- Revision
- 258891
- Author
- [email protected]
- Date
- 2020-03-23 17:15:23 -0700 (Mon, 23 Mar 2020)
Log Message
[Cocoa] Deny access to database mapping service
https://bugs.webkit.org/show_bug.cgi?id=209339
Source/WebKit:
<rdar://problem/56966010>
Reviewed by Brent Fulgham.
In order for the WebContent process to not have permanent access to the database mapping service,
this patch creates an extension for the service in the UI process, sends it to the WebContent
process, where it is consumed. Then, an API call is made which will map the database, and next the
WebContent process will revoke the extension. The WebContent process has then mapped the database,
and access to the database mapping service is no longer needed.
Tested by: fast/sandbox/ios/sandbox-mach-lookup.html
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
* WebProcess/com.apple.WebProcess.sb.in:
Source/WTF:
<rdar://problem/56966010>
Reviewed by Brent Fulgham.
Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
of denying the database mapping service in this patch.
* wtf/PlatformUse.h:
LayoutTests:
Reviewed by Brent Fulgham.
* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (258890 => 258891)
--- trunk/LayoutTests/ChangeLog 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/LayoutTests/ChangeLog 2020-03-24 00:15:23 UTC (rev 258891)
@@ -1,3 +1,13 @@
+2020-03-23 Per Arne Vollan <[email protected]>
+
+ [Cocoa] Deny access to database mapping service
+ https://bugs.webkit.org/show_bug.cgi?id=209339
+
+ Reviewed by Brent Fulgham.
+
+ * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+ * fast/sandbox/ios/sandbox-mach-lookup.html:
+
2020-03-23 Jason Lawrence <[email protected]>
[ iOS wk2 Debug ] fast/text/control-characters/visible-control-characters-1.html is flaky crashing.
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (258890 => 258891)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2020-03-24 00:15:23 UTC (rev 258891)
@@ -25,3 +25,4 @@
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd.v2") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.iconservices") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.lsd.mapdb") is false
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (258890 => 258891)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2020-03-24 00:15:23 UTC (rev 258891)
@@ -28,6 +28,7 @@
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd.v2\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.iconservices\")");
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.lsd.mapdb\")");
}
</script>
</head>
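Review bot: The added `shouldBeFalse(...)` for `com.apple.lsd.mapdb` only pins the end state, that lookup access is gone after initialization. It does not show that the database was actually mapped while the extension was held, so a regression where the consume step fails would still pass this test. A companion check that a UTI/MIME lookup still returns a value in the WebContent process after revocation would cover that, if the test harness exposes such a hook. The test lives under `fast/sandbox/ios`, so the matching change to the macOS profile appears to have no equivalent coverage. The enclosing script function starts outside this hunk.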
Modified: trunk/Source/WTF/ChangeLog (258890 => 258891)
--- trunk/Source/WTF/ChangeLog 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WTF/ChangeLog 2020-03-24 00:15:23 UTC (rev 258891)
@@ -1,3 +1,16 @@
+2020-03-23 Per Arne Vollan <[email protected]>
+
+ [Cocoa] Deny access to database mapping service
+ https://bugs.webkit.org/show_bug.cgi?id=209339
+ <rdar://problem/56966010>
+
+ Reviewed by Brent Fulgham.
+
+ Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
+ of denying the database mapping service in this patch.
+
+ * wtf/PlatformUse.h:
+
2020-03-23 John Wilander <[email protected]>
Add the capability to change all of a website's cookies to SameSite=Strict
Modified: trunk/Source/WTF/wtf/PlatformUse.h (258890 => 258891)
--- trunk/Source/WTF/wtf/PlatformUse.h 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WTF/wtf/PlatformUse.h 2020-03-24 00:15:23 UTC (rev 258891)
@@ -321,6 +321,4 @@
#define USE_CTFONTTRANSFORMGLYPHSWITHLANGUAGE 1
#endif
-#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 140000
-#define USE_UTTYPE_SWIZZLER 1
-#endif
+#define USE_UTTYPE_SWIZZLER 0
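Review bot: The new `#define USE_UTTYPE_SWIZZLER 0` is unconditional and carries no comment, so a later reader cannot tell from this header why the swizzler path is off or when it may be removed. A one-line comment above it would help, for example `// Disabled: the WebContent process maps the LaunchServices database at launch through a temporary sandbox extension (webkit.org/b/209339).` The swizzler header is still imported in WebProcessCocoa.mm in this same commit, so the code behind the macro is presumably now dead and could go in a follow-up.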
Modified: trunk/Source/WebKit/ChangeLog (258890 => 258891)
--- trunk/Source/WebKit/ChangeLog 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WebKit/ChangeLog 2020-03-24 00:15:23 UTC (rev 258891)
@@ -1,3 +1,30 @@
+2020-03-23 Per Arne Vollan <[email protected]>
+
+ [Cocoa] Deny access to database mapping service
+ https://bugs.webkit.org/show_bug.cgi?id=209339
+ <rdar://problem/56966010>
+
+ Reviewed by Brent Fulgham.
+
+ In order for the WebContent process to not have permantent access to the database mapping service,
+ this patch creates an extension for the service in the UI process, sends it to the WebContent
+ process, where it is consumed. Then, an API call is made which will map the database, and next the
+ WebContent process will revoke the extension. The WebContent process has then mapped the database,
+ and access to the database mapping service is no longer needed.
+
+ Tested by: fast/sandbox/ios/sandbox-mach-lookup.html
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * Shared/WebProcessCreationParameters.cpp:
+ (WebKit::WebProcessCreationParameters::encode const):
+ (WebKit::WebProcessCreationParameters::decode):
+ * Shared/WebProcessCreationParameters.h:
+ * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+ (WebKit::WebProcessPool::platformInitializeWebProcess):
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::platformInitializeWebProcess):
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2020-03-23 Megan Gardner <[email protected]>
Removed FIXME comment for work that had already been done.
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (258890 => 258891)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-03-24 00:15:23 UTC (rev 258891)
@@ -537,13 +537,13 @@
(global-name "com.apple.cfprefsd.daemon")
)
-(deny mach-lookup (with telemetry)
+(deny mach-lookup (with telemetry-backtrace)
(global-name "com.apple.distributed_notifications@1v3"))
(allow ipc-posix-shm-read*
(ipc-posix-name-prefix "apple.cfprefs."))
-(allow mach-lookup (with telemetry-backtrace)
+(deny mach-lookup (with telemetry-backtrace)
(global-name "com.apple.lsd.mapdb"))
;; <rdar://problem/12413942>
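Review bot: The first change in this hunk, switching the `com.apple.distributed_notifications@1v3` deny rule from `(with telemetry)` to `(with telemetry-backtrace)`, is unrelated to the database mapping service and is not mentioned in the ChangeLog entry. It should be called out there or split into its own commit. For the `com.apple.lsd.mapdb` rule, a comment would explain why a service the process still needs at launch is denied, for example `;; Access is granted only during process initialization via a sandbox extension issued by the UI process, then revoked.` The profile rule that lets an issued mach-lookup extension override this deny is not visible in the hunk, so it is worth confirming that it precedes or outranks this rule as intended.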
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (258890 => 258891)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-03-24 00:15:23 UTC (rev 258891)
@@ -169,6 +169,7 @@
#if PLATFORM(COCOA)
encoder << neHelperExtensionHandle;
encoder << neSessionManagerExtensionHandle;
+ encoder << mapDBExtensionHandle;
encoder << systemHasBattery;
encoder << mimeTypesMap;
encoder << mapUTIFromMIMEType;
@@ -456,6 +457,12 @@
return false;
parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
+ Optional<Optional<SandboxExtension::Handle>> mapDBExtensionHandle;
+ decoder >> mapDBExtensionHandle;
+ if (!mapDBExtensionHandle)
+ return false;
+ parameters.mapDBExtensionHandle = WTFMove(*mapDBExtensionHandle);
+
Optional<bool> systemHasBattery;
decoder >> systemHasBattery;
if (!systemHasBattery)
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (258890 => 258891)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-03-24 00:15:23 UTC (rev 258891)
@@ -213,6 +213,7 @@
#if PLATFORM(COCOA)
Optional<SandboxExtension::Handle> neHelperExtensionHandle;
Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
+ Optional<SandboxExtension::Handle> mapDBExtensionHandle;
bool systemHasBattery { false };
Optional<HashMap<String, Vector<String>, ASCIICaseInsensitiveHash>> mimeTypesMap;
HashMap<String, String> mapUTIFromMIMEType;
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (258890 => 258891)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-03-24 00:15:23 UTC (rev 258891)
@@ -380,7 +380,6 @@
if (!WebCore::IOSApplication::isMobileSafari() || _AXSApplicationAccessibilityEnabled()) {
static const char* services[] = {
"com.apple.lsd.open",
- "com.apple.lsd.mapdb",
"com.apple.mobileassetd",
"com.apple.iconservices",
"com.apple.PowerManagement.control",
@@ -415,6 +414,10 @@
parameters.systemHasBattery = systemHasBattery();
parameters.mimeTypesMap = commonMimeTypesMap();
parameters.mapUTIFromMIMEType = createUTIFromMIMETypeMap();
+
+ SandboxExtension::Handle mapDBHandle;
+ SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport);
+ parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
#endif
#if PLATFORM(IOS)
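Review bot: The result of `SandboxExtension::createHandleForMachLookup(...)` is ignored and `parameters.mapDBExtensionHandle` is set unconditionally, so a failed issue still sends a handle that the WebContent process will try to consume. Assigning only on success keeps the receiving `if (parameters.mapDBExtensionHandle)` check meaningful: `if (SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport)) parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);`. Passing `WTF::nullopt` for the audit token presumably means the extension is not bound to the target process; if the process's audit token is available at this point, binding it would narrow who can consume the handle. The enclosing function starts and ends outside this hunk.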
Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (258890 => 258891)
--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-03-24 00:15:23 UTC (rev 258891)
@@ -104,6 +104,7 @@
#import "RunningBoardServicesSPI.h"
#import "UserInterfaceIdiom.h"
#import "WKAccessibilityWebPageObjectIOS.h"
+#import <MobileCoreServices/MobileCoreServices.h>
#import <UIKit/UIAccessibility.h>
#import <WebCore/UTTypeRecordSwizzler.h>
#import <pal/spi/ios/GraphicsServicesSPI.h>
@@ -274,6 +275,18 @@
if (parameters.neSessionManagerExtensionHandle)
SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
+
+ if (parameters.mapDBExtensionHandle) {
+ auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
+ bool ok = extension->consume();
+ ASSERT_UNUSED(ok, ok);
+ // Perform API calls which will communicate with the database mapping service, and map the database.
+ auto uti = adoptCF(UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, CFSTR("text/html"), 0));
+ auto mimeType = adoptCF(UTTypeCopyPreferredTagWithClass(CFSTR("public.png"), kUTTagClassMIMEType));
+ ok = extension->revoke();
+ ASSERT_UNUSED(ok, ok);
+ }
+
setSystemHasBattery(parameters.systemHasBattery);
if (parameters.mimeTypesMap)
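Review bot: In the new `if (parameters.mapDBExtensionHandle)` block, both `consume()` and `revoke()` are checked only with `ASSERT_UNUSED`, which does nothing in release builds. If `consume()` fails there, the two UTType calls run against a denied service and the database is never mapped. If `revoke()` fails, the process silently keeps the lookup access this patch is meant to remove. `extension` is also dereferenced without a null check, which matters if `SandboxExtension::create` can return null for an invalid handle (not visible here). The block should skip the mapping calls when the extension is missing or not consumed, revoke only after a successful consume, and log or hard-fail on a failed revoke in release builds. The enclosing function starts and ends outside this hunk.

```objective-c++
    if (parameters.mapDBExtensionHandle) {
        auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
        if (extension && extension->consume()) {
            // … unchanged: the two UTType calls that map the database …
            bool revoked = extension->revoke();
            // A failed revoke leaves mach-lookup access in place; consider a release-mode check here.
            ASSERT_UNUSED(revoked, revoked);
        } else
            ASSERT_NOT_REACHED();
    }
```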
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (258890 => 258891)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-03-24 00:06:29 UTC (rev 258890)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-03-24 00:15:23 UTC (rev 258891)
@@ -679,7 +679,6 @@
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.coreservices.launchservicesd")
- (global-name "com.apple.lsd.mapdb")
(global-name "com.apple.trustd.agent")
)
@@ -887,6 +886,7 @@
"com.apple.webinspector"
"com.apple.cfprefsd.daemon"
"com.apple.tccd"
+ "com.apple.lsd.mapdb"
;;; FIXME(207716): The following should be removed when the GPU process is complete
"com.apple.audio.AudioComponentRegistrar" "com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.endpointstream.xpc"