Title: [261238] trunk/Source/WebKit
- Revision
- 261238
- Author
- bfulg...@apple.com
- Date
- 2020-05-06 10:32:01 -0700 (Wed, 06 May 2020)
Log Message
[MacCatalyst] Processes should check for network entitlement as we do for macOS apps
https://bugs.webkit.org/show_bug.cgi?id=211474
<rdar://problem/61182060>
Reviewed by Alexey Proskuryakov.
We should make the same entitlement checks in MacCatalyst as we do for macOS.
* Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm:
(WebKit::XPCServiceInitializerDelegate::checkEntitlements):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (261237 => 261238)
--- trunk/Source/WebKit/ChangeLog 2020-05-06 17:14:27 UTC (rev 261237)
+++ trunk/Source/WebKit/ChangeLog 2020-05-06 17:32:01 UTC (rev 261238)
@@ -1,3 +1,16 @@
+2020-05-06 Brent Fulgham <bfulg...@apple.com>
+
+ [MacCatalyst] Processes should check for network entitlement as we do for macOS apps
+ https://bugs.webkit.org/show_bug.cgi?id=211474
+ <rdar://problem/61182060>
+
+ Reviewed by Alexey Proskuryakov.
+
+ We should make the same entitlement checks in MacCatalyst as we do for macOS.
+
+ * Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm:
+ (WebKit::XPCServiceInitializerDelegate::checkEntitlements):
+
2020-05-06 Darin Adler <da...@apple.com>
Eliminate checks of USE(DICTATION_ALTERNATIVES) in Cocoa-specific code
Modified: trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm (261237 => 261238)
--- trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm 2020-05-06 17:14:27 UTC (rev 261237)
+++ trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm 2020-05-06 17:32:01 UTC (rev 261238)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,6 +30,7 @@
#import "XPCServiceEntryPoint.h"
#import <WebCore/ProcessIdentifier.h>
#import <wtf/cocoa/Entitlements.h>
+#import <wtf/spi/darwin/SandboxSPI.h>
namespace WebKit {
using namespace WebCore;
@@ -40,14 +41,15 @@
bool XPCServiceInitializerDelegate::checkEntitlements()
{
-#if PLATFORM(MAC)
- if (!isClientSandboxed())
- return true;
-
- // FIXME: Once we're 100% sure that a process can't access the network we can get rid of this requirement for all processes.
- if (!hasEntitlement("com.apple.security.network.client")) {
- NSLog(@"Application does not have the 'com.apple.security.network.client' entitlement.");
- return false;
+#if PLATFORM(MAC) || PLATFORM(MACCATALYST)
+ if (isClientSandboxed()) {
+ audit_token_t auditToken = { };
+ xpc_connection_get_audit_token(m_connection.get(), &auditToken);
+ if (auto rc = sandbox_check_by_audit_token(auditToken, "mach-lookup", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_GLOBAL_NAME | SANDBOX_CHECK_NO_REPORT), "com.apple.nsurlsessiond")) {
+ // FIXME (rdar://problem/54178641): This requirement is too strict, it should be possible to load file:// resources without network access.
+ NSLog(@"Application does not have permission to communicate with network resources. rc=%d : errno=%d", rc, errno);
+ return false;
+ }
}
#endif
#if PLATFORM(IOS_FAMILY)
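Review bot: The `NSLog` in the new sandboxed branch prints `errno` for every nonzero `rc`, but as far as I know `sandbox_check_by_audit_token` returns 1 for a plain denial and sets errno only on a -1 error, so in the common denial case the logged errno is whatever an earlier call left behind and will mislead whoever reads the log; consider `NSLog(@"Application does not have permission to communicate with network resources. rc=%d : errno=%d", rc, rc < 0 ? errno : 0);` or logging errno only on the error path. Refusing the client on both the -1 error and the 1 denial is the right fail-closed choice and deserves a one-line comment saying so, e.g. `// Any nonzero result (denied, or the check itself failed) refuses the client; fail closed.`. The commit message describes this as the macOS network entitlement check, yet the new code drops the `com.apple.security.network.client` entitlement lookup in favour of a sandbox mach-lookup check against `com.apple.nsurlsessiond` with `SANDBOX_CHECK_NO_REPORT`, so a short comment explaining why the sandbox check stands in for the entitlement would help future readers. `m_connection.get()` is passed to `xpc_connection_get_audit_token` without a null check; if the connection can be null here the token stays zero-initialised and the sandbox check runs against an empty audit token, which is worth confirming against the callers. checkEntitlements continues past the hunk into the PLATFORM(IOS_FAMILY) branch.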