Changeset 258915 in webkit

Timestamp:

Mar 24, 2020 10:14:43 AM (4 years ago)

Author:

pvollan@apple.com

Message:

[Cocoa] Deny access to database mapping service
​https://bugs.webkit.org/show_bug.cgi?id=209339
Source/WebKit:

<rdar://problem/56966010>

Reviewed by Brent Fulgham.

In order for the WebContent process to not have permantent access to the database mapping service,
this patch creates an extension for the service in the UI process, sends it to the WebContent
process, where it is consumed. Then, an API call is made which will map the database, and next the
WebContent process will revoke the extension. The WebContent process has then mapped the database,
and access to the database mapping service is no longer needed.

Tested by: fast/sandbox/ios/sandbox-mach-lookup.html

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
• Shared/WebProcessCreationParameters.cpp:

(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):

• Shared/WebProcessCreationParameters.h:
• UIProcess/Cocoa/WebProcessPoolCocoa.mm:

(WebKit::WebProcessPool::platformInitializeWebProcess):

• WebProcess/cocoa/WebProcessCocoa.mm:

(WebKit::WebProcess::platformInitializeWebProcess):

• WebProcess/com.apple.WebProcess.sb.in:

Source/WTF:

<rdar://problem/56966010>

Reviewed by Brent Fulgham.

Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
of denying the database mapping service in this patch.

• wtf/PlatformUse.h:

LayoutTests:

Reviewed by Brent Fulgham.

• fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
• fast/sandbox/ios/sandbox-mach-lookup.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (modified) (1 diff)
• LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (modified) (1 diff)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/PlatformUse.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (2 diffs)
• Source/WebKit/Shared/WebProcessCreationParameters.cpp (modified) (2 diffs)
• Source/WebKit/Shared/WebProcessCreationParameters.h (modified) (1 diff)
• Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (modified) (2 diffs)
• Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (modified) (2 diffs)
• Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-03-24  Per Arne Vollan  <pvollan@apple.com>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+
+        Reviewed by Brent Fulgham.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+
 2020-03-24  Antoine Quint  <graouts@apple.com>
 

trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt

@@ -26 +26 @@
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd.v2") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.iconservices") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.lsd.mapdb") is false

trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html

@@ -29 +29 @@
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd.v2\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.iconservices\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.lsd.mapdb\")");
 }
 </script>

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-03-24  Per Arne Vollan  <pvollan@apple.com>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+        <rdar://problem/56966010>
+
+        Reviewed by Brent Fulgham.
+
+        Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
+        of denying the database mapping service in this patch.
+
+        * wtf/PlatformUse.h:
+
 2020-03-23  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WTF/wtf/PlatformUse.h

@@ -322 +322 @@
 #endif
 
-#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 140000
-#define USE_UTTYPE_SWIZZLER 1
-#endif
+#define USE_UTTYPE_SWIZZLER 0

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-03-24  Per Arne Vollan  <pvollan@apple.com>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+        <rdar://problem/56966010>
+
+        Reviewed by Brent Fulgham.
+
+        In order for the WebContent process to not have permantent access to the database mapping service,
+        this patch creates an extension for the service in the UI process, sends it to the WebContent
+        process, where it is consumed. Then, an API call is made which will map the database, and next the
+        WebContent process will revoke the extension. The WebContent process has then mapped the database,
+        and access to the database mapping service is no longer needed.
+
+        Tested by: fast/sandbox/ios/sandbox-mach-lookup.html
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * Shared/WebProcessCreationParameters.cpp:
+        (WebKit::WebProcessCreationParameters::encode const):
+        (WebKit::WebProcessCreationParameters::decode):
+        * Shared/WebProcessCreationParameters.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeWebProcess):
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::platformInitializeWebProcess):
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2020-03-24  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -538 +538 @@
 )
 
-(deny mach-lookup (with telemetry)
+(deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.distributed_notifications@1v3"))
 
@@ -544 +544 @@
        (ipc-posix-name-prefix "apple.cfprefs."))
  
-(allow mach-lookup (with telemetry-backtrace)
+(deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.lsd.mapdb"))
 

trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp

@@ -170 +170 @@
     encoder << neHelperExtensionHandle;
     encoder << neSessionManagerExtensionHandle;
+    encoder << mapDBExtensionHandle;
     encoder << systemHasBattery;
     encoder << mimeTypesMap;
@@ -457 +458 @@
     parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
 
+    Optional<Optional<SandboxExtension::Handle>> mapDBExtensionHandle;
+    decoder >> mapDBExtensionHandle;
+    if (!mapDBExtensionHandle)
+        return false;
+    parameters.mapDBExtensionHandle = WTFMove(*mapDBExtensionHandle);
+
     Optional<bool> systemHasBattery;
     decoder >> systemHasBattery;

trunk/Source/WebKit/Shared/WebProcessCreationParameters.h

@@ -214 +214 @@
     Optional<SandboxExtension::Handle> neHelperExtensionHandle;
     Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
+    Optional<SandboxExtension::Handle> mapDBExtensionHandle;
     bool systemHasBattery { false };
     Optional<HashMap<String, Vector<String>, ASCIICaseInsensitiveHash>> mimeTypesMap;

trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm

@@ -381 +381 @@
         static const char* services[] = {
             "com.apple.lsd.open",
-            "com.apple.lsd.mapdb",
             "com.apple.mobileassetd",
             "com.apple.iconservices",
@@ -436 +435 @@
         parameters.vectorOfUTTypeItem = createVectorOfUTTypeItem();
 #endif
+
+    SandboxExtension::Handle mapDBHandle;
+    SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport);
+    parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
 #endif
     

trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm

@@ -105 +105 @@
 #import "UserInterfaceIdiom.h"
 #import "WKAccessibilityWebPageObjectIOS.h"
+#import <MobileCoreServices/MobileCoreServices.h>
 #import <UIKit/UIAccessibility.h>
 #import <WebCore/UTTypeRecordSwizzler.h>
@@ -275 +276 @@
         SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
     NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
+
+    if (parameters.mapDBExtensionHandle) {
+        auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
+        bool ok = extension->consume();
+        ASSERT_UNUSED(ok, ok);
+        // Perform API calls which will communicate with the database mapping service, and map the database.
+        auto uti = adoptCF(UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, CFSTR("text/html"), 0));
+        ok = extension->revoke();
+        ASSERT_UNUSED(ok, ok);
+    }
+
     setSystemHasBattery(parameters.systemHasBattery);
 

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -888 +888 @@
             "com.apple.cfprefsd.daemon"
             "com.apple.tccd"
+            "com.apple.lsd.mapdb"
 
             ;;; FIXME(207716): The following should be removed when the GPU process is complete