RESOLVED FIXED 169431
[WK2][iOS] Extend WebProcess sandbox to support audio and video compression/decompression
https://bugs.webkit.org/show_bug.cgi?id=169431
Brent Fulgham
Reported 2017-03-09 12:54:02 PST
The iOS web process needs access to the following Mach names in order to compress, decompress, and render audio and video for WebRTC:

These are needed to decode video content delivered over WebRTC:
com.apple.coremedia.videoqueue
com.apple.audio.audiohald
com.apple.coremedia.decompressionsession

This is needed to encode video to ship over WebRTC:
com.apple.coremedia.compressionsession
Attachments
Patch (2.45 KB, patch)
2017-03-09 12:57 PST, Brent Fulgham
no flags
Brent Fulgham
Comment 1 2017-03-09 12:54:35 PST
Brent Fulgham
Comment 2 2017-03-09 12:57:22 PST
youenn fablet
Comment 3 2017-03-09 13:09:03 PST
Comment on attachment 303960
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=303960&action=review

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:116
> + (allow mach-lookup (global-name "com.apple.coremedia.compressionsession")))

We need compressionsession when exporting canvas through peer connection, not only for gum.
I would add it next to decompressionsession.

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:141
> + (global-name "com.apple.audio.audiohald")

I wonder whether we can put this one under com.apple.webkit.microphone?
Brent Fulgham
Comment 4 2017-03-09 13:13:26 PST
Comment on attachment 303960
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=303960&action=review

>> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:116
>> + (allow mach-lookup (global-name "com.apple.coremedia.compressionsession")))
>
> We need compressionsession when exporting canvas through peer connection, not only for gum.
> I would add it next to decompressionsession.

We need this for microphone OR camera, but not otherwise. So I think this is correct (it's safe to tell the Sandbox to allow a particular mach name more than once).

>> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:141
>> + (global-name "com.apple.audio.audiohald")
>
> I wonder whether we can put this one under com.apple.webkit.microphone?

Eric said it was needed for incoming video streams (which I assume include audio?), so I put it here.
WebKit Commit Bot
Comment 5 2017-03-09 13:42:07 PST
Comment on attachment 303960
Patch

Clearing flags on attachment: 303960

Committed r213665: <http://trac.webkit.org/changeset/213665>
WebKit Commit Bot
Comment 6 2017-03-09 13:42:11 PST
All reviewed patches have been landed. Closing bug.
youenn fablet
Comment 7 2017-03-10 08:02:21 PST
(In reply to comment #4)
> Comment on attachment 303960
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=303960&action=review
>
> >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:116
> >> + (allow mach-lookup (global-name "com.apple.coremedia.compressionsession")))
> >
> > We need compressionsession when exporting canvas through peer connection, not only for gum.
> > I would add it next to decompressionsession.
>
> We need this for microphone OR camera, but not otherwise. So I think this is
> correct (it's safe to tell the Sandbox to allow a particular mach name more
> than once).

We also need it when no microphone and no camera: canvas is exported to a mediastream track which is then sent to peer connection.
Can you update the patch?

> >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:141
> >> + (global-name "com.apple.audio.audiohald")
> >
> > I wonder whether we can put this one under com.apple.webkit.microphone?
>
> Eric said it was needed for incoming video streams (which I assume include
> audio?), so I put it here.
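
The placement question in comments 3, 4 and 7 comes down to which Mach names a profile allows unconditionally and which only under an extension filter. The following added example (not code from the WebKit project or from this bug's patch) parses a profile and reports, for each `mach-lookup` global-name, the filters it is allowed under; the sample profile, its `with-filter` layout and the `com.apple.webkit.camera` name are constructed assumptions.

```python
import re

# Constructed sample, NOT WebKit's profile; with-filter layout and camera name are assumed.
SAMPLE_PROFILE = r'''
(allow mach-lookup   ; decode path, always allowed
    (global-name "com.apple.coremedia.videoqueue")
    (global-name "com.apple.audio.audiohald")
    (global-name "com.apple.coremedia.decompressionsession"))
(with-filter (extension "com.apple.webkit.camera")   ; encode path, capture only
    (allow mach-lookup (global-name "com.apple.coremedia.compressionsession")))
(with-filter (extension "com.apple.webkit.microphone")
    (allow mach-lookup (global-name "com.apple.coremedia.compressionsession")))
'''
TOKEN = re.compile(r'\s*(?:;[^\n]*|(\()|(\))|"((?:[^"\\]|\\.)*)"|([^\s()";]+))')

def parse(text):
    """Parse S-expressions into nested lists; string literals become ('str', value)."""
    stack = [[]]
    for lp, rp, s, sym in (m.groups() for m in TOKEN.finditer(text)):
        if lp:
            stack.append([])
        elif rp:
            stack[-2].append(stack.pop())   # IndexError on a stray ')'
        elif s is not None:
            stack[-1].append(('str', s))
        elif sym:
            stack[-1].append(sym)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]

def mach_lookups(tree, gates=()):
    """Yield (service, gates) for each allowed name; gates = enclosing filter labels."""
    for node in (n for n in tree if isinstance(n, list) and n):
        if node[0] == 'with-filter' and len(node) > 2 and isinstance(node[1], list):
            label = next((x[1] for x in node[1] if isinstance(x, tuple)), '?')
            yield from mach_lookups(node[2:], gates + (label,))
        elif node[0] == 'allow' and 'mach-lookup' in node[1:]:
            for f in node[2:]:
                if isinstance(f, list) and f[:1] == ['global-name']:
                    yield from ((v[1], gates) for v in f[1:] if isinstance(v, tuple))
        else:
            yield from mach_lookups(node, gates)

def audit(text):
    """Map each service to the set of gate tuples it is allowed under; () = always."""
    report = {}
    for name, gates in mach_lookups(parse(text)):
        report.setdefault(name, set()).add(gates)
    return report
```

In the constructed sample, `com.apple.coremedia.compressionsession` is reported only under the two capture filters, so a process holding neither extension has no rule allowing it; that is the layout comment 7 asks to change.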
youenn fablet
Comment 8 2017-03-10 08:03:35 PST