[macOS] PluginProcess needs TCC entitlements for media capture
author: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Jul 2018 15:47:43 +0000 (15:47 +0000)
committer: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Jul 2018 15:47:43 +0000 (15:47 +0000)
https://bugs.webkit.org/show_bug.cgi?id=187981
<rdar://problem/42433634>

Reviewed by Chris Dumez.

The changes needed in Bug 185526 are also needed for the plugin process, or else the UIProcess
(e.g., Safari) is not able to pass the user's camera/microphone access permission to the plugin process.

This patch has the following changes:

1. Rename "WebContent-OSX-restricted.entitlements" to "WebContent-or-Plugin-OSX-restricted.entitlements"
2. Rename "process-webcontent-entitlements.sh" to "process-webcontent-or-plugin-entitlements.sh"
3. Add a run-script step to the Plugin.64 and Plugin.32 builds to add the relevant entitlements.
4. Silence some Flash plugin sandbox exceptions triggered after activating the camera.

* Configurations/WebContent-or-Plugin-OSX-restricted.entitlements: Renamed from Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements.
* Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb: Address sandbox violations needed by camera use.
* Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb: Ditto.
* Scripts/process-webcontent-or-plugin-entitlements.sh: Renamed from Source/WebKit/Scripts/process-webcontent-entitlements.sh.
* WebKit.xcodeproj/project.pbxproj: Update for renaming, and perform entitlement steps on Plugin process.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234195 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/Configurations/WebContent-or-Plugin-OSX-restricted.entitlements [moved from Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements with 100% similarity]
Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb
Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb
Source/WebKit/Scripts/process-webcontent-or-plugin-entitlements.sh [moved from Source/WebKit/Scripts/process-webcontent-entitlements.sh with 93% similarity]
Source/WebKit/WebKit.xcodeproj/project.pbxproj
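The build step this commit extends to the plugin process merges a restricted entitlements plist into the process's generated `.xcent` file, but only when the deployment target is macOS 10.14 or later (`TARGET_MAC_OS_X_VERSION_MAJOR >= 101400`). The following is an added example, not WebKit's code, that emulates that gated merge with `plistlib` and then runs the check a reviewer of this change would want: which entitlements the plugin process ends up holding beyond the ones it was expected to need. All plist contents and the `example.placeholder.*` key names are constructed stand-ins, not the contents of WebKit's real entitlements files; the conflict handling (a key present in both files with different values is an error) is this example's assumption, not a statement about PlistBuddy's `Merge` semantics.

```python
"""Emulate the version-gated entitlement merge and audit the result.

Added example, not WebKit's own code. Plist contents below are
constructed placeholders, not WebKit's real entitlements files.
"""
import plistlib

MACOS_10_14 = 101400  # threshold used by process-webcontent-or-plugin-entitlements.sh

# Constructed base .xcent, as a build would generate it before the merge step.
BASE_XCENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
</dict>
</plist>
"""

# Constructed stand-in for the restricted entitlements file. The key names
# are placeholders (assumption), not the real TCC entitlement keys.
RESTRICTED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>example.placeholder.camera-access</key>
  <true/>
  <key>example.placeholder.microphone-access</key>
  <true/>
  <key>example.placeholder.unrelated-privilege</key>
  <true/>
</dict>
</plist>
"""


def merge_entitlements(base_xcent, restricted, target_version_major):
    """Return the merged entitlements dict.

    Below the 10.14 threshold the base file is returned unchanged, mirroring
    the `if (( ... >= 101400 ))` gate in the build script. Otherwise every
    top-level key of the restricted file is added. Assumption: a key present
    in both files with different values is an error, not silently resolved.
    """
    merged = plistlib.loads(base_xcent)
    if target_version_major < MACOS_10_14:
        return merged
    for key, value in plistlib.loads(restricted).items():
        if key in merged and merged[key] != value:
            raise ValueError(f"conflicting value for entitlement {key!r}")
        merged[key] = value
    return merged


def unexpected_entitlements(merged, expected):
    """Reviewer-side check: entitlements the process ends up holding that
    fall outside the set it was expected to need."""
    return set(merged) - set(expected)


def merged_xcent_bytes(merged):
    """Serialize the merged dict back to an XML plist, as the .xcent is stored."""
    return plistlib.dumps(merged, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    expected = {
        "com.apple.security.app-sandbox",
        "example.placeholder.camera-access",
        "example.placeholder.microphone-access",
    }
    result = merge_entitlements(BASE_XCENT, RESTRICTED_ENTITLEMENTS, MACOS_10_14)
    print(merged_xcent_bytes(result).decode())
    print("unexpected:", sorted(unexpected_entitlements(result, expected)))
```

Run stand-alone it prints the merged plist and reports `example.placeholder.unrelated-privilege` as an entitlement the plugin process received only because it shares one restricted file with WebContent; that is exactly the kind of key a reviewer would want listed explicitly before the file is merged into a second process.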

index 4053c11..74a1808 100644 (file)
@@ -1,3 +1,27 @@
+2018-07-25  Brent Fulgham  <bfulgham@apple.com>
+
+        [macOS] PluginProcess needs TCC entitlements for media capture
+        https://bugs.webkit.org/show_bug.cgi?id=187981
+        <rdar://problem/42433634>
+
+        Reviewed by Chris Dumez.
+
+        The changes needed in Bug 185526 are also needed for the plugin process, or else the UIProcess
+        (e.g., Safari) is not able to pass the user's camera/microphone access permission to the plugin process.
+
+        This patch has the following changes:
+
+        1. Rename "WebContent-OSX-restricted.entitlements" to "WebContent-or-Plugin-OSX-restricted.entitlements"
+        2. Rename "process-webcontent-entitlements.sh" to "process-webcontent-or-plugin-entitlements.sh"
+        3. Add a run-script step to the Plugin.64 and Plugin.32 builds to add the relevant entitlements.
+        4. Silence some Flash plugin sandbox exceptions triggered after activating the camera.
+
+        * Configurations/WebContent-or-Plugin-OSX-restricted.entitlements: Renamed from Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements.
+        * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb: Address sandbox violations needed by camera use.
+        * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb: Ditto.
+        * Scripts/process-webcontent-or-plugin-entitlements.sh: Renamed from Source/WebKit/Scripts/process-webcontent-entitlements.sh.
+        * WebKit.xcodeproj/project.pbxproj: Update for renaming, and perform entitlement steps on Plugin process.
+
 2018-07-24  Tim Horton  <timothy_horton@apple.com>
 
         Enable Web Content Filtering on watchOS
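Review bot: item 4 of the entry, "Silence some Flash plugin sandbox exceptions triggered after activating the camera", does not say which sandbox operation was opened up; the two `.sb` hunks below add an `(allow iokit-get-properties ...)` rule listing specific IOKit property names. Naming that operation and the properties here would let a later reader of the ChangeLog see that the plugin sandbox now exposes hardware properties, rather than having to diff the profiles to find out.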
index e0ca65d..b1faf49 100644 (file)
 
 (allow network-bind (local ip))
 
+;;;
+;;; Needed for Camera access
+;;;
+(allow iokit-get-properties
+    (iokit-property-regex #"^(Activation|Animation)Thresholds")
+    (iokit-property-regex #"^((Accurate|Extended)Max|Min)DigitizerPressureValue")
+    (iokit-property "IOPCITunnelCompatible")
+    (iokit-property "PowerControlSupported")
+    (iokit-property "Removable")
+    (iokit-property "ResetOnLockMs")
+    (iokit-property "ResetOnUnlockMs")
+    (iokit-property "ShouldResetOnButton")
+    (iokit-property-regex #"^Support(sSilentClick|TapToWake)")
+    (iokit-property "WirelessChargingNotificationSupported")
+)
index 36a335c..c0c2a23 100644 (file)
 
 (allow network-bind (local ip))
 
+;;;
+;;; Needed for Camera access
+;;;
+(allow iokit-get-properties
+    (iokit-property-regex #"^(Activation|Animation)Thresholds")
+    (iokit-property-regex #"^((Accurate|Extended)Max|Min)DigitizerPressureValue")
+    (iokit-property "IOPCITunnelCompatible")
+    (iokit-property "PowerControlSupported")
+    (iokit-property "Removable")
+    (iokit-property "ResetOnLockMs")
+    (iokit-property "ResetOnUnlockMs")
+    (iokit-property "ShouldResetOnButton")
+    (iokit-property-regex #"^Support(sSilentClick|TapToWake)")
+    (iokit-property "WirelessChargingNotificationSupported")
+)
@@ -10,7 +10,7 @@ if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then
 
         if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101400 )); then
             echo "Adding macOS platform entitlements.";
-            /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-OSX-restricted.entitlements" "${PROCESSED_XCENT_FILE}";
+            /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-or-Plugin-OSX-restricted.entitlements" "${PROCESSED_XCENT_FILE}";
         fi
 
         if [[ ${WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT} == "YES" ]]; then
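Review bot: the only change in this hunk is the path passed to `PlistBuddy -c "Merge ..."`, so the plugin process now receives every entitlement in the shared restricted file, not only the camera/microphone ones the bug needs; please confirm each key in that file is intended for the plugin process, or split the file so the plugin gets a narrower set. The unchanged `WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT` branch that follows is still named for WebContent even though the script now also runs for the plugin targets; a comment stating whether that branch is meant to apply to the plugin process would avoid the question on the next read.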
index acd05ff..6a6f113 100644 (file)
                37A64E5618F38F4600EB30F1 /* _WKFormInputSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = _WKFormInputSession.h; sourceTree = "<group>"; };
                37A709A61E3EA0FD00CA5969 /* WKDataDetectorTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKDataDetectorTypes.h; sourceTree = "<group>"; };
                37A709A81E3EA40C00CA5969 /* WKDataDetectorTypesInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKDataDetectorTypesInternal.h; sourceTree = "<group>"; };
-               37B418EB1C9624F20031E63B /* WebContent-OSX-restricted.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "WebContent-OSX-restricted.entitlements"; sourceTree = "<group>"; };
+               37B418EB1C9624F20031E63B /* WebContent-or-Plugin-OSX-restricted.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "WebContent-or-Plugin-OSX-restricted.entitlements"; sourceTree = "<group>"; };
                37B47E2C1D64DB76005F4EFF /* objcSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = objcSPI.h; sourceTree = "<group>"; };
                37B5045119EEF31300CE2CF8 /* WKErrorPrivate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKErrorPrivate.h; sourceTree = "<group>"; };
                37BEC4DE19491486008B4286 /* CompletionHandlerCallChecker.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = CompletionHandlerCallChecker.mm; sourceTree = "<group>"; };
                7A9CD8C21C779AD600D9F6C7 /* WebResourceLoadStatisticsStore.messages.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = WebResourceLoadStatisticsStore.messages.in; sourceTree = "<group>"; };
                7AB6EA441EEAAE2300037B2B /* APIIconDatabaseClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIIconDatabaseClient.h; sourceTree = "<group>"; };
                7AB6EA461EEAB6B000037B2B /* APIGeolocationProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIGeolocationProvider.h; sourceTree = "<group>"; };
-               7ACFAAD820B88D4F00C53203 /* process-webcontent-entitlements.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "process-webcontent-entitlements.sh"; sourceTree = "<group>"; };
+               7ACFAAD820B88D4F00C53203 /* process-webcontent-or-plugin-entitlements.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "process-webcontent-or-plugin-entitlements.sh"; sourceTree = "<group>"; };
                7AF2361E1E79A3B400438A05 /* WebErrors.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebErrors.cpp; sourceTree = "<group>"; };
                7AF2361F1E79A3D800438A05 /* WebErrors.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebErrors.h; sourceTree = "<group>"; };
                7AF236221E79A43100438A05 /* WebErrorsCocoa.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebErrorsCocoa.mm; sourceTree = "<group>"; };
                                1A4F976E100E7B6600637A18 /* Version.xcconfig */,
                                37119A7E20CCB64E002C6DC9 /* WebContent-iOS-minimalsimulator.entitlements */,
                                7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */,
-                               37B418EB1C9624F20031E63B /* WebContent-OSX-restricted.entitlements */,
+                               37B418EB1C9624F20031E63B /* WebContent-or-Plugin-OSX-restricted.entitlements */,
                                7AF66E1120C07CB6007828EA /* WebContent-OSX.entitlements */,
                                372EBB4A2017E76000085064 /* WebContentService.Development.xcconfig */,
                                BCACC40E16B0B8A800B6E092 /* WebContentService.xcconfig */,
                                0FC0856F187CE0A900780D86 /* messages.py */,
                                0FC08570187CE0A900780D86 /* model.py */,
                                0FC08571187CE0A900780D86 /* parser.py */,
-                               7ACFAAD820B88D4F00C53203 /* process-webcontent-entitlements.sh */,
+                               7ACFAAD820B88D4F00C53203 /* process-webcontent-or-plugin-entitlements.sh */,
                        );
                        path = Scripts;
                        sourceTree = "<group>";
                                BC8283F516B4FDDE00A278FE /* Sources */,
                                BC8283F616B4FDDE00A278FE /* Frameworks */,
                                BC8283F716B4FDDE00A278FE /* Resources */,
+                               7A79E2DE2107F32B00EF32A4 /* Process Plugin entitlements */,
                        );
                        buildRules = (
                        );
                                BC82841B16B4FDF600A278FE /* Sources */,
                                BC82841C16B4FDF600A278FE /* Frameworks */,
                                BC82841D16B4FDF600A278FE /* Resources */,
+                               7A79E2DD2107F2DD00EF32A4 /* Process Plugin entitlements */,
                        );
                        buildRules = (
                        );
                        shellPath = /bin/sh;
                        shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";
                };
+               7A79E2DD2107F2DD00EF32A4 /* Process Plugin entitlements */ = {
+                       isa = PBXShellScriptBuildPhase;
+                       buildActionMask = 2147483647;
+                       files = (
+                       );
+                       inputFileListPaths = (
+                       );
+                       inputPaths = (
+                               "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
+                       );
+                       name = "Process Plugin entitlements";
+                       outputFileListPaths = (
+                       );
+                       outputPaths = (
+                       );
+                       runOnlyForDeploymentPostprocessing = 0;
+                       shellPath = /bin/sh;
+                       shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
+               };
+               7A79E2DE2107F32B00EF32A4 /* Process Plugin entitlements */ = {
+                       isa = PBXShellScriptBuildPhase;
+                       buildActionMask = 2147483647;
+                       files = (
+                       );
+                       inputFileListPaths = (
+                       );
+                       inputPaths = (
+                               "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
+                       );
+                       name = "Process Plugin entitlements";
+                       outputFileListPaths = (
+                       );
+                       outputPaths = (
+                       );
+                       runOnlyForDeploymentPostprocessing = 0;
+                       shellPath = /bin/sh;
+                       shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
+               };
                7AFCBD5420B8911D00F55C9C /* Process WebContent entitlements */ = {
                        isa = PBXShellScriptBuildPhase;
                        buildActionMask = 2147483647;
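Review bot: both new `Process Plugin entitlements` phases declare `$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent` under `inputPaths` but leave `outputPaths` empty, even though the script rewrites that same file in place. Listing the `.xcent` as an output as well tells Xcode's dependency analysis that this phase produces the file consumed by code signing; as written, the phase has inputs with no outputs, which is the combination Xcode's build system treats as always out of date. The two phases (`7A79E2DD...` and `7A79E2DE...`) are otherwise identical apart from their identifiers, which is expected for one phase per target, but worth a note in the ChangeLog entry that each plugin target got its own copy.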
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
-                       shellScript = "Scripts/process-webcontent-entitlements.sh\n";
+                       shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
                };
                7AFCBD5520B8917D00F55C9C /* Process WebContent entitlements */ = {
                        isa = PBXShellScriptBuildPhase;
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
-                       shellScript = "Scripts/process-webcontent-entitlements.sh\n";
+                       shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
                };
                99CA3862207286DB00BAD578 /* Copy WebDriver Atoms to Framework Private Headers */ = {
                        isa = PBXShellScriptBuildPhase;