WebKit

youenn Wed, 05 May 2021 01:54:24 -0700

Title: [277010] trunk/Source/WebKit

Revision: 277010
Author: [email protected]
Date: 2021-05-05 01:53:30 -0700 (Wed, 05 May 2021)

Log Message

Dynamically pass capture sandbox extensions to GPUProcess
https://bugs.webkit.org/show_bug.cgi?id=225319


Reviewed by Eric Carlson.

Make sure to send the sandbox extensions for all WKWebView applications.
We do so once we are ready to start capture since TCC access should have been granted at that point.
Manually tested.

* GPUProcess/GPUProcess.cpp:
(WebKit::GPUProcess::initializeGPUProcess):
(WebKit::GPUProcess::updateSandboxAccess):
* GPUProcess/GPUProcess.h:
* GPUProcess/GPUProcess.messages.in:
* GPUProcess/GPUProcessCreationParameters.cpp:
(WebKit::GPUProcessCreationParameters::encode const):
(WebKit::GPUProcessCreationParameters::decode):
* GPUProcess/GPUProcessCreationParameters.h:
* UIProcess/GPU/GPUProcessProxy.cpp:
(WebKit::GPUProcessProxy::GPUProcessProxy):
(WebKit::GPUProcessProxy::updateSandboxAccess):
(WebKit::GPUProcessProxy::updateCaptureAccess):
(WebKit::isSafari): Deleted.
(WebKit::shouldCreateCameraSandboxExtension): Deleted.
(WebKit::shouldCreateMicrophoneSandboxExtension): Deleted.
* UIProcess/GPU/GPUProcessProxy.h:

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/GPUProcess/GPUProcess.cpp
trunk/Source/WebKit/GPUProcess/GPUProcess.h
trunk/Source/WebKit/GPUProcess/GPUProcess.messages.in
trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.cpp
trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.h
trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.cpp
trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.h

Diff

Modified: trunk/Source/WebKit/ChangeLog (277009 => 277010)


--- trunk/Source/WebKit/ChangeLog	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/ChangeLog	2021-05-05 08:53:30 UTC (rev 277010)
@@ -1,3 +1,32 @@
+2021-05-05  Youenn Fablet  <[email protected]>
+
+        Dynamically pass capture sandbox extensions to GPUProcess
+        https://bugs.webkit.org/show_bug.cgi?id=225319
+
+        Reviewed by Eric Carlson.
+
+        Make sure to send the sandbox extensions for all WKWebView applications.
+        We do so once we are ready to start capture since TCC access should have been granted at that point.
+        Manually tested.
+
+        * GPUProcess/GPUProcess.cpp:
+        (WebKit::GPUProcess::initializeGPUProcess):
+        (WebKit::GPUProcess::updateSandboxAccess):
+        * GPUProcess/GPUProcess.h:
+        * GPUProcess/GPUProcess.messages.in:
+        * GPUProcess/GPUProcessCreationParameters.cpp:
+        (WebKit::GPUProcessCreationParameters::encode const):
+        (WebKit::GPUProcessCreationParameters::decode):
+        * GPUProcess/GPUProcessCreationParameters.h:
+        * UIProcess/GPU/GPUProcessProxy.cpp:
+        (WebKit::GPUProcessProxy::GPUProcessProxy):
+        (WebKit::GPUProcessProxy::updateSandboxAccess):
+        (WebKit::GPUProcessProxy::updateCaptureAccess):
+        (WebKit::isSafari): Deleted.
+        (WebKit::shouldCreateCameraSandboxExtension): Deleted.
+        (WebKit::shouldCreateMicrophoneSandboxExtension): Deleted.
+        * UIProcess/GPU/GPUProcessProxy.h:
+
 2021-05-04  Peng Liu  <[email protected]>
 
         [GPUP] Implement SourceBufferPrivateRemote::bufferFull()

Modified: trunk/Source/WebKit/GPUProcess/GPUProcess.cpp (277009 => 277010)


--- trunk/Source/WebKit/GPUProcess/GPUProcess.cpp	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/GPUProcess/GPUProcess.cpp	2021-05-05 08:53:30 UTC (rev 277010)
@@ -208,18 +208,10 @@
 
 #if ENABLE(MEDIA_STREAM)
     setMockCaptureDevicesEnabled(parameters.useMockCaptureDevices);
-    SandboxExtension::consumePermanently(parameters.cameraSandboxExtensionHandle);
-#if HAVE(AUDIT_TOKEN)
-    SandboxExtension::consumePermanently(parameters.appleCameraServicePathSandboxExtensionHandle);
-#if HAVE(ADDITIONAL_APPLE_CAMERA_SERVICE)
-    SandboxExtension::consumePermanently(parameters.additionalAppleCameraServicePathSandboxExtensionHandle);
-#endif
-#endif // HAVE(AUDIT_TOKEN)
+#if PLATFORM(MAC)
     SandboxExtension::consumePermanently(parameters.microphoneSandboxExtensionHandle);
-#if PLATFORM(IOS)
-    SandboxExtension::consumePermanently(parameters.tccSandboxExtensionHandle);
 #endif
-#endif
+#endif // ENABLE(MEDIA_STREAM)
 
 #if USE(SANDBOX_EXTENSIONS_FOR_CACHE_AND_TEMP_DIRECTORY_ACCESS)
     SandboxExtension::consumePermanently(parameters.containerCachesDirectoryExtensionHandle);
@@ -301,6 +293,12 @@
     completionHandler();
 }
 
+void GPUProcess::updateSandboxAccess(const Vector<SandboxExtension::Handle>& extensions)
+{
+    for (auto& extension : extensions)
+        SandboxExtension::consumePermanently(extension);
+}
+
 void GPUProcess::addMockMediaDevice(const WebCore::MockMediaDevice& device)
 {
     MockRealtimeMediaSourceCenter::addDevice(device);

Modified: trunk/Source/WebKit/GPUProcess/GPUProcess.h (277009 => 277010)


--- trunk/Source/WebKit/GPUProcess/GPUProcess.h	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/GPUProcess/GPUProcess.h	2021-05-05 08:53:30 UTC (rev 277010)
@@ -28,6 +28,7 @@
 #if ENABLE(GPU_PROCESS)
 
 #include "AuxiliaryProcess.h"
+#include "SandboxExtension.h"
 #include "WebPageProxyIdentifier.h"
 #include <WebCore/LibWebRTCEnumTraits.h>
 #include <WebCore/Timer.h>
@@ -123,6 +124,7 @@
     void setMockCaptureDevicesEnabled(bool);
     void setOrientationForMediaCapture(uint64_t orientation);
     void updateCaptureAccess(bool allowAudioCapture, bool allowVideoCapture, bool allowDisplayCapture, WebCore::ProcessIdentifier, CompletionHandler<void()>&&);
+    void updateSandboxAccess(const Vector<SandboxExtension::Handle>&);
     void addMockMediaDevice(const WebCore::MockMediaDevice&);
     void clearMockMediaDevices();
     void removeMockMediaDevice(const String& persistentId);

Modified: trunk/Source/WebKit/GPUProcess/GPUProcess.messages.in (277009 => 277010)


--- trunk/Source/WebKit/GPUProcess/GPUProcess.messages.in	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/GPUProcess/GPUProcess.messages.in	2021-05-05 08:53:30 UTC (rev 277010)
@@ -39,6 +39,7 @@
 #if ENABLE(MEDIA_STREAM)
     SetMockCaptureDevicesEnabled(bool isEnabled)
     SetOrientationForMediaCapture(uint64_t orientation);
+    UpdateSandboxAccess(Vector<WebKit::SandboxExtension::Handle> extensions);
     UpdateCaptureAccess(bool allowAudioCapture, bool allowVideoCapture, bool allowDisplayCapture, WebCore::ProcessIdentifier processID) -> () Async
     AddMockMediaDevice(struct WebCore::MockMediaDevice device);
     ClearMockMediaDevices();

Modified: trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.cpp (277009 => 277010)


--- trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.cpp	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.cpp	2021-05-05 08:53:30 UTC (rev 277010)
@@ -43,16 +43,8 @@
 {
 #if ENABLE(MEDIA_STREAM)
     encoder << useMockCaptureDevices;
-    encoder << cameraSandboxExtensionHandle;
-#if HAVE(AUDIT_TOKEN)
-    encoder << appleCameraServicePathSandboxExtensionHandle;
-#if HAVE(ADDITIONAL_APPLE_CAMERA_SERVICE)
-    encoder << additionalAppleCameraServicePathSandboxExtensionHandle;
-#endif
-#endif // HAVE(AUDIT_TOKEN)
+#if PLATFORM(MAC)
     encoder << microphoneSandboxExtensionHandle;
-#if PLATFORM(IOS)
-    encoder << tccSandboxExtensionHandle;
 #endif
 #endif
     encoder << parentPID;
@@ -73,21 +65,9 @@
 #if ENABLE(MEDIA_STREAM)
     if (!decoder.decode(result.useMockCaptureDevices))
         return false;
-    if (!decoder.decode(result.cameraSandboxExtensionHandle))
-        return false;
-#if HAVE(AUDIT_TOKEN)
-    if (!decoder.decode(result.appleCameraServicePathSandboxExtensionHandle))
-        return false;
-#if HAVE(ADDITIONAL_APPLE_CAMERA_SERVICE)
-    if (!decoder.decode(result.additionalAppleCameraServicePathSandboxExtensionHandle))
-        return false;
-#endif
-#endif // HAVE(AUDIT_TOKEN)
+#if PLATFORM(MAC)
     if (!decoder.decode(result.microphoneSandboxExtensionHandle))
         return false;
-#if PLATFORM(IOS)
-    if (!decoder.decode(result.tccSandboxExtensionHandle))
-        return false;
 #endif
 #endif
     if (!decoder.decode(result.parentPID))

Modified: trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.h (277009 => 277010)


--- trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.h	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.h	2021-05-05 08:53:30 UTC (rev 277010)
@@ -41,16 +41,8 @@
 
 #if ENABLE(MEDIA_STREAM)
     bool useMockCaptureDevices { false };
-    SandboxExtension::Handle cameraSandboxExtensionHandle;
-#if HAVE(AUDIT_TOKEN)
-    SandboxExtension::Handle appleCameraServicePathSandboxExtensionHandle;
-#if HAVE(ADDITIONAL_APPLE_CAMERA_SERVICE)
-    SandboxExtension::Handle additionalAppleCameraServicePathSandboxExtensionHandle;
-#endif
-#endif // HAVE(AUDIT_TOKEN)
+#if PLATFORM(MAC)
     SandboxExtension::Handle microphoneSandboxExtensionHandle;
-#if PLATFORM(IOS)
-    SandboxExtension::Handle tccSandboxExtensionHandle;
 #endif
 #endif
     ProcessID parentPID;

Modified: trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.cpp (277009 => 277010)


--- trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.cpp	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.cpp	2021-05-05 08:53:30 UTC (rev 277010)
@@ -65,35 +65,6 @@
 namespace WebKit {
 using namespace WebCore;
 
-static inline bool isSafari()
-{
-    bool isSafari = false;
-#if PLATFORM(IOS_FAMILY)
-    if (IOSApplication::isMobileSafari())
-        isSafari = true;
-#elif PLATFORM(MAC)
-    if (MacApplication::isSafari())
-        isSafari = true;
-#endif
-    return isSafari;
-}
-
-static inline bool shouldCreateCameraSandboxExtension()
-{
-    // FIXME: We should check for "com.apple.security.device.camera" entitlement.
-    if (!isSafari())
-        return false;
-    return true;
-}
-
-static inline bool shouldCreateMicrophoneSandboxExtension()
-{
-    // FIXME: We should check for "com.apple.security.device.microphone" entitlement.
-    if (!isSafari())
-        return false;
-    return true;
-}
-
 #if ENABLE(MEDIA_STREAM) && HAVE(AUDIT_TOKEN)
 static bool shouldCreateAppleCameraServiceSandboxExtension()
 {
@@ -168,28 +139,15 @@
     GPUProcessCreationParameters parameters;
 #if ENABLE(MEDIA_STREAM)
     parameters.useMockCaptureDevices = m_useMockCaptureDevices;
-
-    bool needsCameraSandboxExtension = shouldCreateCameraSandboxExtension();
-    bool needsMicrophoneSandboxExtension = shouldCreateMicrophoneSandboxExtension();
-    if (needsCameraSandboxExtension)
-        SandboxExtension::createHandleForGenericExtension("com.apple.webkit.camera"_s, parameters.cameraSandboxExtensionHandle);
-    if (needsMicrophoneSandboxExtension)
+#if PLATFORM(MAC)
+    // FIXME: Remove this and related parameter when <rdar://problem/29448368> is fixed.
+    if (MacApplication::isSafari()) {
         SandboxExtension::createHandleForGenericExtension("com.apple.webkit.microphone"_s, parameters.microphoneSandboxExtensionHandle);
-
-#if HAVE(AUDIT_TOKEN)
-    if (needsCameraSandboxExtension && shouldCreateAppleCameraServiceSandboxExtension()) {
-        SandboxExtension::createHandleForMachLookup("com.apple.applecamerad"_s, WTF::nullopt, parameters.appleCameraServicePathSandboxExtensionHandle);
-#if HAVE(ADDITIONAL_APPLE_CAMERA_SERVICE)
-        SandboxExtension::createHandleForMachLookup("com.apple.appleh13camerad"_s, WTF::nullopt, parameters.additionalAppleCameraServicePathSandboxExtensionHandle);
-#endif
+        m_hasSentMicrophoneSandboxExtension = true;
     }
-#endif // HAVE(AUDIT_TOKEN)
-
-#if PLATFORM(IOS)
-    if (needsCameraSandboxExtension || needsMicrophoneSandboxExtension)
-        SandboxExtension::createHandleForMachLookup("com.apple.tccd"_s, WTF::nullopt, parameters.tccSandboxExtensionHandle);
 #endif
 #endif // ENABLE(MEDIA_STREAM)
+
     parameters.parentPID = getCurrentProcessID();
 
 #if USE(SANDBOX_EXTENSIONS_FOR_CACHE_AND_TEMP_DIRECTORY_ACCESS)
@@ -236,8 +194,87 @@
     send(Messages::GPUProcess::SetOrientationForMediaCapture { orientation }, 0);
 }
 
+static inline bool addCameraSandboxExtensions(Vector<SandboxExtension::Handle>& extensions)
+{
+    SandboxExtension::Handle sandboxExtensionHandle;
+    if (!SandboxExtension::createHandleForGenericExtension("com.apple.webkit.camera"_s, sandboxExtensionHandle)) {
+        RELEASE_LOG_ERROR(WebRTC, "Unable to create com.apple.webkit.camera sandbox extension");
+        return false;
+    }
+#if HAVE(AUDIT_TOKEN)
+        if (shouldCreateAppleCameraServiceSandboxExtension()) {
+            SandboxExtension::Handle appleCameraServicePathSandboxExtensionHandle;
+            if (!SandboxExtension::createHandleForMachLookup("com.apple.applecamerad"_s, WTF::nullopt, appleCameraServicePathSandboxExtensionHandle)) {
+                RELEASE_LOG_ERROR(WebRTC, "Unable to create com.apple.applecamerad sandbox extension");
+                return false;
+            }
+#if HAVE(ADDITIONAL_APPLE_CAMERA_SERVICE)
+            SandboxExtension::Handle additionalAppleCameraServicePathSandboxExtensionHandle;
+            if (!SandboxExtension::createHandleForMachLookup("com.apple.appleh13camerad"_s, WTF::nullopt, additionalAppleCameraServicePathSandboxExtensionHandle)) {
+                RELEASE_LOG_ERROR(WebRTC, "Unable to create com.apple.appleh13camerad sandbox extension");
+                return false;
+            }
+            extensions.append(WTFMove(additionalAppleCameraServicePathSandboxExtensionHandle));
+#endif
+            extensions.append(WTFMove(appleCameraServicePathSandboxExtensionHandle));
+        }
+#endif // HAVE(AUDIT_TOKEN)
+
+    extensions.append(WTFMove(sandboxExtensionHandle));
+    return true;
+}
+
+static inline bool addMicrophoneSandboxExtension(Vector<SandboxExtension::Handle>& extensions)
+{
+    SandboxExtension::Handle sandboxExtensionHandle;
+    if (!SandboxExtension::createHandleForGenericExtension("com.apple.webkit.microphone"_s, sandboxExtensionHandle)) {
+        RELEASE_LOG_ERROR(WebRTC, "Unable to create com.apple.webkit.microphone sandbox extension");
+        return false;
+    }
+    extensions.append(WTFMove(sandboxExtensionHandle));
+    return true;
+}
+
+#if PLATFORM(IOS)
+static inline bool addTCCDSandboxExtension(Vector<SandboxExtension::Handle>& extensions)
+{
+    SandboxExtension::Handle sandboxExtensionHandle;
+    if (!SandboxExtension::createHandleForGenericExtension("com.apple.tccd"_s, sandboxExtensionHandle)) {
+        RELEASE_LOG_ERROR(WebRTC, "Unable to create com.apple.tccd sandbox extension");
+        return false;
+    }
+    extensions.append(WTFMove(sandboxExtensionHandle));
+    return true;
+}
+#endif
+
+void GPUProcessProxy::updateSandboxAccess(bool allowAudioCapture, bool allowVideoCapture)
+{
+    if (m_useMockCaptureDevices)
+        return;
+
+#if PLATFORM(COCOA)
+    Vector<SandboxExtension::Handle> extensions;
+
+    if (allowVideoCapture && !m_hasSentCameraSandboxExtension && addCameraSandboxExtensions(extensions))
+        m_hasSentCameraSandboxExtension = true;
+
+    if (allowAudioCapture && !m_hasSentMicrophoneSandboxExtension && addMicrophoneSandboxExtension(extensions))
+        m_hasSentMicrophoneSandboxExtension = true;
+
+#if PLATFORM(IOS)
+    if ((allowAudioCapture || allowVideoCapture) && !m_hasSentTCCDSandboxExtension && addTCCDSandboxExtension(extensions))
+        m_hasSentTCCDSandboxExtension = true;
+#endif // PLATFORM(IOS)
+
+    if (!extensions.isEmpty())
+        send(Messages::GPUProcess::UpdateSandboxAccess { extensions }, 0);
+#endif // PLATFORM(COCOA)
+}
+
 void GPUProcessProxy::updateCaptureAccess(bool allowAudioCapture, bool allowVideoCapture, bool allowDisplayCapture, WebCore::ProcessIdentifier processID, CompletionHandler<void()>&& completionHandler)
 {
+    updateSandboxAccess(allowAudioCapture, allowVideoCapture);
     sendWithAsyncReply(Messages::GPUProcess::UpdateCaptureAccess { allowAudioCapture, allowVideoCapture, allowDisplayCapture, processID }, WTFMove(completionHandler));
 }

Modified: trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.h (277009 => 277010)


--- trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.h	2021-05-05 07:17:54 UTC (rev 277009)
+++ trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.h	2021-05-05 08:53:30 UTC (rev 277010)
@@ -120,6 +120,8 @@
     void terminateWebProcess(WebCore::ProcessIdentifier);
     void processIsReadyToExit();
 
+    void updateSandboxAccess(bool allowAudioCapture, bool allowVideoCapture);
+
 #if HAVE(VISIBILITY_PROPAGATION_VIEW)
     void didCreateContextForVisibilityPropagation(WebPageProxyIdentifier, WebCore::PageIdentifier, LayerHostingContextID);
 #endif
@@ -130,6 +132,11 @@
     bool m_useMockCaptureDevices { false };
     uint64_t m_orientation { 0 };
 #endif
+#if PLATFORM(COCOA)
+    bool m_hasSentTCCDSandboxExtension { false };
+    bool m_hasSentCameraSandboxExtension { false };
+    bool m_hasSentMicrophoneSandboxExtension { false };
+#endif
     HashSet<PAL::SessionID> m_sessionIDs;
 };

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

[webkit-changes] [277010] trunk/Source/WebKit

Log Message

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (277009 => 277010)

Modified: trunk/Source/WebKit/GPUProcess/GPUProcess.cpp (277009 => 277010)

Modified: trunk/Source/WebKit/GPUProcess/GPUProcess.h (277009 => 277010)

Modified: trunk/Source/WebKit/GPUProcess/GPUProcess.messages.in (277009 => 277010)

Modified: trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.cpp (277009 => 277010)

Modified: trunk/Source/WebKit/GPUProcess/GPUProcessCreationParameters.h (277009 => 277010)

Modified: trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.cpp (277009 => 277010)

Modified: trunk/Source/WebKit/UIProcess/GPU/GPUProcessProxy.h (277009 => 277010)

Reply via email to