WebKit Bugzilla
Attachment 343771 Details for Bug 184991: We should cache the compiled sandbox profile in a data vault
Patch
bug-184991-20180627165455.patch (text/plain), 67.31 KB, created by
Ben Richards
on 2018-06-27 16:54:56 PDT
Flags: patch, obsolete
>Subversion Revision: 233277 >diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog >index 326ba6f5c269be2b9cffb09b441d2ac8f6a3ea34..0adb9ec8460b415cb3d6322c0f28413ab26f0641 100644 >--- a/Source/WTF/ChangeLog >+++ b/Source/WTF/ChangeLog >@@ -1,3 +1,15 @@ >+2018-06-27 Ben Richards <benton_richards@apple.com> >+ >+ We should cache the compiled sandbox profile in a data vault >+ https://bugs.webkit.org/show_bug.cgi?id=184991 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Added trace points for sandbox initialization and exposed functions needed for sandbox caching >+ >+ * wtf/SystemTracing.h: >+ * wtf/spi/darwin/SandboxSPI.h: >+ > 2018-06-27 Jonathan Bedard <jbedard@apple.com> > > Enable WebKit iOS 12 build >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 77a390c469fe6695676fb2dd8b4c9daae0240ad8..9235703ed580d5bc1a7d9313a69929468a352038 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog 
>@@ -1,3 +1,65 @@ >+2018-06-27 Ben Richards <benton_richards@apple.com> >+ >+ We should cache the compiled sandbox profile in a data vault >+ https://bugs.webkit.org/show_bug.cgi?id=184991 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This patch changes a few things (note: data vaults and sandbox entitlements are only used in internal builds): >+ (1) Instead of compiling a sandbox every time a process is launched, processes now look for a cached sandbox >+ in a process specific data vault on macOS platforms. (ChildProcessMac.mm) >+ (2) If a valid cached sandbox is not found, a process will create the data vault (or ensure that it exists), >+ compile a sandbox, and cache it. >+ (3) In order to to create process specific data vaults, each process now has their own <process name>-OSX-sandbox.entitlements >+ file which contains an entitlement with a process specific "storage class" which ensures that each process >+ can only ever access its own data vault. (See the article on confluence "Data Vaults and Restricted Files" for more info) >+ (4) The sandbox entitlements file for the Network, WebContent and Plugin services are loaded dynamically >+ through Scripts/<process name>-process-entitlements.sh which is triggered in a new build phase for each service. >+ The Storage process sandbox entitlements are loaded directly in Configurations/StorageService.xcconfig. >+ >+ * Configurations/Network-OSX-sandbox.entitlements: Added. >+ * Configurations/Plugin-OSX-sandbox.entitlements: Added. >+ * Configurations/Storage-OSX-sandbox.entitlements: Added. >+ * Configurations/StorageService.xcconfig: >+ * Configurations/WebContent-OSX-sandbox.entitlements: Added. >+ * Configurations/WebKit.xcconfig: >+ * NetworkProcess/NetworkProcess.h: >+ * PluginProcess/PluginProcess.h: >+ * Scripts/process-network-entitlements.sh: Added. >+ * Scripts/process-plugin-entitlements.sh: Added. 
>+ * Scripts/process-webcontent-entitlements.sh: >+ * Shared/ChildProcess.h: >+ * Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h: >+ (WebKit::XPCServiceInitializer): >+ * Shared/SandboxInitializationParameters.h: >+ (WebKit::SandboxInitializationParameters::setOverrideSandboxProfilePath): >+ (WebKit::SandboxInitializationParameters::overrideSandboxProfilePath const): >+ (WebKit::SandboxInitializationParameters::setSandboxProfile): >+ (WebKit::SandboxInitializationParameters::sandboxProfile const): >+ (): Deleted. >+ * Shared/mac/ChildProcessMac.mm: >+ (WebKit::SandboxInfo::SandboxInfo): >+ (WebKit::fileContents): >+ (WebKit::processStorageClass): >+ (WebKit::sandboxHeader): >+ (WebKit::sandboxParentDirectory): >+ (WebKit::sandboxDirectory): >+ (WebKit::sandboxFilePath): >+ (WebKit::randomString): >+ (WebKit::ensureSandboxCacheDirectory): >+ (WebKit::compileAndCacheSandboxProfile): >+ (WebKit::applyCachedSandbox): >+ (WebKit::webKit2Bundle): >+ (WebKit::sandboxProfilePath): >+ (WebKit::applySandbox): >+ (WebKit::initializeSandboxParameters): >+ (WebKit::ChildProcess::initializeSandbox): >+ * Shared/mac/SandboxInitialiationParametersMac.mm: >+ (WebKit::SandboxInitializationParameters::SandboxInitializationParameters): >+ * StorageProcess/StorageProcess.h: >+ * WebKit.xcodeproj/project.pbxproj: >+ * WebProcess/WebProcess.h: >+ > 2018-06-27 Youenn Fablet <youenn@apple.com> > > NetworkLoadChecker should not need to hard ref NetworkConnectionToWebProcess >diff --git a/Source/WTF/wtf/SystemTracing.h b/Source/WTF/wtf/SystemTracing.h >index b52be8d38682fa59bbd6619573b77ec0bd34f112..105196ec48735fab52b3931511e00ed0c14fe15f 100644 >--- a/Source/WTF/wtf/SystemTracing.h >+++ b/Source/WTF/wtf/SystemTracing.h >@@ -96,6 +96,8 @@ enum TracePointCode { > CommitLayerTreeEnd, > ProcessLaunchStart, > ProcessLaunchEnd, >+ InitializeSandboxStart, >+ InitializeSandboxEnd, > }; > > #ifdef __cplusplus 
>diff --git a/Source/WTF/wtf/spi/darwin/SandboxSPI.h b/Source/WTF/wtf/spi/darwin/SandboxSPI.h >index fa18c9ea639264db76d3d2bb70c2f5f44852ac7f..1c3c59523d9d94419275495c2408eef00950d256 100644 >--- a/Source/WTF/wtf/spi/darwin/SandboxSPI.h >+++ b/Source/WTF/wtf/spi/darwin/SandboxSPI.h >@@ -42,6 +42,18 @@ enum sandbox_filter_type { > > WTF_EXTERN_C_BEGIN > >+typedef struct { >+ char* builtin; >+ unsigned char* data; >+ size_t size; >+} *sandbox_profile_t; >+ >+typedef struct { >+ const char **params; >+ size_t size; >+ size_t available; >+} *sandbox_params_t; >+ > extern const char *const APP_SANDBOX_READ; > extern const char *const APP_SANDBOX_READ_WRITE; > extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT; >@@ -54,6 +66,12 @@ int sandbox_container_path_for_pid(pid_t, char *buffer, size_t bufsize); > int sandbox_extension_release(int64_t extension_handle); > int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf); > int64_t sandbox_extension_consume(const char *extension_token); >+sandbox_params_t sandbox_create_params(void); >+int sandbox_set_param(sandbox_params_t, const char *key, const char *value); >+void sandbox_free_params(sandbox_params_t); >+sandbox_profile_t sandbox_compile_file(const char *path, sandbox_params_t, char **error); >+void sandbox_free_profile(sandbox_profile_t); >+int sandbox_apply(sandbox_profile_t); > > WTF_EXTERN_C_END > >diff --git a/Source/WebKit/Configurations/Network-OSX-sandbox.entitlements b/Source/WebKit/Configurations/Network-OSX-sandbox.entitlements >new file mode 100644 >index 0000000000000000000000000000000000000000..03270566fc5437bd7d8911179dd517c5febd42ab >--- /dev/null >+++ b/Source/WebKit/Configurations/Network-OSX-sandbox.entitlements 
>@@ -0,0 +1,8 @@ >+<?xml version="1.0" encoding="UTF-8"?> >+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> >+<plist version="1.0"> >+<dict> >+ <key>com.apple.rootless.storage.WebKitNetworkingSandbox</key> >+ <true/> >+</dict> >+</plist> >diff --git a/Source/WebKit/Configurations/Plugin-OSX-sandbox.entitlements b/Source/WebKit/Configurations/Plugin-OSX-sandbox.entitlements >new file mode 100644 >index 0000000000000000000000000000000000000000..d653b21cdb2c708fbf72b677513d0778281f0ee4 >--- /dev/null >+++ b/Source/WebKit/Configurations/Plugin-OSX-sandbox.entitlements >@@ -0,0 +1,8 @@ >+<?xml version="1.0" encoding="UTF-8"?> >+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> >+<plist version="1.0"> >+<dict> >+ <key>com.apple.rootless.storage.WebKitPluginSandbox</key> >+ <true/> >+</dict> >+</plist> >diff --git a/Source/WebKit/Configurations/Storage-OSX-sandbox.entitlements b/Source/WebKit/Configurations/Storage-OSX-sandbox.entitlements >new file mode 100644 >index 0000000000000000000000000000000000000000..bbb392e80f95671e8f90889e0c869e1686347998 >--- /dev/null >+++ b/Source/WebKit/Configurations/Storage-OSX-sandbox.entitlements >@@ -0,0 +1,8 @@ >+<?xml version="1.0" encoding="UTF-8"?> >+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> >+<plist version="1.0"> >+<dict> >+ <key>com.apple.rootless.storage.WebKitStorageSandbox</key> >+ <true/> >+</dict> >+</plist> >diff --git a/Source/WebKit/Configurations/StorageService.xcconfig b/Source/WebKit/Configurations/StorageService.xcconfig >index 75761d808af04253a6dd7d3fadad1835ba8af5e3..5d51209d7176d71f4edcd88d9ea6d25d1a443983 100644 >--- a/Source/WebKit/Configurations/StorageService.xcconfig >+++ b/Source/WebKit/Configurations/StorageService.xcconfig 
>@@ -25,6 +25,10 @@ > > WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = Databases-iOS; > >+WK_STORAGE_ENTITLEMENTS_RESTRICTED_NO = ; >+WK_STORAGE_ENTITLEMENTS_RESTRICTED_YES = Configurations/Storage-OSX-sandbox.entitlements; >+ >+CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO = $(WK_STORAGE_ENTITLEMENTS_RESTRICTED_$(WK_USE_RESTRICTED_ENTITLEMENTS)); > OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS); > > PRODUCT_NAME = $(WK_STORAGE_SERVICE_PRODUCT_NAME); >diff --git a/Source/WebKit/Configurations/WebContent-OSX-sandbox.entitlements b/Source/WebKit/Configurations/WebContent-OSX-sandbox.entitlements >new file mode 100644 >index 0000000000000000000000000000000000000000..c34363adfe73a3c7af985d3cb6c464e900015ad5 >--- /dev/null >+++ b/Source/WebKit/Configurations/WebContent-OSX-sandbox.entitlements >@@ -0,0 +1,8 @@ >+<?xml version="1.0" encoding="UTF-8"?> >+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> >+<plist version="1.0"> >+<dict> >+ <key>com.apple.rootless.storage.WebKitWebContentSandbox</key> >+ <true/> >+</dict> >+</plist> >diff --git a/Source/WebKit/Configurations/WebKit.xcconfig b/Source/WebKit/Configurations/WebKit.xcconfig >index e19aced0ca755179f1e6a2585514688bdfe514c8..f8f4bbb4f3f7d59b827533c2ce61072bac833dc4 100644 >--- a/Source/WebKit/Configurations/WebKit.xcconfig >+++ b/Source/WebKit/Configurations/WebKit.xcconfig >@@ -82,6 +82,9 @@ WK_MOBILE_CORE_SERVICES_LDFLAGS_cocoatouch = -framework MobileCoreServices; > WK_MOBILE_GESTALT_LDFLAGS = $(WK_MOBILE_GESTALT_LDFLAGS_$(WK_COCOA_TOUCH)); > WK_MOBILE_GESTALT_LDFLAGS_cocoatouch = -lMobileGestalt; > >+WK_LIBSANDBOX_LDFLAGS = $(WK_LIBSANDBOX_LDFLAGS_$(WK_PLATFORM_NAME)); >+WK_LIBSANDBOX_LDFLAGS_macosx = -lsandbox; >+ > WK_OPENGL_LDFLAGS = $(WK_OPENGL_LDFLAGS_$(WK_PLATFORM_NAME)); > WK_OPENGL_LDFLAGS_iphoneos = -framework OpenGLES; > WK_OPENGL_LDFLAGS_iphoneminimalsimulator = -framework OpenGL; 
>@@ -112,7 +115,7 @@ WK_UIKIT_LDFLAGS_cocoatouch = -framework UIKit; > WK_URL_FORMATTING_LDFLAGS = $(WK_URL_FORMATTING_LDFLAGS_$(WK_HAVE_URL_FORMATTING)); > WK_URL_FORMATTING_LDFLAGS_YES = -framework URLFormatting; > >-FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS); >+FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIBSANDBOX_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS); > > // Prevent C++ standard library basic_stringstream, operator new, delete and their related exception types from being exported as weak symbols. 
> UNEXPORTED_SYMBOL_LDFLAGS = -Wl,-unexported_symbol -Wl,__ZTISt9bad_alloc -Wl,-unexported_symbol -Wl,__ZTISt9exception -Wl,-unexported_symbol -Wl,__ZTSSt9bad_alloc -Wl,-unexported_symbol -Wl,__ZTSSt9exception -Wl,-unexported_symbol -Wl,__ZdlPvS_ -Wl,-unexported_symbol -Wl,__ZnwmPv -Wl,-unexported_symbol -Wl,__Znwm -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC2EOS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC1EOS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEaSEDn -Wl,-unexported_symbol -Wl,__ZNKSt3__18functionIFvN7WebCore12PolicyActionEEEclES2_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEE4swapERS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC1ERKS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC2ERKS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEED1Ev -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEED2Ev -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEaSERKS4_ -Wl,-unexported_symbol -Wl,__ZTVNSt3__117bad_function_callE -Wl,-unexported_symbol -Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE0_NS_13basic_istreamIcS2_EE -Wl,-unexported_symbol -Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE0_NS_14basic_iostreamIcS2_EE -Wl,-unexported_symbol -Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE16_NS_13basic_ostreamIcS2_EE -Wl,-unexported_symbol -Wl,__ZTTNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE -Wl,-unexported_symbol -Wl,__ZTVNSt3__115basic_stringbufIcNS_11char_traitsIcEENS_9allocatorIcEEEE -Wl,-unexported_symbol -Wl,__ZTVNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE -Wl,-unexported_symbol 
-Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE8_NS_13basic_ostreamIcS2_EE; >diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.h b/Source/WebKit/NetworkProcess/NetworkProcess.h >index 97e2f5f52fceee3b8d471765f00d1210a51b0f7a..2189edf026be460628b67777957d6154b0066404 100644 >--- a/Source/WebKit/NetworkProcess/NetworkProcess.h >+++ b/Source/WebKit/NetworkProcess/NetworkProcess.h >@@ -80,6 +80,7 @@ class NetworkProcess : public ChildProcess, private DownloadManager::Client { > friend NeverDestroyed<DownloadManager>; > public: > static NetworkProcess& singleton(); >+ static constexpr ProcessType processType = ProcessType::NetworkType; > > template <typename T> > T* supplement() >diff --git a/Source/WebKit/PluginProcess/PluginProcess.h b/Source/WebKit/PluginProcess/PluginProcess.h >index d5081b061cdf7936a06c94039dd92623843ccf95..9a8812d9f981e3c2fadcfa63958cc09fd8942daa 100644 >--- a/Source/WebKit/PluginProcess/PluginProcess.h >+++ b/Source/WebKit/PluginProcess/PluginProcess.h >@@ -49,6 +49,7 @@ class PluginProcess : public ChildProcess > > public: > static PluginProcess& singleton(); >+ static constexpr ProcessType processType = ProcessType::PluginType; > > void removeWebProcessConnection(WebProcessConnection*); > >diff --git a/Source/WebKit/Scripts/process-network-entitlements.sh b/Source/WebKit/Scripts/process-network-entitlements.sh >new file mode 100755 >index 0000000000000000000000000000000000000000..644f0553c30fe80e8de21cbc80f0d89e3ffdf916 >--- /dev/null >+++ b/Source/WebKit/Scripts/process-network-entitlements.sh 
>@@ -0,0 +1,14 @@ >+#!/bin/sh >+set -e >+ >+PROCESSED_XCENT_FILE="${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent" >+ >+if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then >+ >+ if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then >+ echo "Processing restricted entitlements for Internal SDK"; >+ >+ echo "Adding sandbox entitlements."; >+ /usr/libexec/PlistBuddy -c "Merge Configurations/Network-OSX-sandbox.entitlements" "${PROCESSED_XCENT_FILE}"; >+ fi >+fi >diff --git a/Source/WebKit/Scripts/process-plugin-entitlements.sh b/Source/WebKit/Scripts/process-plugin-entitlements.sh >new file mode 100755 >index 0000000000000000000000000000000000000000..98d2ac9636a158a32796175b43ea876c5e8f44f8 >--- /dev/null >+++ b/Source/WebKit/Scripts/process-plugin-entitlements.sh >@@ -0,0 +1,14 @@ >+#!/bin/sh >+set -e >+ >+PROCESSED_XCENT_FILE="${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent" >+ >+if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then >+ >+ if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then >+ echo "Processing restricted entitlements for Internal SDK"; >+ >+ echo "Adding sandbox entitlements."; >+ /usr/libexec/PlistBuddy -c "Merge Configurations/Plugin-OSX-sandbox.entitlements" "${PROCESSED_XCENT_FILE}"; >+ fi >+fi >diff --git a/Source/WebKit/Scripts/process-webcontent-entitlements.sh b/Source/WebKit/Scripts/process-webcontent-entitlements.sh >index 2930fe68c8cfd64e875b9f60903d3ad55be7899d..7676fed22c4cfc7724895af1bf553d0eeb278d80 100755 >--- a/Source/WebKit/Scripts/process-webcontent-entitlements.sh >+++ b/Source/WebKit/Scripts/process-webcontent-entitlements.sh 
>@@ -8,6 +8,9 @@ if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then > if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then > echo "Processing restricted entitlements for Internal SDK"; > >+ echo "Adding sandbox entitlements."; >+ /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-OSX-sandbox.entitlements" "${PROCESSED_XCENT_FILE}"; >+ > if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101400 )); then > echo "Adding macOS platform entitlements."; > /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-OSX-restricted.entitlements" "${PROCESSED_XCENT_FILE}"; >diff --git a/Source/WebKit/Shared/ChildProcess.h b/Source/WebKit/Shared/ChildProcess.h >index b35c9f2e3f3fa87e2dfbee1b0afc979b98a2f8f1..4f3f794ed64dcfc933a08fc430ea92879e7d9d4b 100644 >--- a/Source/WebKit/Shared/ChildProcess.h >+++ b/Source/WebKit/Shared/ChildProcess.h >@@ -39,22 +39,19 @@ > namespace WebKit { > > class SandboxInitializationParameters; >- >-struct ChildProcessInitializationParameters { >- String uiProcessName; >- String clientIdentifier; >- std::optional<WebCore::ProcessIdentifier> processIdentifier; >- IPC::Connection::Identifier connectionIdentifier; >- HashMap<String, String> extraInitializationData; >-#if PLATFORM(COCOA) >- OSObjectPtr<xpc_object_t> priorityBoostMessage; >-#endif >-}; >+struct ChildProcessInitializationParameters; > > class ChildProcess : protected IPC::Connection::Client, public IPC::MessageSender { > WTF_MAKE_NONCOPYABLE(ChildProcess); > > public: >+ enum class ProcessType { >+ WebContentType, >+ NetworkType, >+ StorageType, >+ PluginType >+ }; >+ > void initialize(const ChildProcessInitializationParameters&); > > // disable and enable termination of the process. when disableTermination is called, the 
>@@ -147,6 +144,18 @@ private: > #endif > }; > >+struct ChildProcessInitializationParameters { >+ String uiProcessName; >+ String clientIdentifier; >+ std::optional<WebCore::ProcessIdentifier> processIdentifier; >+ IPC::Connection::Identifier connectionIdentifier; >+ HashMap<String, String> extraInitializationData; >+ ChildProcess::ProcessType processType; >+#if PLATFORM(COCOA) >+ OSObjectPtr<xpc_object_t> priorityBoostMessage; >+#endif >+}; >+ > } // namespace WebKit > > #endif // ChildProcess_h >diff --git a/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h b/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h >index 5e7ca9ec942f92c2a999d8ca8a5c429fbb9dc7f3..f5e95648418e02e5eb7264733cec2ba32a34fb1a 100644 >--- a/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h >+++ b/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h >@@ -112,6 +112,8 @@ void XPCServiceInitializer(OSObjectPtr<xpc_connection_t> connection, xpc_object_ > Thread::setGlobalMaxQOSClass(QOS_CLASS_UTILITY); > #endif > >+ parameters.processType = XPCServiceType::processType; >+ > XPCServiceType::singleton().initialize(parameters); > } > >diff --git a/Source/WebKit/Shared/SandboxInitializationParameters.h b/Source/WebKit/Shared/SandboxInitializationParameters.h >index a619b7004239d825619256bc90bb56b8db0ae340..0395c2fdd306ab727746c8dab49e36eaf641d9b2 100644 >--- a/Source/WebKit/Shared/SandboxInitializationParameters.h >+++ b/Source/WebKit/Shared/SandboxInitializationParameters.h >@@ -54,7 +54,7 @@ public: > const char* name(size_t index) const; > const char* value(size_t index) const; > >- enum ProfileSelectionMode { >+ enum class ProfileSelectionMode { > UseDefaultSandboxProfilePath, > UseOverrideSandboxProfilePath, > UseSandboxProfile 
>@@ -64,25 +64,25 @@ public: > > void setOverrideSandboxProfilePath(const String& path) > { >- m_profileSelectionMode = UseOverrideSandboxProfilePath; >+ m_profileSelectionMode = ProfileSelectionMode::UseOverrideSandboxProfilePath; > m_overrideSandboxProfilePathOrSandboxProfile = path; > } > > const String& overrideSandboxProfilePath() const > { >- ASSERT(m_profileSelectionMode == UseOverrideSandboxProfilePath); >+ ASSERT(m_profileSelectionMode == ProfileSelectionMode::UseOverrideSandboxProfilePath); > return m_overrideSandboxProfilePathOrSandboxProfile; > } > > void setSandboxProfile(const String& profile) > { >- m_profileSelectionMode = UseSandboxProfile; >+ m_profileSelectionMode = ProfileSelectionMode::UseSandboxProfile; > m_overrideSandboxProfilePathOrSandboxProfile = profile; > } > > const String& sandboxProfile() const > { >- ASSERT(m_profileSelectionMode == UseSandboxProfile); >+ ASSERT(m_profileSelectionMode == ProfileSelectionMode::UseSandboxProfile); > return m_overrideSandboxProfilePathOrSandboxProfile; > } > >diff --git a/Source/WebKit/Shared/mac/ChildProcessMac.mm b/Source/WebKit/Shared/mac/ChildProcessMac.mm >index aed5b9fd70960fe170d5026cc20e267a516f0204..83b708d9fa371d79787f91e02a2fc9ce8e9c2376 100644 >--- a/Source/WebKit/Shared/mac/ChildProcessMac.mm >+++ b/Source/WebKit/Shared/mac/ChildProcessMac.mm 
>@@ -31,21 +31,32 @@ > #import "CodeSigning.h" > #import "QuarantineSPI.h" > #import "SandboxInitializationParameters.h" >+#import "SandboxUtilities.h" > #import "WKFoundation.h" > #import "XPCServiceEntryPoint.h" > #import <WebCore/FileSystem.h> > #import <WebCore/SystemVersion.h> > #import <mach/mach.h> > #import <mach/task.h> >+#import <pal/crypto/CryptoDigest.h> > #import <pwd.h> > #import <stdlib.h> >+#import <sys/sysctl.h> > #import <sysexits.h> >+#import <wtf/DataLog.h> > #import <wtf/Scope.h> >+#import <wtf/SystemTracing.h> >+#import <wtf/WallTime.h> > #import <wtf/spi/darwin/SandboxSPI.h> >+#import <wtf/text/Base64.h> >+#import <wtf/text/StringBuilder.h> > > #if USE(APPLE_INTERNAL_SDK) >+#import <rootless.h> > #include <HIServices/ProcessesPriv.h> >-#endif >+#endif // USE(APPLE_INTERNAL_SDK) >+ >+#define VERBOSE_LOGGING false > > typedef bool (^LSServerConnectionAllowedBlock) ( CFDictionaryRef optionsRef ); > extern "C" void _LSSetApplicationLaunchServicesServerConnectionStatus(uint64_t flags, LSServerConnectionAllowedBlock block); 
>@@ -57,6 +68,40 @@ using namespace WebCore; > > namespace WebKit { > >+using SandboxProfile = typename std::remove_pointer<sandbox_profile_t>::type; >+ >+struct CachedSandboxHeader { >+ uint32_t versionNumber; >+ char osVersion[10]; >+ uint32_t headerSize; >+ uint32_t builtinSize; // If a builtin doesn't exist, this is UINT_MAX >+ uint32_t dataSize; >+}; >+// The file is layed out on disk like: >+// byte 0 >+// CachedSandboxHeader <- sizeof(CachedSandboxHeader) bytes >+// SandboxHeader <- CachedSandboxHeader::sandboxHeaderSize bytes >+// [SandboxBuiltin] optional. Present if CachedSandboxHeader::sanboxBuiltinSize is not UINT_MAX. If present, sandboxBuiltinSize bytes (including null termination). >+// SandboxData <- CachedSandboxHeader::sandboxDataSize bytes >+// byte N >+ >+struct SandboxInfo { >+ String directoryPath; >+ String filePath; >+ String profilePath; >+ sandbox_params_t sandboxParameters; >+ Vector<uint8_t> header; >+ ChildProcess::ProcessType processType; >+ const SandboxInitializationParameters &initializationParameters; >+ >+ SandboxInfo(const SandboxInitializationParameters ¶meters) >+ : initializationParameters(parameters) >+ { >+ } >+}; >+ >+static constexpr uint32_t CachedSandboxVersionNumber = 0; >+ > static void initializeTimerCoalescingPolicy() > { > // Set task_latency and task_throughput QOS tiers as appropriate for a visible application. 
>@@ -110,15 +155,470 @@ static OSStatus enableSandboxStyleFileQuarantine() > #endif > } > >-void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters) >+static std::optional<Vector<char>> fileContents(const String& path) >+{ >+ FileSystem::PlatformFileHandle handle = openFile(path, FileSystem::FileOpenMode::Read); >+ >+ if (handle == FileSystem::invalidPlatformFileHandle) >+ return std::nullopt; >+ >+ auto closeFileOnExit = makeScopeExit([&] { >+ FileSystem::closeFile(handle); >+ }); >+ >+ long long fileSize; >+ if (!FileSystem::getFileSize(handle, fileSize)) >+ return std::nullopt; >+ >+ RELEASE_ASSERT(fileSize >= 0); >+ >+ Vector<char> contents(safeCast<size_t>(fileSize)); >+ int bytesRead = FileSystem::readFromFile(handle, contents.data(), safeCast<size_t>(fileSize)); >+ if (safeCast<int>(fileSize) != bytesRead) >+ return std::nullopt; >+ >+ return WTFMove(contents); >+} >+ >+#if USE(APPLE_INTERNAL_SDK) >+// These strings must match the last segment of the "com.apple.rootless.storage.<this part must match>" entry in each >+// process's restricted entitlements file (ex. Configurations/Networking-OSX-restricted.entitlements). >+constexpr const char* processStorageClass(ChildProcess::ProcessType type) >+{ >+ switch (type) { >+ case ChildProcess::ProcessType::WebContentType: >+ return "WebKitWebContentSandbox"; >+ case ChildProcess::ProcessType::NetworkType: >+ return "WebKitNetworkingSandbox"; >+ case ChildProcess::ProcessType::StorageType: >+ return "WebKitStorageSandbox"; >+ case ChildProcess::ProcessType::PluginType: >+ return "WebKitPluginSandbox"; >+ } >+} >+#endif // USE(APPLE_INTERNAL_SDK) >+ >+static std::optional<Vector<uint8_t>> sandboxHeader(const SandboxInitializationParameters& initializationParameters, const SandboxInfo& info) >+{ >+ // Compute the sandbox header size. 
>+ Vector<CString> headerPieces; >+ Checked<size_t> headerSize = 0; >+ for (size_t i = 0; i < initializationParameters.count(); ++i) { >+ CString name = initializationParameters.name(i); >+ CString value = initializationParameters.value(i); >+ >+ if (name.isNull() || value.isNull()) >+ return std::nullopt; >+ if (sandbox_set_param(info.sandboxParameters, name.data(), value.data())) { >+ WTFLogAlways("%s: Couldn't set sandbox parameter, errno: %d\n", getprogname(), errno); >+ CRASH(); >+ } >+ >+ headerSize += name.length() + 1; >+ headerSize += value.length() + 1; >+ >+ headerPieces.append(WTFMove(name)); >+ headerPieces.append(WTFMove(value)); >+ } >+ >+ Vector<char> profileContents; >+ if (auto contents = fileContents(info.profilePath)) >+ profileContents = WTFMove(*contents); >+ else >+ return std::nullopt; >+ headerSize += profileContents.size(); >+ >+ // Write out the sandbox header. >+ Vector<uint8_t> header(headerSize.unsafeGet()); >+ for (auto& piece : headerPieces) { >+ header.append(piece.data(), piece.length()); >+ header.append(':'); >+ } >+ header.append(bitwise_cast<uint8_t *>(profileContents.data()), profileContents.size()); >+ >+ return WTFMove(header); >+} >+ >+static inline String sandboxParentDirectory() >+{ >+ char darwinUserCacheDir[PATH_MAX + 1]; >+ { >+ char temp[PATH_MAX + 1]; >+ if (!confstr(_CS_DARWIN_USER_CACHE_DIR, temp, sizeof(temp))) { >+ WTFLogAlways("%s: couldn't retrieve private cache directory path: %d\n", getprogname(), errno); >+ exit(EX_NOPERM); >+ } >+ if (!realpath(temp, darwinUserCacheDir)) >+ CRASH(); >+ } >+ >+ return darwinUserCacheDir; >+} >+ >+static inline String sandboxDirectory(ChildProcess::ProcessType processType) >+{ >+ String directory = sandboxParentDirectory(); >+ switch (processType) { >+ case ChildProcess::ProcessType::WebContentType: >+ directory.append("/com.apple.WebKit.WebContent.Sandbox"); >+ break; >+ case ChildProcess::ProcessType::NetworkType: >+ directory.append("/com.apple.WebKit.Networking.Sandbox"); 
>+ break; >+ case ChildProcess::ProcessType::StorageType: >+ directory.append("/com.apple.WebKit.Storage.Sandbox"); >+ break; >+ case ChildProcess::ProcessType::PluginType: >+ directory.append("/com.apple.WebKit.Plugin.Sandbox"); >+ break; >+ } >+ >+#if !(USE(APPLE_INTERNAL_SDK)) >+ // Add .OpenSource suffix so that non-internal builds don't try to access a data vault used by system Safari >+ directory.append(".OpenSource"); >+#endif // USE(APPLE_INTERNAL_SDK) >+ >+ return directory; >+} >+ >+static inline String sandboxFilePath(const SandboxInfo& info) >+{ >+ String sandboxFile = info.directoryPath; >+ sandboxFile.append("/CompiledSandbox+"); >+ >+ // Make the filename semi-unique based on the contents of the header >+ auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_1); >+ crypto->addBytes(info.header.data(), info.header.size()); >+ Vector<uint8_t> hash = crypto->computeHash(); >+ String readableHash = base64Encode(hash, WTF::Base64URLPolicy); >+ readableHash.replace('/', '_'); >+ >+ sandboxFile.append(readableHash); >+ return sandboxFile; >+} >+ >+#if USE(APPLE_INTERNAL_SDK) >+static String randomString(unsigned length = 20) >+{ >+ constexpr char alphaNum[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; >+ constexpr size_t alphaNumRange = sizeof(alphaNum) - 1; >+ String string; >+ >+ for (size_t i = 0; i < length; ++i) >+ string.append(alphaNum[rand() % alphaNumRange]); >+ >+ return string; >+} >+#endif // USE(APPLE_INTERNAL_SDK) >+ >+static bool ensureSandboxCacheDirectory(const SandboxInfo& info) >+{ >+ // First we need to ensure that at least the parent directory exists >+ String parentDirectory = sandboxParentDirectory(); >+ if (!FileSystem::fileIsDirectory(parentDirectory, FileSystem::ShouldFollowSymbolicLinks::Yes)) { >+ FileSystem::makeAllDirectories(parentDirectory); >+ if (!FileSystem::fileIsDirectory(parentDirectory, FileSystem::ShouldFollowSymbolicLinks::Yes)) { >+ WTFLogAlways("%s: Couldn't create sandbox 
directory", getprogname()); >+ return false; >+ } >+ } >+ >+#if USE(APPLE_INTERNAL_SDK) >+ const char* storageClass = processStorageClass(info.processType); >+ CString directoryPath = FileSystem::fileSystemRepresentation(info.directoryPath); >+ if (directoryPath.isNull()) >+ return false; >+ >+ // First just try to make the data vault >+ if (!rootless_mkdir_datavault(directoryPath.data(), 0700, storageClass)) { >+ // We successfully made the data vault so we're good to go >+ return true; >+ } >+ >+ // Check to see why it failed >+ if (errno == EEXIST) { >+ // Ok the directory already exists, we need to make sure we're the one's who created it >+ if (!rootless_check_datavault_flag(directoryPath.data(), storageClass)) { >+ // Good to go, we're the ones who created the data vault >+ return true; >+ } >+ >+ // Let's convert it to a data vault then move out their files >+ if (rootless_convert_to_datavault(directoryPath.data(), storageClass)) { >+ WTFLogAlways("%s: Sandbox directory couldn't be created, errno: %d", getprogname(), errno); >+ return false; >+ } >+ >+ // Create a new directory to move old files to >+ WTFLogAlways("%s: \"%s\" is using a reserved path. 
Attempting to move it.", getprogname(), directoryPath.data(), directoryPath.data()); >+ String movedDirectory = info.directoryPath + ".Old"; >+ while (FileSystem::fileIsDirectory(movedDirectory, FileSystem::ShouldFollowSymbolicLinks::No)) { >+ // Keep trying until we create the directory >+ movedDirectory = info.directoryPath + ".Old+" + randomString(); >+ } >+ FileSystem::makeAllDirectories(movedDirectory); >+ >+ // Now let's move everything to the new directory >+ Vector<String> directoryContents = FileSystem::listDirectory(info.directoryPath, "*"); >+ for (const auto& file : directoryContents) { >+ String fileName = FileSystem::pathGetFileName(file); >+ String newPath = FileSystem::pathByAppendingComponent(movedDirectory, fileName); >+ if (!FileSystem::moveFile(file, newPath)) { >+ WTFLogAlways("%s: \"%s\" could not be moved and must be deleted", getprogname(), FileSystem::fileSystemRepresentation(file).data()); >+ FileSystem::deleteFile(file); >+ } >+ } >+ } else { >+ WTFLogAlways("Sandbox directory couldn't be created, errno: %d", errno); >+ return false; >+ } >+#else >+ bool hasSandboxDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes); >+ if (!hasSandboxDirectory) { >+ if (FileSystem::makeAllDirectories(info.directoryPath)) { >+ ASSERT(FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes)); >+ hasSandboxDirectory = true; >+ } else { >+ // We may have raced with someone else making it. That's ok. 
>+ hasSandboxDirectory = FileSystem::fileIsDirectory(info.directoryPath, FileSystem::ShouldFollowSymbolicLinks::Yes); >+ } >+ } >+ >+ if (!hasSandboxDirectory) { >+ // Bailing because we don't have a sandbox directory >+ return false; >+ } >+#endif // USE(APPLE_INTERNAL_SDK) >+ >+ return true; >+} >+ >+static SandboxProfile* compileAndCacheSandboxProfile(const SandboxInfo& info) >+{ >+ if (!ensureSandboxCacheDirectory(info)) >+ return nullptr; >+ >+ // Create a sandbox profile that must be freed by the caller of this function >+ char* error = nullptr; >+ CString profilePath = FileSystem::fileSystemRepresentation(info.profilePath); >+ if (profilePath.isNull()) >+ return nullptr; >+ SandboxProfile* sandboxProfile = sandbox_compile_file(profilePath.data(), info.sandboxParameters, &error); >+ if (!sandboxProfile) { >+ WTFLogAlways("%s: Couldn't compile WebContent sandbox %s\n", getprogname(), error); >+ CRASH(); >+ } >+ >+ // Begin building our file to cache >+ CachedSandboxHeader cachedHeader { >+ CachedSandboxVersionNumber, >+ "", >+ safeCast<uint32_t>(info.header.size()), >+ sandboxProfile->builtin ? 
safeCast<uint32_t>(strlen(sandboxProfile->builtin) + 1) : std::numeric_limits<uint32_t>::max(), >+ safeCast<uint32_t>(sandboxProfile->size) >+ }; >+ >+ // Make sure to set header OS version >+ size_t osVersionSize = sizeof(CachedSandboxHeader::osVersion); >+ if (sysctlbyname("kern.osversion", cachedHeader.osVersion, &osVersionSize, NULL, 0)) >+ return nullptr; >+ >+ // Write contents into a temporary vector >+ Vector<char> fileContents; >+ fileContents.append(bitwise_cast<uint8_t *>(&cachedHeader), sizeof(CachedSandboxHeader)); >+ fileContents.append(info.header.data(), info.header.size()); >+ if (sandboxProfile->builtin) >+ fileContents.append(sandboxProfile->builtin, cachedHeader.builtinSize); >+ fileContents.append(sandboxProfile->data, cachedHeader.dataSize); >+ >+ // Find a temporary filename to write to >+ FileSystem::PlatformFileHandle tempHandle; >+ String tempFileString; >+ CString tempFilePath; >+ while (true) { >+ tempFileString = info.directoryPath + "/tempfile+" + randomString(); >+ tempFilePath = FileSystem::fileSystemRepresentation(tempFileString); >+ if (tempFilePath.isNull()) >+ return nullptr; >+ tempHandle = open(tempFilePath.data(), (O_WRONLY | O_CREAT | O_EXCL), 0666); >+ if (tempHandle != FileSystem::invalidPlatformFileHandle) >+ break; >+ if (errno != EEXIST) >+ return nullptr; >+ } >+ ASSERT(tempHandle != FileSystem::invalidPlatformFileHandle); >+ >+ // Attempt to rename the temporary file to its proper name (this operation is atomic) >+ bool didRenameFile = false; >+ int writeSize = FileSystem::writeToFile(tempHandle, bitwise_cast<const char*>(fileContents.data()), safeCast<int>(fileContents.size())); >+ if (writeSize == safeCast<int>(fileContents.size())) { >+ CString sandboxFilePath = FileSystem::fileSystemRepresentation(info.filePath); >+ if (!sandboxFilePath.isNull()) { >+ // According to POSIX compliance requirements, this should not only rename the temporary >+ // file but also overwrite any existing file with the same name 
atomically. >+ // See http://pubs.opengroup.org/onlinepubs/9699919799/ for more information. >+ if (!rename(tempFilePath.data(), sandboxFilePath.data())) >+ didRenameFile = true; >+ } >+ } >+ >+ FileSystem::closeFile(tempHandle); >+ if (!didRenameFile) >+ FileSystem::deleteFile(tempFileString); >+ >+ return sandboxProfile; >+} >+ >+static bool applyCachedSandbox(const SandboxInfo& info) >+{ >+#if USE(APPLE_INTERNAL_SDK) >+ // Need to make sure the sandbox directory is a data vault for security reasons >+ CString directoryPath = FileSystem::fileSystemRepresentation(info.directoryPath); >+ if (directoryPath.isNull()) >+ return false; >+ if (rootless_check_datavault_flag(directoryPath.data(), processStorageClass(info.processType))) { >+ // Directory isn't a datavault so we didn't put it there >+ return false; >+ } >+#endif >+ >+ Vector<char> cachedSandboxContents; >+ if (auto contents = fileContents(info.filePath)) >+ cachedSandboxContents = WTFMove(*contents); >+ else >+ return false; >+ >+ // Make sure cachedSandboxContents aren't too small to contain CachedSandboxHeader >+ if (sizeof(CachedSandboxHeader) > cachedSandboxContents.size()) >+ return false; >+ >+ // Read CachedSandboxHeader from top of file >+ CachedSandboxHeader cachedSandboxHeader; >+ memcpy(&cachedSandboxHeader, cachedSandboxContents.data(), sizeof(CachedSandboxHeader)); >+ >+ // Verify cached sandbox was compiled for the same OS version >+ char *osVersionBuffer; >+ CString osVersion = CString::newUninitialized(sizeof(CachedSandboxHeader::osVersion), osVersionBuffer); >+ size_t osVersionSize = osVersion.length(); >+ if (sysctlbyname("kern.osversion", osVersionBuffer, &osVersionSize, NULL, 0)) >+ return false; >+ if (osVersion != cachedSandboxHeader.osVersion) >+ return false; >+ >+ // Make sure the sandbox versions match >+ if (cachedSandboxHeader.versionNumber != CachedSandboxVersionNumber) >+ return false; >+ >+ // Make sure the cached sandbox is the correct size >+ size_t expectedFileSize = 
sizeof(CachedSandboxHeader) + cachedSandboxHeader.headerSize + cachedSandboxHeader.dataSize; >+ bool haveBuiltin = cachedSandboxHeader.builtinSize != std::numeric_limits<uint32_t>::max(); >+ if (haveBuiltin) >+ expectedFileSize += cachedSandboxHeader.builtinSize; >+ if (cachedSandboxContents.size() != expectedFileSize) >+ return false; >+ if (cachedSandboxHeader.headerSize != info.header.size()) >+ return false; >+ >+ // Make sure the computed header and the cached header are the same as a final check >+ const char* sandboxHeaderPointer = cachedSandboxContents.data() + sizeof(CachedSandboxHeader); >+ const char* sandboxBuiltinPointer = sandboxHeaderPointer + cachedSandboxHeader.headerSize; >+ const char* sandboxDataPointer = haveBuiltin ? sandboxBuiltinPointer + cachedSandboxHeader.builtinSize : sandboxBuiltinPointer; >+ >+ if (memcmp(info.header.data(), sandboxHeaderPointer, info.header.size())) { >+ // Header and cached header do not have the same contents. >+ return false; >+ } >+ >+ // Start loading a SandboxProfile from the file contents >+ SandboxProfile profile; >+ CString builtin; >+ profile.builtin = nullptr; >+ profile.size = cachedSandboxHeader.dataSize; >+ if (haveBuiltin) { >+ builtin = CString::newUninitialized(cachedSandboxHeader.builtinSize, profile.builtin); >+ if (builtin.isNull()) >+ return false; >+ memcpy(profile.builtin, sandboxBuiltinPointer, cachedSandboxHeader.builtinSize); >+ } >+ profile.data = bitwise_cast<unsigned char*>(sandboxDataPointer); >+ >+ if (sandbox_apply(&profile)) { >+ WTFLogAlways("Could not apply cached sandbox"); >+ return false; >+ } >+ >+ return true; >+} >+ >+static inline const NSBundle *webKit2Bundle() > { > #if WK_API_ENABLED >- NSBundle *webKit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKWebView")]; >+ const static NSBundle *bundle = [NSBundle bundleForClass:NSClassFromString(@"WKWebView")]; > #else >- NSBundle *webKit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")]; >+ const static 
NSBundle *bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")]; > #endif >- String defaultProfilePath = [webKit2Bundle pathForResource:[[NSBundle mainBundle] bundleIdentifier] ofType:@"sb"]; >+ >+ return bundle; >+} >+ >+static inline String sandboxProfilePath(const SandboxInitializationParameters& parameters) >+{ >+ switch (parameters.mode()) { >+ case SandboxInitializationParameters::ProfileSelectionMode::UseDefaultSandboxProfilePath: >+ return [webKit2Bundle() pathForResource:[[NSBundle mainBundle] bundleIdentifier] ofType:@"sb"]; >+ case SandboxInitializationParameters::ProfileSelectionMode::UseOverrideSandboxProfilePath: >+ return parameters.overrideSandboxProfilePath(); >+ case SandboxInitializationParameters::ProfileSelectionMode::UseSandboxProfile: >+ return parameters.sandboxProfile(); >+ } >+} >+ >+static bool applySandbox(const ChildProcessInitializationParameters& parameters, const SandboxInitializationParameters& sandboxParameters) >+{ >+ SandboxInfo info(sandboxParameters); >+ info.processType = parameters.processType; >+ info.profilePath = sandboxProfilePath(sandboxParameters); >+ info.directoryPath = sandboxDirectory(info.processType); >+ info.sandboxParameters = sandbox_create_params(); >+ >+ auto freeParamsOnExit = makeScopeExit([&] { >+ sandbox_free_params(info.sandboxParameters); >+ }); >+ >+ if (info.profilePath.isEmpty()) >+ return false; >+ >+ if (auto header = sandboxHeader(sandboxParameters, info)) { >+ // Order here is important! 
Header must be set before calling sandboxFilename(info) >+ info.header = WTFMove(*header); >+ info.filePath = sandboxFilePath(info); >+ } else >+ return false; >+ >+ // Try to find a cached version of the sandbox and apply it >+ if (applyCachedSandbox(info)) >+ return true; >+ >+ // We failed to find a valid sandbox on the fs so let's compile and cache one for the next process >+ SandboxProfile* sandboxProfile = nullptr; >+ sandboxProfile = compileAndCacheSandboxProfile(info); >+ if (!sandboxProfile) >+ return false; >+ auto freeSandboxOnExit = makeScopeExit([&] { >+ sandbox_free_profile(sandboxProfile); >+ }); >+ >+ if (sandbox_apply(sandboxProfile)) { >+ WTFLogAlways("%s: Couldn't apply compiled sandbox profile, errno: %d\n", getprogname(), errno); >+ exit(EX_NOPERM); >+ } >+ >+ return true; >+} > >+static void initializeSandboxParameters(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters) >+{ >+ // Verify user directory suffix > if (sandboxParameters.userDirectorySuffix().isNull()) { > auto userDirectorySuffix = parameters.extraInitializationData.find("user-directory-suffix"); > if (userDirectorySuffix != parameters.extraInitializationData.end()) >@@ -132,6 +632,7 @@ void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& > } > } > >+ // Set OS version parameter > Vector<String> osVersionParts; > String osSystemMarketingVersion = systemMarketingVersion(); > osSystemMarketingVersion.split('.', false, osVersionParts); 
>@@ -144,14 +645,14 @@ void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& > > // Use private temporary and cache directories. > setenv("DIRHELPER_USER_DIR_SUFFIX", FileSystem::fileSystemRepresentation(sandboxParameters.userDirectorySuffix()).data(), 1); >- char temporaryDirectory[PATH_MAX]; >+ char temporaryDirectory[PATH_MAX + 1]; > if (!confstr(_CS_DARWIN_USER_TEMP_DIR, temporaryDirectory, sizeof(temporaryDirectory))) { > WTFLogAlways("%s: couldn't retrieve private temporary directory path: %d\n", getprogname(), errno); > exit(EX_NOPERM); > } > setenv("TMPDIR", temporaryDirectory, 1); > >- sandboxParameters.addPathParameter("WEBKIT2_FRAMEWORK_DIR", [[webKit2Bundle bundlePath] stringByDeletingLastPathComponent]); >+ sandboxParameters.addPathParameter("WEBKIT2_FRAMEWORK_DIR", [[webKit2Bundle() bundlePath] stringByDeletingLastPathComponent]); > sandboxParameters.addConfDirectoryParameter("DARWIN_USER_TEMP_DIR", _CS_DARWIN_USER_TEMP_DIR); > sandboxParameters.addConfDirectoryParameter("DARWIN_USER_CACHE_DIR", _CS_DARWIN_USER_CACHE_DIR); 
> >@@ -165,50 +666,25 @@ void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& > } > > sandboxParameters.addPathParameter("HOME_DIR", pwd.pw_dir); >- > String path = String::fromUTF8(pwd.pw_dir); > path.append("/Library"); >- >+ String libraryPath = path; > sandboxParameters.addPathParameter("HOME_LIBRARY_DIR", FileSystem::fileSystemRepresentation(path).data()); >- > path.append("/Preferences"); >- > sandboxParameters.addPathParameter("HOME_LIBRARY_PREFERENCES_DIR", FileSystem::fileSystemRepresentation(path).data()); >+} > >- switch (sandboxParameters.mode()) { >- case SandboxInitializationParameters::UseDefaultSandboxProfilePath: >- case SandboxInitializationParameters::UseOverrideSandboxProfilePath: { >- String sandboxProfilePath = sandboxParameters.mode() == SandboxInitializationParameters::UseDefaultSandboxProfilePath ? defaultProfilePath : sandboxParameters.overrideSandboxProfilePath(); >- if (!sandboxProfilePath.isEmpty()) { >- CString profilePath = FileSystem::fileSystemRepresentation(sandboxProfilePath); >- char* errorBuf; >-#pragma clang diagnostic push >-#pragma clang diagnostic ignored "-Wdeprecated-declarations" >- if (sandbox_init_with_parameters(profilePath.data(), SANDBOX_NAMED_EXTERNAL, sandboxParameters.namedParameterArray(), &errorBuf)) { >-#pragma clang diagnostic pop >- WTFLogAlways("%s: Couldn't initialize sandbox profile [%s], error '%s'\n", getprogname(), profilePath.data(), errorBuf); >- for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i) >- WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i)); >- exit(EX_NOPERM); >- } >- } >+void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters) >+{ >+ TraceScope traceScope(InitializeSandboxStart, InitializeSandboxEnd); > >- break; >- } >- case SandboxInitializationParameters::UseSandboxProfile: { >- char* errorBuf; >-#pragma clang diagnostic push 
>-#pragma clang diagnostic ignored "-Wdeprecated-declarations" >- if (sandbox_init_with_parameters(sandboxParameters.sandboxProfile().utf8().data(), 0, sandboxParameters.namedParameterArray(), &errorBuf)) { >-#pragma clang diagnostic pop >- WTFLogAlways("%s: Couldn't initialize sandbox profile, error '%s'\n", getprogname(), errorBuf); >- for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i) >- WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i)); >- exit(EX_NOPERM); >- } >+ initializeSandboxParameters(parameters, sandboxParameters); > >- break; >- } >+ // Try to apply the sandbox >+ if (!applySandbox(parameters, sandboxParameters)) { >+ // Something is really wrong, we can't continue without our sandbox >+ WTFLogAlways("%s: Unable to apply sandbox\n", getprogname()); >+ CRASH(); > } > > // This will override LSFileQuarantineEnabled from Info.plist unless sandbox quarantine is globally disabled. >diff --git a/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm b/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm >index 6cb4c88a70c8e7224ba737922cfa3520ce96c0dd..634909da9999adc43e7e6ccaed8f8fcafdb0b6a9 100644 >--- a/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm >+++ b/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm >@@ -29,7 +29,7 @@ > namespace WebKit { > > SandboxInitializationParameters::SandboxInitializationParameters() >- : m_profileSelectionMode(UseDefaultSandboxProfilePath) >+ : m_profileSelectionMode(ProfileSelectionMode::UseDefaultSandboxProfilePath) > { > } > >diff --git a/Source/WebKit/StorageProcess/StorageProcess.h b/Source/WebKit/StorageProcess/StorageProcess.h >index aee510042be3b5b3c895fe9ae5ad9af73c67548b..42271d9f13846532ee8c8545ec9ce8bb841cb21e 100644 >--- a/Source/WebKit/StorageProcess/StorageProcess.h >+++ b/Source/WebKit/StorageProcess/StorageProcess.h 
>@@ -71,6 +71,8 @@ class StorageProcess : public ChildProcess > friend NeverDestroyed<StorageProcess>; > public: > static StorageProcess& singleton(); >+ static constexpr ProcessType processType = ProcessType::StorageType; >+ > ~StorageProcess(); > > WorkQueue& queue() { return m_queue.get(); } >diff --git a/Source/WebKit/WebKit.xcodeproj/project.pbxproj b/Source/WebKit/WebKit.xcodeproj/project.pbxproj >index b9cf28e20e9828ec2b27732a8072db5ddeb0ea77..29b5f2abbab43ccacc46e9c0ffb9194967e51612 100644 >--- a/Source/WebKit/WebKit.xcodeproj/project.pbxproj >+++ b/Source/WebKit/WebKit.xcodeproj/project.pbxproj 
>@@ -3309,6 +3309,8 @@ > 411A8DD920DDB6050060D34F /* WKMockMediaDevice.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKMockMediaDevice.h; sourceTree = "<group>"; }; > 411A8DDA20DDB6050060D34F /* WKMockMediaDevice.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKMockMediaDevice.cpp; sourceTree = "<group>"; }; > 411B22621E371244004F7363 /* LibWebRTCNetwork.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LibWebRTCNetwork.h; path = Network/webrtc/LibWebRTCNetwork.h; sourceTree = "<group>"; }; >+ 41303BC920E2F0FD005827BA /* process-plugin-entitlements.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "process-plugin-entitlements.sh"; sourceTree = "<group>"; }; >+ 41303BCA20E2F248005827BA /* Plugin-OSX-sandbox.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "Plugin-OSX-sandbox.entitlements"; sourceTree = "<group>"; }; > 413075981DE84FB00039EC69 /* NetworkRTCSocket.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = NetworkRTCSocket.cpp; path = NetworkProcess/webrtc/NetworkRTCSocket.cpp; sourceTree = "<group>"; }; > 413075991DE84FB00039EC69 /* NetworkRTCSocket.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = NetworkRTCSocket.h; path = NetworkProcess/webrtc/NetworkRTCSocket.h; sourceTree = "<group>"; }; > 4130759A1DE84FB00039EC69 /* NetworkRTCMonitor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = NetworkRTCMonitor.cpp; path = NetworkProcess/webrtc/NetworkRTCMonitor.cpp; sourceTree = "<group>"; }; 
>@@ -3357,6 +3359,10 @@ > 41B7ED70206965900087D853 /* NetworkMDNSRegister.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = NetworkMDNSRegister.h; path = NetworkProcess/webrtc/NetworkMDNSRegister.h; sourceTree = "<group>"; }; > 41B7ED71206965900087D853 /* NetworkMDNSRegister.messages.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = NetworkMDNSRegister.messages.in; path = NetworkProcess/webrtc/NetworkMDNSRegister.messages.in; sourceTree = "<group>"; }; > 41C858191F510DEE0065E085 /* CacheStorageEngineCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CacheStorageEngineCache.cpp; sourceTree = "<group>"; }; >+ 41D0FC7820E438DD00076AE8 /* WebContent-OSX-sandbox.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "WebContent-OSX-sandbox.entitlements"; sourceTree = "<group>"; }; >+ 41D0FC7920E439AD00076AE8 /* process-network-entitlements.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "process-network-entitlements.sh"; sourceTree = "<group>"; }; >+ 41D0FC7C20E43A5100076AE8 /* Storage-OSX-sandbox.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "Storage-OSX-sandbox.entitlements"; sourceTree = "<group>"; }; >+ 41D0FC7D20E43A5100076AE8 /* Network-OSX-sandbox.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "Network-OSX-sandbox.entitlements"; sourceTree = "<group>"; }; > 41D129D91F3D101400D15E47 /* WebCacheStorageProvider.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = WebCacheStorageProvider.h; sourceTree = "<group>"; }; > 41DC45941E3D6E1E00B11F51 /* NetworkRTCProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = NetworkRTCProvider.h; path = 
NetworkProcess/webrtc/NetworkRTCProvider.h; sourceTree = "<group>"; }; > 41DC45951E3D6E1E00B11F51 /* NetworkRTCProvider.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = NetworkRTCProvider.cpp; path = NetworkProcess/webrtc/NetworkRTCProvider.cpp; sourceTree = "<group>"; }; >@@ -5072,7 +5078,9 @@ > 1A4F976C100E7B6600637A18 /* FeatureDefines.xcconfig */, > 37119A7D20CCB64E002C6DC9 /* Network-iOS-minimalsimulator.entitlements */, > 7C0BB9A918DCDF5A0006C086 /* Network-iOS.entitlements */, >+ 41D0FC7D20E43A5100076AE8 /* Network-OSX-sandbox.entitlements */, > BC8283AB16B4BEAD00A278FE /* NetworkService.xcconfig */, >+ 41303BCA20E2F248005827BA /* Plugin-OSX-sandbox.entitlements */, > A1EDD2DB1884B96400BBFE98 /* PluginProcessShim.xcconfig */, > BC8283F216B4FC5300A278FE /* PluginService.32.xcconfig */, > BC8283F416B4FC5300A278FE /* PluginService.64.xcconfig */, >@@ -5080,11 +5088,13 @@ > 37E83D401B37D27B002079EE /* SandboxProfiles.xcconfig */, > A1EDD2DC1884B9B500BBFE98 /* SecItemShim.xcconfig */, > 5183B3931379F85C00E8754E /* Shim.xcconfig */, >+ 41D0FC7C20E43A5100076AE8 /* Storage-OSX-sandbox.entitlements */, > 51A60B29180CCD9000F3BF50 /* StorageService.xcconfig */, > 1A4F976E100E7B6600637A18 /* Version.xcconfig */, > 37119A7E20CCB64E002C6DC9 /* WebContent-iOS-minimalsimulator.entitlements */, > 7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */, > 37B418EB1C9624F20031E63B /* WebContent-OSX-restricted.entitlements */, >+ 41D0FC7820E438DD00076AE8 /* WebContent-OSX-sandbox.entitlements */, > 7AF66E1120C07CB6007828EA /* WebContent-OSX.entitlements */, > 372EBB4A2017E76000085064 /* WebContentService.Development.xcconfig */, > BCACC40E16B0B8A800B6E092 /* WebContentService.xcconfig */, 
>@@ -8519,6 +8529,8 @@ > 0FC0856F187CE0A900780D86 /* messages.py */, > 0FC08570187CE0A900780D86 /* model.py */, > 0FC08571187CE0A900780D86 /* parser.py */, >+ 41D0FC7920E439AD00076AE8 /* process-network-entitlements.sh */, >+ 41303BC920E2F0FD005827BA /* process-plugin-entitlements.sh */, > 7ACFAAD820B88D4F00C53203 /* process-webcontent-entitlements.sh */, > ); > path = Scripts; >@@ -10003,9 +10015,12 @@ > isa = PBXNativeTarget; > buildConfigurationList = BC8283BD16B4BF7700A278FE /* Build configuration list for PBXNativeTarget "Networking" */; > buildPhases = ( >+ 41D0FC7F20E43B0B00076AE8 /* Remove stale entitlements file */, > BC8283AD16B4BF7700A278FE /* Sources */, > BC8283AE16B4BF7700A278FE /* Frameworks */, > BC8283AF16B4BF7700A278FE /* Resources */, >+ 41D0FC8020E43B4500076AE8 /* Unlock keychain */, >+ 41D0FC8120E43B7000076AE8 /* Process Network entitlements */, > ); > buildRules = ( > ); >@@ -10021,9 +10036,12 @@ > isa = PBXNativeTarget; > buildConfigurationList = BC82840416B4FDDE00A278FE /* Build configuration list for PBXNativeTarget "Plugin.32" */; > buildPhases = ( >+ 41303BC320E2EC67005827BA /* Remove stale entitlement file */, > BC8283F516B4FDDE00A278FE /* Sources */, > BC8283F616B4FDDE00A278FE /* Frameworks */, > BC8283F716B4FDDE00A278FE /* Resources */, >+ 41303BC420E2ED41005827BA /* Unlock keychain */, >+ 41303BC520E2ED54005827BA /* Process Plugin entitlements */, > ); > buildRules = ( > ); >@@ -10039,9 +10057,12 @@ > isa = PBXNativeTarget; > buildConfigurationList = BC82842A16B4FDF700A278FE /* Build configuration list for PBXNativeTarget "Plugin.64" */; > buildPhases = ( >+ 41303BC620E2EFDF005827BA /* Remove stale entitlement file */, > BC82841B16B4FDF600A278FE /* Sources */, > BC82841C16B4FDF600A278FE /* Frameworks */, > BC82841D16B4FDF600A278FE /* Resources */, >+ 41303BC720E2F016005827BA /* Unlock keychain */, >+ 41303BC820E2F047005827BA /* Process Plugin entitlements */, > ); > buildRules = ( > ); 
>@@ -10252,7 +10273,7 @@ > name = "Copy Additional Resources"; > runOnlyForDeploymentPostprocessing = 0; > shellPath = /bin/sh; >- shellScript = "set -e\n\nRELATIVE_SOURCE_PATH=\"usr/local/include/WebKitAdditions/WebKit/AdditionalResources\"\nSOURCE_PATH=\"$BUILT_PRODUCTS_DIR/$RELATIVE_SOURCE_PATH\"\n\nif [[ ! -d \"$SOURCE_PATH\" ]]; then\n SOURCE_PATH=\"$SDK_DIR/$RELATIVE_SOURCE_PATH\"\nfi\n\nif [[ -d \"$SOURCE_PATH\" ]]; then\n ditto $SOURCE_PATH \"$BUILT_PRODUCTS_DIR/$UNLOCALIZED_RESOURCES_FOLDER_PATH\"\nfi"; >+ shellScript = "set -e\n\nRELATIVE_SOURCE_PATH=\"usr/local/include/WebKitAdditions/WebKit/AdditionalResources\"\nSOURCE_PATH=\"$BUILT_PRODUCTS_DIR/$RELATIVE_SOURCE_PATH\"\n\nif [[ ! -d \"$SOURCE_PATH\" ]]; then\n SOURCE_PATH=\"$SDK_DIR/$RELATIVE_SOURCE_PATH\"\nfi\n\nif [[ -d \"$SOURCE_PATH\" ]]; then\n ditto $SOURCE_PATH \"$BUILT_PRODUCTS_DIR/$UNLOCALIZED_RESOURCES_FOLDER_PATH\"\nfi\n"; > }; > 3713F0231429063D0036387F /* Check For Inappropriate Objective-C Class Names */ = { > isa = PBXShellScriptBuildPhase; 
>@@ -10291,7 +10312,7 @@ > ); > runOnlyForDeploymentPostprocessing = 0; > shellPath = /bin/sh; >- shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n eval ENTITLEMENTS=\\${SCRIPT_INPUT_FILE_${i}}\n ENTITLEMENTS_BASE=${ENTITLEMENTS##*/}\n ENTITLEMENTS_BASE=${ENTITLEMENTS_BASE%.entitlements}\n plutil -remove seatbelt-profiles -o \"${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit2/${ENTITLEMENTS_BASE}-no-sandbox.entitlements\" \"${ENTITLEMENTS}\"\n done\nfi"; >+ shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n eval ENTITLEMENTS=\\${SCRIPT_INPUT_FILE_${i}}\n ENTITLEMENTS_BASE=${ENTITLEMENTS##*/}\n ENTITLEMENTS_BASE=${ENTITLEMENTS_BASE%.entitlements}\n plutil -remove seatbelt-profiles -o \"${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit2/${ENTITLEMENTS_BASE}-no-sandbox.entitlements\" \"${ENTITLEMENTS}\"\n done\nfi\n"; > }; > 375A248817E5048E00C9A086 /* Postprocess WKBase.h */ = { > isa = PBXShellScriptBuildPhase; 
>@@ -10325,6 +10346,171 @@ > shellPath = /bin/sh; > shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" || \"${WK_PLATFORM_NAME}\" == \"iphoneminimalsimulator\" ]]; then\n exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n eval SANDBOX_PROFILE=\\${SCRIPT_INPUT_FILE_${i}}\n ditto \"${SANDBOX_PROFILE}\" \"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/${SANDBOX_PROFILE##*/}\"\n done\nfi\n"; > }; >+ 41303BC320E2EC67005827BA /* Remove stale entitlement file */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ ); >+ name = "Remove stale entitlement file"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n"; >+ }; >+ 41303BC420E2ED41005827BA /* Unlock keychain */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ ); >+ name = "Unlock keychain"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n"; >+ }; >+ 41303BC520E2ED54005827BA /* Process Plugin entitlements */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent", >+ ); >+ name = "Process Plugin entitlements"; >+ outputFileListPaths = ( >+ 
); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "Scripts/process-plugin-entitlements.sh\n"; >+ }; >+ 41303BC620E2EFDF005827BA /* Remove stale entitlement file */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ ); >+ name = "Remove stale entitlement file"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n"; >+ }; >+ 41303BC720E2F016005827BA /* Unlock keychain */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ ); >+ name = "Unlock keychain"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n"; >+ }; >+ 41303BC820E2F047005827BA /* Process Plugin entitlements */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent", >+ ); >+ name = "Process Plugin entitlements"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "Scripts/process-plugin-entitlements.sh\n"; >+ }; >+ 41D0FC7F20E43B0B00076AE8 /* Remove stale entitlements file */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ ); >+ name = "Remove stale 
entitlements file"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n"; >+ }; >+ 41D0FC8020E43B4500076AE8 /* Unlock keychain */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ ); >+ name = "Unlock keychain"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "UNLOCK_SCRIPT_PATH=\"${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed\"\n\n[[ -x \"${UNLOCK_SCRIPT_PATH}\" ]] && exec \"${UNLOCK_SCRIPT_PATH}\"\n\nexit 0\n"; >+ }; >+ 41D0FC8120E43B7000076AE8 /* Process Network entitlements */ = { >+ isa = PBXShellScriptBuildPhase; >+ buildActionMask = 2147483647; >+ files = ( >+ ); >+ inputFileListPaths = ( >+ ); >+ inputPaths = ( >+ "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent", >+ ); >+ name = "Process Network entitlements"; >+ outputFileListPaths = ( >+ ); >+ outputPaths = ( >+ ); >+ runOnlyForDeploymentPostprocessing = 0; >+ shellPath = /bin/sh; >+ shellScript = "Scripts/process-network-entitlements.sh\n"; >+ }; > 5DF408C5131DD46700130071 /* Check For Weak VTables and Externals */ = { > isa = PBXShellScriptBuildPhase; > buildActionMask = 2147483647; >diff --git a/Source/WebKit/WebProcess/WebProcess.h b/Source/WebKit/WebProcess/WebProcess.h >index 88cc21f9f510980b006f5ce782628435af6ac26b..69208f350a6ce9d968ab9a525ea92684198bb2d3 100644 >--- a/Source/WebKit/WebProcess/WebProcess.h >+++ b/Source/WebKit/WebProcess/WebProcess.h 
>@@ -109,6 +109,7 @@ struct WebsiteDataStoreParameters; > class WebProcess : public ChildProcess { > public: > static WebProcess& singleton(); >+ static constexpr ProcessType processType = ProcessType::WebContentType; > > template <typename T> > T* supplement() >diff --git a/Tools/ChangeLog b/Tools/ChangeLog >index a4fdc327973e329b38b424816975436b01a92f43..aa6c2551e0e9388cc3e5422ab784435efd1e8c99 100644 >--- a/Tools/ChangeLog >+++ b/Tools/ChangeLog >@@ -1,3 +1,14 @@ >+2018-06-27 Ben Richards <benton_richards@apple.com> >+ >+ We should cache the compiled sandbox profile in a data vault >+ https://bugs.webkit.org/show_bug.cgi?id=184991 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Added trace points for sandbox initialization >+ >+ * Tracing/SystemTracePoints.plist: >+ > 2018-06-27 Daniel Bates <dabates@apple.com> > > webkit-patch should ignore non-ASCII characters in the status server API key >diff --git a/Tools/Tracing/SystemTracePoints.plist b/Tools/Tracing/SystemTracePoints.plist >index e9e1776965bac9ddd1d647fb920734600f8a2905..0e1a6783866dc2df5dbadb82eb375e8686330769 100644 >--- a/Tools/Tracing/SystemTracePoints.plist >+++ b/Tools/Tracing/SystemTracePoints.plist >@@ -300,6 +300,18 @@ > <key>CodeEnd</key> > <string>14004</string> > </dict> >+ <dict> >+ <key>Name</key> >+ <string>Initialize Sandbox</string> >+ <key>Type</key> >+ <string>Interval</string> >+ <key>Component</key> >+ <string>47</string> >+ <key>CodeBegin</key> >+ <string>14005</string> >+ <key>CodeEnd</key> >+ <string>14006</string> >+ </dict> > </array> > </dict> > </array>
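Review bot: The `rm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent` in both "Remove stale entitlement file" (41303BC6) and "Remove stale entitlements file" (41D0FC7F) expands the variables unquoted, so a build directory containing a space would make the removal fail silently (`-f` hides the error) and the stale `.xcent` would survive into the next build; suggest `rm -f "${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent"`. Two smaller points in the same hunk: the two phase names differ ("entitlement" vs "entitlements"), and the "Unlock keychain" phase body is duplicated verbatim under 41303BC7 and 41D0FC80, so it would be cleaner as a shared script file like the `process-*-entitlements.sh` ones. Since `exit 0` makes the unlock phase succeed whenever `${SRCROOT}/../../../Internal/Tools/Scripts/unlock-safari-engineering-keychain-if-needed` is absent, a one-line comment stating that this is intentional for external checkouts would help, because a typo in that relative path would be just as silent.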
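Review bot: The new `static constexpr ProcessType processType = ProcessType::WebContentType;` in WebProcess.h adds no include for `ProcessType`, so it relies on that type already being visible through the `ChildProcess` base class header; that is fine given `class WebProcess : public ChildProcess`, but a short comment saying what consumes this constant would help, since a reader of WebProcess.h alone cannot tell it exists to select the process-specific sandbox/data-vault handling rather than being an unused declaration.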
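Review bot: In the SystemTracePoints.plist hunk the "Initialize Sandbox" interval uses CodeBegin 14005 and CodeEnd 14006 in Component 47, which correctly continues from the preceding entry's CodeEnd of 14004, but the matching trace-point values this patch adds on the WTF side are not in this hunk; please confirm they are exactly 14005/14006, because a mismatch here would not fail the build and would simply make the sandbox-initialization interval never appear in traces.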