Changeset 199401 in webkit
- Timestamp:
- Apr 12, 2016 7:29:23 PM (8 years ago)
- Location:
- trunk/Source/WebKit2
- Files:
-
- 2 added
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebKit2/ChangeLog
r199399 r199401 1 2016-04-12 Daniel Bates <dabates@apple.com> 2 3 REGRESSION (r198933): Unable to login to Google account from Internet Accounts preference pane 4 https://bugs.webkit.org/show_bug.cgi?id=156447 5 <rdar://problem/25628133> 6 7 Reviewed by Darin Adler. 8 9 Reverts the workaround landed in r199301 and teaches ProcessLauncherMac to use the code 10 signing identifier of the UI process as the client-identifier if it is signed. Otherwise, 11 we fall back to using the main bundle identifier or _NSGetProgname() depending on whether 12 the UI process has an associated app bundle. 13 14 * PlatformMac.cmake: Add file Shared/mac/CodeSigning.mm. 15 * Shared/mac/ChildProcessMac.mm: 16 (WebKit::ChildProcess::initializeSandbox): 17 (WebKit::codeSigningIdentifierForProcess): Deleted; moved from here to file Shared/mac/CodeSigning.mm. 18 * Shared/mac/CodeSigning.h: Added. 19 * Shared/mac/CodeSigning.mm: Added. 20 (WebKit::secCodeForCurrentProcess): Added. 21 (WebKit::secCodeForProcess): Added. 22 (WebKit::secCodeSigningInformation): Added. 23 (WebKit::appleSignedOrMacAppStoreSignedOrAppleDeveloperSignedRequirement): Added. 24 (WebKit::secCodeSigningIdentifier): Added. 25 (WebKit::codeSigningIdentifier): Returns the code signing identifier for the current process. 26 (WebKit::codeSigningIdentifierForProcess): Moved from file Shared/mac/ChildProcessMac.mm. Extracted logic 27 into various helper functions (above) so that it can be shared with WebKit::codeSigningIdentifier() as 28 well as to improve the readability of the code. Removed the OSStatus out argument that was used by callers 29 for logging purposes and moved such logging responsibility into WebKit::secCodeSigningIdentifier() as 30 a release assertion message since we always want to log this error when code signing validation fails. We 31 use a release assertion to cause a noticeable crash because we such failures should not occur and if they 32 do then we want to see crash reports so that we can handle such failures. Using a release assertion for 33 validation failures also simplifies the possible return values of this function as such failures represented 34 the only case where this function would return an empty string. We now return either a null string or a non- 35 empty string. We return a null string when the specified process is either unsigned or signed by a third-party; 36 otherwise, we return a non-empty string that represents the code signing identifier. 37 * UIProcess/Launcher/mac/ProcessLauncherMac.mm: 38 (WebKit::connectToService): Use the code signing identifier for the client-identifier if we have one (e.g. 39 we are signed app). If we do not have a code signing identifier then take client-identifier to be the 40 bundle identifier of our main bundle. Failing that we take client-identifier to be _NSGetProgname(). 41 * WebKit2.xcodeproj/project.pbxproj: Add files Shared/mac/CodeSigning.{h, mm}. 42 1 43 2016-04-12 Enrica Casucci <enrica@apple.com> 2 44 -
trunk/Source/WebKit2/PlatformMac.cmake
r199257 r199401 123 123 Shared/mac/AttributedString.mm 124 124 Shared/mac/ChildProcessMac.mm 125 Shared/mac/CodeSigning.mm 125 126 Shared/mac/ColorSpaceData.mm 126 127 Shared/mac/CookieStorageShim.mm -
trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm
r199301 r199401 29 29 #import "ChildProcess.h" 30 30 31 #import "CodeSigning.h" 31 32 #import "SandboxInitializationParameters.h" 32 33 #import "WebKitSystemInterface.h" … … 39 40 #import <stdlib.h> 40 41 #import <sysexits.h> 41 #import <wtf/cf/TypeCastsCF.h>42 42 #import <wtf/spi/darwin/SandboxSPI.h> 43 43 … … 77 77 initializeTimerCoalescingPolicy(); 78 78 [[NSFileManager defaultManager] changeCurrentDirectoryPath:[[NSBundle mainBundle] bundlePath]]; 79 }80 81 static String codeSigningIdentifierForProcess(pid_t pid, OSStatus& errorCode)82 {83 RetainPtr<CFNumberRef> pidCFNumber = adoptCF(CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &pid));84 const void* keys[] = { kSecGuestAttributePid };85 const void* values[] = { pidCFNumber.get() };86 RetainPtr<CFDictionaryRef> attributes = adoptCF(CFDictionaryCreate(kCFAllocatorDefault, keys, values, WTF_ARRAY_LENGTH(keys), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));87 SecCodeRef code = nullptr;88 if ((errorCode = SecCodeCopyGuestWithAttributes(nullptr, attributes.get(), kSecCSDefaultFlags, &code)))89 return String();90 RetainPtr<SecCodeRef> codePtr = adoptCF(code);91 RELEASE_ASSERT(codePtr);92 93 CFStringRef macAppStoreSignedOrAppleDeveloperSignedRequirement = CFSTR("(anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9]) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13])");94 SecRequirementRef signingRequirement = nullptr;95 RELEASE_ASSERT(!SecRequirementCreateWithString(macAppStoreSignedOrAppleDeveloperSignedRequirement, kSecCSDefaultFlags, &signingRequirement));96 RetainPtr<SecRequirementRef> signingRequirementPtr = adoptCF(signingRequirement);97 errorCode = SecCodeCheckValidity(codePtr.get(), kSecCSDefaultFlags, signingRequirementPtr.get());98 if (errorCode == errSecCSUnsigned || errorCode == errSecCSReqFailed)99 return String(); // Unsigned, signed by Apple, or signed by a third-party100 if (errorCode != errSecSuccess)101 return emptyString(); // e.g. invalid/malformed signature102 String codeSigningIdentifier;103 CFDictionaryRef signingInfo = nullptr;104 RELEASE_ASSERT(!SecCodeCopySigningInformation(codePtr.get(), kSecCSDefaultFlags, &signingInfo));105 RetainPtr<CFDictionaryRef> signingInfoPtr = adoptCF(signingInfo);106 if (CFDictionaryRef plist = dynamic_cf_cast<CFDictionaryRef>(CFDictionaryGetValue(signingInfoPtr.get(), kSecCodeInfoPList)))107 codeSigningIdentifier = String(dynamic_cf_cast<CFStringRef>(CFDictionaryGetValue(plist, kCFBundleIdentifierKey)));108 else109 codeSigningIdentifier = String(dynamic_cf_cast<CFStringRef>(CFDictionaryGetValue(signingInfoPtr.get(), kSecCodeInfoIdentifier)));110 RELEASE_ASSERT(!codeSigningIdentifier.isEmpty());111 return codeSigningIdentifier;112 79 } 113 80 … … 211 178 if (willUseUserDirectorySuffixInitializationParameter) 212 179 return; 213 error = noErr; 214 String clientCodeSigningIdentifier = codeSigningIdentifierForProcess(xpc_connection_get_pid(parameters.connectionIdentifier.xpcConnection.get()), error); 180 String clientCodeSigningIdentifier = codeSigningIdentifierForProcess(xpc_connection_get_pid(parameters.connectionIdentifier.xpcConnection.get())); 215 181 bool isClientCodeSigned = !clientCodeSigningIdentifier.isNull(); 216 182 if (isClientCodeSigned && clientCodeSigningIdentifier != parameters.clientIdentifier) { 217 WTFLogAlways("%s: Code signing identifier of client differs from passed client identifier : %ld\n", getprogname(), static_cast<long>(error));183 WTFLogAlways("%s: Code signing identifier of client differs from passed client identifier.\n", getprogname()); 218 184 exit(EX_NOPERM); 219 185 } -
trunk/Source/WebKit2/UIProcess/Launcher/mac/ProcessLauncherMac.mm
r196661 r199401 45 45 #import <wtf/text/WTFString.h> 46 46 47 #if PLATFORM(MAC) 48 #import "CodeSigning.h" 49 #endif 50 47 51 namespace WebKit { 48 52 … … 137 141 mach_port_insert_right(mach_task_self(), listeningPort, listeningPort, MACH_MSG_TYPE_MAKE_SEND); 138 142 139 NSString *bundleIdentifier = [[NSBundle mainBundle] bundleIdentifier]; 140 CString clientIdentifier = bundleIdentifier ? String([[NSBundle mainBundle] bundleIdentifier]).utf8() : *_NSGetProgname(); 143 String clientIdentifier; 144 #if PLATFORM(MAC) 145 clientIdentifier = codeSigningIdentifier(); 146 #endif 147 if (clientIdentifier.isNull()) 148 clientIdentifier = [[NSBundle mainBundle] bundleIdentifier]; 141 149 142 150 // FIXME: Switch to xpc_connection_set_bootstrap once it's available everywhere we need. … … 147 155 mach_port_deallocate(mach_task_self(), listeningPort); 148 156 149 xpc_dictionary_set_string(bootstrapMessage.get(), "client-identifier", clientIdentifier.data());157 xpc_dictionary_set_string(bootstrapMessage.get(), "client-identifier", !clientIdentifier.isEmpty() ? clientIdentifier.utf8().data() : *_NSGetProgname()); 150 158 xpc_dictionary_set_string(bootstrapMessage.get(), "ui-process-name", [[[NSProcessInfo processInfo] processName] UTF8String]); 151 159 -
trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj
r199311 r199401 1712 1712 CDCA85C8132ABA4E00E961DF /* WKFullScreenWindowController.mm in Sources */ = {isa = PBXBuildFile; fileRef = CDCA85C6132ABA4E00E961DF /* WKFullScreenWindowController.mm */; }; 1713 1713 CDCA85C9132ABA4E00E961DF /* WKFullScreenWindowController.h in Headers */ = {isa = PBXBuildFile; fileRef = CDCA85C7132ABA4E00E961DF /* WKFullScreenWindowController.h */; }; 1714 CE11AD501CBC47F800681EE5 /* CodeSigning.mm in Sources */ = {isa = PBXBuildFile; fileRef = CE11AD4F1CBC47F800681EE5 /* CodeSigning.mm */; }; 1715 CE11AD521CBC482F00681EE5 /* CodeSigning.h in Headers */ = {isa = PBXBuildFile; fileRef = CE11AD511CBC482F00681EE5 /* CodeSigning.h */; }; 1714 1716 CE1A0BD21A48E6C60054EF74 /* AssertionServicesSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CE1A0BCC1A48E6C60054EF74 /* AssertionServicesSPI.h */; }; 1715 1717 CE1A0BD31A48E6C60054EF74 /* CorePDFSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CE1A0BCD1A48E6C60054EF74 /* CorePDFSPI.h */; }; … … 3787 3789 CDCA85C7132ABA4E00E961DF /* WKFullScreenWindowController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKFullScreenWindowController.h; sourceTree = "<group>"; }; 3788 3790 CDCA85D4132AC2B300E961DF /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = /System/Library/Frameworks/IOKit.framework; sourceTree = "<absolute>"; }; 3791 CE11AD4F1CBC47F800681EE5 /* CodeSigning.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = CodeSigning.mm; sourceTree = "<group>"; }; 3792 CE11AD511CBC482F00681EE5 /* CodeSigning.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CodeSigning.h; sourceTree = "<group>"; }; 3789 3793 CE1A0BCC1A48E6C60054EF74 /* AssertionServicesSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AssertionServicesSPI.h; sourceTree = "<group>"; }; 3790 3794 CE1A0BCD1A48E6C60054EF74 /* CorePDFSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CorePDFSPI.h; sourceTree = "<group>"; }; … … 6224 6228 E1A31734134CEA80007C9A4F /* AttributedString.mm */, 6225 6229 9F54F88E16488E87007DF81A /* ChildProcessMac.mm */, 6230 CE11AD511CBC482F00681EE5 /* CodeSigning.h */, 6231 CE11AD4F1CBC47F800681EE5 /* CodeSigning.mm */, 6226 6232 1A2A4AFE158693920090C9E9 /* ColorSpaceData.h */, 6227 6233 1A2A4AFD158693920090C9E9 /* ColorSpaceData.mm */, … … 7320 7326 E1513C67166EABB200149FCB /* ChildProcessProxy.h in Headers */, 7321 7327 290F4272172A0C7400939FF0 /* ChildProcessSupplement.h in Headers */, 7328 CE11AD521CBC482F00681EE5 /* CodeSigning.h in Headers */, 7322 7329 1A6F9F9011E13EFC00DB1371 /* CommandLine.h in Headers */, 7323 7330 37BEC4E119491486008B4286 /* CompletionHandlerCallChecker.h in Headers */, … … 8762 8769 51FAEC3B1B0657680009C4E7 /* ChildProcessMessageReceiver.cpp in Sources */, 8763 8770 E1513C66166EABB200149FCB /* ChildProcessProxy.cpp in Sources */, 8771 CE11AD501CBC47F800681EE5 /* CodeSigning.mm in Sources */, 8764 8772 1A2A4B0E1586A2240090C9E9 /* ColorSpaceData.mm in Sources */, 8765 8773 1A6F9FB711E1408500DB1371 /* CommandLinePOSIX.cpp in Sources */,
Note: See TracChangeset
for help on using the changeset viewer.