Changeset 194660 in webkit
- Timestamp:
- Jan 6, 2016 1:15:35 PM (8 years ago)
- Location:
- trunk/Source/WebKit2
- Files:
-
- 2 edited
trunk/Source/WebKit2/ChangeLog
r194646 r194660 1 2016-01-06 Daniel Bates <dabates@apple.com> 2 3 Use code signed identifier as part of user directory suffix 4 https://bugs.webkit.org/show_bug.cgi?id=152310 5 <rdar://problem/13352225> 6 7 Reviewed by Brent Fulgham. 8 9 * Shared/mac/ChildProcessMac.mm: 10 (WebKit::findSecCodeForProcess): Added. 11 (WebKit::ChildProcess::initializeSandbox): Modified to use an identifier 12 from the code signature of the app/tool as part of the user directory suffix. 13 1 14 2016-01-06 Brian Burg <bburg@apple.com> 2 15 -
trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm
r193783 r194660 1 1 /* 2 * Copyright (C) 2012 Apple Inc. All rights reserved.2 * Copyright (C) 2012, 2015 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 39 39 #import <stdlib.h> 40 40 #import <sysexits.h> 41 #import <wtf/cf/TypeCastsCF.h> 41 42 #import <wtf/spi/darwin/SandboxSPI.h> 42 43 … … 78 79 initializeTimerCoalescingPolicy(); 79 80 [[NSFileManager defaultManager] changeCurrentDirectoryPath:[[NSBundle mainBundle] bundlePath]]; 81 } 82 83 static RetainPtr<SecCodeRef> findSecCodeForProcess(pid_t pid) 84 { 85 RetainPtr<CFNumberRef> pidCFNumber = adoptCF(CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &pid)); 86 const void* keys[] = { kSecGuestAttributePid }; 87 const void* values[] = { pidCFNumber.get() }; 88 RetainPtr<CFDictionaryRef> attributes = adoptCF(CFDictionaryCreate(kCFAllocatorDefault, keys, values, WTF_ARRAY_LENGTH(keys), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); 89 SecCodeRef code = nullptr; 90 if (SecCodeCopyGuestWithAttributes(nullptr, attributes.get(), kSecCSDefaultFlags, &code)) 91 return nullptr; 92 return adoptCF(code); 80 93 } 81 94 … … 90 103 sandboxParameters.setUserDirectorySuffix([makeString(userDirectorySuffix->value, '/', String([[NSBundle mainBundle] bundleIdentifier])) fileSystemRepresentation]); 91 104 else { 92 String defaultUserDirectorySuffix = makeString(String([[NSBundle mainBundle] bundleIdentifier]), '+', parameters.clientIdentifier); 93 sandboxParameters.setUserDirectorySuffix(defaultUserDirectorySuffix); 105 String clientIdentifierToUse; 106 RetainPtr<SecCodeRef> code = findSecCodeForProcess(xpc_connection_get_pid(parameters.connectionIdentifier.xpcConnection.get())); 107 RELEASE_ASSERT(code); 108 109 CFStringRef appleSignedOrMacAppStoreSignedOrAppleDeveloperSignedRequirement = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9]) or (anchor apple generic and certificate 
1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13])"); 110 SecRequirementRef signingRequirement; 111 OSStatus status = SecRequirementCreateWithString(appleSignedOrMacAppStoreSignedOrAppleDeveloperSignedRequirement, kSecCSDefaultFlags, &signingRequirement); 112 RELEASE_ASSERT(status == errSecSuccess); 113 114 status = SecCodeCheckValidity(code.get(), kSecCSDefaultFlags, signingRequirement); 115 if (status == errSecSuccess) { 116 CFDictionaryRef signingInfo = nullptr; 117 if (!SecCodeCopySigningInformation(code.get(), kSecCSDefaultFlags, &signingInfo)) { 118 if (CFDictionaryRef plist = dynamic_cf_cast<CFDictionaryRef>(CFDictionaryGetValue(signingInfo, kSecCodeInfoPList))) 119 clientIdentifierToUse = String(dynamic_cf_cast<CFStringRef>(CFDictionaryGetValue(plist, kCFBundleIdentifierKey))); 120 else 121 clientIdentifierToUse = String(dynamic_cf_cast<CFStringRef>(CFDictionaryGetValue(signingInfo, kSecCodeInfoIdentifier))); 122 CFRelease(signingInfo); 123 } 124 } else { 125 // Unsigned, signed by a third party, or has an invalid/malformed signature 126 clientIdentifierToUse = parameters.clientIdentifier; 127 } 128 CFRelease(signingRequirement); 129 if (clientIdentifierToUse.isEmpty()) { 130 WTFLogAlways("%s: Couldn't get code signed identifier for client: %d\n", getprogname(), status); 131 exit(EX_NOPERM); 132 } 133 sandboxParameters.setUserDirectorySuffix(makeString(String([[NSBundle mainBundle] bundleIdentifier]), '+', clientIdentifierToUse)); 94 134 } 95 135 }
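Review bot: The client's code object is looked up by PID (`findSecCodeForProcess(xpc_connection_get_pid(...))` with `kSecGuestAttributePid`), and a PID can be reused before `SecCodeCopyGuestWithAttributes` runs, so the signature that gets validated is not guaranteed to belong to the process that opened the XPC connection. If the connection's audit token is obtainable here, keying the lookup on `kSecGuestAttributeAudit` would bind the check to that exact process instance. In the else branch, every `SecCodeCheckValidity` failure falls back to `parameters.clientIdentifier`, which appears to be supplied by the client, and it is joined into the same `bundleIdentifier + '+' + identifier` suffix as a verified identifier; marking unverified suffixes distinctly would keep a self-declared name from matching a code-signed one. The `WTFLogAlways` call prints `status`, which is still `errSecSuccess` when `SecCodeCopySigningInformation` is the call that failed, so I would write `status = SecCodeCopySigningInformation(code.get(), kSecCSDefaultFlags, &signingInfo);` and test `status == errSecSuccess`. The body of `ChildProcess::initializeSandbox` starts and ends outside this hunk.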