Diff
Modified: trunk/Source/WebKit/ChangeLog (270380 => 270381)
--- trunk/Source/WebKit/ChangeLog 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Source/WebKit/ChangeLog 2020-12-03 01:40:53 UTC (rev 270381)
@@ -1,3 +1,20 @@
+2020-12-02 Brent Fulgham <[email protected]>
+
+ [macOS] WebContent sandbox; remove AppleIntelMEUserClient
+ https://bugs.webkit.org/show_bug.cgi?id=219012
+ <rdar://problem/70462796>
+
+ Reviewed by Eric Carlson.
+
+ Instead of globally extending access to the AppleIntelMEUserClient IOKit class,
+ only extend it when the GPU process is not in use.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::gpuIOKitClasses): Add 'AppleIntelMEUserClient' as a dynamically-extended
+ IOKit class.
+ * WebProcess/com.apple.WebProcess.sb.in: Only allow 'AppleIntelMEUserClient' if it
+ was dynamically extended.
+
2020-12-02 Wenson Hsieh <[email protected]>
Unreviewed, fix the iOS build after r270362
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (270380 => 270381)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-12-03 01:40:53 UTC (rev 270381)
@@ -7739,6 +7739,9 @@
"IOSurfaceAcceleratorClient"_s,
"IOSurfaceRootUserClient"_s,
#endif
+#if PLATFORM(MAC) || PLATFORM(MACCATALYST)
+ "AppleIntelMEUserClient"_s,
+#endif
});
return services;
}
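Review bot: The new `"AppleIntelMEUserClient"_s` entry has no comment saying why a WebContent process would need this class; the justification currently lives only in the sandbox profile. A line above the `#if` such as `// Encrypted Media on some Intel Macs; extended only when the GPU process is not in use.` would keep the reason next to the grant. The guard also covers `PLATFORM(MACCATALYST)`, while the only profile changed in this commit is com.apple.WebProcess.sb.in. It is worth confirming that the profile used for Catalyst WebContent processes has a matching extension-gated rule. The enclosing function starts outside the hunk, so the condition under which this list is actually extended is not visible here.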
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (270380 => 270381)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-12-03 01:40:53 UTC (rev 270381)
@@ -180,7 +180,10 @@
;; This is needed for Encrypted Media on some hardware (MacMini8,1 for example)
(allow iokit-open
- (iokit-registry-entry-class "AppleIntelMEUserClient")
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-registry-entry-class "AppleIntelMEUserClient")
+ )
#if HAVE(SANDBOX_MESSAGE_FILTERING)
(with telemetry-backtrace)
(apply-message-filter
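Review bot: The comment above this rule still reads as an unconditional grant, but the rule now matches only when the process holds `com.apple.webkit.extension.iokit`. Suggest extending it, e.g. `;; Granted only through an IOKit extension issued by the UIProcess when the GPU process is not in use.` The `(allow iokit-open ...)` form continues past the end of the hunk, so the message filter attached to it is not visible here.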
@@ -1606,4 +1609,16 @@
)
)
)
+
+;; FIXME: This is just for logging. Remove when the GPU process is enabled by default.
+;; These should only be accessed through an iokit-extension, so log if they are not.
+(allow iokit-open (with report) (with telemetry-backtrace)
+ (require-all
+ (require-not (extension "com.apple.webkit.extension.iokit"))
+ (iokit-registry-entry-class
+ "AppleIntelMEUserClient"
+ )
+ )
+)
+
#endif // HAVE(SANDBOX_MESSAGE_FILTERING)
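Review bot: The logging rule added at the end of the profile is an `allow`, so a WebContent process holding no `com.apple.webkit.extension.iokit` extension can still open `AppleIntelMEUserClient`; the access is reported, not blocked. Unlike the extension-gated rule earlier in the file, this rule has no `apply-message-filter`, so as far as the visible lines show, the un-extended path is granted without that filter. The ChangeLog says the class is only allowed when dynamically extended, which becomes true only once this block is removed. Suggest making the FIXME say so, e.g. `;; FIXME: Still grants access (with report) when no extension is held; remove this rule to enforce.`, and consider applying the same message filter here until then.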
Modified: trunk/Tools/ChangeLog (270380 => 270381)
--- trunk/Tools/ChangeLog 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Tools/ChangeLog 2020-12-03 01:40:53 UTC (rev 270381)
@@ -1,3 +1,19 @@
+2020-12-02 Brent Fulgham <[email protected]>
+
+ [macOS] WebContent sandbox; remove AppleIntelMEUserClient
+ https://bugs.webkit.org/show_bug.cgi?id=219012
+ <rdar://problem/70462796>
+
+ Reviewed by Eric Carlson.
+
+ Update the various sandboxes to allow the UIProcess to extend IOKit classes
+ to child processes on macOS. We already do this on iOS.
+
+ * MiniBrowser/MiniBrowser.entitlements:
+ * TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements:
+ * TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements:
+ * WebKitTestRunner/Configurations/WebKitTestRunner.entitlements:
+
2020-12-02 Jonathan Bedard <[email protected]>
[webkitcorepy] Allow caller of autoinstall to specify CA file
Modified: trunk/Tools/MiniBrowser/MiniBrowser.entitlements (270380 => 270381)
--- trunk/Tools/MiniBrowser/MiniBrowser.entitlements 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Tools/MiniBrowser/MiniBrowser.entitlements 2020-12-03 01:40:53 UTC (rev 270381)
@@ -21,6 +21,7 @@
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class "com.apple.webkit.extension.mach")))</string>
+ <string>(allow iokit-issue-extension (require-all (extension-class "com.apple.webkit.extension.iokit")))</string>
</array>
<key>com.apple.security.device.camera</key>
<true/>
Modified: trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements (270380 => 270381)
--- trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements 2020-12-03 01:40:53 UTC (rev 270381)
@@ -13,6 +13,7 @@
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class "com.apple.webkit.extension.mach")))</string>
+ <string>(allow iokit-issue-extension (require-all (extension-class "com.apple.webkit.extension.iokit")))</string>
</array>
</dict>
</plist>
Modified: trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements (270380 => 270381)
--- trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements 2020-12-03 01:40:53 UTC (rev 270381)
@@ -9,6 +9,7 @@
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class "com.apple.webkit.extension.mach")))</string>
+ <string>(allow iokit-issue-extension (require-all (extension-class "com.apple.webkit.extension.iokit")))</string>
</array>
</dict>
</plist>
Modified: trunk/Tools/WebKitTestRunner/Configurations/WebKitTestRunner.entitlements (270380 => 270381)
--- trunk/Tools/WebKitTestRunner/Configurations/WebKitTestRunner.entitlements 2020-12-03 01:08:16 UTC (rev 270380)
+++ trunk/Tools/WebKitTestRunner/Configurations/WebKitTestRunner.entitlements 2020-12-03 01:40:53 UTC (rev 270381)
@@ -1,14 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
- <dict>
- <key>keychain-access-groups</key>
- <array>
- <string>com.apple.WebKitTestRunner</string>
- </array>
- <key>com.apple.security.temporary-exception.sbpl</key>
- <array>
- <string>(allow mach-issue-extension (require-all (extension-class "com.apple.webkit.extension.mach")))</string>
- </array>
- </dict>
+<dict>
+ <key>keychain-access-groups</key>
+ <array>
+ <string>com.apple.WebKitTestRunner</string>
+ </array>
+ <key>com.apple.security.temporary-exception.sbpl</key>
+ <array>
+ <string>(allow mach-issue-extension (require-all (extension-class "com.apple.webkit.extension.mach")))</string>
+ <string>(allow iokit-issue-extension (require-all (extension-class "com.apple.webkit.extension.iokit")))</string>
+ </array>
+</dict>
</plist>
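Review bot: The one functional line here, the added `iokit-issue-extension` string, is buried in a re-indent of the whole `<dict>` body. In an entitlements file each added string widens what the binary may do, so the grant is easier to audit when the whitespace change lands separately. The MiniBrowser and TestWebKitAPI entitlements hunks earlier in this commit add the same line without reformatting, which is the form to prefer here too.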