We should cache the compiled sandbox profile in a data vault
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 4 Aug 2018 01:09:37 +0000 (01:09 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 4 Aug 2018 01:09:37 +0000 (01:09 +0000)
commitad563fdcf62e463ec61eab76d06564c73ea6e96b
tree1c2ec6607033246d424a59d336ce229345c56af0
parent3977db2b576fa678cfe483b5ed0ba0daabb3ce38
We should cache the compiled sandbox profile in a data vault
https://bugs.webkit.org/show_bug.cgi?id=184991

Patch by Ben Richards <benton_richards@apple.com> on 2018-08-03
Reviewed by Ryosuke Niwa.

Source/WebCore:

Added functionality to FileHandle so that it can lock a file while open.
Added a function to FileSystem to delete non empty directories.

* platform/FileHandle.cpp:
(WebCore::FileHandle::FileHandle):
(WebCore::FileHandle::open):
(WebCore::FileHandle::close):
* platform/FileHandle.h:
* platform/FileSystem.h:
* platform/cocoa/FileSystemCocoa.mm:
(WebCore::FileSystem::deleteNonEmptyDirectory):

Source/WebKit:

This patch changes a few things (note: data vaults and sandbox entitlements are only used in internal builds):
(1) Instead of compiling a sandbox every time a process is launched, processes now look for a cached sandbox
    in a process specific data vault on macOS platforms. (ChildProcessMac.mm)
(2) If a valid cached sandbox is not found, a process will create the data vault (or ensure that it exists),
    compile a sandbox, and cache it.
(3) In order to create process specific data vaults, each process now has their own <process name>-OSX-sandbox.entitlements
    file which contains an entitlement with a process specific "storage class" which ensures that each process
    can only ever access its own data vault. (See the article on confluence "Data Vaults and Restricted Files" for more info)
(4) The sandbox entitlements file for the Network, WebContent and Plugin services are loaded dynamically
    through Scripts/<process name>-process-entitlements.sh which is triggered in a new build phase for each service.
    The Storage process sandbox entitlements are loaded directly in Configurations/StorageService.xcconfig.
    The reason that the sandbox entitlements are applied dynamically is so that these sandbox entitlements
    are only applied when WK_USE_RESTRICTED_ENTITLEMENTS is YES. This means that open source builds will still work.

* Configurations/Network-OSX-sandbox.entitlements: Added.
* Configurations/Plugin-OSX-sandbox.entitlements: Added.
* Configurations/Storage-OSX-sandbox.entitlements: Added.
* Configurations/StorageService.xcconfig:
* Configurations/WebContent-OSX-sandbox.entitlements: Added.
* Configurations/WebKit.xcconfig:
* NetworkProcess/NetworkProcess.h:
* PluginProcess/PluginProcess.h:
* Scripts/process-network-entitlements.sh: Added.
* Scripts/process-plugin-entitlements.sh: Added.
* Scripts/process-webcontent-entitlements.sh:
* Shared/ChildProcess.h:
* Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h:
(WebKit::XPCServiceInitializer):
* Shared/SandboxInitializationParameters.h:
(WebKit::SandboxInitializationParameters::setOverrideSandboxProfilePath):
(WebKit::SandboxInitializationParameters::overrideSandboxProfilePath const):
(WebKit::SandboxInitializationParameters::setSandboxProfile):
(WebKit::SandboxInitializationParameters::sandboxProfile const):
(): Deleted.
* Shared/mac/ChildProcessMac.mm:
(WebKit::SandboxProfileDeleter::operator()):
(WebKit::SandboxParametersDeleter::operator()):
(WebKit::SandboxInfo::SandboxInfo):
(WebKit::fileContents):
(WebKit::processStorageClass):
(WebKit::setAndSerializeSandboxParameters):
(WebKit::getUserCacheDirectory):
(WebKit::sandboxDataVaultParentDirectory):
(WebKit::sandboxDirectory):
(WebKit::sandboxFilePath):
(WebKit::ensureSandboxCacheDirectory):
(WebKit::writeSandboxDataToCacheFile):
(WebKit::compileAndCacheSandboxProfile):
(WebKit::tryApplyCachedSandbox):
(WebKit::webKit2Bundle):
(WebKit::sandboxProfilePath):
(WebKit::compileAndApplySandboxSlowCase):
(WebKit::applySandbox):
(WebKit::initializeSandboxParameters):
(WebKit::ChildProcess::initializeSandbox):
* Shared/mac/SandboxInitialiationParametersMac.mm:
(WebKit::SandboxInitializationParameters::SandboxInitializationParameters):
* StorageProcess/StorageProcess.h:
* WebKit.xcodeproj/project.pbxproj:
* WebProcess/WebProcess.h:

Source/WTF:

Added trace points for sandbox initialization and exposed functions needed for sandbox caching

* wtf/SystemTracing.h:
* wtf/spi/darwin/SandboxSPI.h:

Tools:

Added trace points for sandbox initialization

* Tracing/SystemTracePoints.plist:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234569 268f45cc-cd09-0410-ab3c-d52691b4dbfc
28 files changed:
Source/WTF/ChangeLog
Source/WTF/wtf/SystemTracing.h
Source/WTF/wtf/spi/darwin/SandboxSPI.h
Source/WebCore/ChangeLog
Source/WebCore/platform/FileHandle.cpp
Source/WebCore/platform/FileHandle.h
Source/WebCore/platform/FileSystem.h
Source/WebCore/platform/cocoa/FileSystemCocoa.mm
Source/WebKit/ChangeLog
Source/WebKit/Configurations/Network-OSX-sandbox.entitlements [new file with mode: 0644]
Source/WebKit/Configurations/Storage-OSX-sandbox.entitlements [new file with mode: 0644]
Source/WebKit/Configurations/StorageService.xcconfig
Source/WebKit/Configurations/WebContent-OSX-sandbox.entitlements [new file with mode: 0644]
Source/WebKit/Configurations/WebKit.xcconfig
Source/WebKit/NetworkProcess/NetworkProcess.h
Source/WebKit/PluginProcess/PluginProcess.h
Source/WebKit/Scripts/process-network-sandbox-entitlements.sh [new file with mode: 0755]
Source/WebKit/Scripts/process-webcontent-sandbox-entitlements.sh [new file with mode: 0755]
Source/WebKit/Shared/ChildProcess.h
Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h
Source/WebKit/Shared/SandboxInitializationParameters.h
Source/WebKit/Shared/mac/ChildProcessMac.mm
Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm
Source/WebKit/StorageProcess/StorageProcess.h
Source/WebKit/WebKit.xcodeproj/project.pbxproj
Source/WebKit/WebProcess/WebProcess.h
Tools/ChangeLog
Tools/Tracing/SystemTracePoints.plist