Changeset 234167 in webkit
- Timestamp:
- Jul 24, 2018 12:57:36 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 6 deleted
- 24 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WTF/ChangeLog
r234141 r234167 1 2018-07-24 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r234121. 4 5 Caused perf test failures. 6 7 Reverted changeset: 8 9 "We should cache the compiled sandbox profile in a data vault" 10 https://bugs.webkit.org/show_bug.cgi?id=184991 11 https://trac.webkit.org/changeset/234121 12 1 13 2018-07-24 Thibault Saunier <tsaunier@igalia.com> 2 14 -
trunk/Source/WTF/wtf/SystemTracing.h
r234121 r234167 97 97 ProcessLaunchStart, 98 98 ProcessLaunchEnd, 99 InitializeSandboxStart,100 InitializeSandboxEnd,101 99 }; 102 100 -
trunk/Source/WTF/wtf/spi/darwin/SandboxSPI.h
r234121 r234167 43 43 WTF_EXTERN_C_BEGIN 44 44 45 typedef struct {46 char* builtin;47 unsigned char* data;48 size_t size;49 } *sandbox_profile_t;50 51 typedef struct {52 const char **params;53 size_t size;54 size_t available;55 } *sandbox_params_t;56 57 45 extern const char *const APP_SANDBOX_READ; 58 46 extern const char *const APP_SANDBOX_READ_WRITE; … … 67 55 int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf); 68 56 int64_t sandbox_extension_consume(const char *extension_token); 69 sandbox_params_t sandbox_create_params(void);70 int sandbox_set_param(sandbox_params_t, const char *key, const char *value);71 void sandbox_free_params(sandbox_params_t);72 sandbox_profile_t sandbox_compile_file(const char *path, sandbox_params_t, char **error);73 void sandbox_free_profile(sandbox_profile_t);74 int sandbox_apply(sandbox_profile_t);75 57 76 58 WTF_EXTERN_C_END -
trunk/Source/WebCore/ChangeLog
r234166 r234167 1 2018-07-24 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r234121. 4 5 Caused perf test failures. 6 7 Reverted changeset: 8 9 "We should cache the compiled sandbox profile in a data vault" 10 https://bugs.webkit.org/show_bug.cgi?id=184991 11 https://trac.webkit.org/changeset/234121 12 1 13 2018-07-24 Antoine Quint <graouts@apple.com> 2 14 -
trunk/Source/WebCore/platform/FileHandle.cpp
r234121 r234167 33 33 34 34 FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode) 35 : m_path { path }36 , m_mode { mode }35 : m_path(path) 36 , m_mode(mode) 37 37 { 38 38 } 39 39 40 40 FileHandle::FileHandle(FileHandle&& other) 41 : m_path { WTFMove(other.m_path) } 42 , m_mode { WTFMove(other.m_mode) } 43 , m_fileHandle { std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle) } 44 { 45 } 46 47 FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode, OptionSet<FileSystem::FileLockMode> lockMode) 48 : m_path { path } 49 , m_mode { mode } 50 , m_shouldLock { true } 51 , m_lockMode { lockMode } 41 : m_path(WTFMove(other.m_path)) 42 , m_mode(WTFMove(other.m_mode)) 43 , m_fileHandle(std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle)) 52 44 { 53 45 } … … 86 78 { 87 79 if (!*this) 88 m_fileHandle = m_shouldLock ? FileSystem::openAndLockFile(m_path, m_mode, m_lockMode) :FileSystem::openFile(m_path, m_mode);80 m_fileHandle = FileSystem::openFile(m_path, m_mode); 89 81 return static_cast<bool>(*this); 90 82 } … … 124 116 void FileHandle::close() 125 117 { 126 if (m_shouldLock && *this) { 127 // FileSystem::unlockAndCloseFile requires the file handle to be valid while closeFile does not 128 FileSystem::unlockAndCloseFile(m_fileHandle); 129 } else 130 FileSystem::closeFile(m_fileHandle); 118 FileSystem::closeFile(m_fileHandle); 131 119 } 132 120 -
trunk/Source/WebCore/platform/FileHandle.h
r234121 r234167 39 39 FileHandle() = default; 40 40 FileHandle(const String& path, FileSystem::FileOpenMode); 41 FileHandle(const String& path, FileSystem::FileOpenMode, OptionSet<FileSystem::FileLockMode>);42 41 FileHandle(const FileHandle& other) = delete; 43 42 FileHandle(FileHandle&& other); … … 61 60 FileSystem::FileOpenMode m_mode { FileSystem::FileOpenMode::Read }; 62 61 FileSystem::PlatformFileHandle m_fileHandle { FileSystem::invalidPlatformFileHandle }; 63 bool m_shouldLock { false };64 OptionSet<FileSystem::FileLockMode> m_lockMode;65 62 }; 66 63 -
trunk/Source/WebCore/platform/FileSystem.h
r234121 r234167 185 185 #if PLATFORM(COCOA) 186 186 WEBCORE_EXPORT NSString *createTemporaryDirectory(NSString *directoryPrefix); 187 WEBCORE_EXPORT bool deleteNonEmptyDirectory(const String&);188 187 #endif 189 188 -
trunk/Source/WebCore/platform/cocoa/FileSystemCocoa.mm
r234121 r234167 134 134 return [[NSFileManager defaultManager] stringWithFileSystemRepresentation:path.data() length:length]; 135 135 } 136 137 bool deleteNonEmptyDirectory(const String& path)138 {139 return [[NSFileManager defaultManager] removeItemAtPath:path error:nil];140 }141 136 142 137 } // namespace FileSystem -
trunk/Source/WebKit/ChangeLog
r234157 r234167 1 2018-07-24 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r234121. 4 5 Caused perf test failures. 6 7 Reverted changeset: 8 9 "We should cache the compiled sandbox profile in a data vault" 10 https://bugs.webkit.org/show_bug.cgi?id=184991 11 https://trac.webkit.org/changeset/234121 12 1 13 2018-07-24 Jeff Miller <jeffm@apple.com> 2 14 -
trunk/Source/WebKit/Configurations/StorageService.xcconfig
r234121 r234167 26 26 WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = Databases-iOS; 27 27 28 WK_STORAGE_ENTITLEMENTS_RESTRICTED_NO = ;29 WK_STORAGE_ENTITLEMENTS_RESTRICTED_YES = Configurations/Storage-OSX-sandbox.entitlements;30 31 CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO = $(WK_STORAGE_ENTITLEMENTS_RESTRICTED_$(WK_USE_RESTRICTED_ENTITLEMENTS));32 28 OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS); 33 29 -
trunk/Source/WebKit/Configurations/WebKit.xcconfig
r234121 r234167 83 83 WK_MOBILE_GESTALT_LDFLAGS_cocoatouch = -lMobileGestalt; 84 84 85 WK_LIBSANDBOX_LDFLAGS = $(WK_LIBSANDBOX_LDFLAGS_$(WK_PLATFORM_NAME));86 WK_LIBSANDBOX_LDFLAGS_macosx = -lsandbox;87 88 85 WK_OPENGL_LDFLAGS = $(WK_OPENGL_LDFLAGS_$(WK_PLATFORM_NAME)); 89 86 WK_OPENGL_LDFLAGS_iphoneos = -framework OpenGLES; … … 116 113 WK_URL_FORMATTING_LDFLAGS_YES = -framework URLFormatting; 117 114 118 FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIB SANDBOX_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS);115 FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS); 119 116 120 117 // Prevent C++ standard library basic_stringstream, operator new, delete and their related exception types from being exported as weak symbols. -
trunk/Source/WebKit/NetworkProcess/NetworkProcess.h
r234121 r234167 81 81 public: 82 82 static NetworkProcess& singleton(); 83 static constexpr ProcessType processType = ProcessType::Network;84 83 85 84 template <typename T> -
trunk/Source/WebKit/PluginProcess/PluginProcess.h
r234121 r234167 50 50 public: 51 51 static PluginProcess& singleton(); 52 static constexpr ProcessType processType = ProcessType::Plugin;53 52 54 53 void removeWebProcessConnection(WebProcessConnection*); -
trunk/Source/WebKit/Scripts/process-webcontent-entitlements.sh
r234121 r234167 8 8 if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then 9 9 echo "Processing restricted entitlements for Internal SDK"; 10 11 echo "Adding sandbox entitlements for WebContent process.";12 /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-OSX-sandbox.entitlements" "${PROCESSED_XCENT_FILE}";13 10 14 11 if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101400 )); then -
trunk/Source/WebKit/Shared/ChildProcess.h
r234121 r234167 40 40 41 41 class SandboxInitializationParameters; 42 struct ChildProcessInitializationParameters; 42 43 struct ChildProcessInitializationParameters { 44 String uiProcessName; 45 String clientIdentifier; 46 std::optional<WebCore::ProcessIdentifier> processIdentifier; 47 IPC::Connection::Identifier connectionIdentifier; 48 HashMap<String, String> extraInitializationData; 49 #if PLATFORM(COCOA) 50 OSObjectPtr<xpc_object_t> priorityBoostMessage; 51 #endif 52 }; 43 53 44 54 class ChildProcess : protected IPC::Connection::Client, public IPC::MessageSender { … … 46 56 47 57 public: 48 enum class ProcessType : uint8_t {49 WebContent,50 Network,51 Storage,52 Plugin53 };54 55 58 void initialize(const ChildProcessInitializationParameters&); 56 59 … … 147 150 }; 148 151 149 struct ChildProcessInitializationParameters {150 String uiProcessName;151 String clientIdentifier;152 std::optional<WebCore::ProcessIdentifier> processIdentifier;153 IPC::Connection::Identifier connectionIdentifier;154 HashMap<String, String> extraInitializationData;155 ChildProcess::ProcessType processType;156 #if PLATFORM(COCOA)157 OSObjectPtr<xpc_object_t> priorityBoostMessage;158 #endif159 };160 161 152 } // namespace WebKit 162 153 -
trunk/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h
r234121 r234167 113 113 #endif 114 114 115 parameters.processType = XPCServiceType::processType;116 117 115 XPCServiceType::singleton().initialize(parameters); 118 116 } -
trunk/Source/WebKit/Shared/SandboxInitializationParameters.h
r234121 r234167 55 55 const char* value(size_t index) const; 56 56 57 enum class ProfileSelectionMode : uint8_t{57 enum ProfileSelectionMode { 58 58 UseDefaultSandboxProfilePath, 59 59 UseOverrideSandboxProfilePath, … … 65 65 void setOverrideSandboxProfilePath(const String& path) 66 66 { 67 m_profileSelectionMode = ProfileSelectionMode::UseOverrideSandboxProfilePath;67 m_profileSelectionMode = UseOverrideSandboxProfilePath; 68 68 m_overrideSandboxProfilePathOrSandboxProfile = path; 69 69 } … … 71 71 const String& overrideSandboxProfilePath() const 72 72 { 73 ASSERT(m_profileSelectionMode == ProfileSelectionMode::UseOverrideSandboxProfilePath);73 ASSERT(m_profileSelectionMode == UseOverrideSandboxProfilePath); 74 74 return m_overrideSandboxProfilePathOrSandboxProfile; 75 75 } … … 77 77 void setSandboxProfile(const String& profile) 78 78 { 79 m_profileSelectionMode = ProfileSelectionMode::UseSandboxProfile;79 m_profileSelectionMode = UseSandboxProfile; 80 80 m_overrideSandboxProfilePathOrSandboxProfile = profile; 81 81 } … … 83 83 const String& sandboxProfile() const 84 84 { 85 ASSERT(m_profileSelectionMode == ProfileSelectionMode::UseSandboxProfile);85 ASSERT(m_profileSelectionMode == UseSandboxProfile); 86 86 return m_overrideSandboxProfilePathOrSandboxProfile; 87 87 } -
trunk/Source/WebKit/Shared/mac/ChildProcessMac.mm
r234121 r234167 32 32 #import "QuarantineSPI.h" 33 33 #import "SandboxInitializationParameters.h" 34 #import "SandboxUtilities.h"35 34 #import "WKFoundation.h" 36 35 #import "XPCServiceEntryPoint.h" 37 #import <WebCore/FileHandle.h>38 36 #import <WebCore/FileSystem.h> 39 37 #import <WebCore/SystemVersion.h> 40 #import <mach-o/dyld.h>41 38 #import <mach/mach.h> 42 39 #import <mach/task.h> 43 #import <pal/crypto/CryptoDigest.h>44 40 #import <pwd.h> 45 41 #import <stdlib.h> 46 #import <sys/sysctl.h>47 42 #import <sysexits.h> 48 #import <wtf/DataLog.h>49 #import <wtf/RandomNumber.h>50 43 #import <wtf/Scope.h> 51 #import <wtf/SystemTracing.h>52 #import <wtf/WallTime.h>53 44 #import <wtf/spi/darwin/SandboxSPI.h> 54 #import <wtf/text/Base64.h>55 #import <wtf/text/StringBuilder.h>56 45 57 46 #if USE(APPLE_INTERNAL_SDK) 58 #import <HIServices/ProcessesPriv.h> 59 #import <rootless.h> 47 #include <HIServices/ProcessesPriv.h> 60 48 #endif 61 49 … … 69 57 70 58 namespace WebKit { 71 72 using SandboxProfile = typename std::remove_pointer<sandbox_profile_t>::type;73 struct SandboxProfileDeleter {74 void operator()(SandboxProfile* ptr)75 {76 sandbox_free_profile(ptr);77 }78 };79 using SandboxProfilePtr = std::unique_ptr<SandboxProfile, SandboxProfileDeleter>;80 81 using SandboxParameters = typename std::remove_pointer<sandbox_params_t>::type;82 struct SandboxParametersDeleter {83 void operator()(SandboxParameters* ptr)84 {85 sandbox_free_params(ptr);86 }87 };88 using SandboxParametersPtr = std::unique_ptr<SandboxParameters, SandboxParametersDeleter>;89 90 struct CachedSandboxHeader {91 uint32_t versionNumber;92 uint32_t libsandboxVersion;93 uint32_t headerSize;94 uint32_t builtinSize; // If a builtin doesn't exist, this is UINT_MAX.95 uint32_t dataSize;96 };97 // The file is layed out on disk like:98 // byte 099 // CachedSandboxHeader <- sizeof(CachedSandboxHeader) bytes100 // SandboxHeader <- CachedSandboxHeader::headerSize bytes101 // [SandboxBuiltin] optional. Present if CachedSandboxHeader::builtinSize is not UINT_MAX. If present, builtinSize bytes (not including null termination).102 // SandboxData <- CachedSandboxHeader::dataSize bytes103 // byte N104 105 struct SandboxInfo {106 SandboxInfo(const String& parentDirectoryPath, const String& directoryPath, const String& filePath, const String& profilePath, const SandboxParametersPtr& sandboxParameters, const CString& header, const ChildProcess::ProcessType& processType, const SandboxInitializationParameters& initializationParameters)107 : parentDirectoryPath { parentDirectoryPath }108 , directoryPath { directoryPath }109 , filePath { filePath }110 , profilePath { profilePath }111 , sandboxParameters { sandboxParameters }112 , header { header }113 , processType { processType }114 , initializationParameters { initializationParameters }115 {116 }117 118 const String& parentDirectoryPath;119 const String& directoryPath;120 const String& filePath;121 const String& profilePath;122 const SandboxParametersPtr& sandboxParameters;123 const CString& header;124 const ChildProcess::ProcessType& processType;125 const SandboxInitializationParameters& initializationParameters;126 };127 128 constexpr uint32_t CachedSandboxVersionNumber = 0;129 59 130 60 static void initializeTimerCoalescingPolicy() … … 183 113 } 184 114 185 static std::optional<Vector<char>> fileContents(const String& path, bool shouldLock = false, OptionSet<FileSystem::FileLockMode> lockMode = FileSystem::FileLockMode::Exclusive) 186 { 187 FileHandle file = shouldLock ? FileHandle(path, FileSystem::FileOpenMode::Read, lockMode) : FileHandle(path, FileSystem::FileOpenMode::Read); 188 file.open(); 189 if (!file) 190 return std::nullopt; 191 192 char chunk[4096]; 193 constexpr size_t chunkSize = WTF_ARRAY_LENGTH(chunk); 194 size_t contentSize = 0; 195 Vector<char> contents; 196 contents.reserveInitialCapacity(chunkSize); 197 while (size_t bytesRead = file.read(chunk, chunkSize)) { 198 contents.append(chunk, bytesRead); 199 contentSize += bytesRead; 200 } 201 contents.resize(contentSize); 202 203 return contents; 204 } 205 206 #if USE(APPLE_INTERNAL_SDK) 207 // These strings must match the last segment of the "com.apple.rootless.storage.<this part must match>" entry in each 208 // process's restricted entitlements file (ex. Configurations/Networking-OSX-restricted.entitlements). 209 constexpr const char* processStorageClass(ChildProcess::ProcessType type) 210 { 211 switch (type) { 212 case ChildProcess::ProcessType::WebContent: 213 return "WebKitWebContentSandbox"; 214 case ChildProcess::ProcessType::Network: 215 return "WebKitNetworkingSandbox"; 216 case ChildProcess::ProcessType::Storage: 217 return "WebKitStorageSandbox"; 218 case ChildProcess::ProcessType::Plugin: 219 return "WebKitPluginSandbox"; 220 } 221 } 222 #endif 223 224 static std::optional<CString> setAndSerializeSandboxParameters(const SandboxInitializationParameters& initializationParameters, const SandboxParametersPtr& sandboxParameters, const String& profilePath) 225 { 226 StringBuilder builder; 227 for (size_t i = 0; i < initializationParameters.count(); ++i) { 228 CString name = initializationParameters.name(i); 229 CString value = initializationParameters.value(i); 230 if (name.isNull() || value.isNull()) 231 return std::nullopt; 232 if (sandbox_set_param(sandboxParameters.get(), name.data(), value.data())) { 233 WTFLogAlways("%s: Couldn't set sandbox parameter, errno: %d\n", getprogname(), errno); 234 CRASH(); 235 } 236 builder.append(name.data(), name.length()); 237 builder.append(':'); 238 builder.append(value.data(), value.length()); 239 builder.append(':'); 240 } 241 auto contents = fileContents(profilePath); 242 if (!contents) 243 return std::nullopt; 244 builder.append(contents->data(), contents->size()); 245 return builder.toString().ascii(); 246 } 247 248 static size_t getUserCacheDirectory(Vector<char>& buffer) 249 { 250 size_t result = confstr(_CS_DARWIN_USER_CACHE_DIR, buffer.data(), buffer.size()); 251 if (!result) { 252 WTFLogAlways("%s: couldn't retrieve private cache directory path: %d\n", getprogname(), errno); 253 exit(EX_NOPERM); 254 } 255 return result; 256 } 257 258 static inline String sandboxDataVaultParentDirectory() 259 { 260 // DIRHELPER_USER_DIR_SUFFIX is set in initializeSandboxParameters (called before this function). 261 char parentDirectory[PATH_MAX]; 262 263 Vector<char> temp; 264 temp.grow(PATH_MAX); 265 266 size_t neededBufferSize = getUserCacheDirectory(temp); 267 if (neededBufferSize > temp.size()) { 268 temp.grow(neededBufferSize); 269 size_t bufferSize = getUserCacheDirectory(temp); 270 RELEASE_ASSERT(bufferSize == temp.size()); 271 } 272 if (!realpath(temp.data(), parentDirectory)) { 273 WTFLogAlways("%s: couldn't retrieve private cache directory path: %d\n", getprogname(), errno); 274 exit(EX_NOPERM); 275 } 276 277 return parentDirectory; 278 } 279 280 static inline String sandboxDirectory(ChildProcess::ProcessType processType, const String& parentDirectory) 281 { 282 StringBuilder directory; 283 directory.append(parentDirectory); 284 switch (processType) { 285 case ChildProcess::ProcessType::WebContent: 286 directory.append("/com.apple.WebKit.WebContent.Sandbox"); 287 break; 288 case ChildProcess::ProcessType::Network: 289 directory.append("/com.apple.WebKit.Networking.Sandbox"); 290 break; 291 case ChildProcess::ProcessType::Storage: 292 directory.append("/com.apple.WebKit.Storage.Sandbox"); 293 break; 294 case ChildProcess::ProcessType::Plugin: 295 directory.append("/com.apple.WebKit.Plugin.Sandbox"); 296 break; 297 } 298 299 #if !USE(APPLE_INTERNAL_SDK) 300 // Add .OpenSource suffix so that open source builds don't try to access a data vault used by system Safari. 301 directory.append(".OpenSource"); 302 #endif 303 304 return directory.toString(); 305 } 306 307 static inline String sandboxFilePath(const String& directoryPath, const CString& header) 308 { 309 StringBuilder sandboxFile; 310 sandboxFile.append(directoryPath); 311 sandboxFile.append("/CompiledSandbox+"); 312 313 // Make the filename semi-unique based on the contents of the header. 314 auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256); 315 crypto->addBytes(header.data(), header.length()); 316 Vector<uint8_t> hash = crypto->computeHash(); 317 String readableHash = WTF::base64URLEncode(hash.data(), hash.size()); 318 319 sandboxFile.append(readableHash); 320 return sandboxFile.toString(); 321 } 322 323 static bool ensureSandboxCacheDirectory(const SandboxInfo& info) 324 { 325 if (!FileSystem::fileIsDirectory(info.parentDirectoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes)) { 326 FileSystem::makeAllDirectories(info.parentDirectoryPath); 327 if (!FileSystem::fileIsDirectory(info.parentDirectoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes)) { 328 WTFLogAlways("%s: Couldn't create sandbox directory\n", getprogname()); 329 return false; 330 } 331 } 332 333 #if USE(APPLE_INTERNAL_SDK) 334 const char* storageClass = processStorageClass(info.processType); 335 CString directoryPath = FileSystem::fileSystemRepresentation(info.directoryPath); 336 if (directoryPath.isNull()) 337 return false; 338 339 auto makeDataVault = [&] { 340 do { 341 if (!rootless_mkdir_datavault(directoryPath.data(), 0700, storageClass)) 342 return true; 343 } while (errno == EAGAIN); 344 return false; 345 }; 346 347 if (makeDataVault()) 348 return true; 349 350 if (errno == EEXIST) { 351 // The directory already exists. First we'll check if it is a data vault. If it is then 352 // we are the ones who created it and we can continue. If it is not a datavault then we'll just 353 // delete it and try to make a new one. 354 if (!rootless_check_datavault_flag(directoryPath.data(), storageClass)) 355 return true; 356 357 bool isDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::No); 358 if (isDirectory) { 359 if (!FileSystem::deleteNonEmptyDirectory(info.directoryPath)) 360 return false; 361 } else { 362 if (!FileSystem::deleteFile(info.directoryPath)) 363 return false; 364 } 365 366 if (!makeDataVault()) 367 return false; 368 } else { 369 WTFLogAlways("Sandbox directory couldn't be created, errno: %d", errno); 370 return false; 371 } 115 void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters) 116 { 117 #if WK_API_ENABLED 118 NSBundle *webKit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKWebView")]; 372 119 #else 373 bool hasSandboxDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes); 374 if (!hasSandboxDirectory) { 375 if (FileSystem::makeAllDirectories(info.directoryPath)) { 376 ASSERT(FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes)); 377 hasSandboxDirectory = true; 378 } else { 379 // We may have raced with someone else making it. That's ok. 380 hasSandboxDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes); 381 } 382 } 383 384 if (!hasSandboxDirectory) { 385 // Bailing because we don't have a sandbox directory. 386 return false; 387 } 388 #endif // USE(APPLE_INTERNAL_SDK) 389 390 return true; 391 } 392 393 static bool writeSandboxDataToCacheFile(const SandboxInfo& info, const Vector<char>& cacheFile) 394 { 395 FileHandle file { info.filePath, FileSystem::FileOpenMode::Write, FileSystem::FileLockMode::Exclusive }; 396 return file.write(cacheFile.data(), cacheFile.size()) == safeCast<int>(cacheFile.size()); 397 } 398 399 static SandboxProfilePtr compileAndCacheSandboxProfile(const SandboxInfo& info) 400 { 401 if (!ensureSandboxCacheDirectory(info)) 402 return nullptr; 403 404 char* error = nullptr; 405 CString profilePath = FileSystem::fileSystemRepresentation(info.profilePath); 406 if (profilePath.isNull()) 407 return nullptr; 408 SandboxProfilePtr sandboxProfile { sandbox_compile_file(profilePath.data(), info.sandboxParameters.get(), &error) }; 409 if (!sandboxProfile) { 410 WTFLogAlways("%s: Couldn't compile WebContent sandbox %s\n", getprogname(), error); 411 return nullptr; 412 } 413 414 const bool haveBuiltin = sandboxProfile->builtin; 415 int32_t libsandboxVersion = NSVersionOfRunTimeLibrary("sandbox"); 416 RELEASE_ASSERT(libsandboxVersion > 0); 417 CachedSandboxHeader cachedHeader { 418 CachedSandboxVersionNumber, 419 static_cast<uint32_t>(libsandboxVersion), 420 safeCast<uint32_t>(info.header.length()), 421 haveBuiltin ? safeCast<uint32_t>(strlen(sandboxProfile->builtin)) : std::numeric_limits<uint32_t>::max(), 422 safeCast<uint32_t>(sandboxProfile->size) 423 }; 424 const size_t expectedFileSize = sizeof(cachedHeader) + cachedHeader.headerSize + (haveBuiltin ? cachedHeader.builtinSize : 0) + cachedHeader.dataSize; 425 426 Vector<char> cacheFile; 427 cacheFile.reserveInitialCapacity(expectedFileSize); 428 cacheFile.append(bitwise_cast<uint8_t*>(&cachedHeader), sizeof(CachedSandboxHeader)); 429 cacheFile.append(info.header.data(), info.header.length()); 430 if (haveBuiltin) 431 cacheFile.append(sandboxProfile->builtin, cachedHeader.builtinSize); 432 cacheFile.append(sandboxProfile->data, cachedHeader.dataSize); 433 434 if (!writeSandboxDataToCacheFile(info, cacheFile)) 435 WTFLogAlways("%s: Unable to cache compiled sandbox", getprogname()); 436 437 return sandboxProfile; 438 } 439 440 static bool tryApplyCachedSandbox(const SandboxInfo& info) 441 { 442 #if USE(APPLE_INTERNAL_SDK) 443 CString directoryPath = FileSystem::fileSystemRepresentation(info.directoryPath); 444 if (directoryPath.isNull()) 445 return false; 446 if (rootless_check_datavault_flag(directoryPath.data(), processStorageClass(info.processType))) 447 return false; 448 #endif 449 450 auto contents = fileContents(info.filePath, true, FileSystem::FileLockMode::Shared); 451 if (!contents || contents->isEmpty()) 452 return false; 453 Vector<char> cachedSandboxContents = WTFMove(*contents); 454 if (sizeof(CachedSandboxHeader) > cachedSandboxContents.size()) 455 return false; 456 457 // This data may be corrupted if the sandbox file was cached on a different platform with different endianness 458 CachedSandboxHeader cachedSandboxHeader; 459 memcpy(&cachedSandboxHeader, cachedSandboxContents.data(), sizeof(CachedSandboxHeader)); 460 int32_t libsandboxVersion = NSVersionOfRunTimeLibrary("sandbox"); 461 RELEASE_ASSERT(libsandboxVersion > 0); 462 if (static_cast<uint32_t>(libsandboxVersion) != cachedSandboxHeader.libsandboxVersion) 463 return false; 464 if (cachedSandboxHeader.versionNumber != CachedSandboxVersionNumber) 465 return false; 466 const bool haveBuiltin = cachedSandboxHeader.builtinSize != std::numeric_limits<uint32_t>::max(); 467 468 // These values are computed based on the disk layout specified below the definition of the CachedSandboxHeader struct 469 // and must be changed if the layout changes. 470 const char* sandboxHeaderPtr = bitwise_cast<char *>(cachedSandboxContents.data()) + sizeof(CachedSandboxHeader); 471 const char* sandboxBuiltinPtr = sandboxHeaderPtr + cachedSandboxHeader.headerSize; 472 unsigned char* sandboxDataPtr = bitwise_cast<unsigned char*>(haveBuiltin ? sandboxBuiltinPtr + cachedSandboxHeader.builtinSize : sandboxBuiltinPtr); 473 474 size_t expectedFileSize = sizeof(CachedSandboxHeader) + cachedSandboxHeader.headerSize + cachedSandboxHeader.dataSize; 475 if (haveBuiltin) 476 expectedFileSize += cachedSandboxHeader.builtinSize; 477 if (cachedSandboxContents.size() != expectedFileSize) 478 return false; 479 if (cachedSandboxHeader.headerSize != info.header.length()) 480 return false; 481 if (memcmp(sandboxHeaderPtr, info.header.data(), info.header.length())) 482 return false; 483 484 SandboxProfile profile; 485 CString builtin; 486 profile.builtin = nullptr; 487 profile.size = cachedSandboxHeader.dataSize; 488 if (haveBuiltin) { 489 builtin = CString::newUninitialized(cachedSandboxHeader.builtinSize, profile.builtin); 490 if (builtin.isNull()) 491 return false; 492 memcpy(profile.builtin, sandboxBuiltinPtr, cachedSandboxHeader.builtinSize); 493 } 494 ASSERT(static_cast<void *>(sandboxDataPtr + profile.size) <= static_cast<void *>(cachedSandboxContents.data() + cachedSandboxContents.size())); 495 profile.data = sandboxDataPtr; 496 497 if (sandbox_apply(&profile)) { 498 WTFLogAlways("%s: Could not apply cached sandbox\n", getprogname()); 499 return false; 500 } 501 502 return true; 503 } 504 505 static inline const NSBundle *webKit2Bundle() 506 { 507 #if WK_API_ENABLED 508 const static NSBundle *bundle = [NSBundle bundleForClass:NSClassFromString(@"WKWebView")]; 509 #else 510 const static NSBundle *bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")]; 511 #endif 512 513 return bundle; 514 } 515 516 static inline String sandboxProfilePath(const SandboxInitializationParameters& parameters) 517 { 518 switch (parameters.mode()) { 519 case SandboxInitializationParameters::ProfileSelectionMode::UseDefaultSandboxProfilePath: 520 return [webKit2Bundle() pathForResource:[[NSBundle mainBundle] bundleIdentifier] ofType:@"sb"]; 521 case SandboxInitializationParameters::ProfileSelectionMode::UseOverrideSandboxProfilePath: 522 return parameters.overrideSandboxProfilePath(); 523 case SandboxInitializationParameters::ProfileSelectionMode::UseSandboxProfile: 524 return parameters.sandboxProfile(); 525 } 526 } 527 528 static bool compileAndApplySandboxSlowCase(const SandboxInfo& info) 529 { 530 char* errorBuf; 531 CString profilePath = FileSystem::fileSystemRepresentation(info.profilePath); 532 #pragma clang diagnostic push 533 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 534 if (sandbox_init_with_parameters(profilePath.data(), SANDBOX_NAMED_EXTERNAL, info.initializationParameters.namedParameterArray(), &errorBuf)) { 535 #pragma clang diagnostic pop 536 WTFLogAlways("%s: Couldn't initialize sandbox profile [%s], error '%s'\n", getprogname(), profilePath.data(), errorBuf); 537 for (size_t i = 0, count = info.initializationParameters.count(); i != count; ++i) 538 WTFLogAlways("%s=%s\n", info.initializationParameters.name(i), info.initializationParameters.value(i)); 539 return false; 540 } 541 return true; 542 } 543 544 static bool applySandbox(const ChildProcessInitializationParameters& parameters, const SandboxInitializationParameters& sandboxInitializationParameters) 545 { 546 String profilePath { sandboxProfilePath(sandboxInitializationParameters) }; 547 if (profilePath.isEmpty()) { 548 WTFLogAlways("%s: Profile path is invalid\n", getprogname()); 549 return false; 550 } 551 552 SandboxParametersPtr sandboxParameters { sandbox_create_params() }; 553 auto header = setAndSerializeSandboxParameters(sandboxInitializationParameters, sandboxParameters, profilePath); 554 if (!header) { 555 WTFLogAlways("%s: Sandbox parameters are invalid\n", getprogname()); 556 CRASH(); 557 } 558 559 String parentDirectoryPath { sandboxDataVaultParentDirectory() }; 560 String directoryPath { sandboxDirectory(parameters.processType, parentDirectoryPath) }; 561 String filePath = sandboxFilePath(directoryPath, *header); 562 SandboxInfo info { 563 parentDirectoryPath, 564 directoryPath, 565 filePath, 566 profilePath, 567 sandboxParameters, 568 *header, 569 parameters.processType, 570 sandboxInitializationParameters 571 }; 572 573 if (tryApplyCachedSandbox(info)) 574 return true; 575 576 SandboxProfilePtr sandboxProfile = compileAndCacheSandboxProfile(info); 577 if (!sandboxProfile) 578 return compileAndApplySandboxSlowCase(info); 579 580 if (sandbox_apply(sandboxProfile.get())) { 581 WTFLogAlways("%s: Couldn't apply compiled sandbox profile, errno: %d\n", getprogname(), errno); 582 exit(EX_NOPERM); 583 } 584 585 return true; 586 } 587 588 static void initializeSandboxParameters(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters) 589 { 590 // Verify user directory suffix. 120 NSBundle *webKit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")]; 121 #endif 122 String defaultProfilePath = [webKit2Bundle pathForResource:[[NSBundle mainBundle] bundleIdentifier] ofType:@"sb"]; 123 591 124 if (sandboxParameters.userDirectorySuffix().isNull()) { 592 125 auto userDirectorySuffix = parameters.extraInitializationData.find("user-directory-suffix"); … … 621 154 setenv("TMPDIR", temporaryDirectory, 1); 622 155 623 sandboxParameters.addPathParameter("WEBKIT2_FRAMEWORK_DIR", [[webKit2Bundle ()bundlePath] stringByDeletingLastPathComponent]);156 sandboxParameters.addPathParameter("WEBKIT2_FRAMEWORK_DIR", [[webKit2Bundle bundlePath] stringByDeletingLastPathComponent]); 624 157 sandboxParameters.addConfDirectoryParameter("DARWIN_USER_TEMP_DIR", _CS_DARWIN_USER_TEMP_DIR); 625 158 sandboxParameters.addConfDirectoryParameter("DARWIN_USER_CACHE_DIR", _CS_DARWIN_USER_CACHE_DIR); … … 635 168 636 169 sandboxParameters.addPathParameter("HOME_DIR", pwd.pw_dir); 170 637 171 String path = String::fromUTF8(pwd.pw_dir); 638 172 path.append("/Library"); 173 639 174 sandboxParameters.addPathParameter("HOME_LIBRARY_DIR", FileSystem::fileSystemRepresentation(path).data()); 175 640 176 path.append("/Preferences"); 177 641 178 sandboxParameters.addPathParameter("HOME_LIBRARY_PREFERENCES_DIR", FileSystem::fileSystemRepresentation(path).data()); 642 } 643 644 void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters) 645 { 646 TraceScope traceScope(InitializeSandboxStart, InitializeSandboxEnd); 647 648 initializeSandboxParameters(parameters, sandboxParameters); 649 650 if (!applySandbox(parameters, sandboxParameters)) { 651 WTFLogAlways("%s: Unable to apply sandbox\n", getprogname()); 652 CRASH(); 179 180 switch (sandboxParameters.mode()) { 181 case SandboxInitializationParameters::UseDefaultSandboxProfilePath: 182 case SandboxInitializationParameters::UseOverrideSandboxProfilePath: { 183 String sandboxProfilePath = sandboxParameters.mode() == SandboxInitializationParameters::UseDefaultSandboxProfilePath ? defaultProfilePath : sandboxParameters.overrideSandboxProfilePath(); 184 if (!sandboxProfilePath.isEmpty()) { 185 CString profilePath = FileSystem::fileSystemRepresentation(sandboxProfilePath); 186 char* errorBuf; 187 #pragma clang diagnostic push 188 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 189 if (sandbox_init_with_parameters(profilePath.data(), SANDBOX_NAMED_EXTERNAL, sandboxParameters.namedParameterArray(), &errorBuf)) { 190 #pragma clang diagnostic pop 191 WTFLogAlways("%s: Couldn't initialize sandbox profile [%s], error '%s'\n", getprogname(), profilePath.data(), errorBuf); 192 for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i) 193 WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i)); 194 exit(EX_NOPERM); 195 } 196 } 197 198 break; 199 } 200 case SandboxInitializationParameters::UseSandboxProfile: { 201 char* errorBuf; 202 #pragma clang diagnostic push 203 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 204 if (sandbox_init_with_parameters(sandboxParameters.sandboxProfile().utf8().data(), 0, sandboxParameters.namedParameterArray(), &errorBuf)) { 205 #pragma clang diagnostic pop 206 WTFLogAlways("%s: Couldn't initialize sandbox profile, error '%s'\n", getprogname(), errorBuf); 207 for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i) 208 WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i)); 209 exit(EX_NOPERM); 210 } 211 212 break; 213 } 653 214 } 654 215 -
trunk/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm
r234121 r234167 30 30 31 31 SandboxInitializationParameters::SandboxInitializationParameters() 32 : m_profileSelectionMode( ProfileSelectionMode::UseDefaultSandboxProfilePath)32 : m_profileSelectionMode(UseDefaultSandboxProfilePath) 33 33 { 34 34 } -
trunk/Source/WebKit/StorageProcess/StorageProcess.h
r234121 r234167 72 72 public: 73 73 static StorageProcess& singleton(); 74 static constexpr ProcessType processType = ProcessType::Storage;75 76 74 ~StorageProcess(); 77 75 -
trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj
r234121 r234167 3413 3413 411A8DDA20DDB6050060D34F /* WKMockMediaDevice.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKMockMediaDevice.cpp; sourceTree = "<group>"; }; 3414 3414 411B22621E371244004F7363 /* LibWebRTCNetwork.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LibWebRTCNetwork.h; path = Network/webrtc/LibWebRTCNetwork.h; sourceTree = "<group>"; }; 3415 41303BC920E2F0FD005827BA /* process-plugin-entitlements.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "process-plugin-entitlements.sh"; sourceTree = "<group>"; };3416 41303BCA20E2F248005827BA /* Plugin-OSX-sandbox.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "Plugin-OSX-sandbox.entitlements"; sourceTree = "<group>"; };3417 3415 413075981DE84FB00039EC69 /* NetworkRTCSocket.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = NetworkRTCSocket.cpp; path = NetworkProcess/webrtc/NetworkRTCSocket.cpp; sourceTree = "<group>"; }; 3418 3416 413075991DE84FB00039EC69 /* NetworkRTCSocket.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = NetworkRTCSocket.h; path = NetworkProcess/webrtc/NetworkRTCSocket.h; sourceTree = "<group>"; }; … … 3464 3462 41B7ED71206965900087D853 /* NetworkMDNSRegister.messages.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = NetworkMDNSRegister.messages.in; path = NetworkProcess/webrtc/NetworkMDNSRegister.messages.in; sourceTree = "<group>"; }; 3465 3463 41C858191F510DEE0065E085 /* CacheStorageEngineCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CacheStorageEngineCache.cpp; sourceTree = "<group>"; }; 3466 41D0FC7820E438DD00076AE8 /* WebContent-OSX-sandbox.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "WebContent-OSX-sandbox.entitlements"; sourceTree = "<group>"; };3467 41D0FC7920E439AD00076AE8 /* process-network-entitlements.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "process-network-entitlements.sh"; sourceTree = "<group>"; };3468 41D0FC7C20E43A5100076AE8 /* Storage-OSX-sandbox.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "Storage-OSX-sandbox.entitlements"; sourceTree = "<group>"; };3469 41D0FC7D20E43A5100076AE8 /* Network-OSX-sandbox.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "Network-OSX-sandbox.entitlements"; sourceTree = "<group>"; };3470 3464 41D129D91F3D101400D15E47 /* WebCacheStorageProvider.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = WebCacheStorageProvider.h; sourceTree = "<group>"; }; 3471 3465 41DC45941E3D6E1E00B11F51 /* NetworkRTCProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = NetworkRTCProvider.h; path = NetworkProcess/webrtc/NetworkRTCProvider.h; sourceTree = "<group>"; }; … … 5191 5185 37119A7D20CCB64E002C6DC9 /* Network-iOS-minimalsimulator.entitlements */, 5192 5186 7C0BB9A918DCDF5A0006C086 /* Network-iOS.entitlements */, 5193 41D0FC7D20E43A5100076AE8 /* Network-OSX-sandbox.entitlements */,5194 5187 BC8283AB16B4BEAD00A278FE /* NetworkService.xcconfig */, 5195 41303BCA20E2F248005827BA /* Plugin-OSX-sandbox.entitlements */,5196 5188 A1EDD2DB1884B96400BBFE98 /* PluginProcessShim.xcconfig */, 5197 5189 BC8283F216B4FC5300A278FE /* PluginService.32.xcconfig */, … … 5201 5193 A1EDD2DC1884B9B500BBFE98 /* SecItemShim.xcconfig */, 5202 5194 5183B3931379F85C00E8754E /* Shim.xcconfig */, 5203 41D0FC7C20E43A5100076AE8 /* Storage-OSX-sandbox.entitlements */,5204 5195 51A60B29180CCD9000F3BF50 /* StorageService.xcconfig */, 5205 5196 1A4F976E100E7B6600637A18 /* Version.xcconfig */, … … 5207 5198 7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */, 5208 5199 37B418EB1C9624F20031E63B /* WebContent-OSX-restricted.entitlements */, 5209 41D0FC7820E438DD00076AE8 /* WebContent-OSX-sandbox.entitlements */,5210 5200 7AF66E1120C07CB6007828EA /* WebContent-OSX.entitlements */, 5211 5201 372EBB4A2017E76000085064 /* WebContentService.Development.xcconfig */, … … 8654 8644 0FC08570187CE0A900780D86 /* model.py */, 8655 8645 0FC08571187CE0A900780D86 /* parser.py */, 8656 41D0FC7920E439AD00076AE8 /* process-network-entitlements.sh */,8657 41303BC920E2F0FD005827BA /* process-plugin-entitlements.sh */,8658 8646 7ACFAAD820B88D4F00C53203 /* process-webcontent-entitlements.sh */, 8659 8647 ); … … 10152 10140 buildConfigurationList = BC8283BD16B4BF7700A278FE /* Build configuration list for PBXNativeTarget "Networking" */; 10153 10141 buildPhases = ( 10154 41D0FC7F20E43B0B00076AE8 /* Remove stale entitlements file */,10155 10142 BC8283AD16B4BF7700A278FE /* Sources */, 10156 10143 BC8283AE16B4BF7700A278FE /* Frameworks */, 10157 10144 BC8283AF16B4BF7700A278FE /* Resources */, 10158 41D0FC8020E43B4500076AE8 /* Unlock keychain */,10159 41D0FC8120E43B7000076AE8 /* Process Network entitlements */,10160 10145 ); 10161 10146 buildRules = ( … … 10174 10159 buildConfigurationList = BC82840416B4FDDE00A278FE /* Build configuration list for PBXNativeTarget "Plugin.32" */; 10175 10160 buildPhases = ( 10176 41303BC320E2EC67005827BA /* Remove stale entitlement file */,10177 10161 BC8283F516B4FDDE00A278FE /* Sources */, 10178 10162 BC8283F616B4FDDE00A278FE /* Frameworks */, 10179 10163 BC8283F716B4FDDE00A278FE /* Resources */, 10180 41303BC420E2ED41005827BA /* Unlock keychain */,10181 41303BC520E2ED54005827BA /* Process Plugin entitlements */,10182 10164 ); 10183 10165 buildRules = ( … … 10196 10178 buildConfigurationList = BC82842A16B4FDF700A278FE /* Build configuration list for PBXNativeTarget "Plugin.64" */; 10197 10179 buildPhases = ( 10198 41303BC620E2EFDF005827BA /* Remove stale entitlement file */,10199 10180 BC82841B16B4FDF600A278FE /* Sources */, 10200 10181 BC82841C16B4FDF600A278FE /* Frameworks */, 10201 10182 BC82841D16B4FDF600A278FE /* Resources */, 10202 41303BC720E2F016005827BA /* Unlock keychain */,10203 41303BC820E2F047005827BA /* Process Plugin entitlements */,10204 10183 ); 10205 10184 buildRules = ( … … 10420 10399 runOnlyForDeploymentPostprocessing = 0; 10421 10400 shellPath = /bin/sh; 10422 shellScript = "set -e\n\nRELATIVE_SOURCE_PATH=\"usr/local/include/WebKitAdditions/WebKit/AdditionalResources\"\nSOURCE_PATH=\"$BUILT_PRODUCTS_DIR/$RELATIVE_SOURCE_PATH\"\n\nif [[ ! -d \"$SOURCE_PATH\" ]]; then\n SOURCE_PATH=\"$SDK_DIR/$RELATIVE_SOURCE_PATH\"\nfi\n\nif [[ -d \"$SOURCE_PATH\" ]]; then\n ditto $SOURCE_PATH \"$BUILT_PRODUCTS_DIR/$UNLOCALIZED_RESOURCES_FOLDER_PATH\"\nfi \n";10401 shellScript = "set -e\n\nRELATIVE_SOURCE_PATH=\"usr/local/include/WebKitAdditions/WebKit/AdditionalResources\"\nSOURCE_PATH=\"$BUILT_PRODUCTS_DIR/$RELATIVE_SOURCE_PATH\"\n\nif [[ ! -d \"$SOURCE_PATH\" ]]; then\n SOURCE_PATH=\"$SDK_DIR/$RELATIVE_SOURCE_PATH\"\nfi\n\nif [[ -d \"$SOURCE_PATH\" ]]; then\n ditto $SOURCE_PATH \"$BUILT_PRODUCTS_DIR/$UNLOCALIZED_RESOURCES_FOLDER_PATH\"\nfi"; 10423 10402 }; 10424 10403 3713F0231429063D0036387F /* Check For Inappropriate Objective-C Class Names */ = { … … 10459 10438 runOnlyForDeploymentPostprocessing = 0; 10460 10439 shellPath = /bin/sh; 10461 shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n eval ENTITLEMENTS=\\${SCRIPT_INPUT_FILE_${i}}\n ENTITLEMENTS_BASE=${ENTITLEMENTS##*/}\n ENTITLEMENTS_BASE=${ENTITLEMENTS_BASE%.entitlements}\n plutil -remove seatbelt-profiles -o \"${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit2/${ENTITLEMENTS_BASE}-no-sandbox.entitlements\" \"${ENTITLEMENTS}\"\n done\nfi \n";10440 shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n eval ENTITLEMENTS=\\${SCRIPT_INPUT_FILE_${i}}\n ENTITLEMENTS_BASE=${ENTITLEMENTS##*/}\n ENTITLEMENTS_BASE=${ENTITLEMENTS_BASE%.entitlements}\n plutil -remove seatbelt-profiles -o \"${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit2/${ENTITLEMENTS_BASE}-no-sandbox.entitlements\" \"${ENTITLEMENTS}\"\n done\nfi"; 10462 10441 }; 10463 10442 375A248817E5048E00C9A086 /* Postprocess WKBase.h */ = { … … 10492 10471 shellPath = /bin/sh; 10493 10472 shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" || \"${WK_PLATFORM_NAME}\" == \"iosmac\" ]]; then\n exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n eval SANDBOX_PROFILE=\\${SCRIPT_INPUT_FILE_${i}}\n ditto \"${SANDBOX_PROFILE}\" \"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/${SANDBOX_PROFILE##*/}\"\n done\nfi\n"; 10494 };10495 41303BC320E2EC67005827BA /* Remove stale entitlement file */ = {10496 isa = PBXShellScriptBuildPhase;10497 buildActionMask = 2147483647;10498 files = (10499 );10500 inputFileListPaths = (10501 );10502 inputPaths = (10503 );10504 name = "Remove stale entitlement file";10505 outputFileListPaths = (10506 );10507 outputPaths = (10508 );10509 runOnlyForDeploymentPostprocessing = 0;10510 shellPath = /bin/sh;10511 shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";10512 };10513 41303BC420E2ED41005827BA /* Unlock keychain */ = {10514 isa = PBXShellScriptBuildPhase;10515 buildActionMask = 2147483647;10516 files = (10517 );10518 inputFileListPaths = (10519 );10520 inputPaths = (10521 );10522 name = "Unlock keychain";10523 outputFileListPaths = (10524 );10525 outputPaths = (10526 );10527 runOnlyForDeploymentPostprocessing = 0;10528 shellPath = /bin/sh;10529 shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n";10530 };10531 41303BC520E2ED54005827BA /* Process Plugin entitlements */ = {10532 isa = PBXShellScriptBuildPhase;10533 buildActionMask = 2147483647;10534 files = (10535 );10536 inputFileListPaths = (10537 );10538 inputPaths = (10539 "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",10540 );10541 name = "Process Plugin entitlements";10542 outputFileListPaths = (10543 );10544 outputPaths = (10545 );10546 runOnlyForDeploymentPostprocessing = 0;10547 shellPath = /bin/sh;10548 shellScript = "Scripts/process-plugin-entitlements.sh\n";10549 };10550 41303BC620E2EFDF005827BA /* Remove stale entitlement file */ = {10551 isa = PBXShellScriptBuildPhase;10552 buildActionMask = 2147483647;10553 files = (10554 );10555 inputFileListPaths = (10556 );10557 inputPaths = (10558 );10559 name = "Remove stale entitlement file";10560 outputFileListPaths = (10561 );10562 outputPaths = (10563 );10564 runOnlyForDeploymentPostprocessing = 0;10565 shellPath = /bin/sh;10566 shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";10567 };10568 41303BC720E2F016005827BA /* Unlock keychain */ = {10569 isa = PBXShellScriptBuildPhase;10570 buildActionMask = 2147483647;10571 files = (10572 );10573 inputFileListPaths = (10574 );10575 inputPaths = (10576 );10577 name = "Unlock keychain";10578 outputFileListPaths = (10579 );10580 outputPaths = (10581 );10582 runOnlyForDeploymentPostprocessing = 0;10583 shellPath = /bin/sh;10584 shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n";10585 };10586 41303BC820E2F047005827BA /* Process Plugin entitlements */ = {10587 isa = PBXShellScriptBuildPhase;10588 buildActionMask = 2147483647;10589 files = (10590 );10591 inputFileListPaths = (10592 );10593 inputPaths = (10594 "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",10595 );10596 name = "Process Plugin entitlements";10597 outputFileListPaths = (10598 );10599 outputPaths = (10600 );10601 runOnlyForDeploymentPostprocessing = 0;10602 shellPath = /bin/sh;10603 shellScript = "Scripts/process-plugin-entitlements.sh\n";10604 };10605 41D0FC7F20E43B0B00076AE8 /* Remove stale entitlements file */ = {10606 isa = PBXShellScriptBuildPhase;10607 buildActionMask = 2147483647;10608 files = (10609 );10610 inputFileListPaths = (10611 );10612 inputPaths = (10613 );10614 name = "Remove stale entitlements file";10615 outputFileListPaths = (10616 );10617 outputPaths = (10618 );10619 runOnlyForDeploymentPostprocessing = 0;10620 shellPath = /bin/sh;10621 shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";10622 };10623 41D0FC8020E43B4500076AE8 /* Unlock keychain */ = {10624 isa = PBXShellScriptBuildPhase;10625 buildActionMask = 2147483647;10626 files = (10627 );10628 inputFileListPaths = (10629 );10630 inputPaths = (10631 );10632 name = "Unlock keychain";10633 outputFileListPaths = (10634 );10635 outputPaths = (10636 );10637 runOnlyForDeploymentPostprocessing = 0;10638 shellPath = /bin/sh;10639 shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n";10640 };10641 41D0FC8120E43B7000076AE8 /* Process Network entitlements */ = {10642 isa = PBXShellScriptBuildPhase;10643 buildActionMask = 2147483647;10644 files = (10645 );10646 inputFileListPaths = (10647 );10648 inputPaths = (10649 "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",10650 );10651 name = "Process Network entitlements";10652 outputFileListPaths = (10653 );10654 outputPaths = (10655 );10656 runOnlyForDeploymentPostprocessing = 0;10657 shellPath = /bin/sh;10658 shellScript = "Scripts/process-network-entitlements.sh\n";10659 10473 }; 10660 10474 5DF408C5131DD46700130071 /* Check For Weak VTables and Externals */ = { -
trunk/Source/WebKit/WebProcess/WebProcess.h
r234121 r234167 110 110 public: 111 111 static WebProcess& singleton(); 112 static constexpr ProcessType processType = ProcessType::WebContent;113 112 114 113 template <typename T> -
trunk/Tools/ChangeLog
r234150 r234167 1 2018-07-24 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r234121. 4 5 Caused perf test failures. 6 7 Reverted changeset: 8 9 "We should cache the compiled sandbox profile in a data vault" 10 https://bugs.webkit.org/show_bug.cgi?id=184991 11 https://trac.webkit.org/changeset/234121 12 1 13 2018-07-24 Thibault Saunier <tsaunier@igalia.com> 2 14 -
trunk/Tools/Tracing/SystemTracePoints.plist
r234121 r234167 301 301 <string>14004</string> 302 302 </dict> 303 <dict>304 <key>Name</key>305 <string>Initialize Sandbox</string>306 <key>Type</key>307 <string>Interval</string>308 <key>Component</key>309 <string>47</string>310 <key>CodeBegin</key>311 <string>14005</string>312 <key>CodeEnd</key>313 <string>14006</string>314 </dict>315 303 </array> 316 304 </dict>
Note: See TracChangeset
for help on using the changeset viewer.