Mac production builds should sign the network process xpc service with entitlements
authorachristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 3 Nov 2018 00:33:53 +0000 (00:33 +0000)
committerachristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 3 Nov 2018 00:33:53 +0000 (00:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=191209
<rdar://problem/45377609>

Reviewed by Geoff Garen.

Source/WebKit:

* Configurations/NetworkService.xcconfig:
Set CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO like we do for the web process,
except with the corresponoding network process entitlements file.
* UIProcess/API/Cocoa/WKProcessPool.mm:
(-[WKProcessPool _networkProcessHasEntitlementForTesting:]):
* UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::networkProcessHasEntitlementForTesting):
* UIProcess/WebProcessPool.h:
Add infrastructure to test that the network process actually has an entitlement.

Tools:

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm: Added.
(TEST):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237761 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/Configurations/NetworkService.xcconfig
Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm
Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h
Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
Source/WebKit/UIProcess/WebProcessPool.h
Tools/ChangeLog
Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm [new file with mode: 0644]

index 8b88597..1ebb339 100644 (file)
@@ -1,3 +1,22 @@
+2018-11-02  Alex Christensen  <achristensen@webkit.org>
+
+        Mac production builds should sign the network process xpc service with entitlements
+        https://bugs.webkit.org/show_bug.cgi?id=191209
+        <rdar://problem/45377609>
+
+        Reviewed by Geoff Garen.
+
+        * Configurations/NetworkService.xcconfig:
+        Set CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO like we do for the web process,
+        except with the corresponoding network process entitlements file.
+        * UIProcess/API/Cocoa/WKProcessPool.mm:
+        (-[WKProcessPool _networkProcessHasEntitlementForTesting:]):
+        * UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::networkProcessHasEntitlementForTesting):
+        * UIProcess/WebProcessPool.h:
+        Add infrastructure to test that the network process actually has an entitlement.
+
 2018-11-02  Daniel Bates  <dabates@apple.com>
 
         [iOS] WebKit should dispatch DOM events when a modifier key is pressed
index 674bbd4..b7ef733 100644 (file)
@@ -32,6 +32,7 @@ WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvos = Network-iOS;
 WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvsimulator = Network-iOS;
 WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iosmac = Network-iOS-minimalsimulator;
 
+CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO = Configurations/Network-OSX-sandbox.entitlements;
 OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS);
 
 PRODUCT_NAME = com.apple.WebKit.Networking;
index 11bebda..79ba442 100644 (file)
@@ -584,6 +584,11 @@ static NSDictionary *policiesHashMapToDictionary(const HashMap<String, HashMap<S
     return [array autorelease];
 }
 
+- (BOOL)_networkProcessHasEntitlementForTesting:(NSString *)entitlement
+{
+    return _processPool->networkProcessHasEntitlementForTesting(entitlement);
+}
+
 @end
 
 #endif // WK_API_ENABLED
index 072da59..a6744d9 100644 (file)
 - (void)_registerURLSchemeServiceWorkersCanHandle:(NSString *)scheme WK_API_AVAILABLE(macosx(10.13.4), ios(11.3));
 - (void)_setMaximumNumberOfProcesses:(NSUInteger)value WK_API_AVAILABLE(macosx(10.13.4), ios(11.3));
 - (NSArray<NSString *> *)_getActivePagesOriginsInWebProcessForTesting:(pid_t)pid WK_API_AVAILABLE(macosx(WK_MAC_TBA), ios(WK_IOS_TBA));
+- (BOOL)_networkProcessHasEntitlementForTesting:(NSString *)entitlement WK_API_AVAILABLE(macosx(WK_MAC_TBA), ios(WK_IOS_TBA));
 
 @property (nonatomic, getter=_isCookieStoragePartitioningEnabled, setter=_setCookieStoragePartitioningEnabled:) BOOL _cookieStoragePartitioningEnabled WK_API_DEPRECATED("Partitioned cookies are no longer supported", macosx(10.12.3, WK_MAC_TBA), ios(10.3, WK_IOS_TBA));
 @property (nonatomic, getter=_isStorageAccessAPIEnabled, setter=_setStorageAccessAPIEnabled:) BOOL _storageAccessAPIEnabled WK_API_AVAILABLE(macosx(10.13.4), ios(11.3));
index f6c9840..92580fc 100644 (file)
@@ -53,6 +53,7 @@
 #import <pal/spi/cocoa/NSKeyedArchiverSPI.h>
 #import <sys/param.h>
 #import <wtf/ProcessPrivilege.h>
+#import <wtf/cocoa/Entitlements.h>
 #import <wtf/spi/darwin/dyldSPI.h>
 
 #if PLATFORM(MAC)
@@ -385,6 +386,11 @@ bool WebProcessPool::processSuppressionEnabled() const
     return !m_userObservablePageCounter.value() && !m_processSuppressionDisabledForPageCounter.value();
 }
 
+bool WebProcessPool::networkProcessHasEntitlementForTesting(const String& entitlement)
+{
+    return WTF::hasEntitlement(ensureNetworkProcess().connection()->xpcConnection(), entitlement.utf8().data());
+}
+
 void WebProcessPool::registerNotificationObservers()
 {
 #if !PLATFORM(IOS_FAMILY)
index dfacf81..c911ee2 100644 (file)
@@ -216,6 +216,7 @@ public:
 
     ProcessID networkProcessIdentifier();
     Vector<String> activePagesOriginsInWebProcessForTesting(ProcessID);
+    bool networkProcessHasEntitlementForTesting(const String&);
 
     WebPageGroup& defaultPageGroup() { return m_defaultPageGroup.get(); }
 
index 6d31866..355ea84 100644 (file)
@@ -1,3 +1,15 @@
+2018-11-02  Alex Christensen  <achristensen@webkit.org>
+
+        Mac production builds should sign the network process xpc service with entitlements
+        https://bugs.webkit.org/show_bug.cgi?id=191209
+        <rdar://problem/45377609>
+
+        Reviewed by Geoff Garen.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm: Added.
+        (TEST):
+
 2018-11-02  Lucas Forschler  <lforschler@apple.com>
 
         Add Windows 10 archive bots
index 2190f57..1b62665 100644 (file)
                5C7964101EB0278D0075D74C /* EventModifiers.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5C79640F1EB0269B0075D74C /* EventModifiers.cpp */; };
                5C7C74CB1FB529BA002F9ABE /* WebViewScheduleInRunLoop.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5C7C74CA1FB528D4002F9ABE /* WebViewScheduleInRunLoop.mm */; };
                5C838F7F1DB04F900082858F /* LoadInvalidURLRequest.mm in Sources */ = {isa = PBXBuildFile; fileRef = 57901FAE1CAF137100ED64F9 /* LoadInvalidURLRequest.mm */; };
+               5C8BC799218CF44700813886 /* NetworkProcess.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5C8BC798218CF3E900813886 /* NetworkProcess.mm */; };
                5C973F5C1F58EF8B00359C27 /* WebGLPolicy.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5C973F5B1F58EF0A00359C27 /* WebGLPolicy.mm */; };
                5C9E56851DF9145400C9EE33 /* WebsitePolicies.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5C9E56841DF9143D00C9EE33 /* WebsitePolicies.mm */; };
                5C9E56871DF914AE00C9EE33 /* contentBlockerCheck.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5C9E56861DF9148E00C9EE33 /* contentBlockerCheck.html */; };
                5C726D6E1D3EE06800C5E1A1 /* InstanceMethodSwizzler.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = InstanceMethodSwizzler.mm; path = cocoa/InstanceMethodSwizzler.mm; sourceTree = "<group>"; };
                5C79640F1EB0269B0075D74C /* EventModifiers.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EventModifiers.cpp; sourceTree = "<group>"; };
                5C7C74CA1FB528D4002F9ABE /* WebViewScheduleInRunLoop.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebViewScheduleInRunLoop.mm; sourceTree = "<group>"; };
+               5C8BC798218CF3E900813886 /* NetworkProcess.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = NetworkProcess.mm; sourceTree = "<group>"; };
                5C973F5B1F58EF0A00359C27 /* WebGLPolicy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebGLPolicy.mm; sourceTree = "<group>"; };
                5C9E56841DF9143D00C9EE33 /* WebsitePolicies.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebsitePolicies.mm; sourceTree = "<group>"; };
                5C9E56861DF9148E00C9EE33 /* contentBlockerCheck.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = contentBlockerCheck.html; sourceTree = "<group>"; };
                                5165FE03201EE617009F7EC3 /* MessagePortProviders.mm */,
                                51CD1C6A1B38CE3600142CA5 /* ModalAlerts.mm */,
                                1ABC3DED1899BE6D004F0626 /* Navigation.mm */,
+                               5C8BC798218CF3E900813886 /* NetworkProcess.mm */,
                                5CAE4637201937CD0051610F /* NetworkProcessCrashNonPersistentDataStore.mm */,
                                CD2D0D19213465560018C784 /* NowPlaying.mm */,
                                2ECFF5541D9B12F800B55394 /* NowPlayingControlsTests.mm */,
                                7CCE7F011A411AE600447C4C /* MouseMoveAfterCrash.cpp in Sources */,
                                7CCE7F241A411AF600447C4C /* Navigation.mm in Sources */,
                                5C0BF8951DD599CD00B00328 /* NavigatorLanguage.mm in Sources */,
+                               5C8BC799218CF44700813886 /* NetworkProcess.mm in Sources */,
                                5CAE463820193B6A0051610F /* NetworkProcessCrashNonPersistentDataStore.mm in Sources */,
                                9B19CDA01F06DFE3000548DD /* NetworkProcessCrashWithPendingConnection.mm in Sources */,
                                7CCE7F021A411AE600447C4C /* NewFirstVisuallyNonEmptyLayout.cpp in Sources */,
diff --git a/Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm b/Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm
new file mode 100644 (file)
index 0000000..723f31f
--- /dev/null
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#import "TestWKWebView.h"
+#import <WebKit/WKProcessPoolPrivate.h>
+#import <wtf/RetainPtr.h>
+
+#if WK_API_ENABLED
+
+#if PLATFORM(MAC)
+TEST(WebKit, NetworkProcessEntitlements)
+{
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:[[[WKWebViewConfiguration alloc] init] autorelease]]);
+    [webView synchronouslyLoadTestPageNamed:@"simple"];
+    WKProcessPool *pool = [webView configuration].processPool;
+    EXPECT_TRUE([pool _networkProcessHasEntitlementForTesting:@"com.apple.rootless.storage.WebKitNetworkingSandbox"]);
+    EXPECT_FALSE([pool _networkProcessHasEntitlementForTesting:@"test failure case"]);
+}
+#endif // PLATFORM(MAC)
+
+#endif // WK_API_ENABLED
+
+