Title: [277834] trunk/Source/WebKit
Revision: 277834
Author: [email protected]
Date: 2021-05-20 16:03:12 -0700 (Thu, 20 May 2021)

Log Message

[Cocoa] Adopt "com.apple.QuartzCore.webkit-limited-types" entitlement
https://bugs.webkit.org/show_bug.cgi?id=226044
<rdar://problem/60549120>

Reviewed by Per Arne Vollan.

WebKit should adopt the "com.apple.QuartzCore.webkit-limited-types" entitlement as a further hardening measure to help
QuartzCore limit the features accessible from the WebContent and GPU Process. WebKit only needs a subset of the
features of QuartzCore, and this entitlement allows the framework to block certain code paths.

Tested by existing rendering test cases.

* Scripts/process-entitlements.sh:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (277833 => 277834)


--- trunk/Source/WebKit/ChangeLog	2021-05-20 23:01:24 UTC (rev 277833)
+++ trunk/Source/WebKit/ChangeLog	2021-05-20 23:03:12 UTC (rev 277834)
@@ -1,3 +1,19 @@
+2021-05-20  Brent Fulgham  <[email protected]>
+
+        [Cocoa] Adopt "com.apple.QuartzCore.webkit-limited-types" entitlement
+        https://bugs.webkit.org/show_bug.cgi?id=226044
+        <rdar://problem/60549120>
+
+        Reviewed by Per Arne Vollan.
+
+        WebKit should adopt the "com.apple.QuartzCore.webkit-limited-types" entitlement as a further hardening measure to help
+        QuartzCore limit the features accessible from the WebContent and GPU Process. WebKit only needs a subset of the
+        features of QuartzCore, and this entitlement allows the framework to block certain code paths.
+
+        Tested by existing rendering test cases.
+
+        * Scripts/process-entitlements.sh:
+
 2021-05-20  Alexey Shvayka  <[email protected]>
 
         [WebIDL] Remove [ImplicitThis] and [CustomProxyToJSObject] extended attributes
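Review bot: The `* Scripts/process-entitlements.sh:` line that closes the new entry carries no per-function description, although the script change in this revision inserts the key at six separate places. Listing the functions touched under that line would let a reader check that the entitlement reaches only the WebContent and GPU Process variants the log message names.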

Modified: trunk/Source/WebKit/Scripts/process-entitlements.sh (277833 => 277834)


--- trunk/Source/WebKit/Scripts/process-entitlements.sh	2021-05-20 23:01:24 UTC (rev 277833)
+++ trunk/Source/WebKit/Scripts/process-entitlements.sh	2021-05-20 23:03:12 UTC (rev 277834)
@@ -25,6 +25,7 @@
             plistbuddy Add :com.apple.private.pac.exception bool YES
             plistbuddy Add :com.apple.private.security.message-filter bool YES
             plistbuddy Add :com.apple.avfoundation.allow-system-wide-context bool YES
+            plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES
         fi
         if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
         then
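Review bot: The added line spells the command as lowercase `add` (`plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES`), while every neighbouring call uses `Add`; the same applies to the other five insertions in this file. Nothing in the visible lines shows how the `plistbuddy` wrapper treats command case, so matching the existing `Add` spelling removes the question and keeps the file easy to grep.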
@@ -49,6 +50,7 @@
         then
             plistbuddy Add :com.apple.developer.videotoolbox.client-sandboxed-decoder bool YES
             plistbuddy Add :com.apple.avfoundation.allow-system-wide-context bool YES
+            plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES
         fi
 
         plistbuddy Add :com.apple.private.memory.ownership_transfer bool YES
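Review bot: The new key is added inside the `then ... fi` block, so it is applied only when that block's condition (above the hunk) holds, whereas `com.apple.private.memory.ownership_transfer` just below is added unconditionally. If the restriction is meant to apply to every build of this process, the line belongs outside the block; if the gating is deliberate, a short comment stating which builds are excluded and why would document it.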
@@ -160,6 +162,7 @@
         plistbuddy Add :com.apple.private.pac.exception bool YES
         plistbuddy Add :com.apple.private.security.message-filter bool YES
         plistbuddy Add :com.apple.UIKit.view-service-wants-custom-idiom-and-scale bool YES
+        plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES
     fi
     if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
     then
@@ -173,6 +176,7 @@
     plistbuddy Add :com.apple.runningboard.assertions.webkit bool YES
     plistbuddy Add :com.apple.QuartzCore.webkit-end-points bool YES
     plistbuddy Add :com.apple.private.memory.ownership_transfer bool YES
+    plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES
 }
 
 function maccatalyst_process_network_entitlements()
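Review bot: The unconditional add at the end of this function, right before the closing `}`, sits only 14 lines after the conditional add in the preceding hunk (new line 165 versus new line 179), and no function header is visible between them. If both land in the same function, builds that enter the earlier `if` block will try to add `com.apple.QuartzCore.webkit-limited-types` twice; please confirm they are in different functions, or keep only the unconditional one.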
@@ -208,6 +212,7 @@
 {
     plistbuddy Add :com.apple.QuartzCore.secure-mode bool YES
     plistbuddy Add :com.apple.QuartzCore.webkit-end-points bool YES
+    plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES
     plistbuddy Add :com.apple.developer.coremedia.allow-alternate-video-decoder-selection bool YES
     plistbuddy Add :com.apple.mediaremote.set-playback-state bool YES
     plistbuddy Add :com.apple.pac.shared_region_id string WebContent
@@ -237,6 +242,7 @@
 {
     plistbuddy Add :com.apple.QuartzCore.secure-mode bool YES
     plistbuddy Add :com.apple.QuartzCore.webkit-end-points bool YES
+    plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES
     plistbuddy Add :com.apple.developer.coremedia.allow-alternate-video-decoder-selection bool YES
     plistbuddy Add :com.apple.mediaremote.set-playback-state bool YES
     plistbuddy Add :com.apple.private.allow-explicit-graphics-priority bool YES
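Review bot: The run of three QuartzCore keys at the top of this function (`secure-mode`, `webkit-end-points`, now `webkit-limited-types`) is identical to the run in the preceding hunk's function, so each new QuartzCore restriction has to be inserted by hand in both. Moving the shared keys into one helper called from both functions would keep the two entitlement sets from drifting apart.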