Changeset 261238 in webkit


Ignore:
Timestamp:
May 6, 2020, 10:32:01 AM (5 years ago)
Author:
Brent Fulgham
Message:

[MacCatalyst] Processes should check for network entitlement as we do for macOS apps
https://bugs.webkit.org/show_bug.cgi?id=211474
<rdar://problem/61182060>

Reviewed by Alexey Proskuryakov.

We should make the same entitlement checks in MacCatalyst as we do for macOS.

  • Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm:

(WebKit::XPCServiceInitializerDelegate::checkEntitlements):

Location:
trunk/Source/WebKit
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebKit/ChangeLog

    r261232 r261238  
     12020-05-06  Brent Fulgham  <bfulgham@apple.com>
     2
     3        [MacCatalyst] Processes should check for network entitlement as we do for macOS apps
     4        https://bugs.webkit.org/show_bug.cgi?id=211474
     5        <rdar://problem/61182060>
     6
     7        Reviewed by Alexey Proskuryakov.
     8
     9        We should make the same entitlement checks in MacCatalyst as we do for macOS.
     10
     11        * Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm:
     12        (WebKit::XPCServiceInitializerDelegate::checkEntitlements):
     13
    1142020-05-06  Darin Adler  <darin@apple.com>
    215

  • trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm

    r243880 r261238  
    11/*
    2  * Copyright (C) 2013 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    3131#import <WebCore/ProcessIdentifier.h>
    3232#import <wtf/cocoa/Entitlements.h>
     33#import <wtf/spi/darwin/SandboxSPI.h>
    3334
    3435namespace WebKit {
     
    4142bool XPCServiceInitializerDelegate::checkEntitlements()
    4243{
    43 #if PLATFORM(MAC)
    44     if (!isClientSandboxed())
    45         return true;
    46 
    47     // FIXME: Once we're 100% sure that a process can't access the network we can get rid of this requirement for all processes.
    48     if (!hasEntitlement("com.apple.security.network.client")) {
    49         NSLog(@"Application does not have the 'com.apple.security.network.client' entitlement.");
    50         return false;
     44#if PLATFORM(MAC) || PLATFORM(MACCATALYST)
     45    if (isClientSandboxed()) {
     46        audit_token_t auditToken = { };
     47        xpc_connection_get_audit_token(m_connection.get(), &auditToken);
     48        if (auto rc = sandbox_check_by_audit_token(auditToken, "mach-lookup", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_GLOBAL_NAME | SANDBOX_CHECK_NO_REPORT), "com.apple.nsurlsessiond")) {
     49            // FIXME (rdar://problem/54178641): This requirement is too strict, it should be possible to load file:// resources without network access.
     50            NSLog(@"Application does not have permission to communicate with network resources. rc=%d : errno=%d", rc, errno);
     51            return false;
     52        }
    5153    }
    5254#endif
Note: See TracChangeset for help on using the changeset viewer.