Changeset 234167 in webkit

Timestamp:

Jul 24, 2018 12:57:36 PM (6 years ago)

Author:

Ryan Haddad

Message:

Unreviewed, rolling out r234121.

Caused perf test failures.

Reverted changeset:

"We should cache the compiled sandbox profile in a data vault"
​https://bugs.webkit.org/show_bug.cgi?id=184991
​https://trac.webkit.org/changeset/234121

Location:

trunk

Files:

• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/SystemTracing.h (modified) (1 diff)
• Source/WTF/wtf/spi/darwin/SandboxSPI.h (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/platform/FileHandle.cpp (modified) (3 diffs)
• Source/WebCore/platform/FileHandle.h (modified) (2 diffs)
• Source/WebCore/platform/FileSystem.h (modified) (1 diff)
• Source/WebCore/platform/cocoa/FileSystemCocoa.mm (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Configurations/Network-OSX-sandbox.entitlements (deleted)
• Source/WebKit/Configurations/Plugin-OSX-sandbox.entitlements (deleted)
• Source/WebKit/Configurations/Storage-OSX-sandbox.entitlements (deleted)
• Source/WebKit/Configurations/StorageService.xcconfig (modified) (1 diff)
• Source/WebKit/Configurations/WebContent-OSX-sandbox.entitlements (deleted)
• Source/WebKit/Configurations/WebKit.xcconfig (modified) (2 diffs)
• Source/WebKit/NetworkProcess/NetworkProcess.h (modified) (1 diff)
• Source/WebKit/PluginProcess/PluginProcess.h (modified) (1 diff)
• Source/WebKit/Scripts/process-network-entitlements.sh (deleted)
• Source/WebKit/Scripts/process-plugin-entitlements.sh (deleted)
• Source/WebKit/Scripts/process-webcontent-entitlements.sh (modified) (1 diff)
• Source/WebKit/Shared/ChildProcess.h (modified) (3 diffs)
• Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h (modified) (1 diff)
• Source/WebKit/Shared/SandboxInitializationParameters.h (modified) (5 diffs)
• Source/WebKit/Shared/mac/ChildProcessMac.mm (modified) (5 diffs)
• Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm (modified) (1 diff)
• Source/WebKit/StorageProcess/StorageProcess.h (modified) (1 diff)
• Source/WebKit/WebKit.xcodeproj/project.pbxproj (modified) (12 diffs)
• Source/WebKit/WebProcess/WebProcess.h (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/Tracing/SystemTracePoints.plist (modified) (1 diff)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2018-07-24  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r234121.
+
+        Caused perf test failures.
+
+        Reverted changeset:
+
+        "We should cache the compiled sandbox profile in a data vault"
+        https://bugs.webkit.org/show_bug.cgi?id=184991
+        https://trac.webkit.org/changeset/234121
+
 2018-07-24  Thibault Saunier  <tsaunier@igalia.com>
 

trunk/Source/WTF/wtf/SystemTracing.h

@@ -97 +97 @@
     ProcessLaunchStart,
     ProcessLaunchEnd,
-    InitializeSandboxStart,
-    InitializeSandboxEnd,
 };
 

trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h

@@ -43 +43 @@
 WTF_EXTERN_C_BEGIN
 
-typedef struct {
-    char* builtin;
-    unsigned char* data;
-    size_t size;
-} *sandbox_profile_t;
-
-typedef struct {
-    const char **params;
-    size_t size;
-    size_t available;
-} *sandbox_params_t;
-
 extern const char *const APP_SANDBOX_READ;
 extern const char *const APP_SANDBOX_READ_WRITE;
@@ -67 +55 @@
 int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
 int64_t sandbox_extension_consume(const char *extension_token);
-sandbox_params_t sandbox_create_params(void);
-int sandbox_set_param(sandbox_params_t, const char *key, const char *value);
-void sandbox_free_params(sandbox_params_t);
-sandbox_profile_t sandbox_compile_file(const char *path, sandbox_params_t, char **error);
-void sandbox_free_profile(sandbox_profile_t);
-int sandbox_apply(sandbox_profile_t);
 
 WTF_EXTERN_C_END

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-07-24  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r234121.
+
+        Caused perf test failures.
+
+        Reverted changeset:
+
+        "We should cache the compiled sandbox profile in a data vault"
+        https://bugs.webkit.org/show_bug.cgi?id=184991
+        https://trac.webkit.org/changeset/234121
+
 2018-07-24  Antoine Quint  <graouts@apple.com>
 

trunk/Source/WebCore/platform/FileHandle.cpp

@@ -33 +33 @@
 
 FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode)
-    : m_path { path }
-    , m_mode { mode }
+    : m_path(path)
+    , m_mode(mode)
 {
 }
 
 FileHandle::FileHandle(FileHandle&& other)
-    : m_path { WTFMove(other.m_path) }
-    , m_mode { WTFMove(other.m_mode) }
-    , m_fileHandle { std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle) }
-{
-}
-    
-FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode, OptionSet<FileSystem::FileLockMode> lockMode)
-    : m_path { path }
-    , m_mode { mode }
-    , m_shouldLock { true }
-    , m_lockMode { lockMode }
+    : m_path(WTFMove(other.m_path))
+    , m_mode(WTFMove(other.m_mode))
+    , m_fileHandle(std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle))
 {
 }
@@ -86 +78 @@
 {
     if (!*this)
-        m_fileHandle = m_shouldLock ? FileSystem::openAndLockFile(m_path, m_mode, m_lockMode) :  FileSystem::openFile(m_path, m_mode);
+        m_fileHandle = FileSystem::openFile(m_path, m_mode);
     return static_cast<bool>(*this);
 }
@@ -124 +116 @@
 void FileHandle::close()
 {
-    if (m_shouldLock && *this) {
-        // FileSystem::unlockAndCloseFile requires the file handle to be valid while closeFile does not
-        FileSystem::unlockAndCloseFile(m_fileHandle);
-    } else
-        FileSystem::closeFile(m_fileHandle);
+    FileSystem::closeFile(m_fileHandle);
 }
 

trunk/Source/WebCore/platform/FileHandle.h

@@ -39 +39 @@
     FileHandle() = default;
     FileHandle(const String& path, FileSystem::FileOpenMode);
-    FileHandle(const String& path, FileSystem::FileOpenMode, OptionSet<FileSystem::FileLockMode>);
     FileHandle(const FileHandle& other) = delete;
     FileHandle(FileHandle&& other);
@@ -61 +60 @@
     FileSystem::FileOpenMode m_mode { FileSystem::FileOpenMode::Read };
     FileSystem::PlatformFileHandle m_fileHandle { FileSystem::invalidPlatformFileHandle };
-    bool m_shouldLock { false };
-    OptionSet<FileSystem::FileLockMode> m_lockMode;
 };
 

trunk/Source/WebCore/platform/FileSystem.h

@@ -185 +185 @@
 #if PLATFORM(COCOA)
 WEBCORE_EXPORT NSString *createTemporaryDirectory(NSString *directoryPrefix);
-WEBCORE_EXPORT bool deleteNonEmptyDirectory(const String&);
 #endif
 

trunk/Source/WebCore/platform/cocoa/FileSystemCocoa.mm

@@ -134 +134 @@
     return [[NSFileManager defaultManager] stringWithFileSystemRepresentation:path.data() length:length];
 }
-    
-bool deleteNonEmptyDirectory(const String& path)
-{
-    return [[NSFileManager defaultManager] removeItemAtPath:path error:nil];
-}
 
 } // namespace FileSystem

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-07-24  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r234121.
+
+        Caused perf test failures.
+
+        Reverted changeset:
+
+        "We should cache the compiled sandbox profile in a data vault"
+        https://bugs.webkit.org/show_bug.cgi?id=184991
+        https://trac.webkit.org/changeset/234121
+
 2018-07-24  Jeff Miller  <jeffm@apple.com>
 

trunk/Source/WebKit/Configurations/StorageService.xcconfig

@@ -26 +26 @@
 WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = Databases-iOS;
 
-WK_STORAGE_ENTITLEMENTS_RESTRICTED_NO = ;
-WK_STORAGE_ENTITLEMENTS_RESTRICTED_YES = Configurations/Storage-OSX-sandbox.entitlements;
-
-CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO = $(WK_STORAGE_ENTITLEMENTS_RESTRICTED_$(WK_USE_RESTRICTED_ENTITLEMENTS));
 OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS);
 

trunk/Source/WebKit/Configurations/WebKit.xcconfig

@@ -83 +83 @@
 WK_MOBILE_GESTALT_LDFLAGS_cocoatouch = -lMobileGestalt;
 
-WK_LIBSANDBOX_LDFLAGS = $(WK_LIBSANDBOX_LDFLAGS_$(WK_PLATFORM_NAME));
-WK_LIBSANDBOX_LDFLAGS_macosx = -lsandbox;
-
 WK_OPENGL_LDFLAGS = $(WK_OPENGL_LDFLAGS_$(WK_PLATFORM_NAME));
 WK_OPENGL_LDFLAGS_iphoneos = -framework OpenGLES;
@@ -116 +113 @@
 WK_URL_FORMATTING_LDFLAGS_YES = -framework URLFormatting;
 
-FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIBSANDBOX_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS);
+FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS);
 
 // Prevent C++ standard library basic_stringstream, operator new, delete and their related exception types from being exported as weak symbols.

trunk/Source/WebKit/NetworkProcess/NetworkProcess.h

@@ -81 +81 @@
 public:
     static NetworkProcess& singleton();
-    static constexpr ProcessType processType = ProcessType::Network;
 
     template <typename T>

trunk/Source/WebKit/PluginProcess/PluginProcess.h

@@ -50 +50 @@
 public:
     static PluginProcess& singleton();
-    static constexpr ProcessType processType = ProcessType::Plugin;
 
     void removeWebProcessConnection(WebProcessConnection*);

trunk/Source/WebKit/Scripts/process-webcontent-entitlements.sh

@@ -8 +8 @@
     if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then
         echo "Processing restricted entitlements for Internal SDK";
-
-        echo "Adding sandbox entitlements for WebContent process.";
-        /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-OSX-sandbox.entitlements" "${PROCESSED_XCENT_FILE}";
 
         if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101400 )); then

trunk/Source/WebKit/Shared/ChildProcess.h

@@ -40 +40 @@
 
 class SandboxInitializationParameters;
-struct ChildProcessInitializationParameters;
+
+struct ChildProcessInitializationParameters {
+    String uiProcessName;
+    String clientIdentifier;
+    std::optional<WebCore::ProcessIdentifier> processIdentifier;
+    IPC::Connection::Identifier connectionIdentifier;
+    HashMap<String, String> extraInitializationData;
+#if PLATFORM(COCOA)
+    OSObjectPtr<xpc_object_t> priorityBoostMessage;
+#endif
+};
 
 class ChildProcess : protected IPC::Connection::Client, public IPC::MessageSender {
@@ -46 +56 @@
 
 public:
-    enum class ProcessType : uint8_t {
-        WebContent,
-        Network,
-        Storage,
-        Plugin
-    };
-
     void initialize(const ChildProcessInitializationParameters&);
 
@@ -147 +150 @@
 };
 
-struct ChildProcessInitializationParameters {
-    String uiProcessName;
-    String clientIdentifier;
-    std::optional<WebCore::ProcessIdentifier> processIdentifier;
-    IPC::Connection::Identifier connectionIdentifier;
-    HashMap<String, String> extraInitializationData;
-    ChildProcess::ProcessType processType;
-#if PLATFORM(COCOA)
-    OSObjectPtr<xpc_object_t> priorityBoostMessage;
-#endif
-};
-
 } // namespace WebKit
 

trunk/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h

@@ -113 +113 @@
 #endif
 
-    parameters.processType = XPCServiceType::processType;
-
     XPCServiceType::singleton().initialize(parameters);
 }

trunk/Source/WebKit/Shared/SandboxInitializationParameters.h

@@ -55 +55 @@
     const char* value(size_t index) const;
 
-    enum class ProfileSelectionMode : uint8_t {
+    enum ProfileSelectionMode {
         UseDefaultSandboxProfilePath,
         UseOverrideSandboxProfilePath,
@@ -65 +65 @@
     void setOverrideSandboxProfilePath(const String& path)
     {
-        m_profileSelectionMode = ProfileSelectionMode::UseOverrideSandboxProfilePath;
+        m_profileSelectionMode = UseOverrideSandboxProfilePath;
         m_overrideSandboxProfilePathOrSandboxProfile = path;
     }
@@ -71 +71 @@
     const String& overrideSandboxProfilePath() const
     {
-        ASSERT(m_profileSelectionMode == ProfileSelectionMode::UseOverrideSandboxProfilePath);
+        ASSERT(m_profileSelectionMode == UseOverrideSandboxProfilePath);
         return m_overrideSandboxProfilePathOrSandboxProfile;
     }
@@ -77 +77 @@
     void setSandboxProfile(const String& profile)
     {
-        m_profileSelectionMode = ProfileSelectionMode::UseSandboxProfile;
+        m_profileSelectionMode = UseSandboxProfile;
         m_overrideSandboxProfilePathOrSandboxProfile = profile;
     }
@@ -83 +83 @@
     const String& sandboxProfile() const
     {
-        ASSERT(m_profileSelectionMode == ProfileSelectionMode::UseSandboxProfile);
+        ASSERT(m_profileSelectionMode == UseSandboxProfile);
         return m_overrideSandboxProfilePathOrSandboxProfile;
     }

trunk/Source/WebKit/Shared/mac/ChildProcessMac.mm

@@ -32 +32 @@
 #import "QuarantineSPI.h"
 #import "SandboxInitializationParameters.h"
-#import "SandboxUtilities.h"
 #import "WKFoundation.h"
 #import "XPCServiceEntryPoint.h"
-#import <WebCore/FileHandle.h>
 #import <WebCore/FileSystem.h>
 #import <WebCore/SystemVersion.h>
-#import <mach-o/dyld.h>
 #import <mach/mach.h>
 #import <mach/task.h>
-#import <pal/crypto/CryptoDigest.h>
 #import <pwd.h>
 #import <stdlib.h>
-#import <sys/sysctl.h>
 #import <sysexits.h>
-#import <wtf/DataLog.h>
-#import <wtf/RandomNumber.h>
 #import <wtf/Scope.h>
-#import <wtf/SystemTracing.h>
-#import <wtf/WallTime.h>
 #import <wtf/spi/darwin/SandboxSPI.h>
-#import <wtf/text/Base64.h>
-#import <wtf/text/StringBuilder.h>
 
 #if USE(APPLE_INTERNAL_SDK)
-#import <HIServices/ProcessesPriv.h>
-#import <rootless.h>
+#include <HIServices/ProcessesPriv.h>
 #endif
 
@@ -69 +57 @@
 
 namespace WebKit {
-
-using SandboxProfile = typename std::remove_pointer<sandbox_profile_t>::type;
-struct SandboxProfileDeleter {
-    void operator()(SandboxProfile* ptr)
-    {
-        sandbox_free_profile(ptr);
-    }
-};
-using SandboxProfilePtr = std::unique_ptr<SandboxProfile, SandboxProfileDeleter>;
-    
-using SandboxParameters = typename std::remove_pointer<sandbox_params_t>::type;
-struct SandboxParametersDeleter {
-    void operator()(SandboxParameters* ptr)
-    {
-        sandbox_free_params(ptr);
-    }
-};
-using SandboxParametersPtr = std::unique_ptr<SandboxParameters, SandboxParametersDeleter>;
-
-struct CachedSandboxHeader {
-    uint32_t versionNumber;
-    uint32_t libsandboxVersion;
-    uint32_t headerSize;
-    uint32_t builtinSize; // If a builtin doesn't exist, this is UINT_MAX.
-    uint32_t dataSize;
-};
-// The file is layed out on disk like:
-// byte 0
-// CachedSandboxHeader <- sizeof(CachedSandboxHeader) bytes
-// SandboxHeader <- CachedSandboxHeader::headerSize bytes
-// [SandboxBuiltin] optional. Present if CachedSandboxHeader::builtinSize is not UINT_MAX. If present, builtinSize bytes (not including null termination).
-// SandboxData <- CachedSandboxHeader::dataSize bytes
-// byte N
-
-struct SandboxInfo {
-    SandboxInfo(const String& parentDirectoryPath, const String& directoryPath, const String& filePath, const String& profilePath, const SandboxParametersPtr& sandboxParameters, const CString& header, const ChildProcess::ProcessType& processType, const SandboxInitializationParameters& initializationParameters)
-        : parentDirectoryPath { parentDirectoryPath }
-        , directoryPath { directoryPath }
-        , filePath { filePath }
-        , profilePath { profilePath }
-        , sandboxParameters { sandboxParameters }
-        , header { header }
-        , processType { processType }
-        , initializationParameters { initializationParameters }
-    {
-    }
-    
-    const String& parentDirectoryPath;
-    const String& directoryPath;
-    const String& filePath;
-    const String& profilePath;
-    const SandboxParametersPtr& sandboxParameters;
-    const CString& header;
-    const ChildProcess::ProcessType& processType;
-    const SandboxInitializationParameters& initializationParameters;
-};
-
-constexpr uint32_t CachedSandboxVersionNumber = 0;
 
 static void initializeTimerCoalescingPolicy()
@@ -183 +113 @@
 }
 
-static std::optional<Vector<char>> fileContents(const String& path, bool shouldLock = false, OptionSet<FileSystem::FileLockMode> lockMode = FileSystem::FileLockMode::Exclusive)
-{
-    FileHandle file = shouldLock ? FileHandle(path, FileSystem::FileOpenMode::Read, lockMode) : FileHandle(path, FileSystem::FileOpenMode::Read);
-    file.open();
-    if (!file)
-        return std::nullopt;
-    
-    char chunk[4096];
-    constexpr size_t chunkSize = WTF_ARRAY_LENGTH(chunk);
-    size_t contentSize = 0;
-    Vector<char> contents;
-    contents.reserveInitialCapacity(chunkSize);
-    while (size_t bytesRead = file.read(chunk, chunkSize)) {
-        contents.append(chunk, bytesRead);
-        contentSize += bytesRead;
-    }
-    contents.resize(contentSize);
-    
-    return contents;
-}
-
-#if USE(APPLE_INTERNAL_SDK)
-// These strings must match the last segment of the "com.apple.rootless.storage.<this part must match>" entry in each
-// process's restricted entitlements file (ex. Configurations/Networking-OSX-restricted.entitlements).
-constexpr const char* processStorageClass(ChildProcess::ProcessType type)
-{
-    switch (type) {
-    case ChildProcess::ProcessType::WebContent:
-        return "WebKitWebContentSandbox";
-    case ChildProcess::ProcessType::Network:
-        return "WebKitNetworkingSandbox";
-    case ChildProcess::ProcessType::Storage:
-        return "WebKitStorageSandbox";
-    case ChildProcess::ProcessType::Plugin:
-        return "WebKitPluginSandbox";
-    }
-}
-#endif
-
-static std::optional<CString> setAndSerializeSandboxParameters(const SandboxInitializationParameters& initializationParameters, const SandboxParametersPtr& sandboxParameters, const String& profilePath)
-{
-    StringBuilder builder;
-    for (size_t i = 0; i < initializationParameters.count(); ++i) {
-        CString name = initializationParameters.name(i);
-        CString value = initializationParameters.value(i);
-        if (name.isNull() || value.isNull())
-            return std::nullopt;
-        if (sandbox_set_param(sandboxParameters.get(), name.data(), value.data())) {
-            WTFLogAlways("%s: Couldn't set sandbox parameter, errno: %d\n", getprogname(), errno);
-            CRASH();
-        }
-        builder.append(name.data(), name.length());
-        builder.append(':');
-        builder.append(value.data(), value.length());
-        builder.append(':');
-    }
-    auto contents = fileContents(profilePath);
-    if (!contents)
-        return std::nullopt;
-    builder.append(contents->data(), contents->size());
-    return builder.toString().ascii();
-}
-    
-static size_t getUserCacheDirectory(Vector<char>& buffer)
-{
-    size_t result = confstr(_CS_DARWIN_USER_CACHE_DIR, buffer.data(), buffer.size());
-    if (!result) {
-        WTFLogAlways("%s: couldn't retrieve private cache directory path: %d\n", getprogname(), errno);
-        exit(EX_NOPERM);
-    }
-    return result;
-}
-
-static inline String sandboxDataVaultParentDirectory()
-{
-    // DIRHELPER_USER_DIR_SUFFIX is set in initializeSandboxParameters (called before this function).
-    char parentDirectory[PATH_MAX];
-    
-    Vector<char> temp;
-    temp.grow(PATH_MAX);
-    
-    size_t neededBufferSize = getUserCacheDirectory(temp);
-    if (neededBufferSize > temp.size()) {
-        temp.grow(neededBufferSize);
-        size_t bufferSize = getUserCacheDirectory(temp);
-        RELEASE_ASSERT(bufferSize == temp.size());
-    }
-    if (!realpath(temp.data(), parentDirectory)) {
-        WTFLogAlways("%s: couldn't retrieve private cache directory path: %d\n", getprogname(), errno);
-        exit(EX_NOPERM);
-    }
-    
-    return parentDirectory;
-}
-
-static inline String sandboxDirectory(ChildProcess::ProcessType processType, const String& parentDirectory)
-{
-    StringBuilder directory;
-    directory.append(parentDirectory);
-    switch (processType) {
-    case ChildProcess::ProcessType::WebContent:
-        directory.append("/com.apple.WebKit.WebContent.Sandbox");
-        break;
-    case ChildProcess::ProcessType::Network:
-        directory.append("/com.apple.WebKit.Networking.Sandbox");
-        break;
-    case ChildProcess::ProcessType::Storage:
-        directory.append("/com.apple.WebKit.Storage.Sandbox");
-        break;
-    case ChildProcess::ProcessType::Plugin:
-        directory.append("/com.apple.WebKit.Plugin.Sandbox");
-        break;
-    }
-
-#if !USE(APPLE_INTERNAL_SDK)
-    // Add .OpenSource suffix so that open source builds don't try to access a data vault used by system Safari.
-    directory.append(".OpenSource");
-#endif
-
-    return directory.toString();
-}
-
-static inline String sandboxFilePath(const String& directoryPath, const CString& header)
-{
-    StringBuilder sandboxFile;
-    sandboxFile.append(directoryPath);
-    sandboxFile.append("/CompiledSandbox+");
-
-    // Make the filename semi-unique based on the contents of the header.
-    auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
-    crypto->addBytes(header.data(), header.length());
-    Vector<uint8_t> hash = crypto->computeHash();
-    String readableHash = WTF::base64URLEncode(hash.data(), hash.size());
-
-    sandboxFile.append(readableHash);
-    return sandboxFile.toString();
-}
-
-static bool ensureSandboxCacheDirectory(const SandboxInfo& info)
-{
-    if (!FileSystem::fileIsDirectory(info.parentDirectoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes)) {
-        FileSystem::makeAllDirectories(info.parentDirectoryPath);
-        if (!FileSystem::fileIsDirectory(info.parentDirectoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes)) {
-            WTFLogAlways("%s: Couldn't create sandbox directory\n", getprogname());
-            return false;
-        }
-    }
-
-#if USE(APPLE_INTERNAL_SDK)
-    const char* storageClass = processStorageClass(info.processType);
-    CString directoryPath = FileSystem::fileSystemRepresentation(info.directoryPath);
-    if (directoryPath.isNull())
-        return false;
-
-    auto makeDataVault = [&] {
-        do {
-            if (!rootless_mkdir_datavault(directoryPath.data(), 0700, storageClass))
-                return true;
-        } while (errno == EAGAIN);
-        return false;
-    };
-
-    if (makeDataVault())
-        return true;
-
-    if (errno == EEXIST) {
-        // The directory already exists. First we'll check if it is a data vault. If it is then
-        // we are the ones who created it and we can continue. If it is not a datavault then we'll just
-        // delete it and try to make a new one.
-        if (!rootless_check_datavault_flag(directoryPath.data(), storageClass))
-            return true;
-        
-        bool isDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::No);
-        if (isDirectory) {
-            if (!FileSystem::deleteNonEmptyDirectory(info.directoryPath))
-                return false;
-        } else {
-            if (!FileSystem::deleteFile(info.directoryPath))
-                return false;
-        }
-        
-        if (!makeDataVault())
-            return false;
-    } else {
-        WTFLogAlways("Sandbox directory couldn't be created, errno: %d", errno);
-        return false;
-    }
+void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
+{
+#if WK_API_ENABLED
+    NSBundle *webKit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKWebView")];
 #else
-    bool hasSandboxDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes);
-    if (!hasSandboxDirectory) {
-        if (FileSystem::makeAllDirectories(info.directoryPath)) {
-            ASSERT(FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes));
-            hasSandboxDirectory = true;
-        } else {
-            // We may have raced with someone else making it. That's ok.
-            hasSandboxDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes);
-        }
-    }
-
-    if (!hasSandboxDirectory) {
-        // Bailing because we don't have a sandbox directory.
-        return false;
-    }
-#endif // USE(APPLE_INTERNAL_SDK)
-
-    return true;
-}
-    
-static bool writeSandboxDataToCacheFile(const SandboxInfo& info, const Vector<char>& cacheFile)
-{
-    FileHandle file { info.filePath, FileSystem::FileOpenMode::Write, FileSystem::FileLockMode::Exclusive };
-    return file.write(cacheFile.data(), cacheFile.size()) == safeCast<int>(cacheFile.size());
-}
-
-static SandboxProfilePtr compileAndCacheSandboxProfile(const SandboxInfo& info)
-{
-    if (!ensureSandboxCacheDirectory(info))
-        return nullptr;
-
-    char* error = nullptr;
-    CString profilePath = FileSystem::fileSystemRepresentation(info.profilePath);
-    if (profilePath.isNull())
-        return nullptr;
-    SandboxProfilePtr sandboxProfile { sandbox_compile_file(profilePath.data(), info.sandboxParameters.get(), &error) };
-    if (!sandboxProfile) {
-        WTFLogAlways("%s: Couldn't compile WebContent sandbox %s\n", getprogname(), error);
-        return nullptr;
-    }
-    
-    const bool haveBuiltin = sandboxProfile->builtin;
-    int32_t libsandboxVersion = NSVersionOfRunTimeLibrary("sandbox");
-    RELEASE_ASSERT(libsandboxVersion > 0);
-    CachedSandboxHeader cachedHeader {
-        CachedSandboxVersionNumber,
-        static_cast<uint32_t>(libsandboxVersion),
-        safeCast<uint32_t>(info.header.length()),
-        haveBuiltin ? safeCast<uint32_t>(strlen(sandboxProfile->builtin)) : std::numeric_limits<uint32_t>::max(),
-        safeCast<uint32_t>(sandboxProfile->size)
-    };
-    const size_t expectedFileSize = sizeof(cachedHeader) + cachedHeader.headerSize + (haveBuiltin ? cachedHeader.builtinSize : 0) + cachedHeader.dataSize;
-    
-    Vector<char> cacheFile;
-    cacheFile.reserveInitialCapacity(expectedFileSize);
-    cacheFile.append(bitwise_cast<uint8_t*>(&cachedHeader), sizeof(CachedSandboxHeader));
-    cacheFile.append(info.header.data(), info.header.length());
-    if (haveBuiltin)
-        cacheFile.append(sandboxProfile->builtin, cachedHeader.builtinSize);
-    cacheFile.append(sandboxProfile->data, cachedHeader.dataSize);
-
-    if (!writeSandboxDataToCacheFile(info, cacheFile))
-        WTFLogAlways("%s: Unable to cache compiled sandbox", getprogname());
-
-    return sandboxProfile;
-}
-
-static bool tryApplyCachedSandbox(const SandboxInfo& info)
-{
-#if USE(APPLE_INTERNAL_SDK)
-    CString directoryPath = FileSystem::fileSystemRepresentation(info.directoryPath);
-    if (directoryPath.isNull())
-        return false;
-    if (rootless_check_datavault_flag(directoryPath.data(), processStorageClass(info.processType)))
-        return false;
-#endif
-
-    auto contents = fileContents(info.filePath, true, FileSystem::FileLockMode::Shared);
-    if (!contents || contents->isEmpty())
-        return false;
-    Vector<char> cachedSandboxContents = WTFMove(*contents);
-    if (sizeof(CachedSandboxHeader) > cachedSandboxContents.size())
-        return false;
-
-    // This data may be corrupted if the sandbox file was cached on a different platform with different endianness
-    CachedSandboxHeader cachedSandboxHeader;
-    memcpy(&cachedSandboxHeader, cachedSandboxContents.data(), sizeof(CachedSandboxHeader));
-    int32_t libsandboxVersion = NSVersionOfRunTimeLibrary("sandbox");
-    RELEASE_ASSERT(libsandboxVersion > 0);
-    if (static_cast<uint32_t>(libsandboxVersion) != cachedSandboxHeader.libsandboxVersion)
-        return false;
-    if (cachedSandboxHeader.versionNumber != CachedSandboxVersionNumber)
-        return false;
-    const bool haveBuiltin = cachedSandboxHeader.builtinSize != std::numeric_limits<uint32_t>::max();
-
-    // These values are computed based on the disk layout specified below the definition of the CachedSandboxHeader struct
-    // and must be changed if the layout changes.
-    const char* sandboxHeaderPtr = bitwise_cast<char *>(cachedSandboxContents.data()) + sizeof(CachedSandboxHeader);
-    const char* sandboxBuiltinPtr = sandboxHeaderPtr + cachedSandboxHeader.headerSize;
-    unsigned char* sandboxDataPtr = bitwise_cast<unsigned char*>(haveBuiltin ? sandboxBuiltinPtr + cachedSandboxHeader.builtinSize : sandboxBuiltinPtr);
-
-    size_t expectedFileSize = sizeof(CachedSandboxHeader) + cachedSandboxHeader.headerSize + cachedSandboxHeader.dataSize;
-    if (haveBuiltin)
-        expectedFileSize += cachedSandboxHeader.builtinSize;
-    if (cachedSandboxContents.size() != expectedFileSize)
-        return false;
-    if (cachedSandboxHeader.headerSize != info.header.length())
-        return false;
-    if (memcmp(sandboxHeaderPtr, info.header.data(), info.header.length()))
-        return false;
-
-    SandboxProfile profile;
-    CString builtin;
-    profile.builtin = nullptr;
-    profile.size = cachedSandboxHeader.dataSize;
-    if (haveBuiltin) {
-        builtin = CString::newUninitialized(cachedSandboxHeader.builtinSize, profile.builtin);
-        if (builtin.isNull())
-            return false;
-        memcpy(profile.builtin, sandboxBuiltinPtr, cachedSandboxHeader.builtinSize);
-    }
-    ASSERT(static_cast<void *>(sandboxDataPtr + profile.size) <= static_cast<void *>(cachedSandboxContents.data() + cachedSandboxContents.size()));
-    profile.data = sandboxDataPtr;
-
-    if (sandbox_apply(&profile)) {
-        WTFLogAlways("%s: Could not apply cached sandbox\n", getprogname());
-        return false;
-    }
-
-    return true;
-}
-
-static inline const NSBundle *webKit2Bundle()
-{
-#if WK_API_ENABLED
-    const static NSBundle *bundle = [NSBundle bundleForClass:NSClassFromString(@"WKWebView")];
-#else
-    const static NSBundle *bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
-#endif
-
-    return bundle;
-}
-
-static inline String sandboxProfilePath(const SandboxInitializationParameters& parameters)
-{
-    switch (parameters.mode()) {
-    case SandboxInitializationParameters::ProfileSelectionMode::UseDefaultSandboxProfilePath:
-        return [webKit2Bundle() pathForResource:[[NSBundle mainBundle] bundleIdentifier] ofType:@"sb"];
-    case SandboxInitializationParameters::ProfileSelectionMode::UseOverrideSandboxProfilePath:
-        return parameters.overrideSandboxProfilePath();
-    case SandboxInitializationParameters::ProfileSelectionMode::UseSandboxProfile:
-        return parameters.sandboxProfile();
-    }
-}
-
-static bool compileAndApplySandboxSlowCase(const SandboxInfo& info)
-{
-    char* errorBuf;
-    CString profilePath = FileSystem::fileSystemRepresentation(info.profilePath);
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
-    if (sandbox_init_with_parameters(profilePath.data(), SANDBOX_NAMED_EXTERNAL, info.initializationParameters.namedParameterArray(), &errorBuf)) {
-#pragma clang diagnostic pop
-        WTFLogAlways("%s: Couldn't initialize sandbox profile [%s], error '%s'\n", getprogname(), profilePath.data(), errorBuf);
-        for (size_t i = 0, count = info.initializationParameters.count(); i != count; ++i)
-            WTFLogAlways("%s=%s\n", info.initializationParameters.name(i), info.initializationParameters.value(i));
-        return false;
-    }
-    return true;
-}
-
-static bool applySandbox(const ChildProcessInitializationParameters& parameters, const SandboxInitializationParameters& sandboxInitializationParameters)
-{
-    String profilePath { sandboxProfilePath(sandboxInitializationParameters) };
-    if (profilePath.isEmpty()) {
-        WTFLogAlways("%s: Profile path is invalid\n", getprogname());
-        return false;
-    }
-
-    SandboxParametersPtr sandboxParameters { sandbox_create_params() };
-    auto header = setAndSerializeSandboxParameters(sandboxInitializationParameters, sandboxParameters, profilePath);
-    if (!header) {
-        WTFLogAlways("%s: Sandbox parameters are invalid\n", getprogname());
-        CRASH();
-    }
-
-    String parentDirectoryPath { sandboxDataVaultParentDirectory() };
-    String directoryPath { sandboxDirectory(parameters.processType, parentDirectoryPath) };
-    String filePath = sandboxFilePath(directoryPath, *header);
-    SandboxInfo info {
-        parentDirectoryPath,
-        directoryPath,
-        filePath,
-        profilePath,
-        sandboxParameters,
-        *header,
-        parameters.processType,
-        sandboxInitializationParameters
-    };
-
-    if (tryApplyCachedSandbox(info))
-        return true;
-
-    SandboxProfilePtr sandboxProfile = compileAndCacheSandboxProfile(info);
-    if (!sandboxProfile)
-        return compileAndApplySandboxSlowCase(info);
-
-    if (sandbox_apply(sandboxProfile.get())) {
-        WTFLogAlways("%s: Couldn't apply compiled sandbox profile, errno: %d\n", getprogname(), errno);
-        exit(EX_NOPERM);
-    }
-
-    return true;
-}
-
-static void initializeSandboxParameters(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
-{
-    // Verify user directory suffix.
+    NSBundle *webKit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
+#endif
+    String defaultProfilePath = [webKit2Bundle pathForResource:[[NSBundle mainBundle] bundleIdentifier] ofType:@"sb"];
+
     if (sandboxParameters.userDirectorySuffix().isNull()) {
         auto userDirectorySuffix = parameters.extraInitializationData.find("user-directory-suffix");
@@ -621 +154 @@
     setenv("TMPDIR", temporaryDirectory, 1);
 
-    sandboxParameters.addPathParameter("WEBKIT2_FRAMEWORK_DIR", [[webKit2Bundle() bundlePath] stringByDeletingLastPathComponent]);
+    sandboxParameters.addPathParameter("WEBKIT2_FRAMEWORK_DIR", [[webKit2Bundle bundlePath] stringByDeletingLastPathComponent]);
     sandboxParameters.addConfDirectoryParameter("DARWIN_USER_TEMP_DIR", _CS_DARWIN_USER_TEMP_DIR);
     sandboxParameters.addConfDirectoryParameter("DARWIN_USER_CACHE_DIR", _CS_DARWIN_USER_CACHE_DIR);
@@ -635 +168 @@
 
     sandboxParameters.addPathParameter("HOME_DIR", pwd.pw_dir);
+
     String path = String::fromUTF8(pwd.pw_dir);
     path.append("/Library");
+
     sandboxParameters.addPathParameter("HOME_LIBRARY_DIR", FileSystem::fileSystemRepresentation(path).data());
+
     path.append("/Preferences");
+
     sandboxParameters.addPathParameter("HOME_LIBRARY_PREFERENCES_DIR", FileSystem::fileSystemRepresentation(path).data());
-}
-
-void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
-{
-    TraceScope traceScope(InitializeSandboxStart, InitializeSandboxEnd);
-
-    initializeSandboxParameters(parameters, sandboxParameters);
-
-    if (!applySandbox(parameters, sandboxParameters)) {
-        WTFLogAlways("%s: Unable to apply sandbox\n", getprogname());
-        CRASH();
+
+    switch (sandboxParameters.mode()) {
+    case SandboxInitializationParameters::UseDefaultSandboxProfilePath:
+    case SandboxInitializationParameters::UseOverrideSandboxProfilePath: {
+        String sandboxProfilePath = sandboxParameters.mode() == SandboxInitializationParameters::UseDefaultSandboxProfilePath ? defaultProfilePath : sandboxParameters.overrideSandboxProfilePath();
+        if (!sandboxProfilePath.isEmpty()) {
+            CString profilePath = FileSystem::fileSystemRepresentation(sandboxProfilePath);
+            char* errorBuf;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+            if (sandbox_init_with_parameters(profilePath.data(), SANDBOX_NAMED_EXTERNAL, sandboxParameters.namedParameterArray(), &errorBuf)) {
+#pragma clang diagnostic pop
+                WTFLogAlways("%s: Couldn't initialize sandbox profile [%s], error '%s'\n", getprogname(), profilePath.data(), errorBuf);
+                for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i)
+                    WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i));
+                exit(EX_NOPERM);
+            }
+        }
+
+        break;
+    }
+    case SandboxInitializationParameters::UseSandboxProfile: {
+        char* errorBuf;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+        if (sandbox_init_with_parameters(sandboxParameters.sandboxProfile().utf8().data(), 0, sandboxParameters.namedParameterArray(), &errorBuf)) {
+#pragma clang diagnostic pop
+            WTFLogAlways("%s: Couldn't initialize sandbox profile, error '%s'\n", getprogname(), errorBuf);
+            for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i)
+                WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i));
+            exit(EX_NOPERM);
+        }
+
+        break;
+    }
     }
 

trunk/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm

@@ -30 +30 @@
 
 SandboxInitializationParameters::SandboxInitializationParameters()
-    : m_profileSelectionMode(ProfileSelectionMode::UseDefaultSandboxProfilePath)
+    : m_profileSelectionMode(UseDefaultSandboxProfilePath)
 {
 }

trunk/Source/WebKit/StorageProcess/StorageProcess.h

@@ -72 +72 @@
 public:
     static StorageProcess& singleton();
-    static constexpr ProcessType processType = ProcessType::Storage;
-
     ~StorageProcess();
 

trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj

@@ -3413 +3413 @@
                 411A8DDA20DDB6050060D34F /* WKMockMediaDevice.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKMockMediaDevice.cpp; sourceTree = "<group>"; };
                 411B22621E371244004F7363 /* LibWebRTCNetwork.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LibWebRTCNetwork.h; path = Network/webrtc/LibWebRTCNetwork.h; sourceTree = "<group>"; };
-                41303BC920E2F0FD005827BA /* process-plugin-entitlements.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "process-plugin-entitlements.sh"; sourceTree = "<group>"; };
-                41303BCA20E2F248005827BA /* Plugin-OSX-sandbox.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "Plugin-OSX-sandbox.entitlements"; sourceTree = "<group>"; };
                 413075981DE84FB00039EC69 /* NetworkRTCSocket.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = NetworkRTCSocket.cpp; path = NetworkProcess/webrtc/NetworkRTCSocket.cpp; sourceTree = "<group>"; };
                 413075991DE84FB00039EC69 /* NetworkRTCSocket.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = NetworkRTCSocket.h; path = NetworkProcess/webrtc/NetworkRTCSocket.h; sourceTree = "<group>"; };
@@ -3464 +3462 @@
                 41B7ED71206965900087D853 /* NetworkMDNSRegister.messages.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = NetworkMDNSRegister.messages.in; path = NetworkProcess/webrtc/NetworkMDNSRegister.messages.in; sourceTree = "<group>"; };
                 41C858191F510DEE0065E085 /* CacheStorageEngineCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CacheStorageEngineCache.cpp; sourceTree = "<group>"; };
-                41D0FC7820E438DD00076AE8 /* WebContent-OSX-sandbox.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "WebContent-OSX-sandbox.entitlements"; sourceTree = "<group>"; };
-                41D0FC7920E439AD00076AE8 /* process-network-entitlements.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "process-network-entitlements.sh"; sourceTree = "<group>"; };
-                41D0FC7C20E43A5100076AE8 /* Storage-OSX-sandbox.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "Storage-OSX-sandbox.entitlements"; sourceTree = "<group>"; };
-                41D0FC7D20E43A5100076AE8 /* Network-OSX-sandbox.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "Network-OSX-sandbox.entitlements"; sourceTree = "<group>"; };
                 41D129D91F3D101400D15E47 /* WebCacheStorageProvider.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = WebCacheStorageProvider.h; sourceTree = "<group>"; };
                 41DC45941E3D6E1E00B11F51 /* NetworkRTCProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = NetworkRTCProvider.h; path = NetworkProcess/webrtc/NetworkRTCProvider.h; sourceTree = "<group>"; };
@@ -5191 +5185 @@
                                 37119A7D20CCB64E002C6DC9 /* Network-iOS-minimalsimulator.entitlements */,
                                 7C0BB9A918DCDF5A0006C086 /* Network-iOS.entitlements */,
-                                41D0FC7D20E43A5100076AE8 /* Network-OSX-sandbox.entitlements */,
                                 BC8283AB16B4BEAD00A278FE /* NetworkService.xcconfig */,
-                                41303BCA20E2F248005827BA /* Plugin-OSX-sandbox.entitlements */,
                                 A1EDD2DB1884B96400BBFE98 /* PluginProcessShim.xcconfig */,
                                 BC8283F216B4FC5300A278FE /* PluginService.32.xcconfig */,
@@ -5201 +5193 @@
                                 A1EDD2DC1884B9B500BBFE98 /* SecItemShim.xcconfig */,
                                 5183B3931379F85C00E8754E /* Shim.xcconfig */,
-                                41D0FC7C20E43A5100076AE8 /* Storage-OSX-sandbox.entitlements */,
                                 51A60B29180CCD9000F3BF50 /* StorageService.xcconfig */,
                                 1A4F976E100E7B6600637A18 /* Version.xcconfig */,
@@ -5207 +5198 @@
                                 7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */,
                                 37B418EB1C9624F20031E63B /* WebContent-OSX-restricted.entitlements */,
-                                41D0FC7820E438DD00076AE8 /* WebContent-OSX-sandbox.entitlements */,
                                 7AF66E1120C07CB6007828EA /* WebContent-OSX.entitlements */,
                                 372EBB4A2017E76000085064 /* WebContentService.Development.xcconfig */,
@@ -8654 +8644 @@
                                 0FC08570187CE0A900780D86 /* model.py */,
                                 0FC08571187CE0A900780D86 /* parser.py */,
-                                41D0FC7920E439AD00076AE8 /* process-network-entitlements.sh */,
-                                41303BC920E2F0FD005827BA /* process-plugin-entitlements.sh */,
                                 7ACFAAD820B88D4F00C53203 /* process-webcontent-entitlements.sh */,
                         );
@@ -10152 +10140 @@
                         buildConfigurationList = BC8283BD16B4BF7700A278FE /* Build configuration list for PBXNativeTarget "Networking" */;
                         buildPhases = (
-                                41D0FC7F20E43B0B00076AE8 /* Remove stale entitlements file */,
                                 BC8283AD16B4BF7700A278FE /* Sources */,
                                 BC8283AE16B4BF7700A278FE /* Frameworks */,
                                 BC8283AF16B4BF7700A278FE /* Resources */,
-                                41D0FC8020E43B4500076AE8 /* Unlock keychain */,
-                                41D0FC8120E43B7000076AE8 /* Process Network entitlements */,
                         );
                         buildRules = (
@@ -10174 +10159 @@
                         buildConfigurationList = BC82840416B4FDDE00A278FE /* Build configuration list for PBXNativeTarget "Plugin.32" */;
                         buildPhases = (
-                                41303BC320E2EC67005827BA /* Remove stale entitlement file */,
                                 BC8283F516B4FDDE00A278FE /* Sources */,
                                 BC8283F616B4FDDE00A278FE /* Frameworks */,
                                 BC8283F716B4FDDE00A278FE /* Resources */,
-                                41303BC420E2ED41005827BA /* Unlock keychain */,
-                                41303BC520E2ED54005827BA /* Process Plugin entitlements */,
                         );
                         buildRules = (
@@ -10196 +10178 @@
                         buildConfigurationList = BC82842A16B4FDF700A278FE /* Build configuration list for PBXNativeTarget "Plugin.64" */;
                         buildPhases = (
-                                41303BC620E2EFDF005827BA /* Remove stale entitlement file */,
                                 BC82841B16B4FDF600A278FE /* Sources */,
                                 BC82841C16B4FDF600A278FE /* Frameworks */,
                                 BC82841D16B4FDF600A278FE /* Resources */,
-                                41303BC720E2F016005827BA /* Unlock keychain */,
-                                41303BC820E2F047005827BA /* Process Plugin entitlements */,
                         );
                         buildRules = (
@@ -10420 +10399 @@
                         runOnlyForDeploymentPostprocessing = 0;
                         shellPath = /bin/sh;
-                        shellScript = "set -e\n\nRELATIVE_SOURCE_PATH=\"usr/local/include/WebKitAdditions/WebKit/AdditionalResources\"\nSOURCE_PATH=\"$BUILT_PRODUCTS_DIR/$RELATIVE_SOURCE_PATH\"\n\nif [[ ! -d \"$SOURCE_PATH\" ]]; then\n    SOURCE_PATH=\"$SDK_DIR/$RELATIVE_SOURCE_PATH\"\nfi\n\nif [[ -d \"$SOURCE_PATH\" ]]; then\n    ditto $SOURCE_PATH \"$BUILT_PRODUCTS_DIR/$UNLOCALIZED_RESOURCES_FOLDER_PATH\"\nfi\n";
+                        shellScript = "set -e\n\nRELATIVE_SOURCE_PATH=\"usr/local/include/WebKitAdditions/WebKit/AdditionalResources\"\nSOURCE_PATH=\"$BUILT_PRODUCTS_DIR/$RELATIVE_SOURCE_PATH\"\n\nif [[ ! -d \"$SOURCE_PATH\" ]]; then\n    SOURCE_PATH=\"$SDK_DIR/$RELATIVE_SOURCE_PATH\"\nfi\n\nif [[ -d \"$SOURCE_PATH\" ]]; then\n    ditto $SOURCE_PATH \"$BUILT_PRODUCTS_DIR/$UNLOCALIZED_RESOURCES_FOLDER_PATH\"\nfi";
                 };
                 3713F0231429063D0036387F /* Check For Inappropriate Objective-C Class Names */ = {
@@ -10459 +10438 @@
                         runOnlyForDeploymentPostprocessing = 0;
                         shellPath = /bin/sh;
-                        shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n    exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n    for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n        eval ENTITLEMENTS=\\${SCRIPT_INPUT_FILE_${i}}\n        ENTITLEMENTS_BASE=${ENTITLEMENTS##*/}\n        ENTITLEMENTS_BASE=${ENTITLEMENTS_BASE%.entitlements}\n        plutil -remove seatbelt-profiles -o \"${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit2/${ENTITLEMENTS_BASE}-no-sandbox.entitlements\" \"${ENTITLEMENTS}\"\n    done\nfi\n";
+                        shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n    exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n    for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n        eval ENTITLEMENTS=\\${SCRIPT_INPUT_FILE_${i}}\n        ENTITLEMENTS_BASE=${ENTITLEMENTS##*/}\n        ENTITLEMENTS_BASE=${ENTITLEMENTS_BASE%.entitlements}\n        plutil -remove seatbelt-profiles -o \"${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit2/${ENTITLEMENTS_BASE}-no-sandbox.entitlements\" \"${ENTITLEMENTS}\"\n    done\nfi";
                 };
                 375A248817E5048E00C9A086 /* Postprocess WKBase.h */ = {
@@ -10492 +10471 @@
                         shellPath = /bin/sh;
                         shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" || \"${WK_PLATFORM_NAME}\" == \"iosmac\" ]]; then\n    exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n    for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n        eval SANDBOX_PROFILE=\\${SCRIPT_INPUT_FILE_${i}}\n        ditto \"${SANDBOX_PROFILE}\" \"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/${SANDBOX_PROFILE##*/}\"\n    done\nfi\n";
-                };
-                41303BC320E2EC67005827BA /* Remove stale entitlement file */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                        );
-                        name = "Remove stale entitlement file";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";
-                };
-                41303BC420E2ED41005827BA /* Unlock keychain */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                        );
-                        name = "Unlock keychain";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n";
-                };
-                41303BC520E2ED54005827BA /* Process Plugin entitlements */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                                "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
-                        );
-                        name = "Process Plugin entitlements";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "Scripts/process-plugin-entitlements.sh\n";
-                };
-                41303BC620E2EFDF005827BA /* Remove stale entitlement file */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                        );
-                        name = "Remove stale entitlement file";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";
-                };
-                41303BC720E2F016005827BA /* Unlock keychain */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                        );
-                        name = "Unlock keychain";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n";
-                };
-                41303BC820E2F047005827BA /* Process Plugin entitlements */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                                "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
-                        );
-                        name = "Process Plugin entitlements";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "Scripts/process-plugin-entitlements.sh\n";
-                };
-                41D0FC7F20E43B0B00076AE8 /* Remove stale entitlements file */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                        );
-                        name = "Remove stale entitlements file";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";
-                };
-                41D0FC8020E43B4500076AE8 /* Unlock keychain */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                        );
-                        name = "Unlock keychain";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n";
-                };
-                41D0FC8120E43B7000076AE8 /* Process Network entitlements */ = {
-                        isa = PBXShellScriptBuildPhase;
-                        buildActionMask = 2147483647;
-                        files = (
-                        );
-                        inputFileListPaths = (
-                        );
-                        inputPaths = (
-                                "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
-                        );
-                        name = "Process Network entitlements";
-                        outputFileListPaths = (
-                        );
-                        outputPaths = (
-                        );
-                        runOnlyForDeploymentPostprocessing = 0;
-                        shellPath = /bin/sh;
-                        shellScript = "Scripts/process-network-entitlements.sh\n";
                 };
                 5DF408C5131DD46700130071 /* Check For Weak VTables and Externals */ = {

trunk/Source/WebKit/WebProcess/WebProcess.h

@@ -110 +110 @@
 public:
     static WebProcess& singleton();
-    static constexpr ProcessType processType = ProcessType::WebContent;
 
     template <typename T>

trunk/Tools/ChangeLog

@@ +1 @@
+2018-07-24  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r234121.
+
+        Caused perf test failures.
+
+        Reverted changeset:
+
+        "We should cache the compiled sandbox profile in a data vault"
+        https://bugs.webkit.org/show_bug.cgi?id=184991
+        https://trac.webkit.org/changeset/234121
+
 2018-07-24  Thibault Saunier  <tsaunier@igalia.com>
 

trunk/Tools/Tracing/SystemTracePoints.plist

@@ -301 +301 @@
                  <string>14004</string>
              </dict>
-             <dict>
-                 <key>Name</key>
-                 <string>Initialize Sandbox</string>
-                 <key>Type</key>
-                 <string>Interval</string>
-                 <key>Component</key>
-                 <string>47</string>
-                 <key>CodeBegin</key>
-                 <string>14005</string>
-                 <key>CodeEnd</key>
-                 <string>14006</string>
-             </dict>
          </array>
      </dict>