RESOLVED FIXED 228812
Ease sandboxing restrictions for Mail to allow HEIF image decoding 
https://bugs.webkit.org/show_bug.cgi?id=228812
Summary Ease sandboxing restrictions for Mail to allow HEIF image decoding
Said Abou-Hallawa
Reported 2021-08-05 00:18:15 PDT
Hardware decoding calls methods from sandboxed frameworks so it fails.
Attachments
Patch (13.25 KB, patch)
2021-08-05 00:22 PDT, Said Abou-Hallawa 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (13.27 KB, patch)
2021-08-05 00:48 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (15.02 KB, patch)
2021-08-05 11:00 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (28.56 KB, patch)
2021-08-06 23:17 PDT, Said Abou-Hallawa 		pvollan: review+
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (28.68 KB, patch)
2021-08-09 10:42 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Said Abou-Hallawa
Comment 1 2021-08-05 00:22:45 PDT
Created attachment 434967 [details] Patch
Said Abou-Hallawa
Comment 2 2021-08-05 00:23:51 PDT
<rdar://80967782>
Said Abou-Hallawa
Comment 3 2021-08-05 00:48:45 PDT
Created attachment 434968 [details] Patch
Sam Weinig
Comment 4 2021-08-05 07:49:00 PDT
Is this really disabling all hardware decoding for WebKit? Or only in the WebContent process and the GPU process will still be allowed? If it is more constrained, please update the title and add a little explanation of the reasoning in the ChangeLog.
Said Abou-Hallawa
Comment 5 2021-08-05 11:00:33 PDT
Created attachment 435009 [details] Patch
Said Abou-Hallawa
Comment 6 2021-08-05 13:21:38 PDT
The test fast/images/heic-as-background-image.html is failing on mac-AS-debug-wk2 because it is the only bot which has macOS Big Sur. Big Sur has more tight rules for HW and in-process rules for image and video decoding. I think this test should be removed from WebKit.
Said Abou-Hallawa
Comment 7 2021-08-06 23:17:51 PDT
Created attachment 435118 [details] Patch
Sam Weinig
Comment 8 2021-08-07 11:26:36 PDT
Comment on attachment 435118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435118&action=review > Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:469 > + if (MacApplication::isAppleMail()) The more resilient way to do this is to create a new entitlement for this capability, check for the entitlement on the host process, and then have Mail add that entitlement.
Said Abou-Hallawa
Comment 9 2021-08-08 16:38:28 PDT
Comment on attachment 435118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435118&action=review >> Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:469 >> + if (MacApplication::isAppleMail()) > > The more resilient way to do this is to create a new entitlement for this capability, check for the entitlement on the host process, and then have Mail add that entitlement. This seems a good idea. But can we reverse the order such that Mail will not be broken: land this patch, ask Mail to add that entitlement then replace this condition by checking for this entitlement?
Sam Weinig
Comment 10 2021-08-09 08:41:53 PDT
(In reply to Said Abou-Hallawa from comment #9) > Comment on attachment 435118 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=435118&action=review > > >> Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:469 > >> + if (MacApplication::isAppleMail()) > > > > The more resilient way to do this is to create a new entitlement for this capability, check for the entitlement on the host process, and then have Mail add that entitlement. > > This seems a good idea. > > But can we reverse the order such that Mail will not be broken: land this > patch, ask Mail to add that entitlement then replace this condition by > checking for this entitlement? Yes. That is totally fine. After discussing with Tim, he made the good point that you could just a preference instead of using an entitlement in this case.
Per Arne Vollan
Comment 11 2021-08-09 10:35:51 PDT
Comment on attachment 435118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435118&action=review R=me. > Source/WebCore/PAL/ChangeLog:9 > + Delete unneeded SPIs and their sof-linking. soft-linking > Source/WebKit/Shared/WebProcessCreationParameters.h:214 > + SandboxExtension::HandleArray videoDecoderExtensionHandles; This can also be just a handle, not an array of handles.
Said Abou-Hallawa
Comment 12 2021-08-09 10:38:21 PDT
Comment on attachment 435118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435118&action=review >> Source/WebKit/Shared/WebProcessCreationParameters.h:214 >> + SandboxExtension::HandleArray videoDecoderExtensionHandles; > > This can also be just a handle, not an array of handles. This is true for IOS but not for macOS since we have add extensions for "com.apple.coremedia.videodecoder" and "com.apple.trustd.agent" for macOS.
Said Abou-Hallawa
Comment 13 2021-08-09 10:42:27 PDT
Created attachment 435194 [details] Patch
EWS
Comment 14 2021-08-09 12:06:48 PDT
Committed r280789 (240368@main): <https://commits.webkit.org/240368@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 435194 [details].
Per Arne Vollan
Comment 15 2021-08-09 12:10:05 PDT
Comment on attachment 435118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435118&action=review >>> Source/WebKit/Shared/WebProcessCreationParameters.h:214 >>> + SandboxExtension::HandleArray videoDecoderExtensionHandles; >> >> This can also be just a handle, not an array of handles. > > This is true for IOS but not for macOS since we have add extensions for "com.apple.coremedia.videodecoder" and "com.apple.trustd.agent" for macOS. Is access to "com.apple.trustd.agent" required when you allow access to "com.apple.coremedia.videodecoder"? I think it would be good to confirm that.
Said Abou-Hallawa
Comment 16 2021-08-09 12:14:15 PDT
Comment on attachment 435118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=435118&action=review >>>> Source/WebKit/Shared/WebProcessCreationParameters.h:214 >>>> + SandboxExtension::HandleArray videoDecoderExtensionHandles; >>> >>> This can also be just a handle, not an array of handles. >> >> This is true for IOS but not for macOS since we have add extensions for "com.apple.coremedia.videodecoder" and "com.apple.trustd.agent" for macOS. > > Is access to "com.apple.trustd.agent" required when you allow access to "com.apple.coremedia.videodecoder"? I think it would be good to confirm that. Yes. I found this through "sbutil log stream" when the HEIF was not displayed correctly even after allowing access to "com.apple.coremedia.videodecoder".
Note You need to log in before you can comment on or make changes to this bug.