- Revision
- 259366
- Author
- pvol...@apple.com
- Date
- 2020-04-01 15:29:21 -0700 (Wed, 01 Apr 2020)
Log Message
[macOS] Deny mach-lookup access to "com.apple.lsd.mapdb" in sandbox
https://bugs.webkit.org/show_bug.cgi?id=209814
Reviewed by Darin Adler.
Source/WebKit:
This was done for iOS in <https://trac.webkit.org/changeset/258915>, and in order to be able to do this
on macOS, checking in with Launch Services and updating the process name needs to be done after the
Launch Services database mapping has been done in WebProcess::platformInitializeWebProcess. Also, the
previous call to RegisterApplication has been replaced with a call to launchServicesCheckIn, because
RegisterApplication is an AppKit function and should be avoided now that the WebContent process is no
longer an NSApplication.
Test: fast/sandbox/mac/sandbox-mach-lookup.html
* Shared/mac/AuxiliaryProcessMac.mm:
(WebKit::AuxiliaryProcess::launchServicesCheckIn):
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
(WebKit::WebProcess::initializeProcessName):
(WebKit::WebProcess::updateProcessName):
(WebKit::WebProcess::platformInitializeProcess):
* WebProcess/com.apple.WebProcess.sb.in:
LayoutTests:
* fast/sandbox/mac/sandbox-mach-lookup-expected.txt:
* fast/sandbox/mac/sandbox-mach-lookup.html:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (259365 => 259366)
--- trunk/LayoutTests/ChangeLog 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/LayoutTests/ChangeLog 2020-04-01 22:29:21 UTC (rev 259366)
@@ -1,3 +1,13 @@
+2020-04-01 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS] Deny mach-lookup access to "com.apple.lsd.mapdb" in sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=209814
+
+ Reviewed by Darin Adler.
+
+ * fast/sandbox/mac/sandbox-mach-lookup-expected.txt:
+ * fast/sandbox/mac/sandbox-mach-lookup.html:
+
2020-04-01 Jason Lawrence <lawrenc...@apple.com>
[ Mac wk1 Debug ] inspector/page/overrideSetting-ICECandidateFilteringEnabled.html is flaky timing out.
Modified: trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt (259365 => 259366)
--- trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt 2020-04-01 22:29:21 UTC (rev 259366)
@@ -8,4 +8,5 @@
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager.content-filter") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.lsd.mapdb") is false
Modified: trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html (259365 => 259366)
--- trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html 2020-04-01 22:29:21 UTC (rev 259366)
@@ -11,6 +11,7 @@
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager.content-filter\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.lsd.mapdb\")");
}
</script>
</head>
Modified: trunk/Source/WebKit/ChangeLog (259365 => 259366)
--- trunk/Source/WebKit/ChangeLog 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/Source/WebKit/ChangeLog 2020-04-01 22:29:21 UTC (rev 259366)
@@ -1,3 +1,30 @@
+2020-04-01 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS] Deny mach-lookup access to "com.apple.lsd.mapdb" in sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=209814
+
+ Reviewed by Darin Adler.
+
+ This was done for iOS in <https://trac.webkit.org/changeset/258915>, and in order to be able to do this
+ on macOS, checking in with Launch Services and updating the process name needs to be done after the
+ Launch Services database mapping has been done in WebProcess::platformInitializeWebProcess. Also, the
+ previous call to RegisterApplication has been replaced with a call to launchServicesCheckIn, since
+ RegisterApplication is an AppKit function, and should be avoided since the WebContent process is not
+ a NSApplication anymore.
+
+ Test: fast/sandbox/mac/sandbox-mach-lookup.html
+
+ * Shared/mac/AuxiliaryProcessMac.mm:
+ (WebKit::AuxiliaryProcess::launchServicesCheckIn):
+ * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+ (WebKit::WebProcessPool::platformInitializeWebProcess):
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::platformInitializeWebProcess):
+ (WebKit::WebProcess::initializeProcessName):
+ (WebKit::WebProcess::updateProcessName):
+ (WebKit::WebProcess::platformInitializeProcess):
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2020-04-01 Chris Dumez <cdu...@apple.com>
Regression(r257963) didFailProvisionalNavigation delegate no longer gets called when cancelling a cross-site provisional navigation
Modified: trunk/Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm (259365 => 259366)
--- trunk/Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm 2020-04-01 22:29:21 UTC (rev 259366)
@@ -75,6 +75,9 @@
typedef bool (^LSServerConnectionAllowedBlock) ( CFDictionaryRef optionsRef );
extern "C" void _LSSetApplicationLaunchServicesServerConnectionStatus(uint64_t flags, LSServerConnectionAllowedBlock block);
extern "C" CFDictionaryRef _LSApplicationCheckIn(LSSessionID sessionID, CFDictionaryRef applicationInfo);
+#if HAVE(CSCHECKFIXDISABLE)
+extern "C" void _CSCheckFixDisable();
+#endif
namespace WebKit {
using namespace WebCore;
@@ -151,6 +154,11 @@
void AuxiliaryProcess::launchServicesCheckIn()
{
+#if HAVE(CSCHECKFIXDISABLE)
+ // _CSCheckFixDisable() needs to be called before checking in with Launch Services.
+ _CSCheckFixDisable();
+#endif
+
_LSSetApplicationLaunchServicesServerConnectionStatus(0, 0);
RetainPtr<CFDictionaryRef> unused = _LSApplicationCheckIn(kLSDefaultSessionID, CFBundleGetInfoDictionary(CFBundleGetMainBundle()));
}
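Review bot: `_CSCheckFixDisable()` now sits inside the shared `AuxiliaryProcess::launchServicesCheckIn()`, so it runs on every check-in and for any auxiliary process type that calls this helper, where before it ran only from `WebProcess::initializeProcessName`. If the wider scope is intended, the comment should say so, e.g. `// Runs on every check-in, for every auxiliary process type; must precede _LSApplicationCheckIn().` If it is not, wrapping the call in a `static std::once_flag` keeps it single-shot. Which other subclasses call this helper is not visible in the hunk.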
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (259365 => 259366)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-04-01 22:29:21 UTC (rev 259366)
@@ -406,6 +406,10 @@
parameters.systemHasBattery = systemHasBattery();
parameters.mimeTypesMap = commonMimeTypesMap();
parameters.mapUTIFromMIMEType = createUTIFromMIMETypeMap();
+
+ SandboxExtension::Handle mapDBHandle;
+ SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport);
+ parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
#endif
#if PLATFORM(IOS)
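Review bot: The result of `SandboxExtension::createHandleForMachLookup` is discarded and `parameters.mapDBExtensionHandle` is set unconditionally, so a failed handle creation only surfaces in the WebContent process, where the profile now denies `com.apple.lsd.mapdb` outright. Assuming the call reports success as a boolean, set the parameter only on success: `if (SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport)) parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);`. The handle is also issued with `WTF::nullopt` rather than the target process's audit token; if the token is available here, binding the extension to it would narrow who can consume it. The enclosing function starts and ends outside the hunk.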
@@ -426,10 +430,6 @@
if (WebCore::IOSApplication::isMobileSafari())
parameters.vectorOfUTTypeItem = createVectorOfUTTypeItem();
#endif
-
- SandboxExtension::Handle mapDBHandle;
- SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport);
- parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
#endif
// Allow microphone access if either preference is set because WebRTC requires microphone access.
Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (259365 => 259366)
--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-04-01 22:29:21 UTC (rev 259366)
@@ -134,10 +134,6 @@
#import <os/state_private.h>
#endif
-#if HAVE(CSCHECKFIXDISABLE)
-extern "C" void _CSCheckFixDisable();
-#endif
-
#define RELEASE_LOG_SESSION_ID (m_sessionID ? m_sessionID->toUInt64() : 0)
#define RELEASE_LOG_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [sessionID=%" PRIu64 "] WebProcess::" fmt, this, RELEASE_LOG_SESSION_ID, ##__VA_ARGS__)
#define RELEASE_LOG_ERROR_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_ERROR_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [sessionID=%" PRIu64 "] WebProcess::" fmt, this, RELEASE_LOG_SESSION_ID, ##__VA_ARGS__)
@@ -167,6 +163,18 @@
void WebProcess::platformInitializeWebProcess(WebProcessCreationParameters& parameters)
{
+ // Map Launch Services database. This should be done as early as possible, as the mapping will fail
+ // if 'com.apple.lsd.mapdb' is being accessed before this.
+ if (parameters.mapDBExtensionHandle) {
+ auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
+ bool ok = extension->consume();
+ ASSERT_UNUSED(ok, ok);
+ // Perform API calls which will communicate with the database mapping service, and map the database.
+ auto uti = adoptCF(UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, CFSTR("text/html"), 0));
+ ok = extension->revoke();
+ ASSERT_UNUSED(ok, ok);
+ }
+
#if !LOG_DISABLED || !RELEASE_LOG_DISABLED
WebCore::initializeLogChannelsIfNecessary(parameters.webCoreLoggingChannels);
WebKit::initializeLogChannelsIfNecessary(parameters.webKitLoggingChannels);
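Review bot: `extension` is dereferenced without a null check, and `consume()` and `revoke()` are verified only by `ASSERT_UNUSED`, which checks nothing in release builds. If `SandboxExtension::create` can return null for an empty handle, `extension->consume()` crashes here. A failed consume would go unnoticed while the profile denies the lookup, so the database mapping would fail silently. Guard with `if (auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle)))` and emit a release log when either call returns false. A failed `revoke()` matters most, since it would leave the mach-lookup extension active for the rest of the process lifetime. The function body continues past the hunk.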
@@ -273,16 +281,6 @@
SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
- if (parameters.mapDBExtensionHandle) {
- auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
- bool ok = extension->consume();
- ASSERT_UNUSED(ok, ok);
- // Perform API calls which will communicate with the database mapping service, and map the database.
- auto uti = adoptCF(UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, CFSTR("text/html"), 0));
- ok = extension->revoke();
- ASSERT_UNUSED(ok, ok);
- }
-
setSystemHasBattery(parameters.systemHasBattery);
if (parameters.mimeTypesMap)
@@ -317,6 +315,8 @@
#endif
WebCore::sleepDisablerClient() = makeUnique<WebSleepDisablerClient>();
+
+ updateProcessName();
}
void WebProcess::platformSetWebsiteDataStoreParameters(WebProcessDataStoreParameters&& parameters)
@@ -335,23 +335,26 @@
}
}
-void WebProcess::initializeProcessName(const AuxiliaryProcessInitializationParameters&)
+void WebProcess::initializeProcessName(const AuxiliaryProcessInitializationParameters& parameters)
{
#if PLATFORM(MAC)
-#if HAVE(CSCHECKFIXDISABLE)
- // _CSCheckFixDisable() needs to be called before checking in with Launch Services.
- _CSCheckFixDisable();
+ m_uiProcessName = parameters.uiProcessName;
+#else
+ UNUSED_PARAM(parameters);
#endif
- // This is necessary so that we are able to set the process' display name.
- _RegisterApplication(nullptr, nullptr);
-
- updateProcessName();
-#endif
}
void WebProcess::updateProcessName()
{
#if PLATFORM(MAC)
+ static std::once_flag onceFlag;
+ std::call_once(
+ onceFlag,
+ [this] {
+ // Checking in with Launch Services is necessary to be able to set the process' display name.
+ launchServicesCheckIn();
+ });
+
NSString *applicationName;
switch (m_processType) {
case ProcessType::Inspector:
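Review bot: The `std::call_once` guard covers only this call site, while the context of the following hunk still shows a direct `launchServicesCheckIn();` in `platformInitializeProcess` under `ENABLE(WEBPROCESS_WINDOWSERVER_BLOCKING)`. That call appears to run before `platformInitializeWebProcess` maps the Launch Services database, which is the ordering the commit message says must be avoided, and it would make the check-in happen twice. Its enclosing condition is outside the visible lines, so confirm whether it is still reachable; if it is, drop it or route it through the same once-guard. A comment such as `// Must not run before the Launch Services database has been mapped in platformInitializeWebProcess().` would document the dependency for future callers. `updateProcessName` continues past the hunk.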
@@ -521,8 +524,6 @@
launchServicesCheckIn();
}
#endif // ENABLE(WEBPROCESS_WINDOWSERVER_BLOCKING)
-
- m_uiProcessName = parameters.uiProcessName;
#endif // PLATFORM(MAC)
if (parameters.extraInitializationData.get("inspector-process"_s) == "1")
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (259365 => 259366)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-04-01 21:52:35 UTC (rev 259365)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-04-01 22:29:21 UTC (rev 259366)
@@ -679,10 +679,16 @@
#endif
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.coreservices.launchservicesd")
- (global-name "com.apple.lsd.mapdb")
(global-name "com.apple.trustd.agent")
)
+(deny mach-lookup
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101600
+ (with telemetry-backtrace)
+#endif
+ (global-name "com.apple.lsd.mapdb")
+)
+
(allow mach-lookup
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
(with telemetry)
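Review bot: The new `(deny mach-lookup ...)` rule carries no explanation of why `com.apple.lsd.mapdb` is denied while `com.apple.coreservices.launchservicesd` stays in the allow list, so a later edit could put the name back. A comment above the rule would record the intent, e.g. `;; Denied by default; the UI process grants temporary access through a sandbox extension, which the WebContent process revokes after mapping the database.` The layout test only checks the steady state after initialization, so the comment is the main guard against someone re-adding the allow rule. The `(allow mach-lookup` block that follows continues outside the hunk.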