WebKit Bugzilla
Attachment 340728 Details for Bug 185526: [macOS] WebProcess needs TCC entitlements for media capture (Take 2)
Patch: bug-185526-20180518122804.patch (text/plain), 12.08 KB, created by Brent Fulgham on 2018-05-18 12:28:04 PDT
>Subversion Revision: 231977 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index f910418941a94954fb10cfd335603cd4197e5465..0f7a67a91e4d39605d64f28d5c5ca4fa4f61c495 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog 
>@@ -1,3 +1,49 @@ >+2018-05-18 Brent Fulgham <bfulgham@apple.com> >+ >+ [macOS] WebProcess needs TCC entitlements for media capture (Take 2) >+ https://bugs.webkit.org/show_bug.cgi?id=185526 >+ <rdar://problem/36674649> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ In Bug 181995 I added TCC entitlements for media capture to the macOS entitlements used for >+ relocatable builds. These changes also need to apply to system builds of WebKit. >+ >+ Previously we had not needed an entitlements file for system builds of WebKit, so only provided >+ an entitlements file for our relocatable build targets. Now we need entitlements when building >+ on recent macOS targets using internal SDKs. >+ >+ When we are not building with internal SDKs, we should revise the sandbox to allow media access >+ so that Open Source developers using public SDK's can build WebKit with media access. >+ >+ This patch does the following: >+ >+ 1. Copies the "WebContent-OSX.entitlements" to "WebContent-Relocatable-OSX.entitlements" >+ 2. Updates the "WebContent.Development.entitlements" to include the TCC entitlements for media capture. >+ 3. Removes the unneeded "com.apple.private.xpc.domain-extension" from WebContent-OSX.entitlement now that >+ it is used for system WebKit, not relocatable WebKit. >+ 4. Updates WebContentService.xcconfig so that CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_YES >+ points to the new "WebContent-Relocatable-OSX.entitlements" file. >+ 5. Adds a new CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_NO definition to conditionally use the >+ WebContentService.xcconfig that points to the revised "WebContent-OSX.entitlements" file. >+ 6. Revises the WebContent process sandbox to allow camera and microphone access without needing TCC >+ entitlements, since those cannot be applied without an internal SDK. >+ 7. 
Revises the UserMediaProcessManager to not pass dynamic sandbox extensions to the WebContent process >+ when building with the public SDK since those entitlements cannot be added or consumed in Open >+ Source builds. >+ >+ We want to use the TCC entitlements when building with the internal SDK on recent macOS builds. >+ >+ * Configurations/WebContent-OSX.entitlements: >+ * Configurations/WebContent-Relocatable-OSX.entitlements: Copied from Source/WebKit/Configurations/WebContent-OSX.entitlements. >+ * Configurations/WebContent.Development.entitlements: >+ * Configurations/WebContentService.xcconfig: >+ * UIProcess/UserMediaProcessManager.cpp: >+ (WebKit::UserMediaProcessManager::willCreateMediaStream): Don't bother creating and sending sandbox extensions for >+ camera and microphone control for builds that cannot support them. >+ * WebKit/WebKit.xcodeproj/project.pbxproj: >+ * WebKit/WebProcess/com.apple.WebProcess.sb.in: >+ > 2018-05-18 Antoine Quint <graouts@apple.com> > > [Web Animations] Turn Web Animations with CSS integration on for test runners >diff --git a/Source/WebKit/Configurations/WebContent-OSX.entitlements b/Source/WebKit/Configurations/WebContent-OSX.entitlements >index b492de534916bc944e8a30a4345d6d0bb10793df..2ad5067206a74c1df35151d9ff13b5635cf282a2 100644 >--- a/Source/WebKit/Configurations/WebContent-OSX.entitlements >+++ b/Source/WebKit/Configurations/WebContent-OSX.entitlements >@@ -7,7 +7,5 @@ > <string>kTCCServiceCamera</string> > <string>kTCCServiceMicrophone</string> > </array> >- <key>com.apple.private.xpc.domain-extension</key> >- <true/> > </dict> > </plist> >diff --git a/Source/WebKit/Configurations/WebContent-Relocatable-OSX.entitlements b/Source/WebKit/Configurations/WebContent-Relocatable-OSX.entitlements >new file mode 100644 >index 0000000000000000000000000000000000000000..098e1511f0b84a4d4388173c6d4f15a1f3fc4d45 >--- /dev/null >+++ b/Source/WebKit/Configurations/WebContent-Relocatable-OSX.entitlements 
>@@ -0,0 +1,13 @@ >+<?xml version="1.0" encoding="UTF-8"?> >+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> >+<plist version="1.0"> >+<dict> >+ <key>com.apple.tcc.delegated-services</key> >+ <array> >+ <string>kTCCServiceCamera</string> >+ <string>kTCCServiceMicrophone</string> >+ </array> >+ <key>com.apple.private.xpc.domain-extension</key> >+ <true/> >+</dict> >+</plist> >diff --git a/Source/WebKit/Configurations/WebContent.Development.entitlements b/Source/WebKit/Configurations/WebContent.Development.entitlements >index 8cc185af8d78a28646222a3910417f35845727ed..350908647e9465a18aa70eeffb73468da8fc64f4 100644 >--- a/Source/WebKit/Configurations/WebContent.Development.entitlements >+++ b/Source/WebKit/Configurations/WebContent.Development.entitlements >@@ -2,6 +2,11 @@ > <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> > <plist version="1.0"> > <dict> >+ <key>com.apple.tcc.delegated-services</key> >+ <array> >+ <string>kTCCServiceCamera</string> >+ <string>kTCCServiceMicrophone</string> >+ </array> > <key>com.apple.security.cs.disable-library-validation</key> > <true/> > </dict> >diff --git a/Source/WebKit/Configurations/WebContentService.xcconfig b/Source/WebKit/Configurations/WebContentService.xcconfig >index 294d419702947ea8495fdeaef0958356e9f92cd1..83c872255d7ed34e639e08b2b0c5b177c9d2eb8f 100644 >--- a/Source/WebKit/Configurations/WebContentService.xcconfig >+++ b/Source/WebKit/Configurations/WebContentService.xcconfig 
>@@ -32,8 +32,17 @@ WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvos = WebContent-iOS; > WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvsimulator = WebContent-iOS; > WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphoneminimalsimulator = WebContent-iOS-minimalsimulator; > >+CODE_SIGN_IDENTITY[sdk=macosx*] = $(CODE_SIGN_IDENTITY$(WK_MACOS_1014)_$(USE_INTERNAL_SDK)) >+CODE_SIGN_IDENTITY_BEFORE_1014_YES = -; >+CODE_SIGN_IDENTITY_BEFORE_1014_NO = -; >+CODE_SIGN_IDENTITY_MACOS_SINCE_1014_YES = Safari Engineering; >+CODE_SIGN_IDENTITY_MACOS_SINCE_1014_NO = -; >+ > CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO = $(CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_$(WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT)); >-CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_YES = Configurations/WebContent-OSX.entitlements; >+CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_YES = Configurations/WebContent-Relocatable-OSX.entitlements; >+CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_NO = $(CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_NO$(WK_MACOS_1014)_$(USE_INTERNAL_SDK)); >+CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_NO_MACOS_SINCE_1014_YES = Configurations/WebContent-OSX.entitlements; >+ > OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS); > > PRODUCT_NAME = $(PRODUCT_NAME_$(WK_XPC_SERVICE_VARIANT)); >diff --git a/Source/WebKit/UIProcess/UserMediaProcessManager.cpp b/Source/WebKit/UIProcess/UserMediaProcessManager.cpp >index 89224c42df0f0f0a453ed9ed106689cb61fce9de..a87d6251ca237e5233dd34f6a15b0462e24e8517 100644 >--- a/Source/WebKit/UIProcess/UserMediaProcessManager.cpp >+++ b/Source/WebKit/UIProcess/UserMediaProcessManager.cpp 
>@@ -128,7 +128,7 @@ void UserMediaProcessManager::muteCaptureMediaStreamsExceptIn(WebPageProxy& page > > void UserMediaProcessManager::willCreateMediaStream(UserMediaPermissionRequestManagerProxy& proxy, bool withAudio, bool withVideo) > { >-#if ENABLE(SANDBOX_EXTENSIONS) >+#if ENABLE(SANDBOX_EXTENSIONS) && USE(APPLE_INTERNAL_SDK) > auto& processStartingCapture = proxy.page().process(); > > ASSERT(stateMap().contains(&processStartingCapture)); >@@ -174,6 +174,10 @@ void UserMediaProcessManager::willCreateMediaStream(UserMediaPermissionRequestMa > state.setSandboxExtensionsGranted(currentExtensions); > processStartingCapture.send(Messages::WebPage::GrantUserMediaDeviceSandboxExtensions(MediaDeviceSandboxExtensions(ids, WTFMove(handles))), proxy.page().pageID()); > } >+#else >+ UNUSED_PARAM(proxy); >+ UNUSED_PARAM(withAudio); >+ UNUSED_PARAM(withVideo); > #endif > } > >diff --git a/Source/WebKit/WebKit.xcodeproj/project.pbxproj b/Source/WebKit/WebKit.xcodeproj/project.pbxproj >index f175622fb5e495fe8980a7462b83613af3a359d4..7e308b75bcdf0a077dd6e6ab6cadbdd2f20c02cd 100644 >--- a/Source/WebKit/WebKit.xcodeproj/project.pbxproj >+++ b/Source/WebKit/WebKit.xcodeproj/project.pbxproj 
>@@ -3768,6 +3768,7 @@ > 7A1E2A841EEFE88A0037A0E0 /* APINotificationProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APINotificationProvider.h; sourceTree = "<group>"; }; > 7A3ACE1A1EEEF78C00A864A4 /* APIInjectedBundlePageLoaderClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIInjectedBundlePageLoaderClient.h; sourceTree = "<group>"; }; > 7A5E39491D5BD8A700B4B7CE /* com.macromedia.Flash Player ESR.plugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "com.macromedia.Flash Player ESR.plugin.sb"; sourceTree = "<group>"; }; >+ 7A6353FA20AE245800EE36F4 /* WebContent-Relocatable-OSX.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "WebContent-Relocatable-OSX.entitlements"; sourceTree = "<group>"; }; > 7A791EF81C7CFB1000C4C52B /* WebResourceLoadStatisticsStoreMessages.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebResourceLoadStatisticsStoreMessages.h; sourceTree = "<group>"; }; > 7A791EF91C7CFB3700C4C52B /* WebResourceLoadStatisticsStoreMessageReceiver.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebResourceLoadStatisticsStoreMessageReceiver.cpp; sourceTree = "<group>"; }; > 7A821F491E2F65DD00604577 /* LegacyCustomProtocolManagerProxy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = LegacyCustomProtocolManagerProxy.cpp; path = CustomProtocols/LegacyCustomProtocolManagerProxy.cpp; sourceTree = "<group>"; }; 
>@@ -5051,6 +5052,7 @@ > 1A4F976E100E7B6600637A18 /* Version.xcconfig */, > 7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */, > 37B418EB1C9624F20031E63B /* WebContent-OSX.entitlements */, >+ 7A6353FA20AE245800EE36F4 /* WebContent-Relocatable-OSX.entitlements */, > 37209CAB2079D4BA0009E25B /* WebContent.Development.entitlements */, > 372EBB4A2017E76000085064 /* WebContentService.Development.xcconfig */, > BCACC40E16B0B8A800B6E092 /* WebContentService.xcconfig */, >diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >index e335aa051e3c794e12ed487fc2acb66cdb0f8fc8..c4ad6eceadaa35cf1f74bec664c5f47b7d9a0ae9 100644 >--- a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >+++ b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >@@ -793,12 +793,7 @@ > (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$"))))) > domains)) > >-;; Media capture, microphone access >-(with-filter (extension "com.apple.webkit.microphone") >- (allow device-microphone)) >- >-;; Media capture, camera access >-(with-filter (extension "com.apple.webkit.camera") >+(define (allow-camera) > (shared-preferences-read "com.apple.coremedia") > (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")) > (allow mach-lookup (extension "com.apple.app-sandbox.mach")) >@@ -815,4 +810,21 @@ > (iokit-user-client-class "IOUSBDeviceUserClientV2") > (iokit-user-client-class "IOUSBInterfaceUserClientV2")) > (allow device-camera)) >+ >+#if USE(APPLE_INTERNAL_SDK) >+;; Media capture, microphone access >+(with-filter (extension "com.apple.webkit.microphone") >+ (allow device-microphone)) >+ >+;; Media capture, camera access >+(with-filter (extension "com.apple.webkit.camera") >+ (allow-camera)) >+#else >+;; Media capture, microphone access >+(allow device-microphone) >+ >+;; Media capture, camera access >+(allow-camera) >+#endif >+ > #endif // PLATFORM(MAC)
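Review bot: In the Source/WebKit/ChangeLog hunk, the last two file entries are written as "* WebKit/WebKit.xcodeproj/project.pbxproj:" and "* WebKit/WebProcess/com.apple.WebProcess.sb.in:", while the other entries are relative to Source/WebKit ("Configurations/...", "UIProcess/...") and the diff headers place these files at Source/WebKit/WebKit.xcodeproj/ and Source/WebKit/WebProcess/. Drop the extra "WebKit/" prefix. Item 3 also spells the file "WebContent-OSX.entitlement" without the final "s", and the com.apple.WebProcess.sb.in entry has no description even though it carries the sandbox relaxation described in item 6.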
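Review bot: In the WebContent.Development.entitlements hunk, the added com.apple.tcc.delegated-services array lands next to the existing com.apple.security.cs.disable-library-validation key, so a process signed with this file has library validation disabled and is also entitled for kTCCServiceCamera and kTCCServiceMicrophone. The ChangeLog should state that this file is used only for development signing, or the patch should explain why the combination is acceptable.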
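Review bot: In the WebContentService.xcconfig hunk, the lookup $(CODE_SIGN_IDENTITY$(WK_MACOS_1014)_$(USE_INTERNAL_SDK)) is resolved against keys that use two different infixes, _BEFORE_1014_ and _MACOS_SINCE_1014_, and WK_MACOS_1014 is not defined anywhere in this patch, so the diff alone does not show that both spellings are reachable. Either make the infixes consistent or include the WK_MACOS_1014 definition in the patch. The same lookup for CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_NO defines only the _MACOS_SINCE_1014_YES case, so the other combinations expand to an empty entitlements path; if that is intended, say so in a comment. The CODE_SIGN_IDENTITY[sdk=macosx*] line is also missing the trailing semicolon that the other assignments in this hunk have.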
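Review bot: In UserMediaProcessManager::willCreateMediaStream, the new guard "#if ENABLE(SANDBOX_EXTENSIONS) && USE(APPLE_INTERNAL_SDK)" has to stay in step with the "#if USE(APPLE_INTERNAL_SDK)" added to com.apple.WebProcess.sb.in, and nothing in the code says so. If one condition changes without the other, the UI process either sends extensions the profile no longer filters on, or the profile requires extensions that are never sent and capture fails. Add a comment at the guard pointing to the sandbox profile, and a line in the #else branch saying the function is deliberately a no-op because the profile grants device access directly in that configuration.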
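Review bot: In the #else branch added at the end of com.apple.WebProcess.sb.in, "(allow device-microphone)" and "(allow-camera)" are no longer wrapped in "(with-filter (extension ...))", so in builds without the internal SDK the sandbox no longer ties camera and microphone device access to an extension issued for a granted capture request; every WebContent process has that access from launch. The ChangeLog explains the reason, but the profile itself should carry a comment stating that this is a deliberate relaxation for public SDK builds only, so the unfiltered rules are not later copied into the internal branch. The new "(define (allow-camera) ...)" also has no comment describing the rules it groups, since the ";; Media capture, camera access" line moved to the call sites.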