- Revision
- 200785
- Author
- [email protected]
- Date
- 2016-05-12 12:14:48 -0700 (Thu, 12 May 2016)
Log Message
Use SecTask SPI to retrieve code signing identifier for user directory suffix
https://bugs.webkit.org/show_bug.cgi?id=157570
Source/WebKit2:
<rdar://problem/25706517>
Reviewed by Darin Adler.
It is sufficient to make use of the SecTask SPI to retrieve the code signing
identifier of the embedding client for use in the user directory suffix. This
avoids the need to allow Code Signing Services to have access to the bundle
of the embedding client.
* Shared/mac/ChildProcessMac.mm:
(WebKit::ChildProcess::initializeSandbox): Use the code signing identifier of the
embedding client as part of the user directory suffix if available.
* Shared/mac/CodeSigning.h: Update comment and include header wtf/spi/darwin/XPCSPI.h
for the definition of xpc_connection_t. Renamed codeSigningIdentifier() to codeSigningIdentifierForCurrentProcess()
to convey that it returns the code signing identifier for the current process. Repurposed
the name codeSigningIdentifier for the variant of this function that takes an xpc_connection_t.
* Shared/mac/CodeSigning.mm:
(WebKit::codeSigningIdentifier): Added. Uses the audit token associated with the specified
XPC connection to get the code signing identifier for the embedding client.
(WebKit::codeSigningIdentifierForCurrentProcess): Renamed; formerly named codeSigningIdentifier.
Implemented in terms of the SecTask API.
(WebKit::secCodeForCurrentProcess): Deleted.
(WebKit::secCodeForProcess): Deleted.
(WebKit::secCodeSigningInformation): Deleted.
(WebKit::appleSignedOrMacAppStoreSignedOrAppleDeveloperSignedRequirement): Deleted.
(WebKit::secCodeSigningIdentifier): Deleted.
(WebKit::codeSigningIdentifierForProcess): Deleted.
* UIProcess/Launcher/mac/ProcessLauncherMac.mm:
(WebKit::connectToService): Update code due to renaming.
Source/WTF:
Reviewed by Darin Adler.
<rdar://problem/25706517>
Forward declare SPI SecTaskCopySigningIdentifier().
* wtf/spi/cocoa/SecuritySPI.h:
Modified: trunk/Source/WTF/ChangeLog (200784 => 200785)
--- trunk/Source/WTF/ChangeLog 2016-05-12 19:13:57 UTC (rev 200784)
+++ trunk/Source/WTF/ChangeLog 2016-05-12 19:14:48 UTC (rev 200785)
@@ -1,3 +1,15 @@
+2016-05-12 Daniel Bates <[email protected]>
+
+ Use SecTask SPI to retrieve code signing identifier for user directory suffix
+ https://bugs.webkit.org/show_bug.cgi?id=157570
+
+ Reviewed by Darin Adler.
+ <rdar://problem/25706517>
+
+ Forward declare SPI SecTaskCopySigningIdentifier().
+
+ * wtf/spi/cocoa/SecuritySPI.h:
+
2016-05-12 Csaba Osztrogonác <[email protected]>
Remove ENABLE(ES6_ARROWFUNCTION_SYNTAX) guards
Modified: trunk/Source/WTF/wtf/spi/cocoa/SecuritySPI.h (200784 => 200785)
--- trunk/Source/WTF/wtf/spi/cocoa/SecuritySPI.h 2016-05-12 19:13:57 UTC (rev 200784)
+++ trunk/Source/WTF/wtf/spi/cocoa/SecuritySPI.h 2016-05-12 19:14:48 UTC (rev 200785)
@@ -58,6 +58,10 @@
EXTERN_C SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef);
EXTERN_C CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef, CFStringRef entitlement, CFErrorRef *);
+#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
+EXTERN_C CFStringRef SecTaskCopySigningIdentifier(SecTaskRef, CFErrorRef *);
+#endif
+
#if HAVE(SEC_TRUST_SERIALIZATION)
EXTERN_C CF_RETURNS_RETAINED CFDataRef SecTrustSerialize(SecTrustRef, CFErrorRef *);
EXTERN_C CF_RETURNS_RETAINED SecTrustRef SecTrustDeserialize(CFDataRef serializedTrust, CFErrorRef *);
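Review bot: The new declaration `EXTERN_C CFStringRef SecTaskCopySigningIdentifier(SecTaskRef, CFErrorRef *);` omits the `CF_RETURNS_RETAINED` annotation that the neighbouring `SecTrustSerialize`/`SecTrustDeserialize` declarations in the same hunk carry. The `Copy` naming rule lets the analyzer infer the +1 result, but the explicit form documents that callers must `adoptCF` the value, which is what CodeSigning.mm does. Suggest `EXTERN_C CF_RETURNS_RETAINED CFStringRef SecTaskCopySigningIdentifier(SecTaskRef, CFErrorRef *);` for consistency with the surrounding SPI declarations.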
Modified: trunk/Source/WebKit2/ChangeLog (200784 => 200785)
--- trunk/Source/WebKit2/ChangeLog 2016-05-12 19:13:57 UTC (rev 200784)
+++ trunk/Source/WebKit2/ChangeLog 2016-05-12 19:14:48 UTC (rev 200785)
@@ -1,3 +1,37 @@
+2016-05-12 Daniel Bates <[email protected]>
+
+ Use SecTask SPI to retrieve code signing identifier for user directory suffix
+ https://bugs.webkit.org/show_bug.cgi?id=157570
+ <rdar://problem/25706517>
+
+ Reviewed by Darin Adler.
+
+ It is sufficient to make use of the SecTask SPI to retrieve the code signing
+ identifier of the embedding client for use in the user directory suffix. This
+ avoids the need to allow Code Signing Services to have access to the bundle
+ of the embedding client.
+
+ * Shared/mac/ChildProcessMac.mm:
+ (WebKit::ChildProcess::initializeSandbox): Use the code signing identifier of the
+ embedding client as part of the user directory suffix if available.
+ * Shared/mac/CodeSigning.h: Update comment and include header wtf/spi/darwin/XPCSPI.h
+ for the definition of xpc_connection_t. Renamed codeSigningIdentifier() to codeSigningIdentifierForCurrentProcess()
+ to convey that it returns the code signing identifier for the current process. Repurposed
+ the name codeSigningIdentifier for the variant of this function that takes a xpc_connection_t.
+ * Shared/mac/CodeSigning.mm:
+ (WebKit::codeSigningIdentifier): Added. Uses the audit token associated with the specified
+ XPC connection to get the code signing identifier for the embedding client.
+ (WebKit::codeSigningIdentifierForCurrentProcess): Renamed; formerly named codeSigningIdentifier.
+ Implemented in terms of the SecTask API.
+ (WebKit::secCodeForCurrentProcess): Deleted.
+ (WebKit::secCodeForProcess): Deleted.
+ (WebKit::secCodeSigningInformation): Deleted.
+ (WebKit::appleSignedOrMacAppStoreSignedOrAppleDeveloperSignedRequirement): Deleted.
+ (WebKit::secCodeSigningIdentifier): Deleted.
+ (WebKit::codeSigningIdentifierForProcess): Deleted.
+ * UIProcess/Launcher/mac/ProcessLauncherMac.mm:
+ (WebKit::connectToService): Update code due to renaming.
+
2016-05-12 Konstantin Tokarev <[email protected]>
Use reference instead of pointer in FrameLoaderClient::saveViewStateToItem.
Modified: trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm (200784 => 200785)
--- trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm 2016-05-12 19:13:57 UTC (rev 200784)
+++ trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm 2016-05-12 19:14:48 UTC (rev 200785)
@@ -83,14 +83,15 @@
NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
String defaultProfilePath = [webkit2Bundle pathForResource:[[NSBundle mainBundle] bundleIdentifier] ofType:@"sb"];
- bool willUseUserDirectorySuffixInitializationParameter = false;
if (sandboxParameters.userDirectorySuffix().isNull()) {
auto userDirectorySuffix = parameters.extraInitializationData.find("user-directory-suffix");
- if (userDirectorySuffix != parameters.extraInitializationData.end()) {
- willUseUserDirectorySuffixInitializationParameter = true;
+ if (userDirectorySuffix != parameters.extraInitializationData.end())
sandboxParameters.setUserDirectorySuffix([makeString(userDirectorySuffix->value, '/', String([[NSBundle mainBundle] bundleIdentifier])) fileSystemRepresentation]);
- } else {
- String defaultUserDirectorySuffix = makeString(String([[NSBundle mainBundle] bundleIdentifier]), '+', parameters.clientIdentifier);
+ else {
+ String clientIdentifier = codeSigningIdentifier(parameters.connectionIdentifier.xpcConnection.get());
+ if (clientIdentifier.isNull())
+ clientIdentifier = parameters.clientIdentifier;
+ String defaultUserDirectorySuffix = makeString(String([[NSBundle mainBundle] bundleIdentifier]), '+', clientIdentifier);
sandboxParameters.setUserDirectorySuffix(defaultUserDirectorySuffix);
}
}
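Review bot: The fallback `if (clientIdentifier.isNull()) clientIdentifier = parameters.clientIdentifier;` silently accepts the UI-process-supplied identifier whenever no signing identifier is available, which covers unsigned clients and every build with `__MAC_OS_X_VERSION_MIN_REQUIRED < 101200`, where `codeSigningIdentifier()` returns an empty string unconditionally per the CodeSigning.mm hunk. Because the identifier is no longer checked against a signing requirement, the directory suffix is now whatever the client's signature (or, if unsigned, the client itself) reports; that is acceptable for a namespace label, but the removed mismatch check used to log and exit, and a one-line log on the fallback would preserve some signal that the passed identifier is being trusted as-is, e.g. `WTFLogAlways("%s: Client signing identifier unavailable; using passed client identifier.\n", getprogname());`. `xpcConnection.get()` is passed to `xpc_connection_get_audit_token` with no null check, the same assumption the removed `xpc_connection_get_pid` call made, so presumably the connection is always set on this path. initializeSandbox continues beyond the hunk.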
@@ -174,15 +175,6 @@
WTFLogAlways("%s: Couldn't enable sandbox style file quarantine: %ld\n", getprogname(), static_cast<long>(error));
exit(EX_NOPERM);
}
-
- if (willUseUserDirectorySuffixInitializationParameter)
- return;
- String clientCodeSigningIdentifier = codeSigningIdentifierForProcess(xpc_connection_get_pid(parameters.connectionIdentifier.xpcConnection.get()));
- bool isClientCodeSigned = !clientCodeSigningIdentifier.isNull();
- if (isClientCodeSigned && clientCodeSigningIdentifier != parameters.clientIdentifier) {
- WTFLogAlways("%s: Code signing identifier of client differs from passed client identifier.\n", getprogname());
- exit(EX_NOPERM);
- }
}
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
Modified: trunk/Source/WebKit2/Shared/mac/CodeSigning.h (200784 => 200785)
--- trunk/Source/WebKit2/Shared/mac/CodeSigning.h 2016-05-12 19:13:57 UTC (rev 200784)
+++ trunk/Source/WebKit2/Shared/mac/CodeSigning.h 2016-05-12 19:14:48 UTC (rev 200785)
@@ -26,11 +26,12 @@
#pragma once
#include <wtf/Forward.h>
+#include <wtf/spi/darwin/XPCSPI.h>
namespace WebKit {
-// These functions return a null string if the process is either unsigned or signed by a third-party.
-String codeSigningIdentifier();
-String codeSigningIdentifierForProcess(pid_t);
+// These functions return a null string if the process is unsigned.
+String codeSigningIdentifierForCurrentProcess();
+String codeSigningIdentifier(xpc_connection_t);
} // namespace WebKit
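Review bot: The updated comment `// These functions return a null string if the process is unsigned.` drops the old "or signed by a third-party" caveat but does not say what replaced it: the identifier is now read from whatever signature the task carries, with no signing-requirement check, so an ad-hoc or third-party-signed client supplies its own identifier. Suggest expanding it to `// These functions return the identifier recorded in the process's code signature, or a null string if the process is unsigned.` followed by `// The signature is not validated against any signing requirement, so the identifier is a client-chosen label and must not be used for authorization decisions.`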
Modified: trunk/Source/WebKit2/Shared/mac/CodeSigning.mm (200784 => 200785)
--- trunk/Source/WebKit2/Shared/mac/CodeSigning.mm 2016-05-12 19:13:57 UTC (rev 200784)
+++ trunk/Source/WebKit2/Shared/mac/CodeSigning.mm 2016-05-12 19:14:48 UTC (rev 200785)
@@ -28,81 +28,40 @@
#if PLATFORM(MAC)
-#include <Security/Security.h>
#include <wtf/RetainPtr.h>
-#include <wtf/cf/TypeCastsCF.h>
+#include <wtf/spi/cocoa/SecuritySPI.h>
#include <wtf/text/WTFString.h>
namespace WebKit {
-static RetainPtr<SecCodeRef> secCodeForCurrentProcess()
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
+static String codeSigningIdentifier(SecTaskRef task)
{
- SecCodeRef code = nullptr;
- RELEASE_ASSERT(!SecCodeCopySelf(kSecCSDefaultFlags, &code));
- return adoptCF(code);
+ return adoptCF(SecTaskCopySigningIdentifier(task, nullptr)).get();
}
+#endif
-static RetainPtr<SecCodeRef> secCodeForProcess(pid_t pid)
+String codeSigningIdentifierForCurrentProcess()
{
- RetainPtr<CFNumberRef> pidCFNumber = adoptCF(CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &pid));
- const void* keys[] = { kSecGuestAttributePid };
- const void* values[] = { pidCFNumber.get() };
- RetainPtr<CFDictionaryRef> attributes = adoptCF(CFDictionaryCreate(kCFAllocatorDefault, keys, values, WTF_ARRAY_LENGTH(keys), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
- SecCodeRef code = nullptr;
- OSStatus errorCode = noErr;
- // FIXME: We should RELEASE_ASSERT() that SecCodeCopyGuestWithAttributes() returns without error. See <rdar://problem/25706517>.
- if ((errorCode = SecCodeCopyGuestWithAttributes(nullptr, attributes.get(), kSecCSDefaultFlags, &code))) {
- WTFLogAlways("SecCodeCopyGuestWithAttributes() failed with error: %ld\n", static_cast<long>(errorCode));
- return nullptr;
- }
- return adoptCF(code);
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
+ return codeSigningIdentifier(adoptCF(SecTaskCreateFromSelf(kCFAllocatorDefault)).get());
+#else
+ return { };
+#endif
}
-static RetainPtr<CFDictionaryRef> secCodeSigningInformation(SecCodeRef code)
+String codeSigningIdentifier(xpc_connection_t connection)
{
- CFDictionaryRef signingInfo = nullptr;
- RELEASE_ASSERT(!SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &signingInfo));
- return adoptCF(signingInfo);
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
+ audit_token_t auditToken;
+ xpc_connection_get_audit_token(connection, &auditToken);
+ return codeSigningIdentifier(adoptCF(SecTaskCreateWithAuditToken(kCFAllocatorDefault, auditToken)).get());
+#else
+ UNUSED_PARAM(connection);
+ return { };
+#endif
}
-static RetainPtr<SecRequirementRef> appleSignedOrMacAppStoreSignedOrAppleDeveloperSignedRequirement()
-{
- CFStringRef requirement = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9]) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13])");
- SecRequirementRef signingRequirement = nullptr;
- RELEASE_ASSERT(!SecRequirementCreateWithString(requirement, kSecCSDefaultFlags, &signingRequirement));
- return adoptCF(signingRequirement);
-}
-
-static String secCodeSigningIdentifier(SecCodeRef code)
-{
- RetainPtr<SecRequirementRef> signingRequirement = appleSignedOrMacAppStoreSignedOrAppleDeveloperSignedRequirement();
- OSStatus errorCode = SecCodeCheckValidity(code, kSecCSDefaultFlags, signingRequirement.get());
- if (errorCode == errSecCSUnsigned || errorCode == errSecCSReqFailed)
- return String(); // Unsigned or signed by a third-party
- RELEASE_ASSERT_WITH_MESSAGE(!errorCode, "SecCodeCheckValidity() failed with error: %ld", static_cast<long>(errorCode));
- String codeSigningIdentifier;
- RetainPtr<CFDictionaryRef> signingInfo = secCodeSigningInformation(code);
- if (CFDictionaryRef plist = dynamic_cf_cast<CFDictionaryRef>(CFDictionaryGetValue(signingInfo.get(), kSecCodeInfoPList)))
- codeSigningIdentifier = dynamic_cf_cast<CFStringRef>(CFDictionaryGetValue(plist, kCFBundleIdentifierKey));
- else
- codeSigningIdentifier = dynamic_cf_cast<CFStringRef>(CFDictionaryGetValue(signingInfo.get(), kSecCodeInfoIdentifier));
- RELEASE_ASSERT(!codeSigningIdentifier.isEmpty());
- return codeSigningIdentifier;
-}
-
-String codeSigningIdentifier()
-{
- return secCodeSigningIdentifier(secCodeForCurrentProcess().get());
-}
-
-String codeSigningIdentifierForProcess(pid_t pid)
-{
- auto code = secCodeForProcess(pid);
- if (!code)
- return String();
- return secCodeSigningIdentifier(code.get());
-}
-
} // namespace WebKit
#endif // PLATFORM(MAC)
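Review bot: The static helper `codeSigningIdentifier(SecTaskRef task)` hands `task` straight to `SecTaskCopySigningIdentifier` without a null check, while both callers build it from `SecTaskCreateFromSelf` / `SecTaskCreateWithAuditToken`, which I believe are documented to return NULL on failure; a `if (!task) return { };` guard in the helper would keep a failed task lookup returning the null string the header promises instead of passing NULL into the SPI. The deleted `SecCodeCheckValidity` path rejected signatures that did not match the Apple / Mac App Store / Developer ID requirement, whereas `SecTaskCopySigningIdentifier` returns the identifier from any signature, including ad-hoc ones, so a short comment above the helper such as `// Returns the identifier from the task's signature as-is; the signer is not validated.` would record that change in contract. The `nullptr` CFErrorRef discards the failure reason, which matches the header's "null string if unsigned" contract but is worth stating in the same comment.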
Modified: trunk/Source/WebKit2/UIProcess/Launcher/mac/ProcessLauncherMac.mm (200784 => 200785)
--- trunk/Source/WebKit2/UIProcess/Launcher/mac/ProcessLauncherMac.mm 2016-05-12 19:13:57 UTC (rev 200784)
+++ trunk/Source/WebKit2/UIProcess/Launcher/mac/ProcessLauncherMac.mm 2016-05-12 19:14:48 UTC (rev 200785)
@@ -142,7 +142,7 @@
String clientIdentifier;
#if PLATFORM(MAC)
- clientIdentifier = codeSigningIdentifier();
+ clientIdentifier = codeSigningIdentifierForCurrentProcess();
#endif
if (clientIdentifier.isNull())
clientIdentifier = [[NSBundle mainBundle] bundleIdentifier];