Changeset 253351 in webkit
- Timestamp:
- Dec 10, 2019 3:21:41 PM (4 years ago)
- Location:
- trunk/Source
- Files:
-
- 11 edited
trunk/Source/WebCore/ChangeLog
r253344 r253351 1 2019-12-10 Per Arne Vollan <pvollan@apple.com> 2 3 [iOS] Deny mach lookup access to network extension services in the WebContent sandbox 4 https://bugs.webkit.org/show_bug.cgi?id=203929 5 6 Reviewed by Brent Fulgham. 7 8 Add a global flag to NetworkExtensionContentFilter to indicate whether network extension sandbox extensions have 9 been consumed. If the flag has been set, there is no need to check NEFilterSource.filterRequired, since the flag 10 will tell if filtering is required. Checking NEFilterSource.filterRequired will lead to other mach lookups which 11 we are trying to avoid. 12 13 The test ContentFiltering.LazilyLoadPlatformFrameworks has been modified. 14 15 * WebCore.xcodeproj/project.pbxproj: 16 * platform/cocoa/NetworkExtensionContentFilter.h: 17 * platform/cocoa/NetworkExtensionContentFilter.mm: 18 (WebCore::NetworkExtensionContentFilter::enabled): 19 1 20 2019-12-10 Commit Queue <commit-queue@webkit.org> 2 21 -
trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj
r253308 r253351 2973 2973 A1491DA31F859D870095F5D4 /* PaymentSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A1491DA21F859D870095F5D4 /* PaymentSession.h */; }; 2974 2974 A149786F1ABAF33800CEF7E4 /* ContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A149786D1ABAF33800CEF7E4 /* ContentFilter.h */; }; 2975 A14978711ABAF3A500CEF7E4 /* PlatformContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A14978701ABAF3A500CEF7E4 /* PlatformContentFilter.h */; };2975 A14978711ABAF3A500CEF7E4 /* PlatformContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A14978701ABAF3A500CEF7E4 /* PlatformContentFilter.h */; settings = {ATTRIBUTES = (Private, ); }; }; 2976 2976 A14BB0A01F9813B800605A35 /* MockPayment.h in Headers */ = {isa = PBXBuildFile; fileRef = A14BB09E1F9813B800605A35 /* MockPayment.h */; }; 2977 2977 A15D75161E68F7C800A35FBC /* BlobCallback.h in Headers */ = {isa = PBXBuildFile; fileRef = A15D75131E68F7B100A35FBC /* BlobCallback.h */; }; … … 3002 3002 A19AEA211AAA808600B52B25 /* JSMockContentFilterSettings.h in Headers */ = {isa = PBXBuildFile; fileRef = A19AEA1E1AAA806E00B52B25 /* JSMockContentFilterSettings.h */; }; 3003 3003 A19AEA221AAA808A00B52B25 /* JSMockContentFilterSettings.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A19AEA1D1AAA806E00B52B25 /* JSMockContentFilterSettings.cpp */; }; 3004 A19D934B1AA11B1E00B46C24 /* NetworkExtensionContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A19D93491AA11B1E00B46C24 /* NetworkExtensionContentFilter.h */; };3004 A19D934B1AA11B1E00B46C24 /* NetworkExtensionContentFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = A19D93491AA11B1E00B46C24 /* NetworkExtensionContentFilter.h */; settings = {ATTRIBUTES = (Private, ); }; }; 3005 3005 A1AA9AB91D23911500FEADB3 /* ContentFilterBlockedPage.html in Resources */ = {isa = PBXBuildFile; fileRef = A1AA9AB81D23911500FEADB3 /* ContentFilterBlockedPage.html */; }; 3006 3006 A1ADAF7D2360FD3E009CB776 /* PreviewConverterClient.h in 
Headers */ = {isa = PBXBuildFile; fileRef = A1ADAF7B2360FD3D009CB776 /* PreviewConverterClient.h */; }; … … 16748 16748 E4FB4B35239BEB10003C336A /* DisplayInlineContent.cpp */, 16749 16749 E451C6332394058E00993190 /* DisplayInlineContent.h */, 16750 112FB350239C23C40087054A /* DisplayInlineRect.h */, 16750 16751 6FB47E612277425A00C7BCB0 /* DisplayLineBox.h */, 16751 16752 6F77868523491AC6004D9636 /* DisplayPainter.cpp */, 16752 16753 6F77868723491AD7004D9636 /* DisplayPainter.h */, 16753 16754 6FD9CD52227E21C800E53957 /* DisplayRect.h */, 16754 112FB350239C23C40087054A /* DisplayInlineRect.h */,16755 16755 6FCE1A1822618AB3004F0343 /* DisplayRun.h */, 16756 16756 ); … … 29607 29607 1199FA5B208E3C7F002358CC /* DisplayBox.h in Headers */, 29608 29608 E451C6342394058F00993190 /* DisplayInlineContent.h in Headers */, 29609 112FB352239C23C40087054A /* DisplayInlineRect.h in Headers */, 29610 6FB47E632277425A00C7BCB0 /* DisplayLineBox.h in Headers */, 29609 29611 0FE5FBD31C3DD51E0007A2CA /* DisplayList.h in Headers */, 29610 29612 0FE5FBD51C3DD51E0007A2CA /* DisplayListItems.h in Headers */, … … 30266 30268 6FE7CFA22177EEF2005B1573 /* InlineItem.h in Headers */, 30267 30269 BCE789161120D6080060ECE5 /* InlineIterator.h in Headers */, 30268 6FB47E632277425A00C7BCB0 /* DisplayLineBox.h in Headers */,30269 30270 6FE198172178397C00446F08 /* InlineLineBreaker.h in Headers */, 30270 30271 6F0CD695229ED32700C5994E /* InlineLineBuilder.h in Headers */, … … 31928 31929 436708C112D9CA4B00044234 /* RenderSVGBlock.h in Headers */, 31929 31930 436708C312D9CA4B00044234 /* RenderSVGContainer.h in Headers */, 31930 112FB352239C23C40087054A /* DisplayInlineRect.h in Headers */,31931 31931 2B365C841525119E0091D27B /* RenderSVGEllipse.h in Headers */, 31932 31932 43C092BC12D9E4EE00A989C3 /* RenderSVGForeignObject.h in Headers */, -
trunk/Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.h
r238771 r253351 54 54 #endif 55 55 56 WEBCORE_EXPORT static void setHasConsumedSandboxExtensions(bool); 57 56 58 private: 57 59 static bool enabled(); … … 61 63 void handleDecision(NEFilterSourceStatus, NSData *replacementData); 62 64 65 enum class SandboxExtensionsState : uint8_t { 66 Consumed, 67 NotConsumed, 68 NotSet 69 }; 70 71 WEBCORE_EXPORT static SandboxExtensionsState m_sandboxExtensionsState; 72 63 73 OSObjectPtr<dispatch_queue_t> m_queue; 64 74 RetainPtr<NSData> m_replacementData; -
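Review bot: The new static data member `m_sandboxExtensionsState` carries the `m_` prefix that the lines below it use for per-instance members (`m_queue`, `m_replacementData`), which hides that it is process-wide state. Something like `static SandboxExtensionsState s_sandboxExtensionsState;` would read more honestly. The member is also marked `WEBCORE_EXPORT` although it is private and the only writer shown is the exported setter, so the export looks unnecessary unless something outside WebCore touches it directly. The enum would benefit from a one-line comment per state, e.g. `// NotSet: no decision was pushed into this process; enabled() queries NEFilterSource itself.`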
trunk/Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.mm
r250309 r253351 52 52 namespace WebCore { 53 53 54 NetworkExtensionContentFilter::SandboxExtensionsState NetworkExtensionContentFilter::m_sandboxExtensionsState = SandboxExtensionsState::NotSet; 55 54 56 bool NetworkExtensionContentFilter::enabled() 55 57 { 56 bool enabled = [getNEFilterSourceClass() filterRequired]; 58 bool enabled = false; 59 switch (m_sandboxExtensionsState) { 60 case SandboxExtensionsState::Consumed: 61 enabled = true; 62 break; 63 case SandboxExtensionsState::NotConsumed: 64 enabled = false; 65 break; 66 case SandboxExtensionsState::NotSet: 67 enabled = [getNEFilterSourceClass() filterRequired]; 68 break; 69 } 57 70 LOG(ContentFiltering, "NetworkExtensionContentFilter is %s.\n", enabled ? "enabled" : "not enabled"); 58 71 return enabled; … … 216 229 } 217 230 231 void NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(bool hasConsumedSandboxExtensions) 232 { 233 m_sandboxExtensionsState = (hasConsumedSandboxExtensions ? SandboxExtensionsState::Consumed : SandboxExtensionsState::NotConsumed); 234 } 235 218 236 } // namespace WebCore 219 237 -
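Review bot: In `enabled()`, the `NotConsumed` case returns false without consulting `NEFilterSource` again, so the answer is fixed by whatever was passed to `setHasConsumedSandboxExtensions`. The only caller visible in this changeset sets it once during web process initialisation, so a content filter that becomes required after a web process has launched would presumably not be applied in that process; whether `filterRequired` can change at runtime is not shown here. If that trade-off is accepted, state it at the switch, e.g. `// Decided once at process launch; a filter enabled later is not seen by this process.` The static is also read and written without synchronisation, which is only safe if `enabled()` is never called off the thread that runs process initialisation.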
trunk/Source/WebKit/ChangeLog
r253346 r253351 1 2019-12-10 Per Arne Vollan <pvollan@apple.com> 2 3 [iOS] Deny mach lookup access to network extension services in the WebContent sandbox 4 https://bugs.webkit.org/show_bug.cgi?id=203929 5 6 Reviewed by Brent Fulgham. 7 8 Mach lookup access to network extension services in the WebContent process is only needed if 9 NEFilterSource.filterRequired is true. If this is the case, issue the needed mach lookup 10 sandbox extensions to the WebContent process, where they will be consumed. Eventually, all 11 the content filtering code should be moved to the Networking process, but since this is a 12 bigger undertaking, we can issue extensions in the meantime to strengthen the sandbox. 13 14 * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb: 15 * Shared/WebProcessCreationParameters.cpp: 16 (WebKit::WebProcessCreationParameters::encode const): 17 (WebKit::WebProcessCreationParameters::decode): 18 * Shared/WebProcessCreationParameters.h: 19 * UIProcess/Cocoa/WebProcessPoolCocoa.mm: 20 (WebKit::WebProcessPool::platformInitializeWebProcess): 21 * WebProcess/cocoa/WebProcessCocoa.mm: 22 (WebKit::WebProcess::platformInitializeWebProcess): 23 * WebProcess/com.apple.WebProcess.sb.in: 24 1 25 2019-12-10 Chris Dumez <cdumez@apple.com> 2 26 -
trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
r253127 r253351 478 478 (define-once (network-extensions-support) 479 479 ;; Network Extensions / VPN helper. 480 (allow mach-lookup 480 (allow mach-lookup (with report) (with telemetry) 481 481 (global-name "com.apple.nehelper") 482 482 (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387> … … 967 967 (require-all 968 968 (extension "com.apple.webkit.extension.mach") 969 (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService" )))969 (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService" "com.apple.nehelper" "com.apple.nesessionmanager.content-filter"))) 970 970 971 971 (media-capture-support) -
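Review bot: The first hunk leaves `network-extensions-support` as an unconditional `allow mach-lookup` for `com.apple.nehelper` and `com.apple.nesessionmanager.content-filter`, adding only `(with report) (with telemetry)`. If the profile still invokes `(network-extensions-support)` outside the visible lines, the lookups stay permitted without any extension, and the two names added to the `com.apple.webkit.extension.mach` list in the second hunk change nothing in practice. If the allow is being kept temporarily to gather telemetry, say so on the define, e.g. `;; Temporary: still allowed but reported; remove once the extension-gated rule is confirmed sufficient.`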
trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp
r253288 r253351 164 164 encoder << compilerServiceExtensionHandle; 165 165 #endif 166 167 #if PLATFORM(COCOA) 168 encoder << neHelperExtensionHandle; 169 encoder << neSessionManagerExtensionHandle; 170 #endif 166 171 } 167 172 … … 404 409 #endif 405 410 411 #if PLATFORM(COCOA) 412 Optional<Optional<SandboxExtension::Handle>> neHelperExtensionHandle; 413 decoder >> neHelperExtensionHandle; 414 if (!neHelperExtensionHandle) 415 return false; 416 parameters.neHelperExtensionHandle = WTFMove(*neHelperExtensionHandle); 417 418 Optional<Optional<SandboxExtension::Handle>> neSessionManagerExtensionHandle; 419 decoder >> neSessionManagerExtensionHandle; 420 if (!neSessionManagerExtensionHandle) 421 return false; 422 parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle); 423 #endif 424 406 425 return true; 407 426 } -
trunk/Source/WebKit/Shared/WebProcessCreationParameters.h
r253288 r253351 202 202 Optional<SandboxExtension::Handle> compilerServiceExtensionHandle; 203 203 #endif 204 205 #if PLATFORM(COCOA) 206 Optional<SandboxExtension::Handle> neHelperExtensionHandle; 207 Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle; 208 #endif 204 209 }; 205 210 -
trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
r253292 r253351 73 73 #endif 74 74 75 #if PLATFORM(COCOA) 76 #import <pal/spi/cocoa/NEFilterSourceSPI.h> 77 78 SOFT_LINK_FRAMEWORK_OPTIONAL(NetworkExtension); 79 SOFT_LINK_CLASS_OPTIONAL(NetworkExtension, NEFilterSource); 80 #endif 81 75 82 NSString *WebServiceWorkerRegistrationDirectoryDefaultsKey = @"WebServiceWorkerRegistrationDirectory"; 76 83 NSString *WebKitLocalCacheDefaultsKey = @"WebKitLocalCache"; … … 296 303 } 297 304 #endif 305 306 #if PLATFORM(COCOA) 307 if ([getNEFilterSourceClass() filterRequired]) { 308 SandboxExtension::Handle handle; 309 SandboxExtension::createHandleForMachLookup("com.apple.nehelper", WTF::nullopt, handle); 310 parameters.neHelperExtensionHandle = WTFMove(handle); 311 SandboxExtension::createHandleForMachLookup("com.apple.nesessionmanager.content-filter", WTF::nullopt, handle); 312 parameters.neSessionManagerExtensionHandle = WTFMove(handle); 313 } 314 #endif 298 315 } 299 316 -
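Review bot: Both `SandboxExtension::createHandleForMachLookup` calls ignore their result and the handle is stored in `parameters` regardless, so a failed creation would still send a handle whose presence the web process later treats as "extensions consumed". This assumes the function reports failure through a bool return, which is not shown in this hunk. The single `handle` local is also reused after `WTFMove(handle)`, which relies on the moved-from state being reusable; a separate local per service avoids that. The enclosing function starts outside the hunk.

```objective-c++
if ([getNEFilterSourceClass() filterRequired]) {
    SandboxExtension::Handle helperHandle;
    if (SandboxExtension::createHandleForMachLookup("com.apple.nehelper", WTF::nullopt, helperHandle))
        parameters.neHelperExtensionHandle = WTFMove(helperHandle);
    SandboxExtension::Handle sessionManagerHandle;
    if (SandboxExtension::createHandleForMachLookup("com.apple.nesessionmanager.content-filter", WTF::nullopt, sessionManagerHandle))
        parameters.neSessionManagerExtensionHandle = WTFMove(sessionManagerHandle);
}
```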
trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
r253127 r253351 117 117 #endif 118 118 119 #if PLATFORM(COCOA) 120 #import <WebCore/NetworkExtensionContentFilter.h> 121 #endif 122 119 123 #if HAVE(CSCHECKFIXDISABLE) 120 124 extern "C" void _CSCheckFixDisable(); … … 226 230 if (parameters.compilerServiceExtensionHandle) 227 231 SandboxExtension::consumePermanently(*parameters.compilerServiceExtensionHandle); 232 #endif 233 234 #if PLATFORM(COCOA) 235 if (parameters.neHelperExtensionHandle) 236 SandboxExtension::consumePermanently(*parameters.neHelperExtensionHandle); 237 if (parameters.neSessionManagerExtensionHandle) 238 SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle); 239 NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue()); 228 240 #endif 229 241 } -
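Review bot: The flag passed to `setHasConsumedSandboxExtensions` is computed from `hasValue()` on the two handles, not from whether `consumePermanently` succeeded, so it records that handles arrived rather than that the sandbox now permits the lookups. If consumption fails, the filter would be marked enabled while its mach lookups are still denied, and what the filter does in that case is not visible here. If only one handle arrives, filtering is switched off even though the UI process decided it was required. Consider capturing each result, e.g. `bool consumedHelper = parameters.neHelperExtensionHandle && SandboxExtension::consumePermanently(*parameters.neHelperExtensionHandle);`, doing the same for the session manager handle, and logging when the two disagree. This assumes `consumePermanently` returns a success value, which the hunk does not show.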
trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
r253274 r253351 834 834 #endif // PLATFORM(MAC) 835 835 836 (allow mach-lookup 837 (require-all 838 (extension "com.apple.webkit.extension.mach") 839 (global-name "com.apple.nehelper" "com.apple.nesessionmanager.content-filter"))) 840 836 841 (when (defined? 'syscall-unix) 837 842 (deny syscall-unix (with send-signal SIGKILL))
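Review bot: This hunk only adds an `allow mach-lookup` rule for `com.apple.nehelper` and `com.apple.nesessionmanager.content-filter`; no existing rule for those names is removed or narrowed in the visible lines. Unless an unconditional allow for them is dropped elsewhere in the profile, the macOS change either duplicates access that already exists or grants access that was previously denied, rather than tightening anything. A short comment on the rule would make the intent checkable, e.g. `;; Extension is issued by the UI process only when NEFilterSource.filterRequired is true.`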