169431 2017-03-09 12:54:02 -0800 [WK2][iOS] Extend WebProcess sandbox to support audio and video compression/decompression 2017-03-10 12:14:32 -0800 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build iPhone / iPad All RESOLVED FIXED InRadar P2 Normal --- 169480 1 bfulgham bfulgham achristensen bfulgham commit-queue eric.carlson jonlee youennf oldest_to_newest 1285484 0 bfulgham 2017-03-09 12:54:02 -0800 The iOS web process needs access to the following Mach names in order to compress, decompress, and render audio and video for WebRTC: These are needed to decode video content delivered over WebRTC: com.apple.coremedia.videoqueue com.apple.audio.audiohald com.apple.coremedia.decompressionsession This is needed to encode video to ship over WebRTC: com.apple.coremedia.compressionsession 1285485 1 bfulgham 2017-03-09 12:54:35 -0800 <rdar://problem/30844650> 1285491 2 303960 bfulgham 2017-03-09 12:57:22 -0800 Created attachment 303960 Patch 1285511 3 303960 youennf 2017-03-09 13:09:03 -0800 Comment on attachment 303960 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=303960&action=review > Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:116 > + (allow mach-lookup (global-name "com.apple.coremedia.compressionsession"))) We need compressionsession when doing exporting canvas through peer connection, not only for gum. I would add it next to decompressionsession. > Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:141 > + (global-name "com.apple.audio.audiohald") I wonder whether we can put this one under com.apple.webkit.microphone? 1285519 4 303960 bfulgham 2017-03-09 13:13:26 -0800 Comment on attachment 303960 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=303960&action=review >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:116 >> + (allow mach-lookup (global-name "com.apple.coremedia.compressionsession"))) > > We need compressionsession when doing exporting canvas through peer connection, not only for gum. > I would add it next to decompressionsession. We need this for microphone OR camera, but not otherwise. So I think this is correct (it's safe to tell the Sandbox to allow a particular mach name more than once). >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:141 >> + (global-name "com.apple.audio.audiohald") > > I wonder whether we can put this one under com.apple.webkit.microphone? Eric said it was needed for incoming video streams (which I assume include audio?), so I put it here. 1285551 5 303960 commit-queue 2017-03-09 13:42:07 -0800 Comment on attachment 303960 Patch Clearing flags on attachment: 303960 Committed r213665: <http://trac.webkit.org/changeset/213665> 1285552 6 commit-queue 2017-03-09 13:42:11 -0800 All reviewed patches have been landed. Closing bug. 1285806 7 youennf 2017-03-10 08:02:21 -0800 (In reply to comment #4) > Comment on attachment 303960 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=303960&action=review > > >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:116 > >> + (allow mach-lookup (global-name "com.apple.coremedia.compressionsession"))) > > > > We need compressionsession when doing exporting canvas through peer connection, not only for gum. > > I would add it next to decompressionsession. > > We need this for microphone OR camera, but not otherwise. So I think this is > correct (it's safe to tell the Sandbox to allow a particular mach name more > than once). We also need it when no microphone and no camera,: canvas is exported to a mediastream track which is then sent to peer connection. Can you update the patch? > > >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:141 > >> + (global-name "com.apple.audio.audiohald") > > > > I wonder whether we can put this one under com.apple.webkit.microphone? > > Eric said it was needed for incoming video streams (which I assume include > audio?), so I put it here. 1285807 8 youennf 2017-03-10 08:03:35 -0800 See https://youennf.github.io/webrtc-tests/src/content/capture/canvas-pc2/ as an example 303960 2017-03-09 12:57:22 -0800 2017-03-09 13:42:07 -0800 Patch bug-169431-20170309125721.patch text/plain 2512 bfulgham SW5kZXg6IFNvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi S2l0Mi9DaGFuZ2VMb2cJKHJldmlzaW9uIDIxMzY1NikKKysrIFNvdXJjZS9XZWJLaXQyL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDEzIEBACisyMDE3LTAzLTA5ICBCcmVudCBG dWxnaGFtICA8YmZ1bGdoYW1AYXBwbGUuY29tPgorCisgICAgICAgIFtXSzJdW2lPU10gRXh0ZW5k IFdlYlByb2Nlc3Mgc2FuZGJveCB0byBzdXBwb3J0IGF1ZGlvIGFuZCB2aWRlbyBjb21wcmVzc2lv bi9kZWNvbXByZXNzaW9uCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xNjk0MzEKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzMwODQ0NjUwPgorCisgICAg ICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogUmVzb3VyY2VzL1Nh bmRib3hQcm9maWxlcy9pb3MvY29tLmFwcGxlLldlYktpdC5XZWJDb250ZW50LnNiOgorCiAyMDE3 LTAzLTA4ICBNYXR0IFJhamNhICA8bXJhamNhQGFwcGxlLmNvbT4KIAogICAgICAgICBMZXQgY2xp ZW50cyBjb250cm9sIGF1dG9wbGF5IHF1aXJrcyB3aXRoIHdlYnNpdGUgcG9saWNpZXMuCkluZGV4 OiBTb3VyY2UvV2ViS2l0Mi9SZXNvdXJjZXMvU2FuZGJveFByb2ZpbGVzL2lvcy9jb20uYXBwbGUu V2ViS2l0LldlYkNvbnRlbnQuc2IKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYktpdDIvUmVzb3Vy Y2VzL1NhbmRib3hQcm9maWxlcy9pb3MvY29tLmFwcGxlLldlYktpdC5XZWJDb250ZW50LnNiCShy ZXZpc2lvbiAyMTM2MTApCisrKyBTb3VyY2UvV2ViS2l0Mi9SZXNvdXJjZXMvU2FuZGJveFByb2Zp bGVzL2lvcy9jb20uYXBwbGUuV2ViS2l0LldlYkNvbnRlbnQuc2IJKHdvcmtpbmcgY29weSkKQEAg LTExMiw3ICsxMTIsOCBAQAogCiA7OyBNZWRpYSBjYXB0dXJlLCBtaWNyb3Bob25lIGFjY2Vzcwog KHdpdGgtZmlsdGVyIChleHRlbnNpb24gImNvbS5hcHBsZS53ZWJraXQubWljcm9waG9uZSIpCi0g ICAgKGFsbG93IGRldmljZS1taWNyb3Bob25lKSkKKyAgICAoYWxsb3cgZGV2aWNlLW1pY3JvcGhv bmUpCisgICAgKGFsbG93IG1hY2gtbG9va3VwIChnbG9iYWwtbmFtZSAiY29tLmFwcGxlLmNvcmVt ZWRpYS5jb21wcmVzc2lvbnNlc3Npb24iKSkpCiAKIDs7IE1lZGlhIGNhcHR1cmUsIGNhbWVyYSBh Y2Nlc3MKICh3aXRoLWZpbHRlciAoZXh0ZW5zaW9uICJjb20uYXBwbGUud2Via2l0LmNhbWVyYSIp CkBAIC0xMjEsMTYgKzEyMiwyMiBAQAogICAgIChhbGxvdyBmaWxlLXJlYWQqIChzdWJwYXRoICIv TGlicmFyeS9Db3JlTWVkaWFJTy9QbHVnLUlucy9EQUwiKSkKICAgICAoYWxsb3cgbWFjaC1sb29r dXAgKGV4dGVuc2lvbiAiY29tLmFwcGxlLmFwcC1zYW5kYm94Lm1hY2giKSkKICAgICAoYWxsb3cg bWFjaC1sb29rdXAKLSAgICAgICAgKGdsb2JhbC1uYW1lICJjb20uYXBwbGUuY29yZW1lZGlhLnZp ZGVvcXVldWUiKQogICAgICAgICAoZ2xvYmFsLW5hbWUgImNvbS5hcHBsZS5jbWlvLkFwcGxlQ2Ft ZXJhQXNzaXN0YW50IikKICAgICAgICAgOzsgQXBwbGUgREFMIGFzc2lzdGFudHMKICAgICAgICAg KGdsb2JhbC1uYW1lICJjb20uYXBwbGUuY21pby5WRENBc3Npc3RhbnQiKQogICAgICAgICAoZ2xv YmFsLW5hbWUgImNvbS5hcHBsZS5jbWlvLkFWQ0Fzc2lzdGFudCIpCiAgICAgICAgIChnbG9iYWwt bmFtZSAiY29tLmFwcGxlLmNtaW8uSUlEQ1ZpZGVvQXNzaXN0YW50IikKICAgICAgICAgOzsgUXVp Y2tUaW1lSUlEQ0RpZ2l0aXplciBhc3Npc3RhbnQKLSAgICAgICAgKGdsb2JhbC1uYW1lICJjb20u YXBwbGUuSUlEQ0Fzc2lzdGFudCIpKQorICAgICAgICAoZ2xvYmFsLW5hbWUgImNvbS5hcHBsZS5J SURDQXNzaXN0YW50IikKKyAgICAgICAgKGdsb2JhbC1uYW1lICJjb20uYXBwbGUuY29yZW1lZGlh LmNvbXByZXNzaW9uc2Vzc2lvbiIpKQogICAgIChhbGxvdyBpb2tpdC1vcGVuCiAgICAgICAgIDs7 IFF1aWNrVGltZVVTQlZEQ0RpZ2l0aXplcgogICAgICAgICAoaW9raXQtdXNlci1jbGllbnQtY2xh c3MgIklPVVNCRGV2aWNlVXNlckNsaWVudFYyIikKICAgICAgICAgKGlva2l0LXVzZXItY2xpZW50 LWNsYXNzICJJT1VTQkludGVyZmFjZVVzZXJDbGllbnRWMiIpKQogICAgIChhbGxvdyBkZXZpY2Ut Y2FtZXJhKSkKKworOzsgU3VwcG9ydCBpbmNvbWluZyB2aWRlbyBjb25uZWN0aW9ucworKGFsbG93 IG1hY2gtbG9va3VwCisgICAgKGdsb2JhbC1uYW1lICJjb20uYXBwbGUuYXVkaW8uYXVkaW9oYWxk IikKKyAgICAoZ2xvYmFsLW5hbWUgImNvbS5hcHBsZS5jb3JlbWVkaWEuZGVjb21wcmVzc2lvbnNl c3Npb24iKQorICAgIChnbG9iYWwtbmFtZSAiY29tLmFwcGxlLmNvcmVtZWRpYS52aWRlb3F1ZXVl IikpCg==