Title: [286865] trunk/Source/WebKit
- Revision
- 286865
- Author
- pvol...@apple.com
- Date
- 2021-12-10 11:34:01 -0800 (Fri, 10 Dec 2021)
Log Message
[WP] Block access to container manager service for Mail
https://bugs.webkit.org/show_bug.cgi?id=234080
<rdar://problem/86269784>
Reviewed by Brent Fulgham.
Local testing does not show any access to this daemon when running Mail.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
* WebProcess/com.apple.WebProcess.sb.in:
Modified: trunk/Source/WebKit/ChangeLog (286864 => 286865)
--- trunk/Source/WebKit/ChangeLog 2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/ChangeLog 2021-12-10 19:34:01 UTC (rev 286865)
@@ -1,3 +1,24 @@
+2021-12-10 Per Arne Vollan <pvol...@apple.com>
+
+ [WP] Block access to container manager service for Mail
+ https://bugs.webkit.org/show_bug.cgi?id=234080
+ <rdar://problem/86269784>
+
+ Reviewed by Brent Fulgham.
+
+ Local testing is not showing access to this daemon when running Mail.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+ * Shared/WebProcessCreationParameters.cpp:
+ (WebKit::WebProcessCreationParameters::encode const):
+ (WebKit::WebProcessCreationParameters::decode):
+ * Shared/WebProcessCreationParameters.h:
+ * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+ (WebKit::WebProcessPool::platformInitializeWebProcess):
+ * WebProcess/cocoa/WebProcessCocoa.mm:
+ (WebKit::WebProcess::platformInitializeWebProcess):
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-12-10 Said Abou-Hallawa <s...@apple.com>
[GPU Process] [Filters] Make FilterEffectVector a Vector of Ref<FilterEffect>
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (286864 => 286865)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-12-10 19:34:01 UTC (rev 286865)
@@ -644,7 +644,7 @@
(allow iokit-get-properties
(iokit-property "IORegistryEntryPropertyKeys"))
-(allow ipc-posix-sem-open
+(allow ipc-posix-sem-open (with telemetry)
(ipc-posix-name "containermanagerd.fb_check"))
(with-filter (ipc-posix-name "purplebuddy.sentinel")
@@ -1084,7 +1084,6 @@
(global-name
"com.apple.cfprefsd.agent"
"com.apple.cfprefsd.daemon"
- "com.apple.containermanagerd"
"com.apple.iphone.axserver-systemwide"
"com.apple.mobileassetd.v2"
"com.apple.mobilegestalt.xpc"
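Review bot: The `ipc-posix-sem-open` rule for `containermanagerd.fb_check` is kept and only gains `(with telemetry)`, so after this change the WebContent profile still allows that one contact with container manager while the `com.apple.containermanagerd` mach lookup is removed in the second hunk; nothing in the profile says why one path is blocked and the other only instrumented. A one-line comment above the rule, `;; containermanagerd mach lookup removed; semaphore open kept with telemetry to confirm it is unused before removal`, would record the intent for the next reader. That reading is inferred from the commit message ("local testing is not showing access"), so confirm that instrumenting rather than removing the semaphore rule was deliberate.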
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (286864 => 286865)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp 2021-12-10 19:34:01 UTC (rev 286865)
@@ -162,7 +162,6 @@
encoder << compilerServiceExtensionHandles;
#endif
- encoder << containerManagerExtensionHandle;
encoder << mobileGestaltExtensionHandle;
encoder << launchServicesExtensionHandle;
@@ -457,12 +456,6 @@
parameters.compilerServiceExtensionHandles = WTFMove(*compilerServiceExtensionHandles);
#endif
- std::optional<std::optional<SandboxExtension::Handle>> containerManagerExtensionHandle;
- decoder >> containerManagerExtensionHandle;
- if (!containerManagerExtensionHandle)
- return false;
- parameters.containerManagerExtensionHandle = WTFMove(*containerManagerExtensionHandle);
-
std::optional<std::optional<SandboxExtension::Handle>> mobileGestaltExtensionHandle;
decoder >> mobileGestaltExtensionHandle;
if (!mobileGestaltExtensionHandle)
Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (286864 => 286865)
--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h 2021-12-10 19:34:01 UTC (rev 286865)
@@ -201,7 +201,6 @@
Vector<SandboxExtension::Handle> compilerServiceExtensionHandles;
#endif
- std::optional<SandboxExtension::Handle> containerManagerExtensionHandle;
std::optional<SandboxExtension::Handle> mobileGestaltExtensionHandle;
std::optional<SandboxExtension::Handle> launchServicesExtensionHandle;
#if HAVE(VIDEO_RESTRICTED_DECODING)
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (286864 => 286865)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm 2021-12-10 19:34:01 UTC (rev 286865)
@@ -291,17 +291,6 @@
#endif
}
-static bool requiresContainerManagerAccess()
-{
-#if PLATFORM(MAC)
- return WebCore::MacApplication::isAppleMail();
-#elif PLATFORM(IOS)
- return WebCore::IOSApplication::isMobileMail();
-#else
- return false;
-#endif
-}
-
void WebProcessPool::platformInitializeWebProcess(const WebProcessProxy& process, WebProcessCreationParameters& parameters)
{
parameters.mediaMIMETypes = process.mediaMIMETypes();
@@ -427,11 +416,6 @@
parameters.systemHasBattery = systemHasBattery();
parameters.systemHasAC = cachedSystemHasAC().value_or(true);
- if (requiresContainerManagerAccess()) {
- if (auto handle = SandboxExtension::createHandleForMachLookup("com.apple.containermanagerd"_s, std::nullopt))
- parameters.containerManagerExtensionHandle = WTFMove(*handle);
- }
-
#if PLATFORM(IOS_FAMILY)
parameters.currentUserInterfaceIdiomIsSmallScreen = currentUserInterfaceIdiomIsSmallScreen();
parameters.supportsPictureInPicture = supportsPictureInPicture();
Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (286864 => 286865)
--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm 2021-12-10 19:34:01 UTC (rev 286865)
@@ -409,9 +409,6 @@
SandboxExtension::consumePermanently(parameters.compilerServiceExtensionHandles);
#endif
- if (parameters.containerManagerExtensionHandle)
- SandboxExtension::consumePermanently(*parameters.containerManagerExtensionHandle);
-
#if PLATFORM(IOS_FAMILY)
SandboxExtension::consumePermanently(parameters.dynamicIOKitExtensionHandles);
#endif
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (286864 => 286865)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-12-10 19:26:37 UTC (rev 286864)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-12-10 19:34:01 UTC (rev 286865)
@@ -1762,7 +1762,6 @@
"com.apple.webinspector"
"com.apple.cfprefsd.agent"
"com.apple.cfprefsd.daemon"
- "com.apple.containermanagerd"
"com.apple.coreservices.launchservicesd"
"com.apple.iconservices"
"com.apple.iconservices.store"