Changeset 289566 in webkit

Timestamp:

Feb 10, 2022, 12:13:19 PM (4 years ago)

Author:

Ben Nham

Message:

Apply default sandbox to webpushd on Mac
​https://bugs.webkit.org/show_bug.cgi?id=236342

Reviewed by Per Arne Vollan.

This applies a default sandbox profile that allows and logs all operations by webpushd on
the Mac. In future patches we'll tighten the sandbox based on the sandbox logs that we
receive.

To do this, I refactored the sandbox initialization logic in AuxiliaryProcess so that it can
be called without creating an AuxiliaryProcess instance. This probably should be refactored
further (e.g. since webpushd isn't an AuxiliaryProcess, but rather a system daemon). But I
wanted to keep the amount of refactoring low for now while we're still figuring things out.

We also do not currently support compiling and caching the sandbox profiles. We'll add that
support later.

• DerivedSources-input.xcfilelist:
• DerivedSources-output.xcfilelist:
• DerivedSources.make:
• PlatformMac.cmake:
• Shared/AuxiliaryProcess.cpp:

(WebKit::applySandboxProfileForDaemon):

• Shared/AuxiliaryProcess.h:
• Shared/mac/AuxiliaryProcessMac.mm:

(WebKit::getUserDirectorySuffix):
(WebKit::populateSandboxInitializationParameters):
(WebKit::AuxiliaryProcess::initializeSandbox):
(WebKit::AuxiliaryProcess::applySandboxProfileForDaemon):

• WebKit.xcodeproj/project.pbxproj:
• webpushd/WebPushDaemonMain.mm:

(WebKit::applySandbox):
(WebKit::WebPushDaemonMain):

• webpushd/mac/com.apple.WebKit.webpushd.sb.in: Added.

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Configurations/WebKit.xcconfig (modified) (1 diff)
• DerivedSources-input.xcfilelist (modified) (1 diff)
• DerivedSources-output.xcfilelist (modified) (1 diff)
• DerivedSources.make (modified) (2 diffs)
• PlatformMac.cmake (modified) (1 diff)
• Shared/AuxiliaryProcess.cpp (modified) (1 diff)
• Shared/AuxiliaryProcess.h (modified) (1 diff)
• Shared/mac/AuxiliaryProcessMac.mm (modified) (4 diffs)
• WebKit.xcodeproj/project.pbxproj (modified) (7 diffs)
• webpushd/WebPushDaemonMain.mm (modified) (2 diffs)
• webpushd/mac (added)
• webpushd/mac/com.apple.WebKit.webpushd.sb.in (added)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-02-10  Ben Nham  <nham@apple.com>
+
+        Apply default sandbox to webpushd on Mac
+        https://bugs.webkit.org/show_bug.cgi?id=236342
+
+        Reviewed by Per Arne Vollan.
+
+        This applies a default sandbox profile that allows and logs all operations by webpushd on
+        the Mac. In future patches we'll tighten the sandbox based on the sandbox logs that we
+        receive.
+
+        To do this, I refactored the sandbox initialization logic in AuxiliaryProcess so that it can
+        be called without creating an AuxiliaryProcess instance. This probably should be refactored
+        further (e.g. since webpushd isn't an AuxiliaryProcess, but rather a system daemon). But I
+        wanted to keep the amount of refactoring low for now while we're still figuring things out.
+
+        We also do not currently support compiling and caching the sandbox profiles. We'll add that
+        support later.
+
+        * DerivedSources-input.xcfilelist:
+        * DerivedSources-output.xcfilelist:
+        * DerivedSources.make:
+        * PlatformMac.cmake:
+        * Shared/AuxiliaryProcess.cpp:
+        (WebKit::applySandboxProfileForDaemon):
+        * Shared/AuxiliaryProcess.h:
+        * Shared/mac/AuxiliaryProcessMac.mm:
+        (WebKit::getUserDirectorySuffix):
+        (WebKit::populateSandboxInitializationParameters):
+        (WebKit::AuxiliaryProcess::initializeSandbox):
+        (WebKit::AuxiliaryProcess::applySandboxProfileForDaemon):
+        * WebKit.xcodeproj/project.pbxproj:
+        * webpushd/WebPushDaemonMain.mm:
+        (WebKit::applySandbox):
+        (WebKit::WebPushDaemonMain):
+        * webpushd/mac/com.apple.WebKit.webpushd.sb.in: Added.
+
 2022-02-10  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebKit/Configurations/WebKit.xcconfig

@@ -180 +180 @@
 EXCLUDED_IOS_RESOURCE_FILE_NAMES[sdk=iphone*] = ;
 
-EXCLUDED_MACOS_PLUGIN_FILE_NAMES[sdk=iphone*] = SecItemShim.dylib WebProcessShim.dylib *.pdf Resources/mac/* com.apple.WebKit.NetworkProcess.sb com.apple.WebKit.GPUProcess.sb com.apple.WebKit.WebAuthnProcess.sb com.apple.WebProcess.sb;
+EXCLUDED_MACOS_PLUGIN_FILE_NAMES[sdk=iphone*] = SecItemShim.dylib WebProcessShim.dylib *.pdf Resources/mac/* com.apple.WebKit.NetworkProcess.sb com.apple.WebKit.GPUProcess.sb com.apple.WebKit.WebAuthnProcess.sb com.apple.WebKit.webpushd.sb com.apple.WebProcess.sb;
 
 INSTALLHDRS_SCRIPT_PHASE = YES;

trunk/Source/WebKit/DerivedSources-input.xcfilelist

@@ -249 +249 @@
 $(PROJECT_DIR)/WebProcess/cocoa/VideoFullscreenManager.messages.in
 $(PROJECT_DIR)/WebProcess/com.apple.WebProcess.sb.in
+$(PROJECT_DIR)/webpushd/mac/com.apple.WebKit.webpushd.sb.in

trunk/Source/WebKit/DerivedSources-output.xcfilelist

@@ -646 +646 @@
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.WebContent.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.plugin-common.sb
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.webpushd.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebProcess.sb
 <<<<<<< HEAD

trunk/Source/WebKit/DerivedSources.make

@@ -105 +105 @@
     $(WebKit2)/UIProcess/mac \
     $(WebKit2)/UIProcess/ios \
+    $(WebKit2)/webpushd/mac \
     $(WEBKITADDITIONS_HEADER_SEARCH_PATHS) \
 #
@@ -352 +353 @@
         com.apple.WebKit.NetworkProcess.sb \
         com.apple.WebKit.GPUProcess.sb \
-        com.apple.WebKit.WebAuthnProcess.sb
+        com.apple.WebKit.WebAuthnProcess.sb \
+        com.apple.WebKit.webpushd.sb
         
 SANDBOX_PROFILES_IOS = \

trunk/Source/WebKit/PlatformMac.cmake

@@ -839 +839 @@
         list(APPEND WebKit_SB_FILES ${WebKit_RESOURCES_DIR}/com.apple.WebKit.WebAuthnProcess.sb)
     endif ()
+    if (ENABLE_BUILT_IN_NOTIFICATIONS)
+        add_custom_command(OUTPUT ${WebKit_RESOURCES_DIR}/com.apple.WebKit.webpushd.sb COMMAND
+            grep -o "^[^;]*" ${WEBKIT_DIR}/webpushd/mac/com.apple.WebKit.webpushd.sb.in | clang -E -P -w -include wtf/Platform.h -I ${WTF_FRAMEWORK_HEADERS_DIR} -I ${bmalloc_FRAMEWORK_HEADERS_DIR} -I ${WEBKIT_DIR} - > ${WebKit_RESOURCES_DIR}/com.apple.WebKit.webpushd.sb
+            VERBATIM)
+        list(APPEND WebKit_SB_FILES ${WebKit_RESOURCES_DIR}/com.apple.WebKit.webpushd.sb)
+    endif ()
     add_custom_target(WebKitSandboxProfiles ALL DEPENDS ${WebKit_SB_FILES})
     add_dependencies(WebKit WebKitSandboxProfiles)

trunk/Source/WebKit/Shared/AuxiliaryProcess.cpp

@@ -278 +278 @@
 #endif
 
+#if !PLATFORM(MAC)
+static void applySandboxProfileForDaemon(const String&, const String&)
+{
+}
+#endif
+
 #endif // !PLATFORM(COCOA)
 

trunk/Source/WebKit/Shared/AuxiliaryProcess.h

@@ -88 +88 @@
 #endif
 
+    static void applySandboxProfileForDaemon(const String& profilePath, const String& userDirectorySuffix);
+
     IPC::Connection* parentProcessConnection() const { return m_connection.get(); }
 

trunk/Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm

@@ -638 +638 @@
 }
 
-static void initializeSandboxParameters(const AuxiliaryProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
-{
-    // Verify user directory suffix.
-    if (sandboxParameters.userDirectorySuffix().isNull()) {
-        auto userDirectorySuffix = parameters.extraInitializationData.find("user-directory-suffix");
-        if (userDirectorySuffix != parameters.extraInitializationData.end()) {
-            String suffix = userDirectorySuffix->value;
-            auto firstPathSeparator = suffix.find("/");
-            if (firstPathSeparator != notFound)
-                suffix.truncate(firstPathSeparator);
-            sandboxParameters.setUserDirectorySuffix(suffix);
-        } else {
-            String clientIdentifier = codeSigningIdentifier(parameters.connectionIdentifier.xpcConnection.get());
-            if (clientIdentifier.isNull())
-                clientIdentifier = parameters.clientIdentifier;
-            sandboxParameters.setUserDirectorySuffix(makeString([[NSBundle mainBundle] bundleIdentifier], '+', clientIdentifier));
-        }
-    }
+static String getUserDirectorySuffix(const AuxiliaryProcessInitializationParameters& parameters)
+{
+    auto userDirectorySuffix = parameters.extraInitializationData.find("user-directory-suffix");
+    if (userDirectorySuffix != parameters.extraInitializationData.end()) {
+        String suffix = userDirectorySuffix->value;
+        auto firstPathSeparator = suffix.find("/");
+        if (firstPathSeparator != notFound)
+            suffix.truncate(firstPathSeparator);
+        return suffix;
+    }
+
+    String clientIdentifier = codeSigningIdentifier(parameters.connectionIdentifier.xpcConnection.get());
+    if (clientIdentifier.isNull())
+        clientIdentifier = parameters.clientIdentifier;
+    return makeString([[NSBundle mainBundle] bundleIdentifier], '+', clientIdentifier);
+}
+
+static void populateSandboxInitializationParameters(SandboxInitializationParameters& sandboxParameters)
+{
+    RELEASE_ASSERT(!sandboxParameters.userDirectorySuffix().isNull());
 
     String osSystemMarketingVersion = systemMarketingVersion();
@@ -715 +717 @@
 
 #if USE(CACHE_COMPILED_SANDBOX)
-    // This must be called before initializeSandboxParameters so that the path does not include the user directory suffix.
+    // This must be called before populateSandboxInitializationParameters so that the path does not include the user directory suffix.
     // We don't want the user directory suffix because we want all processes of the same type to use the same cache directory.
     String dataVaultParentDirectory { sandboxDataVaultParentDirectory() };
@@ -728 +730 @@
     sandboxParameters.addParameter("ENABLE_SANDBOX_MESSAGE_FILTER", enableMessageFilter ? "YES" : "NO");
 
-    initializeSandboxParameters(parameters, sandboxParameters);
+    if (sandboxParameters.userDirectorySuffix().isNull())
+        sandboxParameters.setUserDirectorySuffix(getUserDirectorySuffix(parameters));
+
+    populateSandboxInitializationParameters(sandboxParameters);
 
     if (!applySandbox(parameters, sandboxParameters, dataVaultParentDirectory)) {
@@ -745 +750 @@
 }
 
+void AuxiliaryProcess::applySandboxProfileForDaemon(const String& profilePath, const String& userDirectorySuffix)
+{
+    TraceScope traceScope(InitializeSandboxStart, InitializeSandboxEnd);
+
+    SandboxInitializationParameters parameters { };
+    parameters.setOverrideSandboxProfilePath(profilePath);
+    parameters.setUserDirectorySuffix(userDirectorySuffix);
+    populateSandboxInitializationParameters(parameters);
+
+    String profileOrProfilePath;
+    bool isProfilePath;
+    getSandboxProfileOrProfilePath(parameters, profileOrProfilePath, isProfilePath);
+    RELEASE_ASSERT(!profileOrProfilePath.isEmpty());
+
+    bool success = compileAndApplySandboxSlowCase(profileOrProfilePath, isProfilePath, parameters);
+    RELEASE_ASSERT(success);
+}
+
 #if USE(APPKIT)
 void AuxiliaryProcess::stopNSAppRunLoop()

trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj

@@ -2012 +2012 @@
                 EB36B16827A7B4500050E00D /* PushService.h in Headers */ = {isa = PBXBuildFile; fileRef = EB36B16627A7B4500050E00D /* PushService.h */; };
                 EB36B16927A7B4500050E00D /* PushService.mm in Sources */ = {isa = PBXBuildFile; fileRef = EB36B16727A7B4500050E00D /* PushService.mm */; };
+                EB7D252B27B31B77009CB586 /* com.apple.WebKit.webpushd.sb in Resources */ = {isa = PBXBuildFile; fileRef = EB7D252A27B31B3F009CB586 /* com.apple.WebKit.webpushd.sb */; };
                 EBA8D3AB27A5E31300CB7900 /* ApplePushServiceSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = EBA8D3AA27A5E31300CB7900 /* ApplePushServiceSPI.h */; };
                 EBA8D3B227A5E33F00CB7900 /* ApplePushServiceConnection.mm in Sources */ = {isa = PBXBuildFile; fileRef = EBA8D3AC27A5E33E00CB7900 /* ApplePushServiceConnection.mm */; };
@@ -6507 +6508 @@
                 EB36B16627A7B4500050E00D /* PushService.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PushService.h; sourceTree = "<group>"; };
                 EB36B16727A7B4500050E00D /* PushService.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = PushService.mm; sourceTree = "<group>"; };
+                EB7D252927B316A6009CB586 /* com.apple.WebKit.webpushd.sb.in */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.webpushd.sb.in; sourceTree = "<group>"; };
+                EB7D252A27B31B3F009CB586 /* com.apple.WebKit.webpushd.sb */ = {isa = PBXFileReference; lastKnownFileType = file; name = com.apple.WebKit.webpushd.sb; path = DerivedSources/WebKit/com.apple.WebKit.webpushd.sb; sourceTree = BUILT_PRODUCTS_DIR; };
                 EBA8D3AA27A5E31300CB7900 /* ApplePushServiceSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ApplePushServiceSPI.h; sourceTree = "<group>"; };
                 EBA8D3AC27A5E33E00CB7900 /* ApplePushServiceConnection.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ApplePushServiceConnection.mm; sourceTree = "<group>"; };
@@ -10161 +10164 @@
                         isa = PBXGroup;
                         children = (
+                                EB7D252827B316A6009CB586 /* mac */,
                                 517B5F63275A8D5C002DC22D /* webpushtool */,
                                 5160E954274B887100567388 /* AppBundleRequest.h */,
@@ -12095 +12099 @@
                                 572EBBC32536AB84000552B3 /* com.apple.WebKit.WebAuthnProcess.sb */,
                                 E30CFB9D2660663C0094D9C0 /* com.apple.WebKit.WebContent.sb */,
+                                EB7D252A27B31B3F009CB586 /* com.apple.WebKit.webpushd.sb */,
                                 E1967E37150AB5E200C73169 /* com.apple.WebProcess.sb */,
                                 1AB7D6171288B9D900CFD08C /* DownloadProxyMessageReceiver.cpp */,
@@ -12741 +12746 @@
                         );
                         path = cache;
+                        sourceTree = "<group>";
+                };
+                EB7D252827B316A6009CB586 /* mac */ = {
+                        isa = PBXGroup;
+                        children = (
+                                EB7D252927B316A6009CB586 /* com.apple.WebKit.webpushd.sb.in */,
+                        );
+                        path = mac;
                         sourceTree = "<group>";
                 };
@@ -13432 +13445 @@
                                 570AB8F320AE3BD700B8BE87 /* SecKeyProxyStore.h in Headers */,
                                 514D9F5719119D35000063A7 /* ServicesController.h in Headers */,
+                                5164658027A9C77400E1F2BA /* ServiceWorkerNotificationHandler.h in Headers */,
                                 1AFDE65A1954A42B00C48FFA /* SessionState.h in Headers */,
                                 1A002D49196B345D00B9AD44 /* SessionStateCoding.h in Headers */,
@@ -14644 +14658 @@
                                 E17AE2C316B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb in Resources */,
                                 572EBBC42536AB84000552B3 /* com.apple.WebKit.WebAuthnProcess.sb in Resources */,
+                                EB7D252B27B31B77009CB586 /* com.apple.WebKit.webpushd.sb in Resources */,
                                 E11D35AE16B63D1B006D23D7 /* com.apple.WebProcess.sb in Resources */,
                                 6BE969C11E54D452008B7483 /* corePrediction_model in Resources */,

trunk/Source/WebKit/webpushd/WebPushDaemonMain.mm

@@ -27 +27 @@
 #import "WebPushDaemonMain.h"
 
+#import "AuxiliaryProcess.h"
 #import "DaemonConnection.h"
 #import "DaemonDecoder.h"
@@ -72 +73 @@
 namespace WebKit {
 
+static void applySandbox()
+{
+#if PLATFORM(MAC)
+    NSBundle *bundle = [NSBundle bundleWithIdentifier:@"com.apple.WebKit"];
+    auto profilePath = makeString(String([bundle resourcePath]), "/com.apple.WebKit.webpushd.sb");
+    AuxiliaryProcess::applySandboxProfileForDaemon(profilePath, "com.apple.webkit.webpushd"_s);
+#endif
+}
+
 int WebPushDaemonMain(int argc, char** argv)
 {
     @autoreleasepool {
         WTF::initializeMainThread();
+
+        applySandbox();
 
 #if !LOG_DISABLED || !RELEASE_LOG_DISABLED