Title: [283586] trunk
- Revision
- 283586
- Author
- [email protected]
- Date
- 2021-10-05 16:47:47 -0700 (Tue, 05 Oct 2021)
Log Message
Add an entitlement check to only allow AdAttributionDaemon to be connected to by the network process
https://bugs.webkit.org/show_bug.cgi?id=231248
Patch by Alex Christensen <[email protected]> on 2021-10-05
Reviewed by Alexey Proskuryakov.
Source/WebKit:
Adding a restricted entitlement on macOS when using a non-internal SDK causes the network process to not start,
so in open source builds (in which the daemon is only used for unit tests) just skip the entitlement check.
* Scripts/process-entitlements.sh:
* Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm:
(WebKit::startListeningForMachServiceConnections):
Tools:
Also add a system call to "launchctl unload" to clear any residual state in launchd before starting the unit test.
Otherwise we could get into a state where the plist is registered with launchd from an old test that registered it
but didn't start the daemon, causing the test to time out until you reboot the machine. This makes it recover nicely.
* TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm:
(TestWebKitAPI::attemptConnectionInProcessWithoutEntitlement):
(TestWebKitAPI::setInjectedBundleClient): Deleted.
(TestWebKitAPI::webViewWithOpenInspector): Deleted.
Diff
Modified: trunk/Source/WebKit/ChangeLog (283585 => 283586)
--- trunk/Source/WebKit/ChangeLog 2021-10-05 23:43:27 UTC (rev 283585)
+++ trunk/Source/WebKit/ChangeLog 2021-10-05 23:47:47 UTC (rev 283586)
@@ -1,3 +1,17 @@
+2021-10-05 Alex Christensen <[email protected]>
+
+ Add an entitlement check to only allow AdAttributionDaemon to be connected to by the network process
+ https://bugs.webkit.org/show_bug.cgi?id=231248
+
+ Reviewed by Alexey Proskuryakov.
+
+ Adding a restricted entitlement on macOS when using a non-internal SDK causes the network process to not start,
+ so in open source builds (in which the daemon is only used for unit tests) just skip the entitlement check.
+
+ * Scripts/process-entitlements.sh:
+ * Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm:
+ (WebKit::startListeningForMachServiceConnections):
+
2021-10-05 Chris Dumez <[email protected]>
Authorization header lost on 30x redirects
Modified: trunk/Source/WebKit/Scripts/process-entitlements.sh (283585 => 283586)
--- trunk/Source/WebKit/Scripts/process-entitlements.sh 2021-10-05 23:43:27 UTC (rev 283585)
+++ trunk/Source/WebKit/Scripts/process-entitlements.sh 2021-10-05 23:47:47 UTC (rev 283586)
@@ -118,6 +118,7 @@
plistbuddy Add :com.apple.private.webkit.use-xpc-endpoint bool YES
plistbuddy Add :com.apple.rootless.storage.WebKitNetworkingSandbox bool YES
plistbuddy Add :com.apple.symptom_analytics.configure bool YES
+ plistbuddy Add :com.apple.private.webkit.adattributiondaemon bool YES
fi
}
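Review bot: The new `com.apple.private.webkit.adattributiondaemon` line is appended after `com.apple.symptom_analytics.configure` here and placed before `com.apple.multitasking.systemappassertions` in the `ios_family_process_network_entitlements` hunk, which breaks the alphabetical order the surrounding keys appear to follow. Placing it beside the other `com.apple.private.webkit.*` keys would keep the list of granted entitlements easy to audit. The same literal is what the daemon checks in PCMDaemonEntryPoint.mm, so a comment such as `# Must match the key checked in PCMDaemonEntryPoint.mm` would help keep the three copies from drifting apart. The macOS function starts outside this hunk, so the condition guarding the `fi` block is not visible here.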
@@ -369,6 +370,7 @@
function ios_family_process_network_entitlements()
{
+ plistbuddy Add :com.apple.private.webkit.adattributiondaemon bool YES
plistbuddy Add :com.apple.multitasking.systemappassertions bool YES
plistbuddy Add :com.apple.payment.all-access bool YES
plistbuddy Add :com.apple.private.accounts.bundleidspoofing bool YES
Modified: trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm (283585 => 283586)
--- trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm 2021-10-05 23:43:27 UTC (rev 283585)
+++ trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm 2021-10-05 23:47:47 UTC (rev 283586)
@@ -61,7 +61,7 @@
if (xpc_get_type(request) != XPC_TYPE_DICTIONARY)
return;
if (xpc_dictionary_get_uint64(request, PCM::protocolVersionKey) != PCM::protocolVersionValue) {
- NSLog(@"received request that was not the current protocol version");
+ NSLog(@"Received request that was not the current protocol version");
return;
}
@@ -79,13 +79,19 @@
if (xpc_get_type(peer) != XPC_TYPE_CONNECTION)
return;
- // FIXME: Add an entitlement check here so that only the network process can successfully connect.
+#if USE(APPLE_INTERNAL_SDK)
+ if (!WTF::hasEntitlement(peer, "com.apple.private.webkit.adattributiondaemon")) {
+ NSLog(@"Connection attempted without required entitlement");
+ xpc_connection_cancel(peer);
+ return;
+ }
+#endif
xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
if (event == XPC_ERROR_CONNECTION_INVALID)
NSLog(@"Failed to start listening for connections to mach service %s, likely because it is not registered with launchd", serviceName);
if (event == XPC_ERROR_CONNECTION_INTERRUPTED) {
- NSLog(@"removing peer connection %p", peer);
+ NSLog(@"Removing peer connection %p", peer);
PCM::DaemonConnectionSet::singleton().remove(peer);
return;
}
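Review bot: The rejection path logs `Connection attempted without required entitlement` with nothing that identifies the caller, so a denied connection cannot be traced back to a process afterwards. Adding the peer's pid, e.g. `NSLog(@"Connection attempted without required entitlement from pid %d", xpc_connection_get_pid(peer));`, would make the message usable for detection; the pid is for logging only, and the decision stays with `WTF::hasEntitlement`. Removing the FIXME also leaves no in-code explanation of why the check is compiled out without `USE(APPLE_INTERNAL_SDK)`. A comment above the `#if`, such as `// Open source builds cannot be signed with restricted entitlements; the daemon is test-only there and accepts any peer.`, would record that. The enclosing handler block starts and ends outside the hunk.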
@@ -94,7 +100,7 @@
xpc_connection_set_target_queue(peer, dispatch_get_main_queue());
xpc_connection_activate(peer);
- NSLog(@"adding peer connection %p", peer);
+ NSLog(@"Adding peer connection %p", peer);
PCM::DaemonConnectionSet::singleton().add(peer);
});
xpc_connection_activate(listener.get().get());
Modified: trunk/Tools/ChangeLog (283585 => 283586)
--- trunk/Tools/ChangeLog 2021-10-05 23:43:27 UTC (rev 283585)
+++ trunk/Tools/ChangeLog 2021-10-05 23:47:47 UTC (rev 283586)
@@ -1,5 +1,21 @@
2021-10-05 Alex Christensen <[email protected]>
+ Add an entitlement check to only allow AdAttributionDaemon to be connected to by the network process
+ https://bugs.webkit.org/show_bug.cgi?id=231248
+
+ Reviewed by Alexey Proskuryakov.
+
+ Also add a system call to "launchctl unload" to clear any residual state in launchd before starting the unit test.
+ Otherwise we could get into a state where the plist is registered with launchd from an old test that registered it
+ but didn't start the daemon, causing the test to time out until you reboot the machine. This makes it recover nicely.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm:
+ (TestWebKitAPI::attemptConnectionInProcessWithoutEntitlement):
+ (TestWebKitAPI::setInjectedBundleClient): Deleted.
+ (TestWebKitAPI::webViewWithOpenInspector): Deleted.
+
+2021-10-05 Alex Christensen <[email protected]>
+
TestWebKitAPI.PrivateClickMeasurement.DaemonBasicFunctionality is timing out
https://bugs.webkit.org/show_bug.cgi?id=231257
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm (283585 => 283586)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm 2021-10-05 23:43:27 UTC (rev 283585)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm 2021-10-05 23:47:47 UTC (rev 283586)
@@ -502,9 +502,26 @@
EXPECT_NULL(error);
}
+static void attemptConnectionInProcessWithoutEntitlement()
+{
+#if USE(APPLE_INTERNAL_SDK)
+ __block bool done = false;
+ auto connection = adoptNS(xpc_connection_create_mach_service("org.webkit.pcmtestdaemon.service", dispatch_get_main_queue(), 0));
+ xpc_connection_set_event_handler(connection.get(), ^(xpc_object_t event) {
+ EXPECT_EQ(event, XPC_ERROR_CONNECTION_INTERRUPTED);
+ done = true;
+ });
+ xpc_connection_activate(connection.get());
+ auto dictionary = adoptNS(xpc_dictionary_create(nullptr, nullptr, 0));
+ xpc_connection_send_message(connection.get(), dictionary.get());
+ TestWebKitAPI::Util::run(&done);
+#endif
+}
+
TEST(PrivateClickMeasurement, DaemonBasicFunctionality)
{
auto [tempDir, configuration] = setUpDaemon(adoptNS([WKWebViewConfiguration new]).autorelease());
+ attemptConnectionInProcessWithoutEntitlement();
runBasicPCMTest(configuration, [](WKWebView *webView, const HTTPServer& server) {
[webView _addEventAttributionWithSourceID:42 destinationURL:exampleURL() sourceDescription:@"test source description" purchaser:@"test purchaser" reportEndpoint:server.request().URL optionalNonce:nil applicationBundleID:@"test.bundle.id"];
});
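Review bot: `attemptConnectionInProcessWithoutEntitlement` finishes only when its event handler fires, so a regression in the daemon's entitlement check would most likely show up as a hang rather than a failed expectation. In that case the empty dictionary would presumably be dropped by the protocol-version check, and `TestWebKitAPI::Util::run(&done)` would wait until the harness times out. A bounded wait followed by `EXPECT_TRUE(done)` would turn that into a clear failure. A comment on the expectation, such as `// The daemon cancels unentitled peers, which this end observes as XPC_ERROR_CONNECTION_INTERRUPTED.`, would also explain why that particular event is the pass condition. Because the whole body is under `#if USE(APPLE_INTERNAL_SDK)`, the denial path is not exercised at all in open source builds.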