Changeset 256455 in webkit

Timestamp:

Feb 12, 2020 10:49:42 AM (4 years ago)

Author:

pvollan@apple.com

Message:

Source/WebKit:
Pages that trigger a redirect will sometimes be left blank
​https://bugs.webkit.org/show_bug.cgi?id=207614
rdar://problem/59077740

Patch by Simon Fraser <Simon Fraser> on 2020-02-12
Reviewed by Tim Horton.

TiledCoreAnimationDrawingArea::setRootCompositingGraphicsLayer() can be called when the layer tree
is frozen, in which case we stash away the layer in m_pendingRootLayer to be parented later at flush
time. However, this sequence of calls had a bug:

setRootCompositingGraphicsLayer() when frozen

-> stash in m_pendingRootLayer

setRootCompositingGraphicsLayer() when not frozen

-> set the root layer

flushLayers()

-> set the root layer to the (old) m_pendingRootLayer

So we need to clear m_pendingRootLayer at step 2.

Very timing dependent, hard to test.

• WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:

(WebKit::TiledCoreAnimationDrawingArea::setRootCompositingLayer):

LayoutTests:
[iOS] Deny mach lookup access to analytics service in the WebContent process
​https://bugs.webkit.org/show_bug.cgi?id=207482

Reviewed by Darin Adler.

• fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
• fast/sandbox/ios/sandbox-mach-lookup.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (modified) (1 diff)
• LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-02-12  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to analytics service in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=207482
+
+        Reviewed by Darin Adler.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+
 2020-02-12  Jacob Uphoff  <jacob_uphoff@apple.com>
 

trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt

@@ -20 +20 @@
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.tccd") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.uikit.viewservice") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.analyticsd") is false

trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html

@@ -23 +23 @@
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.tccd\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.uikit.viewservice\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.analyticsd\")");
 }
 </script>

trunk/Source/WebKit/ChangeLog

@@ -24 +24 @@
         * WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:
         (WebKit::TiledCoreAnimationDrawingArea::setRootCompositingLayer):
+
+2020-02-12  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to analytics service in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=207482
+
+        Reviewed by Darin Adler.
+
+        As part of sandbox hardening work, this service should be denied in the WebContent process' sandbox.
+
+        Test: fast/sandbox/ios/sandbox-mach-lookup.html
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
 
 2020-02-12  Per Arne Vollan  <pvollan@apple.com>

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -897 +897 @@
 (allow mach-lookup
        (global-name "com.apple.webinspector"))
-
-;; Various services required by CFNetwork and other frameworks
-(allow mach-lookup
-    (global-name "com.apple.analyticsd"))
 
 (allow mach-lookup (with report) (with telemetry)