Diff
Modified: trunk/Source/WTF/ChangeLog (260246 => 260247)
--- trunk/Source/WTF/ChangeLog 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WTF/ChangeLog 2020-04-17 14:40:09 UTC (rev 260247)
@@ -1,3 +1,12 @@
+2020-04-17 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny iokit open access to graphics related classes
+ https://bugs.webkit.org/show_bug.cgi?id=210616
+
+ Reviewed by Darin Adler.
+
+ * wtf/spi/darwin/SandboxSPI.h:
+
2020-04-17 Youenn Fablet <[email protected]>
Make use of WeakHashSet for MediaStreamTrackPrivate and RealtimeMediaSource observers
Modified: trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h (260246 => 260247)
--- trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h 2020-04-17 14:40:09 UTC (rev 260247)
@@ -36,6 +36,7 @@
SANDBOX_FILTER_NONE,
SANDBOX_FILTER_GLOBAL_NAME = 2,
SANDBOX_FILTER_XPC_SERVICE_NAME = 12,
+ SANDBOX_FILTER_IOKIT_CONNECTION,
};
#define SANDBOX_NAMED_EXTERNAL 0x0003
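Review bot: `SANDBOX_FILTER_IOKIT_CONNECTION` gets its value by implicit increment (13, following `SANDBOX_FILTER_XPC_SERVICE_NAME = 12`), while the two entries above it are pinned explicitly. This header only re-declares a system SPI enum whose numbers are passed to `sandbox_check`, so an entry inserted above it later would silently change which filter is evaluated. I would write `SANDBOX_FILTER_IOKIT_CONNECTION = 13,` and confirm the number against the SDK's private header. The start of the enum is outside the hunk.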
@@ -84,6 +85,9 @@
void sandbox_free_profile(sandbox_profile_t);
int sandbox_apply(sandbox_profile_t);
+char *sandbox_extension_issue_iokit_registry_entry_class_to_process(const char *extension_class, const char *registry_entry_class, uint32_t flags, audit_token_t);
+char *sandbox_extension_issue_iokit_registry_entry_class(const char *extension_class, const char *registry_entry_class, uint32_t flags);
+
WTF_EXTERN_C_END
#endif // OS(DARWIN)
Modified: trunk/Source/WebCore/ChangeLog (260246 => 260247)
--- trunk/Source/WebCore/ChangeLog 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebCore/ChangeLog 2020-04-17 14:40:09 UTC (rev 260247)
@@ -1,3 +1,27 @@
+2020-04-17 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny iokit open access to graphics related classes
+ https://bugs.webkit.org/show_bug.cgi?id=210616
+
+ Reviewed by Darin Adler.
+
+ Deny iokit open access to graphics related classes in the WebContent process on iOS, but issue
+ extensions for these for some devices which still need access to them.
+
+ API test: WebKit.IOKitOpenSandboxAccessForDeviceWithAGXCompilerService
+
+ * WebCore.xcodeproj/project.pbxproj:
+ * platform/cocoa/AGXCompilerService.cpp: Added.
+ (WebCore::setDeviceHasAGXCompilerServiceForTesting):
+ (WebCore::deviceHasAGXCompilerService):
+ * platform/cocoa/AGXCompilerService.h: Added.
+ * testing/Internals.cpp:
+ (WebCore::Internals::hasSandboxIOKitOpenAccessToClass):
+ * testing/Internals.h:
+ * testing/Internals.idl:
+ * testing/Internals.mm:
+ (WebCore::Internals::hasSandboxIOKitOpenAccessToClass):
+
2020-04-17 Youenn Fablet <[email protected]>
Safari doesn't apply frameRate limit when request stream from Camera
Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (260246 => 260247)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2020-04-17 14:40:09 UTC (rev 260247)
@@ -3997,6 +3997,8 @@
C1692DD223D23ABD006E88F7 /* SystemBattery.mm in Sources */ = {isa = PBXBuildFile; fileRef = C1692DD123D23ABD006E88F7 /* SystemBattery.mm */; };
C1692DD523D23E08006E88F7 /* SystemBattery.h in Headers */ = {isa = PBXBuildFile; fileRef = C1692DD423D23AE0006E88F7 /* SystemBattery.h */; settings = {ATTRIBUTES = (Private, ); }; };
C1E1D236203DF15400584665 /* ScreenProperties.h in Headers */ = {isa = PBXBuildFile; fileRef = C1E1D235203DF15400584665 /* ScreenProperties.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ C1F7B7312448F2AC00124557 /* AGXCompilerService.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C1F7B72F2448F2AC00124557 /* AGXCompilerService.cpp */; };
+ C1F7B7322448F2AC00124557 /* AGXCompilerService.h in Headers */ = {isa = PBXBuildFile; fileRef = C1F7B7302448F2AC00124557 /* AGXCompilerService.h */; settings = {ATTRIBUTES = (Private, ); }; };
C2015C0A1BE6FEB200822389 /* FontVariantBuilder.h in Headers */ = {isa = PBXBuildFile; fileRef = C2015C091BE6FE2C00822389 /* FontVariantBuilder.h */; };
C21DF2EA1D9E4E9900F5B24C /* CSSFontVariationValue.h in Headers */ = {isa = PBXBuildFile; fileRef = C21DF2E81D9E4E9900F5B24C /* CSSFontVariationValue.h */; };
C2458E631FE897B000594759 /* FontCacheCoreText.h in Headers */ = {isa = PBXBuildFile; fileRef = C2458E611FE8979E00594759 /* FontCacheCoreText.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -13607,6 +13609,8 @@
C1692DD423D23AE0006E88F7 /* SystemBattery.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SystemBattery.h; sourceTree = "<group>"; };
C18FB518242F9382007E9875 /* SleepDisablerClient.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = SleepDisablerClient.cpp; sourceTree = "<group>"; };
C1E1D235203DF15400584665 /* ScreenProperties.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ScreenProperties.h; sourceTree = "<group>"; };
+ C1F7B72F2448F2AC00124557 /* AGXCompilerService.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = AGXCompilerService.cpp; sourceTree = "<group>"; };
+ C1F7B7302448F2AC00124557 /* AGXCompilerService.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AGXCompilerService.h; sourceTree = "<group>"; };
C2015C091BE6FE2C00822389 /* FontVariantBuilder.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FontVariantBuilder.h; sourceTree = "<group>"; };
C20F4F6421DFBE5C0070C45A /* WHLSLTypeReference.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = WHLSLTypeReference.cpp; sourceTree = "<group>"; };
C20F4F6621DFF2360070C45A /* WHLSLIntegerLiteral.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = WHLSLIntegerLiteral.cpp; sourceTree = "<group>"; };
@@ -23285,6 +23289,8 @@
A5C974CE11485FDA0066F2AB /* cocoa */ = {
isa = PBXGroup;
children = (
+ C1F7B72F2448F2AC00124557 /* AGXCompilerService.cpp */,
+ C1F7B7302448F2AC00124557 /* AGXCompilerService.h */,
A14090FA1AA51E1D0091191A /* ContentFilterUnblockHandlerCocoa.mm */,
CD7D33451C7A16BF00041293 /* CoreVideoSoftLink.cpp */,
CD7D33461C7A16BF00041293 /* CoreVideoSoftLink.h */,
@@ -29358,6 +29364,7 @@
A1677E0E213E02A000A08C34 /* AddressErrors.h in Headers */,
BCF7E491137CD7C7001DDAE7 /* AdjustViewSizeOrNot.h in Headers */,
84D0C4061115F1EA0018AA34 /* AffineTransform.h in Headers */,
+ C1F7B7322448F2AC00124557 /* AGXCompilerService.h in Headers */,
83BB5C881D5D6F45005A71F4 /* AllDescendantsCollection.h in Headers */,
7299BC6723D6A53200CC6883 /* AlphaPremultiplication.h in Headers */,
CEDA12D7152CA1CB00D9E08D /* AlternativeTextClient.h in Headers */,
@@ -33999,6 +34006,7 @@
buildActionMask = 2147483647;
files = (
A9787CB41F5F5C6600C551C6 /* AccessibilityMediaObject.cpp in Sources */,
+ C1F7B7312448F2AC00124557 /* AGXCompilerService.cpp in Sources */,
CD0EEE0E14743F39003EAFA2 /* AudioDestinationIOS.cpp in Sources */,
CD5596911475B678001D0BD0 /* AudioFileReaderIOS.cpp in Sources */,
CDA79827170A279100D45C55 /* AudioSessionIOS.mm in Sources */,
Added: trunk/Source/WebCore/platform/cocoa/AGXCompilerService.cpp (0 => 260247)
--- trunk/Source/WebCore/platform/cocoa/AGXCompilerService.cpp (rev 0)
+++ trunk/Source/WebCore/platform/cocoa/AGXCompilerService.cpp 2020-04-17 14:40:09 UTC (rev 260247)
@@ -0,0 +1,62 @@
+/*
+* Copyright (C) 2020 Apple Inc. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+* THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include "config.h"
+#include "AGXCompilerService.h"
+
+#if PLATFORM(IOS)
+
+#include <sys/utsname.h>
+#include <wtf/Optional.h>
+
+namespace WebCore {
+
+static Optional<bool> hasAGXCompilerService;
+
+void setDeviceHasAGXCompilerServiceForTesting()
+{
+ hasAGXCompilerService = true;
+}
+
+bool deviceHasAGXCompilerService()
+{
+ if (!hasAGXCompilerService) {
+ struct utsname systemInfo;
+ if (uname(&systemInfo)) {
+ hasAGXCompilerService = false;
+ return *hasAGXCompilerService;
+ }
+ const char* machine = systemInfo.machine;
+ if (!strcmp(machine, "iPad5,1") || !strcmp(machine, "iPad5,2") || !strcmp(machine, "iPad5,3") || !strcmp(machine, "iPad5,4"))
+ hasAGXCompilerService = true;
+ else
+ hasAGXCompilerService = false;
+ }
+ return *hasAGXCompilerService;
+}
+
+}
+
+#endif
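Review bot: The cached `static Optional<bool> hasAGXCompilerService` is read and written without synchronization, whereas the copy this commit deletes from WebProcessPoolCocoa.mm guarded its initialization with `std::call_once`. The value now decides whether the UI process issues IOKit sandbox extensions, so if both functions are main-thread only I would state that with `ASSERT(isMainThread());` at the top of each, and otherwise keep the `call_once` form. The file also calls `strcmp` without including `<cstring>`, presumably relying on a transitive include. `setDeviceHasAGXCompilerServiceForTesting()` can only set the flag and never clear it, so tests sharing a process depend on their order. A short comment on the `iPad5,x` list saying why those models still need the access would help whoever later removes the exception.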
Added: trunk/Source/WebCore/platform/cocoa/AGXCompilerService.h (0 => 260247)
--- trunk/Source/WebCore/platform/cocoa/AGXCompilerService.h (rev 0)
+++ trunk/Source/WebCore/platform/cocoa/AGXCompilerService.h 2020-04-17 14:40:09 UTC (rev 260247)
@@ -0,0 +1,33 @@
+/*
+* Copyright (C) 2020 Apple Inc. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+* THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#pragma once
+
+namespace WebCore {
+
+WEBCORE_EXPORT bool deviceHasAGXCompilerService();
+WEBCORE_EXPORT void setDeviceHasAGXCompilerServiceForTesting();
+
+}
Modified: trunk/Source/WebCore/testing/Internals.cpp (260246 => 260247)
--- trunk/Source/WebCore/testing/Internals.cpp 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebCore/testing/Internals.cpp 2020-04-17 14:40:09 UTC (rev 260247)
@@ -5611,6 +5611,11 @@
{
return false;
}
+
+bool Internals::hasSandboxIOKitOpenAccessToClass(const String& process, const String& ioKitClass)
+{
+ return false;
+}
#endif
String Internals::mediaMIMETypeForExtension(const String& extension)
Modified: trunk/Source/WebCore/testing/Internals.h (260246 => 260247)
--- trunk/Source/WebCore/testing/Internals.h 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebCore/testing/Internals.h 2020-04-17 14:40:09 UTC (rev 260247)
@@ -974,6 +974,7 @@
bool hasSandboxMachLookupAccessToGlobalName(const String& process, const String& service);
bool hasSandboxMachLookupAccessToXPCServiceName(const String& process, const String& service);
+ bool hasSandboxIOKitOpenAccessToClass(const String& process, const String& ioKitClass);
String highlightPseudoElementColor(const String& highlightName, Element&);
Modified: trunk/Source/WebCore/testing/Internals.idl (260246 => 260247)
--- trunk/Source/WebCore/testing/Internals.idl 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebCore/testing/Internals.idl 2020-04-17 14:40:09 UTC (rev 260247)
@@ -885,7 +885,8 @@
boolean hasSandboxMachLookupAccessToGlobalName(DOMString process, DOMString service);
boolean hasSandboxMachLookupAccessToXPCServiceName(DOMString process, DOMString service);
-
+ boolean hasSandboxIOKitOpenAccessToClass(DOMString process, DOMString ioKitClass);
+
DOMString systemColorForCSSValue(DOMString cssValue, boolean useDarkModeAppearance, boolean useElevatedUserInterfaceLevel);
DOMString focusRingColor();
Modified: trunk/Source/WebCore/testing/Internals.mm (260246 => 260247)
--- trunk/Source/WebCore/testing/Internals.mm 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebCore/testing/Internals.mm 2020-04-17 14:40:09 UTC (rev 260247)
@@ -26,6 +26,7 @@
#import "config.h"
#import "Internals.h"
+#import "AGXCompilerService.h"
#import "DOMURL.h"
#import "DictionaryLookup.h"
#import "Document.h"
@@ -38,6 +39,7 @@
#import <AVFoundation/AVPlayer.h>
#import <pal/spi/cocoa/NSAccessibilitySPI.h>
#import <wtf/cocoa/NSURLExtras.h>
+#import <wtf/spi/darwin/SandboxSPI.h>
#if PLATFORM(IOS_FAMILY)
#import <pal/ios/UIKitSoftLink.h>
@@ -116,4 +118,12 @@
#endif
}
+bool Internals::hasSandboxIOKitOpenAccessToClass(const String& process, const String& ioKitClass)
+{
+ UNUSED_PARAM(process); // TODO: add support for getting PID of other WebKit processes.
+ pid_t pid = getpid();
+
+ return !sandbox_check(pid, "iokit-open", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_IOKIT_CONNECTION | SANDBOX_CHECK_NO_REPORT), ioKitClass.utf8().data());
}
+
+}
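Review bot: `hasSandboxIOKitOpenAccessToClass` ignores its `process` argument and always queries `getpid()`, so the result describes whichever process runs the injected bundle, not the one named by the caller. A test that passes a different process name would get a confident but wrong answer about that process's sandbox. Until the TODO is done I would state this in a comment on the declaration, for example `// Only the calling process is checked; |process| is currently ignored.`. The check passes `SANDBOX_FILTER_IOKIT_CONNECTION` while the profile rule added in this commit matches on `iokit-user-client-class`, so it is worth confirming that the query exercises that rule.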
Modified: trunk/Source/WebKit/ChangeLog (260246 => 260247)
--- trunk/Source/WebKit/ChangeLog 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/ChangeLog 2020-04-17 14:40:09 UTC (rev 260247)
@@ -1,3 +1,34 @@
+2020-04-17 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny iokit open access to graphics related classes
+ https://bugs.webkit.org/show_bug.cgi?id=210616
+
+ Reviewed by Darin Adler.
+
+ Deny iokit open access to graphics related classes in the WebContent process on iOS, but issue
+ extensions for these for some devices which still need access to them.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * Shared/Cocoa/SandboxExtensionCocoa.mm:
+ (WebKit::SandboxExtensionImpl::sandboxExtensionForType):
+ (WebKit::SandboxExtension::createHandleForIOKitClassExtension):
+ * Shared/SandboxExtension.h:
+ * Shared/WebProcessCreationParameters.cpp:
+ (WebKit::WebProcessCreationParameters::encode const):
+ (WebKit::WebProcessCreationParameters::decode):
+ * Shared/WebProcessCreationParameters.h:
+ * UIProcess/API/ios/WKWebViewPrivateForTestingIOS.h:
+ * UIProcess/API/ios/WKWebViewTestingIOS.mm:
+ (-[WKWebView _setDeviceHasAGXCompilerServiceForTesting]):
+ * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+ (WebKit::WebProcessPool::platformInitializeWebProcess):
+ (WebKit::deviceHasAGXCompilerService): Deleted.
+ * UIProcess/WebPageProxy.h:
+ * UIProcess/ios/WebPageProxyIOS.mm:
+ (WebKit::WebPageProxy::setDeviceHasAGXCompilerServiceForTesting const):
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::platformInitializeWebProcess):
+
2020-04-17 Carlos Garcia Campos <[email protected]>
[GTK] UI process crash when entering compositing mode when WPE_RENDERER is enabled
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (260246 => 260247)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-04-17 14:40:09 UTC (rev 260247)
@@ -214,7 +214,7 @@
;;;
(define-once (opengl)
;; Items not seen in testing
- (allow iokit-open (with report) (with telemetry)
+ (deny iokit-open (with telemetry)
(iokit-connection "IOGPU")
(iokit-user-client-class
"AGXCommandQueue"
@@ -924,6 +924,24 @@
)
)
+(allow iokit-open
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-user-client-class
+ "AGXCommandQueue"
+ "AGXDevice"
+ "AGXSharedUserClient"
+ "IOAccelContext"
+ "IOAccelDevice"
+ "IOAccelSharedUserClient"
+ "IOAccelSubmitter2"
+ "IOAccelContext2"
+ "IOAccelDevice2"
+ "IOAccelSharedUserClient2"
+ )
+ )
+)
+
(allow mach-lookup
(require-all
(extension "com.apple.webkit.extension.mach")
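Review bot: The class list in this `allow iokit-open` rule is a third hand-maintained copy, alongside the deny list inside `(opengl)` and the `ioKitClasses` array in WebProcessPoolCocoa.mm, and the copies already differ in order. The extension is only useful when the profile list and the UI-process array name the same classes, so I would add a comment above the rule such as `;; Keep in sync with ioKitClasses in WebProcessPoolCocoa.mm and the deny list in (opengl).`. The deny in the earlier hunk also covers `(iokit-connection "IOGPU")`, which this rule does not re-allow under the extension. That may be intended, but a one-line comment saying so would settle it. The deny rule's own class list continues outside the visible hunk.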
Modified: trunk/Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm (260246 => 260247)
--- trunk/Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm 2020-04-17 14:40:09 UTC (rev 260247)
@@ -105,6 +105,10 @@
ASSERT_NOT_REACHED();
return nullptr;
#endif
+ case SandboxExtension::Type::IOKit:
+ if (!auditToken)
+ return sandbox_extension_issue_iokit_registry_entry_class("com.apple.webkit.extension.iokit"_s, path, extensionFlags);
+ return sandbox_extension_issue_iokit_registry_entry_class_to_process("com.apple.webkit.extension.iokit"_s, path, extensionFlags, *auditToken);
case SandboxExtension::Type::Generic:
return sandbox_extension_issue_generic(path, extensionFlags);
case SandboxExtension::Type::ReadByProcess:
@@ -366,6 +370,19 @@
return true;
}
+bool SandboxExtension::createHandleForIOKitClassExtension(const String& ioKitClass, Optional<audit_token_t> auditToken, Handle& handle, OptionSet<Flags> flags)
+{
+ ASSERT(!handle.m_sandboxExtension);
+
+ handle.m_sandboxExtension = SandboxExtensionImpl::create(ioKitClass.utf8().data(), Type::IOKit, auditToken);
+ if (!handle.m_sandboxExtension) {
+ LOG_ERROR("Could not create a sandbox extension for '%s'", ioKitClass.utf8().data());
+ return false;
+ }
+
+ return true;
+}
+
SandboxExtension::SandboxExtension(const Handle& handle)
: m_sandboxExtension(WTFMove(handle.m_sandboxExtension))
{
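Review bot: `createHandleForIOKitClassExtension` accepts a `flags` parameter but never uses it, because the call is `SandboxExtensionImpl::create(ioKitClass.utf8().data(), Type::IOKit, auditToken)`. A caller passing `Flags::NoReport`, as the runningboard Mach lookup in WebProcessPoolCocoa.mm does, would have that choice dropped without warning. If `create` takes the flags as a trailing argument (its signature is not in the hunk), pass them through with `SandboxExtensionImpl::create(ioKitClass.utf8().data(), Type::IOKit, auditToken, flags)`. Otherwise remove the parameter from the declaration in SandboxExtension.h.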
Modified: trunk/Source/WebKit/Shared/SandboxExtension.h (260246 => 260247)
--- trunk/Source/WebKit/Shared/SandboxExtension.h 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/Shared/SandboxExtension.h 2020-04-17 14:40:09 UTC (rev 260247)
@@ -49,6 +49,7 @@
ReadOnly,
ReadWrite,
Mach,
+ IOKit,
Generic,
ReadByProcess
};
@@ -113,6 +114,7 @@
#if HAVE(AUDIT_TOKEN)
static bool createHandleForMachLookup(const String& service, Optional<audit_token_t>, Handle&, OptionSet<Flags> = Flags::Default);
static bool createHandleForReadByAuditToken(const String& path, audit_token_t, Handle&);
+ static bool createHandleForIOKitClassExtension(const String& iokitClass, Optional<audit_token_t>, Handle&, OptionSet<Flags> = Flags::Default);
#endif
~SandboxExtension();
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (260246 => 260247)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2020-04-17 14:40:09 UTC (rev 260247)
@@ -166,6 +166,7 @@
encoder << diagnosticsExtensionHandle;
encoder << runningboardExtensionHandle;
encoder << dynamicMachExtensionHandles;
+ encoder << dynamicIOKitExtensionHandles;
#endif
#if PLATFORM(COCOA)
@@ -457,6 +458,12 @@
if (!dynamicMachExtensionHandles)
return false;
parameters.dynamicMachExtensionHandles = WTFMove(*dynamicMachExtensionHandles);
+
+ Optional<SandboxExtension::HandleArray> dynamicIOKitExtensionHandles;
+ decoder >> dynamicIOKitExtensionHandles;
+ if (!dynamicIOKitExtensionHandles)
+ return false;
+ parameters.dynamicIOKitExtensionHandles = WTFMove(*dynamicIOKitExtensionHandles);
#endif
#if PLATFORM(COCOA)
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (260246 => 260247)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2020-04-17 14:40:09 UTC (rev 260247)
@@ -206,6 +206,7 @@
Optional<SandboxExtension::Handle> diagnosticsExtensionHandle;
Optional<SandboxExtension::Handle> runningboardExtensionHandle;
SandboxExtension::HandleArray dynamicMachExtensionHandles;
+ SandboxExtension::HandleArray dynamicIOKitExtensionHandles;
#endif
#if PLATFORM(COCOA)
Modified: trunk/Source/WebKit/UIProcess/API/ios/WKWebViewPrivateForTestingIOS.h (260246 => 260247)
--- trunk/Source/WebKit/UIProcess/API/ios/WKWebViewPrivateForTestingIOS.h 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/UIProcess/API/ios/WKWebViewPrivateForTestingIOS.h 2020-04-17 14:40:09 UTC (rev 260247)
@@ -72,6 +72,8 @@
- (void)_setDeviceOrientationUserPermissionHandlerForTesting:(BOOL (^)(void))handler;
+- (void)_setDeviceHasAGXCompilerServiceForTesting;
+
@end
#endif // TARGET_OS_IPHONE
Modified: trunk/Source/WebKit/UIProcess/API/ios/WKWebViewTestingIOS.mm (260246 => 260247)
--- trunk/Source/WebKit/UIProcess/API/ios/WKWebViewTestingIOS.mm 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/UIProcess/API/ios/WKWebViewTestingIOS.mm 2020-04-17 14:40:09 UTC (rev 260247)
@@ -309,6 +309,12 @@
_page->setDeviceOrientationUserPermissionHandlerForTesting(WTFMove(handlerWrapper));
}
+- (void)_setDeviceHasAGXCompilerServiceForTesting
+{
+ if (_page)
+ _page->setDeviceHasAGXCompilerServiceForTesting();
+}
+
@end
#endif // PLATFORM(IOS_FAMILY)
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (260246 => 260247)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2020-04-17 14:40:09 UTC (rev 260247)
@@ -48,6 +48,7 @@
#import "WebProcessCreationParameters.h"
#import "WebProcessMessages.h"
#import "WindowServerConnection.h"
+#import <WebCore/AGXCompilerService.h>
#import <WebCore/Color.h>
#import <WebCore/LocalizedDeviceModel.h>
#import <WebCore/MIMETypeRegistry.h>
@@ -84,7 +85,6 @@
#if PLATFORM(IOS)
#import <pal/spi/cocoa/WebFilterEvaluatorSPI.h>
#import <pal/spi/ios/MobileGestaltSPI.h>
-#import <sys/utsname.h>
SOFT_LINK_PRIVATE_FRAMEWORK(WebContentAnalysis);
SOFT_LINK_CLASS(WebContentAnalysis, WebFilterEvaluator);
@@ -199,25 +199,6 @@
#endif
}
-#if PLATFORM(IOS)
-static bool deviceHasAGXCompilerService()
-{
- static bool deviceHasAGXCompilerService = false;
- static std::once_flag flag;
- std::call_once(
- flag,
- [] () {
- struct utsname systemInfo;
- if (uname(&systemInfo))
- return;
- const char* machine = systemInfo.machine;
- if (!strcmp(machine, "iPad5,1") || !strcmp(machine, "iPad5,2") || !strcmp(machine, "iPad5,3") || !strcmp(machine, "iPad5,4"))
- deviceHasAGXCompilerService = true;
- });
- return deviceHasAGXCompilerService;
-}
-#endif
-
#if PLATFORM(IOS_FAMILY)
static bool isInternalInstall()
{
@@ -361,7 +342,7 @@
#endif
#if PLATFORM(IOS)
- if (deviceHasAGXCompilerService()) {
+ if (WebCore::deviceHasAGXCompilerService()) {
SandboxExtension::Handle compilerServiceExtensionHandle;
SandboxExtension::createHandleForMachLookup("com.apple.AGXCompilerService", WTF::nullopt, compilerServiceExtensionHandle);
parameters.compilerServiceExtensionHandle = WTFMove(compilerServiceExtensionHandle);
@@ -392,6 +373,25 @@
SandboxExtension::Handle runningboardExtensionHandle;
if (SandboxExtension::createHandleForMachLookup("com.apple.runningboard", WTF::nullopt, runningboardExtensionHandle, SandboxExtension::Flags::NoReport))
parameters.runningboardExtensionHandle = WTFMove(runningboardExtensionHandle);
+
+ if (WebCore::deviceHasAGXCompilerService()) {
+ static const char* const ioKitClasses[] = {
+ "AGXCommandQueue",
+ "AGXDevice",
+ "AGXSharedUserClient",
+ "IOAccelContext",
+ "IOAccelContext2",
+ "IOAccelDevice",
+ "IOAccelDevice2",
+ "IOAccelSharedUserClient",
+ "IOAccelSharedUserClient2"
+ "IOAccelSubmitter2",
+ };
+ auto size = WTF_ARRAY_LENGTH(ioKitClasses);
+ parameters.dynamicIOKitExtensionHandles.allocate(size);
+ for (size_t i = 0; i < size; ++i)
+ SandboxExtension::createHandleForIOKitClassExtension(ioKitClasses[i], WTF::nullopt, parameters.dynamicIOKitExtensionHandles[i]);
+ }
#endif
#if PLATFORM(COCOA)
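Review bot: The `ioKitClasses` initializer is missing a comma after `"IOAccelSharedUserClient2"`, so the compiler concatenates it with the next literal into the single string `"IOAccelSharedUserClient2IOAccelSubmitter2"`. The array then has nine entries, and no extension is issued for either `IOAccelSharedUserClient2` or `IOAccelSubmitter2`, although the new allow rule in com.apple.WebKit.WebContent.sb lists both. On the devices this exception is meant for, those two classes stay denied. The line should read `"IOAccelSharedUserClient2",`. The loop also discards the result of `createHandleForIOKitClassExtension`, so a failed issue reaches the web process as an empty handle with nothing recorded at the call site. The enclosing function starts and ends outside the hunk.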
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (260246 => 260247)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h 2020-04-17 14:40:09 UTC (rev 260247)
@@ -1496,6 +1496,7 @@
const Function<bool()>& deviceOrientationUserPermissionHandlerForTesting() const { return m_deviceOrientationUserPermissionHandlerForTesting; };
void setDeviceOrientationUserPermissionHandlerForTesting(Function<bool()>&& handler) { m_deviceOrientationUserPermissionHandlerForTesting = WTFMove(handler); }
+ void setDeviceHasAGXCompilerServiceForTesting() const;
#endif
#if ENABLE(WIRELESS_PLAYBACK_TARGET) && !PLATFORM(IOS_FAMILY)
Modified: trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (260246 => 260247)
--- trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm 2020-04-17 14:40:09 UTC (rev 260247)
@@ -62,6 +62,7 @@
#import "WebProcessMessages.h"
#import "WebProcessPool.h"
#import "WebProcessProxy.h"
+#import <WebCore/AGXCompilerService.h>
#import <WebCore/FrameView.h>
#import <WebCore/NotImplemented.h>
#import <WebCore/PlatformScreen.h>
@@ -1591,6 +1592,11 @@
grantAccessToCurrentPasteboardData(UIPasteboardNameGeneral);
}
+void WebPageProxy::setDeviceHasAGXCompilerServiceForTesting() const
+{
+ WebCore::setDeviceHasAGXCompilerServiceForTesting();
+}
+
} // namespace WebKit
#undef RELEASE_LOG_IF_ALLOWED
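Review bot: `WebPageProxy::setDeviceHasAGXCompilerServiceForTesting()` calls a WebCore function that AGXCompilerService.cpp defines only under `#if PLATFORM(IOS)`, while AGXCompilerService.h declares it unconditionally. The Objective-C caller in WKWebViewTestingIOS.mm sits under `PLATFORM(IOS_FAMILY)`. If this file is also built for other members of that family, the call would fail to link, so I would wrap the body in `#if PLATFORM(IOS)` or guard the header declarations the same way. The method is `const` and touches no page state: it sets a UI-process global that affects every web process launched afterwards. A comment on the declaration in WebPageProxy.h should say so.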
Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (260246 => 260247)
--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2020-04-17 14:40:09 UTC (rev 260247)
@@ -296,6 +296,9 @@
for (size_t i = 0, size = parameters.dynamicMachExtensionHandles.size(); i < size; ++i)
SandboxExtension::consumePermanently(parameters.dynamicMachExtensionHandles[i]);
+
+ for (size_t i = 0, size = parameters.dynamicIOKitExtensionHandles.size(); i < size; ++i)
+ SandboxExtension::consumePermanently(parameters.dynamicIOKitExtensionHandles[i]);
#endif
if (parameters.neHelperExtensionHandle)
Modified: trunk/Tools/ChangeLog (260246 => 260247)
--- trunk/Tools/ChangeLog 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Tools/ChangeLog 2020-04-17 14:40:09 UTC (rev 260247)
@@ -1,3 +1,14 @@
+2020-04-17 Per Arne Vollan <[email protected]>
+
+ [iOS] Deny iokit open access to graphics related classes
+ https://bugs.webkit.org/show_bug.cgi?id=210616
+
+ Reviewed by Darin Adler.
+
+ * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+ * TestWebKitAPI/Tests/WebKit/AGXCompilerService.mm: Added.
+ (TEST):
+
2020-04-17 Philippe Normand <[email protected]>
[Flatpak SDK] Not fully hooked in BuildSlaveSupport
Modified: trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (260246 => 260247)
--- trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj 2020-04-17 14:38:43 UTC (rev 260246)
+++ trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj 2020-04-17 14:40:09 UTC (rev 260247)
@@ -893,6 +893,7 @@
C15CBB3023F1FF1A00300CC7 /* BacklightLevelNotification.mm in Sources */ = {isa = PBXBuildFile; fileRef = C15CBB2F23F1FF1A00300CC7 /* BacklightLevelNotification.mm */; };
C15CBB3F23FB177A00300CC7 /* PreferenceChanges.mm in Sources */ = {isa = PBXBuildFile; fileRef = C15CBB3E23FB177A00300CC7 /* PreferenceChanges.mm */; };
C1692DCA23D10DAE006E88F7 /* Battery.mm in Sources */ = {isa = PBXBuildFile; fileRef = C1692DC923D10DAE006E88F7 /* Battery.mm */; };
+ C1F7B7392449083F00124557 /* AGXCompilerService.mm in Sources */ = {isa = PBXBuildFile; fileRef = C1F7B7382449083F00124557 /* AGXCompilerService.mm */; };
C1FF9EDB244644F000839AE4 /* WebFilter.mm in Sources */ = {isa = PBXBuildFile; fileRef = C1FF9EDA244644F000839AE4 /* WebFilter.mm */; };
C20F88A72295B96700D610FA /* CoreText.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = C20F88A62295B96700D610FA /* CoreText.framework */; };
C22FA32B228F8708009D7988 /* TextWidth.mm in Sources */ = {isa = PBXBuildFile; fileRef = C22FA32A228F8708009D7988 /* TextWidth.mm */; };
@@ -2483,6 +2484,7 @@
C15CBB3E23FB177A00300CC7 /* PreferenceChanges.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = PreferenceChanges.mm; sourceTree = "<group>"; };
C1692DC923D10DAE006E88F7 /* Battery.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = Battery.mm; sourceTree = "<group>"; };
C1D8EE212028E8E3008EB141 /* WebProcessTerminate.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebProcessTerminate.mm; sourceTree = "<group>"; };
+ C1F7B7382449083F00124557 /* AGXCompilerService.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = AGXCompilerService.mm; sourceTree = "<group>"; };
C1FF9EDA244644F000839AE4 /* WebFilter.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = WebFilter.mm; sourceTree = "<group>"; };
C20F88A62295B96700D610FA /* CoreText.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreText.framework; path = System/Library/Frameworks/CoreText.framework; sourceTree = SDKROOT; };
C22FA32A228F8708009D7988 /* TextWidth.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = TextWidth.mm; sourceTree = "<group>"; };
@@ -2936,6 +2938,7 @@
isa = PBXGroup;
children = (
E3F8AB91241AB9CE003E2A7E /* AccessibilityRemoteUIApp.mm */,
+ C1F7B7382449083F00124557 /* AGXCompilerService.mm */,
C15CBB2F23F1FF1A00300CC7 /* BacklightLevelNotification.mm */,
C1692DC923D10DAE006E88F7 /* Battery.mm */,
C13D82D82416F13200A62793 /* EnableAccessibility.mm */,
@@ -4729,6 +4732,7 @@
55A817FC218100E00004A39A /* AdditionalSupportedImageTypes.mm in Sources */,
55F9D2E52205031800A9AB38 /* AdditionalSupportedImageTypes.mm in Sources */,
7A909A7D1D877480007E10F8 /* AffineTransform.cpp in Sources */,
+ C1F7B7392449083F00124557 /* AGXCompilerService.mm in Sources */,
A1DF74321C41B65800A2F4D0 /* AlwaysRevalidatedURLSchemes.mm in Sources */,
2DE71AFE1D49C0BD00904094 /* AnimatedResize.mm in Sources */,
57152B5E21CC2045000C37CA /* ApduTest.cpp in Sources */,
Added: trunk/Tools/TestWebKitAPI/Tests/WebKit/AGXCompilerService.mm (0 => 260247)
--- trunk/Tools/TestWebKitAPI/Tests/WebKit/AGXCompilerService.mm (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit/AGXCompilerService.mm 2020-04-17 14:40:09 UTC (rev 260247)
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#if WK_HAVE_C_SPI && PLATFORM(IOS)
+
+#import "PlatformUtilities.h"
+#import "TestWKWebView.h"
+#import <WebKit/WKWebViewPrivateForTesting.h>
+
+TEST(WebKit, IOKitOpenSandboxAccessForDeviceWithAGXCompilerService)
+{
+ auto configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+ auto context = adoptWK(TestWebKitAPI::Util::createContextForInjectedBundleTest("InternalsInjectedBundleTest"));
+ configuration.get().processPool = (WKProcessPool *)context.get();
+ auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 300, 300) configuration:configuration.get() addToWindow:YES]);
+
+ [webView _setDeviceHasAGXCompilerServiceForTesting];
+
+ auto sandboxAccess = [&] {
+ return [webView stringByEvaluatingJavaScript:@"window.internals.internals.hasSandboxIOKitOpenAccessToClass('com.apple.WebKit.WebContent', 'AGXCommandQueue')"].boolValue;
+ };
+
+ ASSERT_TRUE(sandboxAccess());
+
+}
+
+#endif // WK_HAVE_C_SPI
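Review bot: The test asserts only the granted path, with the flag set, so nothing checks that `iokit-open` on `AGXCommandQueue` is denied when the device flag is not set, which is the hardening this commit introduces. I would add a second test that creates the view without `_setDeviceHasAGXCompilerServiceForTesting` and uses `ASSERT_FALSE(sandboxAccess());`. It needs to run in a process where the flag was never set, since the setter cannot be undone. The flag is set after the `TestWKWebView` is created, so the result appears to depend on the web process not yet having received its creation parameters; setting it before creating the view would remove that ordering assumption. The closing comment should match the condition: `#endif // WK_HAVE_C_SPI && PLATFORM(IOS)`.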