.mimeTypesMap)
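Review bot: `ASSERT_UNUSED(ok, ok)` after `extension->revoke()` checks the result only in debug builds, so in a release build a failed revoke leaves the WebContent process with the com.apple.lsd.mapdb access this commit is meant to take away, and nothing records it. Check the result in all builds, for example `RELEASE_ASSERT(ok);` after `revoke()` (or a release log entry if terminating the process is too strict), and decide the same for a failed `consume()`. `extension` is dereferenced without a null check, which is safe only if `SandboxExtension::create` never returns null for a decoded handle; that is not visible here. The unused `auto r` would read better with a name that says the value is deliberately dropped, and the last argument `0` as `nullptr`. The function body starts and ends outside the hunk.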
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (258802 => 258803)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-03-21 00:52:08 UTC (rev 258802)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-03-21 01:10:42 UTC (rev 258803)
@@ -679,7 +679,6 @@
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.coreservices.launchservicesd")
- (global-name "com.apple.lsd.mapdb")
(global-name "com.apple.trustd.agent")
)
@@ -887,6 +886,7 @@
"com.apple.webinspector"
"com.apple.cfprefsd.daemon"
"com.apple.tccd"
+ "com.apple.lsd.mapdb"
;;; FIXME(207716): The following should be removed when the GPU process is complete
"com.apple.audio.AudioComponentRegistrar" "com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.endpointstream.xpc"