Title: [258915] trunk
Revision: 258915
Author: [email protected]
Date: 2020-03-24 10:14:43 -0700 (Tue, 24 Mar 2020)

Log Message

[Cocoa] Deny access to database mapping service
https://bugs.webkit.org/show_bug.cgi?id=209339

Source/WebKit:

<rdar://problem/56966010>

Reviewed by Brent Fulgham.

In order for the WebContent process to not have permanent access to the database mapping service,
this patch creates an extension for the service in the UI process, sends it to the WebContent
process, where it is consumed. Then, an API call is made which will map the database, and next the
WebContent process will revoke the extension. The WebContent process has then mapped the database,
and access to the database mapping service is no longer needed.

Tested by: fast/sandbox/ios/sandbox-mach-lookup.html

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
* WebProcess/com.apple.WebProcess.sb.in:

Source/WTF:

<rdar://problem/56966010>

Reviewed by Brent Fulgham.

Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
of denying the database mapping service in this patch.

* wtf/PlatformUse.h:

LayoutTests:

Reviewed by Brent Fulgham.

* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (258914 => 258915)


--- trunk/LayoutTests/ChangeLog	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/LayoutTests/ChangeLog	2020-03-24 17:14:43 UTC (rev 258915)
@@ -1,3 +1,13 @@
+2020-03-24  Per Arne Vollan  <[email protected]>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+
+        Reviewed by Brent Fulgham.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+
 2020-03-24  Antoine Quint  <[email protected]>
 
         [iOS+macOS Debug] ASSERTION FAILED: m_effects.isEmpty() in WebCore::KeyframeEffectStack::~KeyframeEffectStack()

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (258914 => 258915)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2020-03-24 17:14:43 UTC (rev 258915)
@@ -25,3 +25,4 @@
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd.v2") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.iconservices") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.lsd.mapdb") is false

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (258914 => 258915)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2020-03-24 17:14:43 UTC (rev 258915)
@@ -28,6 +28,7 @@
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd.v2\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.iconservices\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.lsd.mapdb\")");
 }
 </script>
 </head>

Modified: trunk/Source/WTF/ChangeLog (258914 => 258915)


--- trunk/Source/WTF/ChangeLog	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WTF/ChangeLog	2020-03-24 17:14:43 UTC (rev 258915)
@@ -1,3 +1,16 @@
+2020-03-24  Per Arne Vollan  <[email protected]>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+        <rdar://problem/56966010>
+
+        Reviewed by Brent Fulgham.
+
+        Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
+        of denying the database mapping service in this patch.
+
+        * wtf/PlatformUse.h:
+
 2020-03-23  Commit Queue  <[email protected]>
 
         Unreviewed, reverting r258891.

Modified: trunk/Source/WTF/wtf/PlatformUse.h (258914 => 258915)


--- trunk/Source/WTF/wtf/PlatformUse.h	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WTF/wtf/PlatformUse.h	2020-03-24 17:14:43 UTC (rev 258915)
@@ -321,6 +321,4 @@
 #define USE_CTFONTTRANSFORMGLYPHSWITHLANGUAGE 1
 #endif
 
-#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 140000
-#define USE_UTTYPE_SWIZZLER 1
-#endif
+#define USE_UTTYPE_SWIZZLER 0
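
Review bot: Hard-coding USE_UTTYPE_SWIZZLER to 0 at the end of PlatformUse.h turns every code path guarded by it into dead code, with nothing in the header saying why. The context lines of this same patch still show WebProcessCocoa.mm importing <WebCore/UTTypeRecordSwizzler.h> and WebProcessPoolCocoa.mm filling parameters.vectorOfUTTypeItem. Either remove the macro together with the swizzler code, or add a comment next to the define with the bug URL stating that the swizzler is retired and that the remaining code will be removed in a follow-up.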

Modified: trunk/Source/WebKit/ChangeLog (258914 => 258915)


--- trunk/Source/WebKit/ChangeLog	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WebKit/ChangeLog	2020-03-24 17:14:43 UTC (rev 258915)
@@ -1,3 +1,30 @@
+2020-03-24  Per Arne Vollan  <[email protected]>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+        <rdar://problem/56966010>
+
+        Reviewed by Brent Fulgham.
+
+        In order for the WebContent process to not have permantent access to the database mapping service,
+        this patch creates an extension for the service in the UI process, sends it to the WebContent
+        process, where it is consumed. Then, an API call is made which will map the database, and next the
+        WebContent process will revoke the extension. The WebContent process has then mapped the database,
+        and access to the database mapping service is no longer needed.
+
+        Tested by: fast/sandbox/ios/sandbox-mach-lookup.html
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * Shared/WebProcessCreationParameters.cpp:
+        (WebKit::WebProcessCreationParameters::encode const):
+        (WebKit::WebProcessCreationParameters::decode):
+        * Shared/WebProcessCreationParameters.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeWebProcess):
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::platformInitializeWebProcess):
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2020-03-24  Alex Christensen  <[email protected]>
 
         Unreviewed, reverting r258862.

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (258914 => 258915)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-03-24 17:14:43 UTC (rev 258915)
@@ -537,13 +537,13 @@
     (global-name "com.apple.cfprefsd.daemon")
 )
 
-(deny mach-lookup (with telemetry)
+(deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.distributed_notifications@1v3"))
 
 (allow ipc-posix-shm-read*
        (ipc-posix-name-prefix "apple.cfprefs."))
  
-(allow mach-lookup (with telemetry-backtrace)
+(deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.lsd.mapdb"))
 
 ;; <rdar://problem/12413942>
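
Review bot: The first change in this hunk, switching the deny rule for com.apple.distributed_notifications@1v3 from (with telemetry) to (with telemetry-backtrace), is not mentioned in the log message, which only covers com.apple.lsd.mapdb. Please describe it in the ChangeLog entry for this file or land it separately, so that a later look at changes in telemetry for that service does not end at a commit titled as a mapdb change.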

Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (258914 => 258915)


--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp	2020-03-24 17:14:43 UTC (rev 258915)
@@ -169,6 +169,7 @@
 #if PLATFORM(COCOA)
     encoder << neHelperExtensionHandle;
     encoder << neSessionManagerExtensionHandle;
+    encoder << mapDBExtensionHandle;
     encoder << systemHasBattery;
     encoder << mimeTypesMap;
     encoder << mapUTIFromMIMEType;
@@ -456,6 +457,12 @@
         return false;
     parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
 
+    Optional<Optional<SandboxExtension::Handle>> mapDBExtensionHandle;
+    decoder >> mapDBExtensionHandle;
+    if (!mapDBExtensionHandle)
+        return false;
+    parameters.mapDBExtensionHandle = WTFMove(*mapDBExtensionHandle);
+
     Optional<bool> systemHasBattery;
     decoder >> systemHasBattery;
     if (!systemHasBattery)

Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (258914 => 258915)


--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h	2020-03-24 17:14:43 UTC (rev 258915)
@@ -213,6 +213,7 @@
 #if PLATFORM(COCOA)
     Optional<SandboxExtension::Handle> neHelperExtensionHandle;
     Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
+    Optional<SandboxExtension::Handle> mapDBExtensionHandle;
     bool systemHasBattery { false };
     Optional<HashMap<String, Vector<String>, ASCIICaseInsensitiveHash>> mimeTypesMap;
     HashMap<String, String> mapUTIFromMIMEType;

Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (258914 => 258915)


--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2020-03-24 17:14:43 UTC (rev 258915)
@@ -380,7 +380,6 @@
     if (!WebCore::IOSApplication::isMobileSafari() || _AXSApplicationAccessibilityEnabled()) {
         static const char* services[] = {
             "com.apple.lsd.open",
-            "com.apple.lsd.mapdb",
             "com.apple.mobileassetd",
             "com.apple.iconservices",
             "com.apple.PowerManagement.control",
@@ -435,6 +434,10 @@
     if (WebCore::IOSApplication::isMobileSafari())
         parameters.vectorOfUTTypeItem = createVectorOfUTTypeItem();
 #endif
+
+    SandboxExtension::Handle mapDBHandle;
+    SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport);
+    parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
 #endif
     
     // Allow microphone access if either preference is set because WebRTC requires microphone access.
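
Review bot: In the second hunk nothing checks whether createHandleForMachLookup produced a usable handle: mapDBHandle is moved into parameters.mapDBExtensionHandle unconditionally, so the Optional is always engaged and the WebContent side will always try to consume it. Assign the parameter only if createHandleForMachLookup reports success, so that a failure here shows up as a missing handle rather than as a failed consume() in the other process. A one-line comment would also help, saying that this handle is meant to be consumed and revoked once during WebContent initialization, unlike the entries in the services list that com.apple.lsd.mapdb was removed from in the first hunk.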

Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (258914 => 258915)


--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm	2020-03-24 17:14:43 UTC (rev 258915)
@@ -104,6 +104,7 @@
 #import "RunningBoardServicesSPI.h"
 #import "UserInterfaceIdiom.h"
 #import "WKAccessibilityWebPageObjectIOS.h"
+#import <MobileCoreServices/MobileCoreServices.h>
 #import <UIKit/UIAccessibility.h>
 #import <WebCore/UTTypeRecordSwizzler.h>
 #import <pal/spi/ios/GraphicsServicesSPI.h>
@@ -274,6 +275,17 @@
     if (parameters.neSessionManagerExtensionHandle)
         SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
     NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
+
+    if (parameters.mapDBExtensionHandle) {
+        auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
+        bool ok = extension->consume();
+        ASSERT_UNUSED(ok, ok);
+        // Perform API calls which will communicate with the database mapping service, and map the database.
+        auto uti = adoptCF(UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, CFSTR("text/html"), 0));
+        ok = extension->revoke();
+        ASSERT_UNUSED(ok, ok);
+    }
+
     setSystemHasBattery(parameters.systemHasBattery);
 
     if (parameters.mimeTypesMap)
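
Review bot: In the new mapDBExtensionHandle block the results of consume() and revoke() are checked only with ASSERT_UNUSED(ok, ok), so in a build without assertions a failed revoke() goes unnoticed and the WebContent process keeps mach-lookup access to com.apple.lsd.mapdb for its lifetime, which is exactly what this patch sets out to prevent. Handle the failure in release builds as well (log it, or treat it as fatal). The local uti is never read, so the comment should say that UTTypeCreatePreferredIdentifierForTag is called only for its side effect of mapping the database, and that everything needing the mapping depends on this call having completed before the revoke.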

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (258914 => 258915)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-03-24 17:07:05 UTC (rev 258914)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-03-24 17:14:43 UTC (rev 258915)
@@ -887,6 +887,7 @@
             "com.apple.webinspector"
             "com.apple.cfprefsd.daemon"
             "com.apple.tccd"
+            "com.apple.lsd.mapdb"
 
             ;;; FIXME(207716): The following should be removed when the GPU process is complete
             "com.apple.audio.AudioComponentRegistrar" "com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.endpointstream.xpc"
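
Review bot: This adds com.apple.lsd.mapdb to a list in the non-iOS profile, but the only test named in the log message is fast/sandbox/ios/sandbox-mach-lookup.html, so this profile change has no coverage in the patch. The hunk context does not show which rule the list of global names belongs to, and the ChangeLog entry for com.apple.WebProcess.sb.in is empty. Please state in the ChangeLog what the rule does with this name, and add a matching sandbox check for this platform.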