Changeset 270381 in webkit


Timestamp:
Dec 2, 2020 5:40:53 PM (3 years ago)
Author:
Brent Fulgham
Message:

[macOS] WebContent sandbox; remove AppleIntelMEUserClient
https://bugs.webkit.org/show_bug.cgi?id=219012
<rdar://problem/70462796>

Reviewed by Eric Carlson.

Source/WebKit:

Instead of globally extending access to the AppleIntelMEUserClient IOKit class,
only extend it when the GPU process is not in use.

  • UIProcess/WebPageProxy.cpp:

(WebKit::gpuIOKitClasses): Add 'AppleIntelMEUserClient' as a dynamically-extended
IOKit class.

  • WebProcess/com.apple.WebProcess.sb.in: Only allow 'AppleIntelMEUserClient' if it was dynamically extended.

Tools:

Update the various sandboxes to allow the UIProcess to extend IOKit classes
to child processes on macOS. We already do this on iOS.

  • MiniBrowser/MiniBrowser.entitlements:
  • TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements:
  • TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements:
  • WebKitTestRunner/Configurations/WebKitTestRunner.entitlements:
Location:
trunk
Files:
8 edited

  • trunk/Source/WebKit/ChangeLog

    r270364 r270381  
     12020-12-02  Brent Fulgham  <bfulgham@apple.com>
     2
     3        [macOS] WebContent sandbox; remove AppleIntelMEUserClient
     4        https://bugs.webkit.org/show_bug.cgi?id=219012
     5        <rdar://problem/70462796>
     6
     7        Reviewed by Eric Carlson.
     8
     9        Instead of globally extending access to the AppleIntelMEUserClient IOKit class,
     10        only extend it when the GPU process is not in use.
     11
     12        * UIProcess/WebPageProxy.cpp:
     13        (WebKit::gpuIOKitClasses): Add 'AppleIntelMEUserClient' as a dynamically-extended
     14        IOKit class.
     15        * WebProcess/com.apple.WebProcess.sb.in: Only allow 'AppleIntelMEUserClient' if it
     16        was dynamically extended.
     17
    1182020-12-02  Wenson Hsieh  <wenson_hsieh@apple.com>
    219
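Review bot: The entry title on line 3 says "remove AppleIntelMEUserClient", but the profile change in this changeset keeps the iokit-open rule for that class and makes it conditional on the "com.apple.webkit.extension.iokit" extension. Suggest a title that says access is now granted through a dynamic extension, so that someone searching history for when the class left the WebContent profile is not misled.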
  • trunk/Source/WebKit/UIProcess/WebPageProxy.cpp

    r270362 r270381  
    77407740        "IOSurfaceRootUserClient"_s,
    77417741#endif
     7742#if PLATFORM(MAC) || PLATFORM(MACCATALYST)
     7743        "AppleIntelMEUserClient"_s,
     7744#endif
    77427745    });
    77437746    return services;
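Review bot: The new "AppleIntelMEUserClient"_s entry at lines 7742-7744 has no comment saying why it is in the list, and the ChangeLog condition "only extend it when the GPU process is not in use" is not visible anywhere in this hunk. Suggest a one-line comment that repeats the profile's reason (Encrypted Media on some hardware) and points to where the GPU-process check is made, so the entry can be dropped with confidence later.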
  • trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

    r270326 r270381  
    181181    ;; This is needed for Encrypted Media on some hardware (MacMini8,1 for example)
    182182    (allow iokit-open
    183         (iokit-registry-entry-class "AppleIntelMEUserClient")
     183        (require-all
     184            (extension "com.apple.webkit.extension.iokit")
     185            (iokit-registry-entry-class "AppleIntelMEUserClient")
     186        )
    184187#if HAVE(SANDBOX_MESSAGE_FILTERING)
    185188        (with telemetry-backtrace)
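Review bot: The comment on line 181 still gives only the reason the class is needed and does not mention that the rule at lines 183-186 now also requires the "com.apple.webkit.extension.iokit" extension. Suggest extending the comment to say the UIProcess must issue that extension (via gpuIOKitClasses in WebPageProxy.cpp), since a reader of the profile alone cannot tell where the extension comes from.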
     
    16071610    )
    16081611)
     1612
     1613;; FIXME: This is just for logging. Remove when the GPU process is enabled by default.
     1614;; These should only be accessed through an iokit-extension, so log if they are not.
     1615(allow iokit-open (with report) (with telemetry-backtrace)
     1616    (require-all
     1617        (require-not (extension "com.apple.webkit.extension.iokit"))
     1618        (iokit-registry-entry-class
     1619            "AppleIntelMEUserClient"
     1620        )
     1621    )
     1622)
     1623
    16091624#endif // HAVE(SANDBOX_MESSAGE_FILTERING)
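Review bot: The block added at lines 1613-1622 is an allow rule, so when HAVE(SANDBOX_MESSAGE_FILTERING) is set a WebContent process without the extension can still open AppleIntelMEUserClient; the open is reported, not refused. That means the require-all added at lines 183-186 is not enforced on those builds until this block is removed. If that is the intent, the comment should say so explicitly ("access is still permitted, with a report"), and the FIXME should carry a bug link so the removal is tracked.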
  • trunk/Tools/ChangeLog

    r270378 r270381  
     12020-12-02  Brent Fulgham  <bfulgham@apple.com>
     2
     3        [macOS] WebContent sandbox; remove AppleIntelMEUserClient
     4        https://bugs.webkit.org/show_bug.cgi?id=219012
     5        <rdar://problem/70462796>
     6
     7        Reviewed by Eric Carlson.
     8
     9        Update the various sandboxes to allow the UIProcess to extend IOKit classes
     10        to child processes on macOS. We already do this on iOS.
     11
     12        * MiniBrowser/MiniBrowser.entitlements:
     13        * TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements:
     14        * TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements:
     15        * WebKitTestRunner/Configurations/WebKitTestRunner.entitlements:
     16
    1172020-12-02  Jonathan Bedard  <jbedard@apple.com>
    218
  • trunk/Tools/MiniBrowser/MiniBrowser.entitlements

    r270035 r270381  
    2222        <array>
    2323                <string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
     24                <string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
    2425        </array>
    2526        <key>com.apple.security.device.camera</key>
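Review bot: The rule added on line 24 filters only on extension-class, so nothing in this entitlement limits which IOKit classes the app may extend to its child processes; the only list of classes is gpuIOKitClasses in WebPageProxy.cpp. The same line is added to the three other entitlements files in this changeset. Worth stating in the Tools ChangeLog that this breadth is intended and mirrors the existing mach-issue-extension rule on line 23.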
  • trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements

    r264769 r270381  
    1414        <array>
    1515                <string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
     16                <string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
    1617        </array>
    1718</dict>
  • trunk/Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements

    r257269 r270381  
    1010        <array>
    1111                <string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
     12                <string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
    1213        </array>
    1314</dict>
  • trunk/Tools/WebKitTestRunner/Configurations/WebKitTestRunner.entitlements

    r256777 r270381  
    22<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    33<plist version="1.0">
    4     <dict>
    5         <key>keychain-access-groups</key>
    6         <array>
    7             <string>com.apple.WebKitTestRunner</string>
    8         </array>
    9         <key>com.apple.security.temporary-exception.sbpl</key>
    10         <array>
    11                 <string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
    12         </array>
    13     </dict>
     4<dict>
     5        <key>keychain-access-groups</key>
     6        <array>
     7                <string>com.apple.WebKitTestRunner</string>
     8        </array>
     9        <key>com.apple.security.temporary-exception.sbpl</key>
     10        <array>
     11                <string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
     12                <string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
     13        </array>
     14</dict>
    1415</plist>
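Review bot: Lines 4-14 of this file are removed and re-added with different indentation, which hides the single functional change, the iokit-issue-extension string on the new line 12. Suggest landing the re-indentation separately, or keeping the original whitespace, so the diff for this file shows only the added line, as it does for the other three entitlements files.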