Changeset 228589 in webkit

Timestamp:

Feb 16, 2018 4:46:52 PM (6 years ago)

Author:

rniwa@webkit.org

Message:

Add an entitlement check for service worker on iOS
​https://bugs.webkit.org/show_bug.cgi?id=182865
<rdar://problem/37505903>

Reviewed by Brady Eidson.

Source/WebKit:

Added an entitlement check to enable service workers on iOS.

• Shared/mac/SandboxUtilities.h:
• Shared/mac/SandboxUtilities.mm:

(WebKit::connectedProcessHasEntitlement): Added.

• StorageProcess/StorageProcess.cpp:

(WebKit::StorageProcess::createStorageToWebProcessConnection): Enforce the entitlement check by crashing
when this code is executed without the parent process having the service worker entitlement. This should
never happen unless someone is trying to bypass the entitlement check in UI Process since we ordinarily
disable service worker gracefully in WKWebView _initializeWithConfiguration.
(WebKit::StorageProcess::swServerForSession): Ditto.
(WebKit::StorageProcess::registerSWServerConnection): Ditto.

• StorageProcess/StorageProcess.h:

(WebKit::StorageProcess::parentProcessHasServiceWorkerEntitlement const): Added.

• StorageProcess/ios/StorageProcessIOS.mm:

(WebKit::StorageProcess::parentProcessHasServiceWorkerEntitlement const): Added.

• UIProcess/API/Cocoa/WKWebView.mm:

(-[WKWebView _initializeWithConfiguration:]): Disable the service workers when the entitlement is
missing from the current process. The entitlement is enforced by WebContent and Storage process.
This check avoids crashing WebContent process and gracefully disabling the feature.

• WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::updatePreferences): Enforce the entitlement check.

• WebProcess/WebPage/WebPage.h:

(WebKit::WebPage::parentProcessHasServiceWorkerEntitlement const): Added.

• WebProcess/WebPage/ios/WebPageIOS.mm:

(WebKit::WebPage::parentProcessHasServiceWorkerEntitlement const): Added.

Tools:

Added the service worker entitlements to WebKitTestRunner and TestWebKitAPI on iOS.

• TestWebKitAPI/Configurations/TestWebKitAPI-iOS.entitlements:
• WebKitTestRunner/Configurations/WebKitTestRunnerApp-iOS.entitlements:
• WebKitTestRunner/Configurations/WebKitTestRunnerApp.xcconfig:
• WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj:

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Shared/mac/SandboxUtilities.h (modified) (1 diff)
• Source/WebKit/Shared/mac/SandboxUtilities.mm (modified) (1 diff)
• Source/WebKit/StorageProcess/StorageProcess.cpp (modified) (3 diffs)
• Source/WebKit/StorageProcess/StorageProcess.h (modified) (1 diff)
• Source/WebKit/StorageProcess/ios/StorageProcessIOS.mm (modified) (2 diffs)
• Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm (modified) (2 diffs)
• Source/WebKit/WebProcess/WebPage/WebPage.cpp (modified) (1 diff)
• Source/WebKit/WebProcess/WebPage/WebPage.h (modified) (1 diff)
• Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Configurations/TestWebKitAPI-iOS.entitlements (modified) (1 diff)
• Tools/WebKitTestRunner/Configurations/WebKitTestRunnerApp-iOS.entitlements (added)
• Tools/WebKitTestRunner/Configurations/WebKitTestRunnerApp.xcconfig (modified) (1 diff)
• Tools/WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj (modified) (2 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-02-16  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Add an entitlement check for service worker on iOS
+        https://bugs.webkit.org/show_bug.cgi?id=182865
+        <rdar://problem/37505903>
+
+        Reviewed by Brady Eidson.
+
+        Added an entitlement check to enable service workers on iOS.
+
+        * Shared/mac/SandboxUtilities.h:
+        * Shared/mac/SandboxUtilities.mm:
+        (WebKit::connectedProcessHasEntitlement): Added.
+        * StorageProcess/StorageProcess.cpp:
+        (WebKit::StorageProcess::createStorageToWebProcessConnection): Enforce the entitlement check by crashing
+        when this code is executed without the parent process having the service worker entitlement. This should
+        never happen unless someone is trying to bypass the entitlement check in UI Process since we ordinarily
+        disable service worker gracefully in WKWebView _initializeWithConfiguration.
+        (WebKit::StorageProcess::swServerForSession): Ditto.
+        (WebKit::StorageProcess::registerSWServerConnection): Ditto.
+        * StorageProcess/StorageProcess.h:
+        (WebKit::StorageProcess::parentProcessHasServiceWorkerEntitlement const): Added.
+        * StorageProcess/ios/StorageProcessIOS.mm:
+        (WebKit::StorageProcess::parentProcessHasServiceWorkerEntitlement const): Added.
+        * UIProcess/API/Cocoa/WKWebView.mm:
+        (-[WKWebView _initializeWithConfiguration:]): Disable the service workers when the entitlement is
+        missing from the current process. The entitlement is enforced by WebContent and Storage process.
+        This check avoids crashing WebContent process and gracefully disabling the feature.
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::updatePreferences): Enforce the entitlement check.
+        * WebProcess/WebPage/WebPage.h:
+        (WebKit::WebPage::parentProcessHasServiceWorkerEntitlement const): Added.
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::WebPage::parentProcessHasServiceWorkerEntitlement const): Added.
+
 2018-02-16  Youenn Fablet  <youenn@apple.com>
 

trunk/Source/WebKit/Shared/mac/SandboxUtilities.h

@@ -40 +40 @@
 
 bool processHasEntitlement(NSString *entitlement);
+bool connectedProcessHasEntitlement(xpc_connection_t, NSString *entitlement);
 
 }

trunk/Source/WebKit/Shared/mac/SandboxUtilities.mm

@@ -93 +93 @@
 }
 
+bool connectedProcessHasEntitlement(xpc_connection_t connection, NSString *entitlement)
+{
+    audit_token_t token;
+    xpc_connection_get_audit_token(connection, &token);
+    auto task = adoptCF(SecTaskCreateWithAuditToken(NULL, token));
+
+    auto value = adoptCF(SecTaskCopyValueForEntitlement(task.get(), (__bridge CFStringRef)entitlement, nullptr));
+    if (!value)
+        return false;
+
+    if (CFGetTypeID(value.get()) != CFBooleanGetTypeID())
+        return false;
+
+    return CFBooleanGetValue(static_cast<CFBooleanRef>(value.get()));
 }
+
+}

trunk/Source/WebKit/StorageProcess/StorageProcess.cpp

@@ -255 +255 @@
 #if ENABLE(SERVICE_WORKER)
     if (isServiceWorkerProcess && !m_storageToWebProcessConnections.isEmpty()) {
+        RELEASE_ASSERT(parentProcessHasServiceWorkerEntitlement());
         ASSERT(m_waitingForServerToContextProcessConnection);
         m_serverToContextConnection = WebSWServerToContextConnection::create(m_storageToWebProcessConnections.last()->connection());
@@ -405 +406 @@
 SWServer& StorageProcess::swServerForSession(PAL::SessionID sessionID)
 {
+    RELEASE_ASSERT(parentProcessHasServiceWorkerEntitlement());
     ASSERT(sessionID.isValid());
     auto result = m_swServers.add(sessionID, nullptr);
@@ -493 +495 @@
 void StorageProcess::registerSWServerConnection(WebSWServerConnection& connection)
 {
+    RELEASE_ASSERT(parentProcessHasServiceWorkerEntitlement());
     ASSERT(!m_swServerConnections.contains(connection.identifier()));
     m_swServerConnections.add(connection.identifier(), &connection);

trunk/Source/WebKit/StorageProcess/StorageProcess.h

@@ -85 +85 @@
 #if ENABLE(SANDBOX_EXTENSIONS)
     void getSandboxExtensionsForBlobFiles(const Vector<String>& filenames, WTF::Function<void (SandboxExtension::HandleArray&&)>&& completionHandler);
+#endif
+
+#if PLATFORM(IOS)
+    bool parentProcessHasServiceWorkerEntitlement() const;
+#else
+    bool parentProcessHasServiceWorkerEntitlement() const { return true; }
 #endif
 

trunk/Source/WebKit/StorageProcess/ios/StorageProcessIOS.mm

@@ -31 +31 @@
 
 #import "SandboxInitializationParameters.h"
+#import "SandboxUtilities.h"
 #import <WebCore/FileSystem.h>
 #import <WebCore/LocalizedStrings.h>
@@ -59 +60 @@
 }
 
+bool StorageProcess::parentProcessHasServiceWorkerEntitlement() const
+{
+    static bool hasEntitlement = connectedProcessHasEntitlement(parentProcessConnection()->xpcConnection(), @"com.apple.developer.WebKit.ServiceWorkers");
+    return hasEntitlement;
+}
+
 } // namespace WebKit
 

trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm

@@ -45 +45 @@
 #import "RemoteObjectRegistry.h"
 #import "RemoteObjectRegistryMessages.h"
+#import "SandboxUtilities.h"
 #import "UIDelegate.h"
 #import "VersionChecks.h"
@@ -605 +606 @@
 #if ENABLE(LEGACY_ENCRYPTED_MEDIA)
     pageConfiguration->preferenceValues().set(WebKit::WebPreferencesKey::legacyEncryptedMediaAPIEnabledKey(), WebKit::WebPreferencesStore::Value(!![_configuration _legacyEncryptedMediaAPIEnabled]));
+#endif
+
+#if PLATFORM(IOS) && ENABLE(SERVICE_WORKER)
+    if (!WebKit::processHasEntitlement(@"com.apple.developer.WebKit.ServiceWorkers"))
+        pageConfiguration->preferenceValues().set(WebKit::WebPreferencesKey::serviceWorkersEnabledKey(), WebKit::WebPreferencesStore::Value(false));
 #endif
 

trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp

@@ -3181 +3181 @@
 #endif
 
+    if (store.getBoolValueForKey(WebPreferencesKey::serviceWorkersEnabledKey()))
+        RELEASE_ASSERT(parentProcessHasServiceWorkerEntitlement());
+
     if (m_drawingArea)
         m_drawingArea->updatePreferences(store);

trunk/Source/WebKit/WebProcess/WebPage/WebPage.h

@@ -1214 +1214 @@
     void updatePreferencesGenerated(const WebPreferencesStore&);
 
+#if PLATFORM(IOS)
+    bool parentProcessHasServiceWorkerEntitlement() const;
+#else
+    bool parentProcessHasServiceWorkerEntitlement() const { return true; }
+#endif
+
     void didReceivePolicyDecision(uint64_t frameID, uint64_t listenerID, WebCore::PolicyAction, uint64_t navigationID, const DownloadID&, std::optional<WebsitePoliciesData>&&);
     void continueWillSubmitForm(uint64_t frameID, uint64_t listenerID);

trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm

@@ -41 +41 @@
 #import "PrintInfo.h"
 #import "RemoteLayerTreeDrawingArea.h"
+#import "SandboxUtilities.h"
 #import "UserData.h"
 #import "VisibleContentRectUpdateInfo.h"
@@ -390 +391 @@
 }
 
+bool WebPage::parentProcessHasServiceWorkerEntitlement() const
+{
+    static bool hasEntitlement = connectedProcessHasEntitlement(WebProcess::singleton().parentProcessConnection()->xpcConnection(), @"com.apple.developer.WebKit.ServiceWorkers");
+    return hasEntitlement;
+}
+
 void WebPage::sendComplexTextInputToPlugin(uint64_t, const String&)
 {

trunk/Tools/ChangeLog

@@ +1 @@
+2018-02-16  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Add an entitlement check for service worker on iOS
+        https://bugs.webkit.org/show_bug.cgi?id=182865
+        <rdar://problem/37505903>
+
+        Reviewed by Brady Eidson.
+
+        Added the service worker entitlements to WebKitTestRunner and TestWebKitAPI on iOS.
+
+        * TestWebKitAPI/Configurations/TestWebKitAPI-iOS.entitlements:
+        * WebKitTestRunner/Configurations/WebKitTestRunnerApp-iOS.entitlements:
+        * WebKitTestRunner/Configurations/WebKitTestRunnerApp.xcconfig:
+        * WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj:
+
 2018-02-16  Youenn Fablet  <youenn@apple.com>
 

trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-iOS.entitlements

@@ -7 +7 @@
                 <string>com.apple.TestWebKitAPI</string>
         </array>
+        <key>com.apple.developer.WebKit.ServiceWorkers</key>
+        <true/>
 </dict>
 </plist>

trunk/Tools/WebKitTestRunner/Configurations/WebKitTestRunnerApp.xcconfig

@@ -40 +40 @@
 
 TARGETED_DEVICE_FAMILY = 1,2;
+
+CODE_SIGN_ENTITLEMENTS[sdk=iphone*] = Configurations/WebKitTestRunnerApp-iOS.entitlements;

trunk/Tools/WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj

@@ -314 +314 @@
                 841CC00E181185BF0042E9B6 /* Options.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Options.h; sourceTree = "<group>"; };
                 8DD76FA10486AA7600D96B5E /* WebKitTestRunner */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = WebKitTestRunner; sourceTree = BUILT_PRODUCTS_DIR; };
+                9B0D132E2036D346008FC8FB /* WebKitTestRunnerApp-iOS.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "WebKitTestRunnerApp-iOS.entitlements"; sourceTree = "<group>"; };
                 A18510271B9ADE4800744AEB /* libWebKitTestRunner.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libWebKitTestRunner.a; sourceTree = BUILT_PRODUCTS_DIR; };
                 A18510381B9ADF2200744AEB /* WebKitTestRunner.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = WebKitTestRunner.xcconfig; sourceTree = "<group>"; };
@@ -753 +754 @@
                                 BC25197111D15E61002EBC01 /* InjectedBundle.xcconfig */,
                                 A18510381B9ADF2200744AEB /* WebKitTestRunner.xcconfig */,
+                                9B0D132E2036D346008FC8FB /* WebKitTestRunnerApp-iOS.entitlements */,
                                 A18510391B9ADFF800744AEB /* WebKitTestRunnerApp.xcconfig */,
                                 BC251A1811D16795002EBC01 /* WebKitTestRunnerLibrary.xcconfig */,