[iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
authorpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Dec 2019 19:07:51 +0000 (19:07 +0000)
committerpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Dec 2019 19:07:51 +0000 (19:07 +0000)
https://bugs.webkit.org/show_bug.cgi?id=205134
<rdar://problem/56984257>

Reviewed by Brent Fulgham.

Source/WebCore:

Add method to Internals checking mach lookup access to a given XPC service name.

Test: fast/sandbox/ios/sandbox-mach-lookup.html

* testing/Internals.cpp:
(WebCore::Internals::hasSandboxMachLookupAccessToXPCServiceName):
* testing/Internals.h:
* testing/Internals.idl:

Source/WebKit:

Remove mach lookup access to "*.apple-extension-service" in the sandbox.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

Source/WTF:

Add enum value for the XPC service name filter type.

* wtf/spi/darwin/SandboxSPI.h:

LayoutTests:

Add test for mach lookup access to "*.apple-extension-service".

* TestExpectations:
* fast/sandbox: Added.
* fast/sandbox/ios: Added.
* fast/sandbox/ios/sandbox-mach-lookup-expected.txt: Added.
* fast/sandbox/ios/sandbox-mach-lookup.html: Added.
* platform/ios-device-wk2/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@253488 268f45cc-cd09-0410-ab3c-d52691b4dbfc

13 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt [new file with mode: 0644]
LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html [new file with mode: 0644]
LayoutTests/platform/ios-device-wk2/TestExpectations
Source/WTF/ChangeLog
Source/WTF/wtf/spi/darwin/SandboxSPI.h
Source/WebCore/ChangeLog
Source/WebCore/testing/Internals.cpp
Source/WebCore/testing/Internals.h
Source/WebCore/testing/Internals.idl
Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index 2fb4f63..0e2c556 100644 (file)
@@ -1,3 +1,20 @@
+2019-12-13  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=205134
+        <rdar://problem/56984257>
+
+        Reviewed by Brent Fulgham.
+
+        Add test for mach lookup access to "*.apple-extension-service".
+
+        * TestExpectations:
+        * fast/sandbox: Added.
+        * fast/sandbox/ios: Added.
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt: Added.
+        * fast/sandbox/ios/sandbox-mach-lookup.html: Added.
+        * platform/ios-device-wk2/TestExpectations:
+
 2019-12-13  youenn fablet  <youenn@apple.com>
 
         Help debugging flaky http/tests/cache-storage/page-cache-domcachestorage-pending-promise.html
index 8a13c9c..7e1da39 100644 (file)
@@ -28,6 +28,7 @@ fast/dom/Window/watchos [ Skip ]
 fast/forms/select/mac-wk2 [ Skip ]
 fast/forms/textarea/ios [ Skip ]
 fast/forms/watchos [ Skip ]
+fast/sandbox/ios [ Skip ]
 fast/viewport/watchos [ Skip ]
 fast/visual-viewport/watchos [ Skip ]
 fast/visual-viewport/tiled-drawing [ Skip ]
diff --git a/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt b/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt
new file mode 100644 (file)
index 0000000..10117d9
--- /dev/null
@@ -0,0 +1,7 @@
+Regression tests for mach lookup sandbox changes on iOS
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.apple-extension-service") is false
+
diff --git a/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html b/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html
new file mode 100644 (file)
index 0000000..94e37b4
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../../resources/js-test-pre.js"></script>
+<script>
+description('Regression tests for mach lookup sandbox changes on iOS');
+
+if (window.internals) {
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.apple-extension-service\")");
+}
+</script>
+</head>
+<body>
+</body>
index d035922..85b5440 100644 (file)
@@ -3,3 +3,4 @@
 # See http://trac.webkit.org/wiki/TestExpectations for more information on this file.
 #
 
+fast/sandbox/ios [ Pass ]
index 3681158..3ccf306 100644 (file)
@@ -1,3 +1,15 @@
+2019-12-13  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=205134
+        <rdar://problem/56984257>
+
+        Reviewed by Brent Fulgham.
+
+        Add enum value for the XPC service name filter type.
+
+        * wtf/spi/darwin/SandboxSPI.h:
+
 2019-12-09  Fujii Hironori  <Hironori.Fujii@sony.com>
 
         [MSVC] writeNumberToBufferUnsigned is unsafe for bool type
index 233aa07..37a8708 100644 (file)
@@ -35,6 +35,7 @@
 enum sandbox_filter_type {
     SANDBOX_FILTER_NONE,
     SANDBOX_FILTER_GLOBAL_NAME = 2,
+    SANDBOX_FILTER_XPC_SERVICE_NAME = 12,
 };
 
 #define SANDBOX_NAMED_EXTERNAL 0x0003
index 32e1e28..35cd726 100644 (file)
@@ -1,3 +1,20 @@
+2019-12-13  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=205134
+        <rdar://problem/56984257>
+
+        Reviewed by Brent Fulgham.
+
+        Add method to Internals checking mach lookup access to a given XPC service name.
+
+        Test: fast/sandbox/ios/sandbox-mach-lookup.html
+
+        * testing/Internals.cpp:
+        (WebCore::Internals::hasSandboxMachLookupAccessToXPCServiceName):
+        * testing/Internals.h:
+        * testing/Internals.idl:
+
 2019-12-13  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [Clipboard API] Sanitize HTML and image data written using clipboard.write
index fa3b4e3..372539c 100644 (file)
@@ -5363,4 +5363,19 @@ bool Internals::hasSandboxMachLookupAccessToGlobalName(const String& process, co
 #endif
 }
 
+bool Internals::hasSandboxMachLookupAccessToXPCServiceName(const String& process, const String& service)
+{
+#if PLATFORM(COCOA)
+    pid_t pid;
+    if (process == "com.apple.WebKit.WebContent")
+        pid = getpid();
+    else
+        RELEASE_ASSERT_NOT_REACHED();
+
+    return !sandbox_check(pid, "mach-lookup", static_cast<enum sandbox_filter_type>(SANDBOX_FILTER_XPC_SERVICE_NAME | SANDBOX_CHECK_NO_REPORT), service.utf8().data());
+#else
+    return false;
+#endif
+}
+
 } // namespace WebCore
index 20f4c7c..d4b2657 100644 (file)
@@ -914,6 +914,7 @@ public:
     Ref<InternalsMapLike> createInternalsMapLike();
 
     bool hasSandboxMachLookupAccessToGlobalName(const String& process, const String& service);
+    bool hasSandboxMachLookupAccessToXPCServiceName(const String& process, const String& service);
 
     String highlightPseudoElementColor(const String& highlightName, Element&);
 
index bde8f99..aff76ff 100644 (file)
@@ -825,4 +825,5 @@ enum CompositingPolicy {
     DOMString highlightPseudoElementColor(DOMString highlightName, Element element);
 
     boolean hasSandboxMachLookupAccessToGlobalName(DOMString process, DOMString service);
+    boolean hasSandboxMachLookupAccessToXPCServiceName(DOMString process, DOMString service);
 };
index 85647ea..ae619e7 100644 (file)
@@ -1,3 +1,15 @@
+2019-12-13  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=205134
+        <rdar://problem/56984257>
+
+        Reviewed by Brent Fulgham.
+
+        Remove mach lookup access to "*.apple-extension-service" in the sandbox.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2019-12-13  youenn fablet  <youenn@apple.com>
 
         Help debugging flaky http/tests/cache-storage/page-cache-domcachestorage-pending-promise.html
index 318273e..c8215e9 100644 (file)
 
     (allow mach-lookup (with report) (with telemetry)
         (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")
-        (xpc-service-name-regex #"\.apple-extension-service$") ;; <rdar://problem/19525887>
         (xpc-service-name-regex #"\.viewservice$") ;; <rdar://problem/31252371>
     )