Title: [286437] trunk/Source
Revision
286437
Author
pvol...@apple.com
Date
2021-12-02 10:44:46 -0800 (Thu, 02 Dec 2021)

Log Message

[WP] Strengthen sandbox when AppCache is disabled
https://bugs.webkit.org/show_bug.cgi?id=233746
<rdar://problem/85953893>

Reviewed by Brent Fulgham.

Source/WebKit:

When AppCache is disabled, we can remove access to some resources in the WebContent process' sandbox.
This is implemented using a new sandbox state variable representing the AppCache state.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* WebProcess/WebPage/WebPage.cpp:
* WebProcess/com.apple.WebProcess.sb.in:

Source/WTF:

Add HAVE macro for sandbox state flags support.

* wtf/PlatformHave.h:


Modified: trunk/Source/WTF/ChangeLog (286436 => 286437)


--- trunk/Source/WTF/ChangeLog	2021-12-02 17:57:46 UTC (rev 286436)
+++ trunk/Source/WTF/ChangeLog	2021-12-02 18:44:46 UTC (rev 286437)
@@ -1,3 +1,15 @@
+2021-12-02  Per Arne Vollan  <pvol...@apple.com>
+
+        [WP] Strengthen sandbox when AppCache is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=233746
+        <rdar://problem/85953893>
+
+        Reviewed by Brent Fulgham.
+
+        Add HAVE macro for sandbox state flags support.
+
+        * wtf/PlatformHave.h:
+
 2021-12-02  Aditya Keerthi  <akeer...@apple.com>
 
         [macCatalyst] Enable support for date/time inputs

Modified: trunk/Source/WTF/wtf/PlatformHave.h (286436 => 286437)


--- trunk/Source/WTF/wtf/PlatformHave.h	2021-12-02 17:57:46 UTC (rev 286436)
+++ trunk/Source/WTF/wtf/PlatformHave.h	2021-12-02 18:44:46 UTC (rev 286437)
@@ -1102,3 +1102,8 @@
 #if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
 #undef HAVE_AV_DELEGATING_PLAYBACK_COORDINATOR
 #endif
+
+#if ((PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 130000) \
+    || (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 160000))
+#define HAVE_SANDBOX_STATE_FLAGS 1
+#endif
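Review bot: The new HAVE_SANDBOX_STATE_FLAGS define carries no comment saying which capability it gates, so a reader of PlatformHave.h cannot tell that it stands for the sandbox profile constructs used elsewhere in this commit: `(with enable-state-flag ...)`, `(state-flag ...)` and `with-filter`. A one-line comment above the `#if`, such as `// Sandbox profile language supports state flags: (with enable-state-flag ...) and (state-flag ...) filters.`, would make the gate self-describing. The macOS 13 / iOS 16 thresholds are presumably the releases whose sandbox runtime understands these constructs; if so, that comment is also the place to record it.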

Modified: trunk/Source/WebKit/ChangeLog (286436 => 286437)


--- trunk/Source/WebKit/ChangeLog	2021-12-02 17:57:46 UTC (rev 286436)
+++ trunk/Source/WebKit/ChangeLog	2021-12-02 18:44:46 UTC (rev 286437)
@@ -1,3 +1,18 @@
+2021-12-02  Per Arne Vollan  <pvol...@apple.com>
+
+        [WP] Strengthen sandbox when AppCache is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=233746
+        <rdar://problem/85953893>
+
+        Reviewed by Brent Fulgham.
+
+        When AppCache is disabled, we can remove access to some resources in the WebContent process' sandbox.
+        This is implemented using a new sandbox state variable representing the AppCache state.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+        * WebProcess/WebPage/WebPage.cpp:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2021-12-02  Youenn Fablet  <you...@apple.com>
 
         Add some logging to NetworkRTCProvider

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (286436 => 286437)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-12-02 17:57:46 UTC (rev 286436)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-12-02 18:44:46 UTC (rev 286437)
@@ -1385,27 +1385,45 @@
 (when (defined? 'system-fcntl)
     (deny system-fcntl (with telemetry))
     (allow system-fcntl
-        (fcntl-command F_BARRIERFSYNC)
-        (fcntl-command F_GETCONFINED)
-        (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
-        (fcntl-command F_GETLK)
-        (fcntl-command F_GETSIGSINFO)
-        (fcntl-command F_NOCACHE)
-        (fcntl-command F_OFD_GETLK)
-        (fcntl-command F_OFD_SETLKWTIMEOUT)
-        (fcntl-command F_RDADVISE)
-        (fcntl-command F_SETCONFINED)
-        (fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
-        (fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
-        (fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
-        (fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
-        (fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
-        (fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
-        (fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
-        (fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
+        (fcntl-command
+            F_GETPATH)) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
+    (allow system-fcntl (with report) (with telemetry)
+        (fcntl-command
+            F_BARRIERFSYNC
+            F_GETCONFINED
+            F_GETFL ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+            F_GETSIGSINFO
+            F_NOCACHE
+            F_RDADVISE
+            F_SETCONFINED
+            F_ADDFILESIGS_RETURN ;; ImageLoaderMachO::loadCodeSignature
+            F_CHECK_LV ;; ImageLoaderMachO::loadCodeSignature
+            F_SPECULATIVE_READ ;; ImageLoaderMachO::mapSegments
+            F_SETFD ;; libwebrtc.dylib (no backtrace)
+            F_GETFD ;; libwebrtc.dylib (no backtrace)
+            F_SETFL ;; CMCapture uses when camera is enabled
+            F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
 
-    (allow system-fcntl (with telemetry)
-        (fcntl-command F_OFD_SETLK))
+    (define (appcache-fcntl-commands)
+        (fcntl-command
+            F_GETLK
+            F_OFD_GETLK
+            F_OFD_SETLK
+            F_OFD_SETLKWTIMEOUT))
+            
+#if HAVE(SANDBOX_STATE_FLAGS)
+    ;; This rule enables the WebContent process to flip the "AppCacheDisabled" sandbox variable
+    ;; by reading a preference from the domain "com.apple.WebKit.WebContent.AppCacheDisabled".
+    (deny user-preference-read (with enable-state-flag "AppCacheDisabled")
+        (preference-domain "com.apple.WebKit.WebContent.AppCacheDisabled"))
+ 
+    (with-filter (require-not (state-flag "AppCacheDisabled"))
+        (allow system-fcntl (appcache-fcntl-commands)))
+    (with-filter (state-flag "AppCacheDisabled")
+        (allow system-fcntl (with report) (with telemetry) (appcache-fcntl-commands)))
+#else
+    (allow system-fcntl (with report) (with telemetry) (appcache-fcntl-commands)))
+#endif
 
     (allow system-fcntl
         (fcntl-command F_GETPROTECTIONCLASS)
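Review bot: In the `(with-filter (state-flag "AppCacheDisabled") ...)` branch the lock commands are still granted by an `allow` that only adds `(with report) (with telemetry)`, so with AppCache disabled the process keeps F_GETLK, F_OFD_GETLK, F_OFD_SETLK and F_OFD_SETLKWTIMEOUT and the only difference is that matches are reported; the ChangeLog's "remove access" reads stronger than what this rule does, and the `#else` branch grants the same commands with reporting unconditionally. If reporting before denying is the intent, say so above the rule, e.g. `;; Reporting stage: once telemetry confirms these commands are unused with AppCache disabled, change this allow to a deny.`; if a deny was intended, the branch needs `(deny system-fcntl (appcache-fcntl-commands))`. The blank line after the `define` and the one after the `deny user-preference-read` rule carry trailing whitespace. The same points apply to the matching hunk in WebProcess/com.apple.WebProcess.sb.in, and the enclosing `(when (defined? 'system-fcntl) ...)` form starts and ends outside this hunk.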

Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp (286436 => 286437)


--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp	2021-12-02 17:57:46 UTC (rev 286436)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp	2021-12-02 18:44:46 UTC (rev 286437)
@@ -902,6 +902,15 @@
 
     m_page->setCanUseCredentialStorage(parameters.canUseCredentialStorage);
 
+#if HAVE(SANDBOX_STATE_FLAGS)
+    if (!m_page->settings().offlineWebApplicationCacheEnabled()) {
+        // This call is not meant to actually read a preference, but is only here to trigger a sandbox rule in the
+        // WebContent process, which will toggle a sandbox variable used to determine if AppCache is disabled
+        // This call should be replaced with proper API when available.
+        CFPreferencesGetAppIntegerValue(CFSTR("key"), CFSTR("com.apple.WebKit.WebContent.AppCacheDisabled"), nullptr);
+    }
+#endif
+
     updateThrottleState();
 }
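Review bot: The `CFPreferencesGetAppIntegerValue` call flips a process-wide sandbox state flag from a per-page setting, and nothing in this commit clears it, so once one page in this WebContent process is created with AppCache disabled, every later page in the same process, including one created with AppCache enabled or this page if the setting is toggled afterwards, runs under the `AppCacheDisabled` fcntl rule. The comment should state that, e.g. `// Setting the flag is one-way and process-wide: it is never cleared, even if AppCache is later enabled for some page.`, so a future caller does not assume it tracks the current setting. The enclosing function starts outside the hunk, so that this is the WebPage constructor is inferred from the surrounding `m_page` setup. A short `// Return value intentionally ignored.` next to the call would also keep a later cleanup from dropping a call that exists only for its sandbox side effect.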
 

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (286436 => 286437)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-12-02 17:57:46 UTC (rev 286436)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-12-02 18:44:46 UTC (rev 286437)
@@ -1812,31 +1812,49 @@
 
 (when (defined? 'system-fcntl)
     (deny system-fcntl (with telemetry))
-    (allow system-fcntl
-        (fcntl-command F_BARRIERFSYNC)
-        (fcntl-command F_GETCONFINED)
-        (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
-        (fcntl-command F_GETLK)
-        (fcntl-command F_GETSIGSINFO)
-        (fcntl-command F_NOCACHE)
-        (fcntl-command F_OFD_GETLK)
-        (fcntl-command F_OFD_SETLKWTIMEOUT)
-        (fcntl-command F_RDADVISE)
-        (fcntl-command F_SETCONFINED)
-        (fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
-        (fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
-        (fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
-        (fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
-        (fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
-        (fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
-        (fcntl-command F_RDADVISE) ;; CoreNLP::ReadOnlyFile <- +[DDScannerService scanString:range:configuration:] <- WebCore::DictionaryLookup::rangeAtHitTestResult(WebCore::HitTestResult const&)
-        (fcntl-command F_NOCACHE) ;; Security::UnixPlusPlus::FileDesc::fcnt <- MTRegisterPluginFormatReaderBundleDirectory <- invocation function for block in WebCore::registerFormatReaderIfNecessary()
-        (fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
-        (fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
+     (allow system-fcntl
+        (fcntl-command
+            F_GETPATH)) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
+    (allow system-fcntl (with report) (with telemetry)
+       (fcntl-command
+            F_BARRIERFSYNC
+            F_GETCONFINED
+            F_GETFL ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+            F_GETSIGSINFO
+            F_NOCACHE
+            F_RDADVISE
+            F_SETCONFINED
+            F_ADDFILESIGS_RETURN ;; ImageLoaderMachO::loadCodeSignature
+            F_CHECK_LV ;; ImageLoaderMachO::loadCodeSignature
+            F_SPECULATIVE_READ ;; ImageLoaderMachO::mapSegments
+            F_SETFD ;; libwebrtc.dylib (no backtrace)
+            F_GETFD ;; libwebrtc.dylib (no backtrace)
+            F_RDADVISE ;; CoreNLP::ReadOnlyFile <- +[DDScannerService scanString:range:configuration:] <- WebCore::DictionaryLookup::rangeAtHitTestResult(WebCore::HitTestResult const&)
+            F_NOCACHE ;; Security::UnixPlusPlus::FileDesc::fcnt <- MTRegisterPluginFormatReaderBundleDirectory <- invocation function for block in WebCore::registerFormatReaderIfNecessary()
+            F_SETFL ;; CMCapture uses when camera is enabled
+            F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
 
-    (allow system-fcntl
-        (fcntl-command F_OFD_SETLK))
+    (define (appcache-fcntl-commands)
+        (fcntl-command
+            F_GETLK
+            F_OFD_GETLK
+            F_OFD_SETLK
+            F_OFD_SETLKWTIMEOUT))
 
+#if HAVE(SANDBOX_STATE_FLAGS)
+    ;; This rule enables the WebContent process to flip the "AppCacheDisabled" sandbox variable
+    ;; by reading a preference from the domain "com.apple.WebKit.WebContent.AppCacheDisabled".
+    (deny user-preference-read (with enable-state-flag "AppCacheDisabled")
+        (preference-domain "com.apple.WebKit.WebContent.AppCacheDisabled"))
+ 
+    (with-filter (require-not (state-flag "AppCacheDisabled"))
+        (allow system-fcntl (appcache-fcntl-commands)))
+    (with-filter (state-flag "AppCacheDisabled")
+        (allow system-fcntl (with report) (with telemetry) (appcache-fcntl-commands)))
+#else
+    (allow system-fcntl (with report) (with telemetry) (appcache-fcntl-commands)))
+#endif
+
     (allow system-fcntl
         (fcntl-command F_GETPROTECTIONCLASS)
         (fcntl-command F_SETPROTECTIONCLASS))
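Review bot: The new `(fcntl-command ...)` list in the report/telemetry allow carries over two duplicated entries, F_RDADVISE and F_NOCACHE, each listed twice with a different backtrace comment; keep one entry per command and merge the comments, e.g. `F_RDADVISE ;; general reads; CoreNLP::ReadOnlyFile <- +[DDScannerService scanString:range:configuration:] <- WebCore::DictionaryLookup::rangeAtHitTestResult`. Indentation is also inconsistent: the first `(allow system-fcntl` after the deny is indented five spaces and its `(fcntl-command` seven, while the rest of the block uses four and eight. The reporting-only nature of the `AppCacheDisabled` branch is raised on the iOS profile hunk and applies here unchanged. The enclosing `(when (defined? 'system-fcntl) ...)` form starts before and ends after this hunk.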