RESOLVED FIXED 231248
Add an entitlement check to only allow AdAttributionDaemon to be connected to by the network process
https://bugs.webkit.org/show_bug.cgi?id=231248
Summary Add an entitlement check to only allow AdAttributionDaemon to be connected to...
Alex Christensen
Reported 2021-10-05 13:31:28 PDT
Add an entitlement check to only allow AdAttributionDaemon to be connected to by the network process
Attachments
Patch (6.59 KB, patch)
2021-10-05 13:35 PDT, Alex Christensen
no flags
Patch (7.33 KB, patch)
2021-10-05 15:50 PDT, Alex Christensen
no flags
Alex Christensen
Comment 1 2021-10-05 13:35:16 PDT
Alexey Proskuryakov
Comment 2 2021-10-05 13:42:25 PDT
Comment on attachment 440257 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440257&action=review > Source/WebKit/Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm:84 > + NSLog(@"connection attempted connection without required entitlement"); Does this look right in the log starting with lower case? > Tools/TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm:513 > + xpc_connection_set_event_handler(connection.get(), ^(xpc_object_t event) { > + if (event == XPC_ERROR_CONNECTION_INTERRUPTED) { > + done = true; > + }); Not sure if this tests enough. Isn't the purpose to verify that the connection is never established? This just verifies that it's dropped, perhaps only eventually. Also, failing as timeout isn't always understood to be a legitimate failure in practice.
Alex Christensen
Comment 3 2021-10-05 15:19:52 PDT
Comment on attachment 440257 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440257&action=review >> Source/WebKit/Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm:84 >> + NSLog(@"connection attempted connection without required entitlement"); > > Does this look right in the log starting with lower case? I'll capitalize. > Tools/TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm:483 > + system([NSString stringWithFormat:@"launchctl unload %@ 2> /dev/null", plistLocation.path].fileSystemRepresentation); I committed this separately in http://trac.webkit.org/r283574 >> Tools/TestWebKitAPI/Tests/WebKitCocoa/EventAttribution.mm:513 >> + }); > > Not sure if this tests enough. Isn't the purpose to verify that the connection is never established? This just verifies that it's dropped, perhaps only eventually. > > Also, failing as timeout isn't always understood to be a legitimate failure in practice. This is what it looks like at this API level when a connection is never established. I'll change this to make sure event is always equal to XPC_ERROR_CONNECTION_INTERRUPTED to make sure that nothing else happens. I agree that it's not great to have the failure mode be a timeout, but I think that's how this test needs to be.
Alex Christensen
Comment 4 2021-10-05 15:50:29 PDT
EWS
Comment 5 2021-10-05 16:47:55 PDT
Committed r283586 (242544@main): <https://commits.webkit.org/242544@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 440285 [details].
Radar WebKit Bug Importer
Comment 6 2021-10-05 16:48:18 PDT
Note You need to log in before you can comment on or make changes to this bug.