Enable library validation on the Web Content service
author mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Jan 2018 23:30:23 +0000 (23:30 +0000)
committer mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Jan 2018 23:30:23 +0000 (23:30 +0000)
commit 8636507b57a1bb8da332ea67c7e6624de18688fe
tree 2cff62cdfb267c4b0612926c2236592b22fa285f
parent 0a29cf46b9fc0829283b705e3ccc3b358328e28a
Enable library validation on the Web Content service
Part 1 of https://bugs.webkit.org/show_bug.cgi?id=172365
<rdar://problem/26470661>

Reviewed by David Kilzer.

This makes the Web Content process signed with the Library Validation flag in production
builds. Because doing so would prevent engineering builds of Apple apps that use an
injected bundle from working, this also adds a Development version of the service, which
does not enforce Library Validation. The UI process chooses to use the Development service
iff it would need to load an injected bundle that is not part of the OS.

* Configurations/DebugRelease.xcconfig: Disable Library Validation in engineering builds.

* Configurations/WebContentService.Development.xcconfig: Added. Like the normal service, but
  only installed when WebKit is installed in the OS, and uses a Development variant.

* Configurations/WebContentService.xcconfig: For the Development variant, append
  ".Development" to the product name, which is also the service identifier. Enable Library
  Validation for the Normal variant of the service when WK_LIBRARY_VALIDATION_ENABLED allows
  it.

* UIProcess/Launcher/ProcessLauncher.h: Add nonValidInjectedCodeAllowed member to
  LaunchOptions, false by default.

* UIProcess/Launcher/mac/ProcessLauncherMac.mm:
(WebKit::serviceName): Use the Development variant if nonValidInjectedCodeAllowed is true.

* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::getLaunchOptions): Initialize nonValidInjectedCodeAllowed using
   the new shouldAllowNonValidInjectedCode().
(WebKit::WebProcessProxy::shouldAllowNonValidInjectedCode const): Generic implementation
  that returns false.
* UIProcess/WebProcessProxy.h: Declared shouldAllowNonValidInjectedCode.
* UIProcess/mac/WebProcessProxyMac.mm:
(WebKit::WebProcessProxy::shouldAllowNonValidInjectedCode const): Return true if this is
  system WebKit with a non-system injected bundle.

* WebKit.xcodeproj/project.pbxproj: Added new service target.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227582 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebKit/ChangeLog
Source/WebKit/Configurations/DebugRelease.xcconfig
Source/WebKit/Configurations/WebContentService.Development.xcconfig [new file with mode: 0644]
Source/WebKit/Configurations/WebContentService.xcconfig
Source/WebKit/UIProcess/Launcher/ProcessLauncher.h
Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm
Source/WebKit/UIProcess/WebProcessProxy.cpp
Source/WebKit/UIProcess/WebProcessProxy.h
Source/WebKit/UIProcess/mac/WebProcessProxyMac.mm
Source/WebKit/WebKit.xcodeproj/project.pbxproj
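
The commit message above says the normal service is signed with the Library Validation flag in production builds while the ".Development" variant is not. The following is an added example, not code from WebKit or from this commit: a check that reads the text printed by `codesign -d --verbose` and reports whether each service's signature matches that expectation. The service identifiers and the sample output are constructed placeholders, and the expectation applies to production builds only.

```python
import re

CS_REQUIRE_LV = 0x2000  # Library Validation bit in the code-signing flags word


def _sample(identifier, flags):
    # Constructed text shaped like `codesign -d --verbose` output (placeholder names).
    return (
        f"Executable=/constructed/{identifier}.xpc/Contents/MacOS/{identifier}\n"
        f"Identifier={identifier}\n"
        "Format=bundle with Mach-O thin (x86_64)\n"
        f"CodeDirectory v=20200 size=1024 flags={flags} hashes=24+5 location=embedded\n"
    )


SAMPLE_NORMAL = _sample("example.WebContent", "0x2000(library-validation)")
SAMPLE_DEVELOPMENT = _sample("example.WebContent.Development", "0x0(none)")
SAMPLE_MISSIGNED = _sample("example.WebContent", "0x0(none)")  # production service without the flag


def parse_signature(text):
    """Return (identifier, flags word) from codesign display output."""
    ident = re.search(r"^Identifier=(\S+)$", text, re.M)
    flags = re.search(r"^CodeDirectory\b.*\bflags=0x([0-9a-fA-F]+)", text, re.M)
    if not ident or not flags:
        raise ValueError("no Identifier/CodeDirectory line: unsigned or not codesign output")
    return ident.group(1), int(flags.group(1), 16)


def audit(text):
    """Compare one service's signature with what the commit message describes."""
    identifier, flags = parse_signature(text)
    enforced = bool(flags & CS_REQUIRE_LV)
    development = identifier.endswith(".Development")
    return {
        "identifier": identifier,
        "library_validation": enforced,
        "development": development,
        # Production expectation: normal variant enforces, Development variant does not.
        "as_expected": enforced != development,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_NORMAL, SAMPLE_DEVELOPMENT, SAMPLE_MISSIGNED):
        print(audit(sample))
```

On a real system the input would be the captured output of `codesign -d --verbose` for each installed service bundle; engineering builds will report the normal variant without the flag, because the commit disables Library Validation there.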