Modified: trunk/Source/WebKit/ChangeLog (271709 => 271710)
--- trunk/Source/WebKit/ChangeLog 2021-01-21 20:25:38 UTC (rev 271709)
+++ trunk/Source/WebKit/ChangeLog 2021-01-21 20:35:03 UTC (rev 271710)
@@ -1,3 +1,19 @@
+2021-01-21 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS] The development WebContent XPC service crashes under WebKit::AuxiliaryProcess::initializeSandbox
+ https://bugs.webkit.org/show_bug.cgi?id=220777
+ <rdar://problem/73382584>
+
+ Reviewed by Brent Fulgham.
+
+ This happens because the development XPC service does not have the required private entitlement to enable message filtering in the sandbox,
+ and therefore fails to apply the sandbox. The existing runtime switching to enable message filtering based on the presence of the entitlement
+ is not working correctly. The 'if' clause checking the sandbox parameter in the sandbox cannot be nested inside an 'allow' clause, it appears.
+
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::initializeSandbox):
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-01-21 Sam Weinig <wei...@apple.com>
Add experimental support for separated layers
Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (271709 => 271710)
--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2021-01-21 20:25:38 UTC (rev 271709)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2021-01-21 20:35:03 UTC (rev 271710)
@@ -686,8 +686,11 @@
sandboxParameters.setOverrideSandboxProfilePath(makeString(String([webKitBundle resourcePath]), "/com.apple.WebProcess.sb"));
- auto hasMessageFilterEntitlement = WTF::processHasEntitlement("com.apple.private.security.message-filter");
- sandboxParameters.addParameter("ENABLE_SANDBOX_MESSAGE_FILTER", hasMessageFilterEntitlement ? "YES" : "NO");
+ bool enableMessageFilter = false;
+#if HAVE(SANDBOX_MESSAGE_FILTERING)
+ enableMessageFilter = WTF::processHasEntitlement("com.apple.private.security.message-filter");
+#endif
+ sandboxParameters.addParameter("ENABLE_SANDBOX_MESSAGE_FILTER", enableMessageFilter ? "YES" : "NO");
AuxiliaryProcess::initializeSandbox(parameters, sandboxParameters);
#endif
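Review bot: When the entitlement is absent, `enableMessageFilter` stays false and "NO" is passed on, so the WebContent sandbox falls back to unfiltered `iokit-open` rules without leaving any trace. Per the ChangeLog that is the intended path for the development XPC service, but a production binary that lost `com.apple.private.security.message-filter` through a signing or packaging mistake would take the same path silently. I would emit a release-log line inside the `#if HAVE(SANDBOX_MESSAGE_FILTERING)` block when the entitlement check returns false, so the weaker profile is visible in logs and test runs. I would also add `// Must match the (param "ENABLE_SANDBOX_MESSAGE_FILTER") checks in com.apple.WebProcess.sb.in.` above the `addParameter` call, because the profile compares against the exact string "YES". The body of `WebProcess::initializeSandbox` starts and ends outside this hunk.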
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (271709 => 271710)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-01-21 20:25:38 UTC (rev 271709)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-01-21 20:35:03 UTC (rev 271710)
@@ -116,11 +116,10 @@
(prefix "/private/var/db/CVMS/cvmsCodeSignObj"))
#endif
;; OpenCL
- (allow iokit-open
- (iokit-connection "IOAccelerator")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-connection "IOAccelerator")
+ (with telemetry-backtrace)
(apply-message-filter
(allow
iokit-async-external-method
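Review bot: Removing `#if HAVE(SANDBOX_MESSAGE_FILTERING)` leaves `(with telemetry-backtrace)` and `(apply-message-filter ...)` in the profile text on every build, guarded only by the runtime `(if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") ...)`. That seems to rely on two things not stated here: that the untaken branch is never evaluated on systems whose sandbox compiler lacks these forms, and that WebProcessCocoa.mm always passes "NO" when the feature macro is off. The `syscall-mach` rules near the end of this file add a `(defined? 'syscall-mach)` test for the same kind of situation, so the difference deserves a comment above the first block, for example `;; Message-filter forms are evaluated only when ENABLE_SANDBOX_MESSAGE_FILTER is "YES"; the process passes "NO" unless HAVE(SANDBOX_MESSAGE_FILTERING) and the entitlement are both present.` The same applies to every `iokit-open` block rewritten in the later hunks; this `if` form continues past the end of this hunk.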
@@ -131,13 +130,15 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-connection "IOAccelerator")
+ )
)
- (allow iokit-open
- (iokit-registry-entry-class "IOAccelerationUserClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-registry-entry-class "IOAccelerationUserClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
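Review bot: The new else branch repeats the `iokit-open` filter, here `(iokit-connection "IOAccelerator")`, so each rule now has two copies that have to be kept identical by hand. The unfiltered copy is the more permissive one, so a filter later tightened only in the "YES" branch (for instance by adding a `require-all` with an extension check) would leave unentitled processes with wider IOKit access, and nothing would flag it. At minimum I would replace the bare `; else` marker with `;; else: no message filter; keep this filter identical to the branch above`. It would be better still if the profile language lets the filter be bound to a name once per rule and referenced from both branches. The pattern repeats in all the later hunks of this file, including the `require-all` blocks for AppleIntelMEUserClient, AppleSNBFBUserClient and RootDomainUserClient, where the duplicated filter is longer and easier to get out of sync.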
@@ -146,13 +147,15 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-registry-entry-class "IOAccelerationUserClient")
+ )
)
- (allow iokit-open
- (iokit-registry-entry-class "IOSurfaceRootUserClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-registry-entry-class "IOSurfaceRootUserClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow
iokit-async-external-method
@@ -163,13 +166,15 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-registry-entry-class "IOSurfaceRootUserClient")
+ )
)
- (allow iokit-open
- (iokit-registry-entry-class "IOSurfaceSendRight")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-registry-entry-class "IOSurfaceSendRight")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -178,7 +183,10 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-registry-entry-class "IOSurfaceSendRight")
+ )
)
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 110000
;; CoreVideo CVCGDisplayLink
@@ -187,14 +195,13 @@
#endif
;; This is needed for Encrypted Media on some hardware (MacMini8,1 for example)
- (allow iokit-open
- (require-all
- (extension "com.apple.webkit.extension.iokit")
- (iokit-registry-entry-class "AppleIntelMEUserClient")
- )
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-registry-entry-class "AppleIntelMEUserClient")
+ )
+ (with telemetry-backtrace)
(apply-message-filter
(allow
iokit-external-method
@@ -205,18 +212,23 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-registry-entry-class "AppleIntelMEUserClient")
+ )
+ )
)
;; This is needed for Encrypted Media on some hardware (MacMini8,1 for example)
- (allow iokit-open
- (require-all
- (extension "com.apple.webkit.extension.iokit")
- (iokit-registry-entry-class "AppleSNBFBUserClient")
- )
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-registry-entry-class "AppleSNBFBUserClient")
+ )
+ (with telemetry-backtrace)
(apply-message-filter
(allow
iokit-external-method
@@ -227,15 +239,20 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-registry-entry-class "AppleSNBFBUserClient")
+ )
+ )
)
;; QuartzCore
- (allow iokit-open
- (iokit-registry-entry-class "AGPMClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-registry-entry-class "AGPMClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -244,13 +261,15 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-registry-entry-class "AGPMClient")
+ )
)
- (allow iokit-open
- (iokit-registry-entry-class "AppleGraphicsControlClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-registry-entry-class "AppleGraphicsControlClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow
iokit-async-external-method
@@ -261,13 +280,15 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-registry-entry-class "AppleGraphicsControlClient")
+ )
)
- (allow iokit-open
- (iokit-registry-entry-class "AppleGraphicsPolicyClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-registry-entry-class "AppleGraphicsPolicyClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -276,14 +297,16 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-registry-entry-class "AppleGraphicsPolicyClient")
+ )
)
;; OpenGL
- (allow iokit-open
- (iokit-registry-entry-class "AppleMGPUPowerControlClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-registry-entry-class "AppleMGPUPowerControlClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -292,7 +315,10 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-registry-entry-class "AppleMGPUPowerControlClient")
+ )
)
;; GPU bundles
(allow file-read*
@@ -868,11 +894,10 @@
)
#endif
-(allow iokit-open
- (iokit-user-client-class "AppleUpstreamUserClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+(if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-user-client-class "AppleUpstreamUserClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -881,17 +906,19 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-user-client-class "AppleUpstreamUserClient")
+ )
)
-(allow iokit-open
- (require-all
- (extension "com.apple.webkit.extension.iokit")
- (iokit-user-client-class "RootDomainUserClient") ;; Needed by Media playback
- )
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+(if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-user-client-class "RootDomainUserClient") ;; Needed by Media playback
+ )
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -900,14 +927,20 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-user-client-class "RootDomainUserClient") ;; Needed by Media playback
+ )
+ )
)
-(allow iokit-open
- (iokit-user-client-class "AudioAUUC") ;; <rdar://problem/10427451> && <rdar://problem/10808817>
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+;; <rdar://problem/10427451> && <rdar://problem/10808817>
+(if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-user-client-class "AudioAUUC")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -916,14 +949,16 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-user-client-class "AudioAUUC")
+ )
)
-(allow iokit-open
- (iokit-user-client-class "IOAudioControlUserClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+(if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-user-client-class "IOAudioControlUserClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -932,14 +967,16 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-user-client-class "IOAudioControlUserClient")
+ )
)
-(allow iokit-open
- (iokit-user-client-class "IOAudioEngineUserClient")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+(if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-user-client-class "IOAudioEngineUserClient")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -948,7 +985,10 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-user-client-class "IOAudioEngineUserClient")
+ )
)
;; <rdar://problem/60088861>
@@ -1259,12 +1299,11 @@
(extension "com.apple.webkit.extension.mach")
(global-name "com.apple.applecamerad")
))
- (allow iokit-open
- ;; QuickTimeUSBVDCDigitizer
- (iokit-user-client-class "IOUSBDeviceUserClientV2")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ ;; QuickTimeUSBVDCDigitizer
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-user-client-class "IOUSBDeviceUserClientV2")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -1273,13 +1312,16 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-user-client-class "IOUSBDeviceUserClientV2")
+ )
)
- (allow iokit-open
- (iokit-user-client-class "IOUSBInterfaceUserClientV2")
-#if HAVE(SANDBOX_MESSAGE_FILTERING)
- (with telemetry-backtrace)
- (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (allow iokit-open
+ (iokit-user-client-class "IOUSBInterfaceUserClientV2")
+ (with telemetry-backtrace)
(apply-message-filter
(allow (with telemetry)
iokit-async-external-method
@@ -1288,8 +1330,12 @@
)
)
)
-#endif
+ ; else
+ (allow iokit-open
+ (iokit-user-client-class "IOUSBInterfaceUserClientV2")
+ )
)
+
(allow device-camera))
#endif // PLATFORM(MAC)
@@ -1638,7 +1684,7 @@
(if (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
(deny syscall-mach (with telemetry))
)
-
+
(if (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
(allow syscall-mach (machtrap-number
MSC__kernelrpc_mach_port_allocate_trap