[webkit-changes] [257956] trunk/Source/WebKit

Thu, 05 Mar 2020 16:08:02 -0800

Title: [257956] trunk/Source/WebKit
Revision
257956
Author
bfulg...@apple.com
Date
2020-03-05 16:06:53 -0800 (Thu, 05 Mar 2020)

Log Message

[macOS] Create sandbox extension for "com.apple.tccd"
https://bugs.webkit.org/show_bug.cgi?id=208660
<rdar://problem/57666569>

Reviewed by Per Arne Vollan.

Make the same changes for macOS as we did for iOS in Bug 204367. Specifically, remove the
blanket mach-lookup permission for 'com.apple.tccd', and instead make a dynamic extension
only when a camera or microphone request is made.

* UIProcess/UserMediaPermissionRequestManagerProxy.cpp:
(WebKit::UserMediaPermissionRequestManagerProxy::finishGrantingRequest): Update to create the
extensions on macOS, too.
* UIProcess/UserMediaPermissionRequestManagerProxy.h:
* WebProcess/com.apple.WebProcess.sb.in: Remove blanket access permissions and move them to
the dynamic access permissions section of the sandbox.

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (257955 => 257956)


--- trunk/Source/WebKit/ChangeLog	2020-03-06 00:02:48 UTC (rev 257955)
+++ trunk/Source/WebKit/ChangeLog	2020-03-06 00:06:53 UTC (rev 257956)
@@ -1,3 +1,22 @@
+2020-03-05  Brent Fulgham  <bfulg...@apple.com>
+
+        [macOS] Create sandbox extension for "com.apple.tccd"
+        https://bugs.webkit.org/show_bug.cgi?id=208660
+        <rdar://problem/57666569>
+
+        Reviewed by Per Arne Vollan.
+
+        Make the same changes for macOS as we did for iOS in Bug 204367. Specifically, remove the
+        blanket mach-lookup permission for 'com.apple.tccd', and instead make a dynamic extension
+        only when a camera or microphone request is made.
+
+        * UIProcess/UserMediaPermissionRequestManagerProxy.cpp:
+        (WebKit::UserMediaPermissionRequestManagerProxy::finishGrantingRequest): Update to create the
+        extensions on macOS, too.
+        * UIProcess/UserMediaPermissionRequestManagerProxy.h:
+        * WebProcess/com.apple.WebProcess.sb.in: Remove blanket access permissions and move them to
+        the dynamic access permissions section of the sandbox.
+
 2020-03-05  Jiewen Tan  <jiewen_...@apple.com>
 
         [WebAuthn] Implement SPI -[_WKWebAuthenticationPanelDelegate panel:selectAssertionResponse:source:completionHandler:]

Modified: trunk/Source/WebKit/UIProcess/UserMediaPermissionRequestManagerProxy.cpp (257955 => 257956)


--- trunk/Source/WebKit/UIProcess/UserMediaPermissionRequestManagerProxy.cpp	2020-03-06 00:02:48 UTC (rev 257955)
+++ trunk/Source/WebKit/UIProcess/UserMediaPermissionRequestManagerProxy.cpp	2020-03-06 00:06:53 UTC (rev 257956)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2014 Igalia S.L.
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -247,7 +247,7 @@
     ++m_hasPendingCapture;
 
     SandboxExtension::Handle handle;
-#if PLATFORM(IOS)
+#if PLATFORM(COCOA)
     if (!m_hasCreatedSandboxExtensionForTCCD) {
         SandboxExtension::createHandleForMachLookup("com.apple.tccd", m_page.process().connection()->getAuditToken(), handle);
         m_hasCreatedSandboxExtensionForTCCD = true;

Modified: trunk/Source/WebKit/UIProcess/UserMediaPermissionRequestManagerProxy.h (257955 => 257956)


--- trunk/Source/WebKit/UIProcess/UserMediaPermissionRequestManagerProxy.h	2020-03-06 00:02:48 UTC (rev 257955)
+++ trunk/Source/WebKit/UIProcess/UserMediaPermissionRequestManagerProxy.h	2020-03-06 00:06:53 UTC (rev 257956)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2014 Igalia S.L.
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -154,7 +154,7 @@
     const void* m_logIdentifier;
 #endif
     bool m_hasFilteredDeviceList { false };
-#if PLATFORM(IOS)
+#if PLATFORM(COCOA)
     bool m_hasCreatedSandboxExtensionForTCCD { false };
 #endif
     uint64_t m_hasPendingCapture { 0 };

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (257955 => 257956)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-03-06 00:02:48 UTC (rev 257955)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-03-06 00:06:53 UTC (rev 257956)
@@ -647,11 +647,16 @@
     (global-name "com.apple.cfprefsd.daemon")
     (global-name "com.apple.coreservices.launchservicesd")
     (global-name "com.apple.lsd.mapdb")
-    (global-name "com.apple.tccd")
-    (global-name "com.apple.tccd.system")
     (global-name "com.apple.trustd.agent")
 )
 
+(allow mach-lookup
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
+    (with telemetry)
+#endif
+    (global-name "com.apple.tccd.system")
+)
+
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
 ;; <rdar://problem/47268166>
 (allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
@@ -848,6 +853,7 @@
 #endif
             "com.apple.webinspector"
             "com.apple.cfprefsd.daemon"
+            "com.apple.tccd"
 
             ;;; FIXME(207716): The following should be removed when the GPU process is complete
             "com.apple.audio.AudioComponentRegistrar" "com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.endpointstream.xpc"

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to