[WebRTC][Mac] Network process sandbox does not allow WebRTC networking
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Feb 2017 21:30:56 +0000 (21:30 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Feb 2017 21:30:56 +0000 (21:30 +0000)
https://bugs.webkit.org/show_bug.cgi?id=168594

Patch by Youenn Fablet <youenn@apple.com> on 2017-02-21
Reviewed by Brent Fulgham.

UIProcess was passing a boolean to know whether WebRTC networking is allowed or not to the network process.
This boolean was known to late for the sandbox to be relaxed.
A sandbox extension is now used instead to relax the sandbox.

* NetworkProcess/NetworkProcess.h:
* NetworkProcess/NetworkProcessCreationParameters.cpp:
(WebKit::NetworkProcessCreationParameters::encode):
(WebKit::NetworkProcessCreationParameters::decode):
* NetworkProcess/NetworkProcessCreationParameters.h:
* NetworkProcess/cocoa/NetworkProcessCocoa.mm:
(WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
* NetworkProcess/mac/NetworkProcessMac.mm:
(WebKit::NetworkProcess::platformInitializeNetworkProcess):
(WebKit::NetworkProcess::initializeSandbox):
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeNetworkProcess):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@212746 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/NetworkProcess/NetworkProcess.h
Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.cpp
Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.h
Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm
Source/WebKit2/NetworkProcess/mac/NetworkProcessMac.mm
Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
Source/WebKit2/UIProcess/Cocoa/WebProcessPoolCocoa.mm

index d0f264e..74aa69a 100644 (file)
@@ -1,5 +1,30 @@
 2017-02-21  Youenn Fablet  <youenn@apple.com>
 
+        [WebRTC][Mac] Network process sandbox does not allow WebRTC networking
+        https://bugs.webkit.org/show_bug.cgi?id=168594
+
+        Reviewed by Brent Fulgham.
+
+        UIProcess was passing a boolean to know whether WebRTC networking is allowed or not to the network process.
+        This boolean was known to late for the sandbox to be relaxed.
+        A sandbox extension is now used instead to relax the sandbox.
+
+        * NetworkProcess/NetworkProcess.h:
+        * NetworkProcess/NetworkProcessCreationParameters.cpp:
+        (WebKit::NetworkProcessCreationParameters::encode):
+        (WebKit::NetworkProcessCreationParameters::decode):
+        * NetworkProcess/NetworkProcessCreationParameters.h:
+        * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+        (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+        * NetworkProcess/mac/NetworkProcessMac.mm:
+        (WebKit::NetworkProcess::platformInitializeNetworkProcess):
+        (WebKit::NetworkProcess::initializeSandbox):
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeNetworkProcess):
+
+2017-02-21  Youenn Fablet  <youenn@apple.com>
+
         [WebRTC] ICE candidates should be filtered according a policy
         https://bugs.webkit.org/show_bug.cgi?id=168348
 
index 5575eda..3a374e9 100644 (file)
@@ -215,10 +215,6 @@ private:
     HashMap<uint64_t, Function<void ()>> m_sandboxExtensionForBlobsCompletionHandlers;
     HashMap<uint64_t, Ref<NetworkResourceLoader>> m_waitingNetworkResourceLoaders;
 
-#if ENABLE(WEB_RTC)
-    bool m_webRTCEnabled { false };
-#endif
-
 #if PLATFORM(COCOA)
     void platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters&);
     void setCookieStoragePartitioningEnabled(bool);
index 5dfabd6..5a2702c 100644 (file)
@@ -102,7 +102,7 @@ void NetworkProcessCreationParameters::encode(IPC::Encoder& encoder) const
     encoder << recordReplayCacheLocation;
 #endif
 #if ENABLE(WEB_RTC)
-    encoder << webRTCEnabled;
+    encoder << webRTCNetworkingHandle;
 #endif
 }
 
@@ -205,8 +205,9 @@ bool NetworkProcessCreationParameters::decode(IPC::Decoder& decoder, NetworkProc
     if (!decoder.decode(result.recordReplayCacheLocation))
         return false;
 #endif
+
 #if ENABLE(WEB_RTC)
-    if (!decoder.decode(result.webRTCEnabled))
+    if (!decoder.decode(result.webRTCNetworkingHandle))
         return false;
 #endif
 
index 2b88e88..bfed3ae 100644 (file)
@@ -112,9 +112,8 @@ struct NetworkProcessCreationParameters {
     String recordReplayMode;
     String recordReplayCacheLocation;
 #endif
-
 #if ENABLE(WEB_RTC)
-    bool webRTCEnabled { false };
+    SandboxExtension::Handle webRTCNetworkingHandle;
 #endif
 };
 
index dc3aa73..1a8e061 100644 (file)
@@ -72,6 +72,9 @@ void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessC
     SandboxExtension::consumePermanently(parameters.containerCachesDirectoryExtensionHandle);
     SandboxExtension::consumePermanently(parameters.parentBundleDirectoryExtensionHandle);
 #endif
+#if ENABLE(WEB_RTC)
+    SandboxExtension::consumePermanently(parameters.webRTCNetworkingHandle);
+#endif
     m_diskCacheDirectory = parameters.diskCacheDirectory;
 
 #if PLATFORM(IOS) || (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100)
index ae724a0..ff8e360 100644 (file)
@@ -105,10 +105,6 @@ void NetworkProcess::platformInitializeNetworkProcess(const NetworkProcessCreati
 
     if (!parameters.httpProxy.isNull() || !parameters.httpsProxy.isNull())
         overrideSystemProxies(parameters.httpProxy, parameters.httpsProxy);
-
-#if ENABLE(WEB_RTC)
-    m_webRTCEnabled = parameters.webRTCEnabled;
-#endif
 }
 
 void NetworkProcess::allowSpecificHTTPSCertificateForHost(const CertificateInfo& certificateInfo, const String& host)
@@ -122,11 +118,6 @@ void NetworkProcess::initializeSandbox(const ChildProcessInitializationParameter
     NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
     sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.NetworkProcess" ofType:@"sb"]);
 
-#if ENABLE(WEB_RTC)
-    if (m_webRTCEnabled)
-        sandboxParameters.addParameter("ENABLE_WEB_RTC", "TRUE");
-#endif
-
     ChildProcess::initializeSandbox(parameters, sandboxParameters);
 }
 
index 356a0f8..f456938 100644 (file)
     (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
     (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
 
-#if ENABLE_WEB_RTC
+(macro (with-filter form)
+   (let* ((ps (cdr form))
+          (extra-filter (car ps))
+          (rules (cdr ps)))
+    `(letrec
+        ((collect
+             (lambda (l filters non-filters)
+                 (if (null? l)
+                     (list filters non-filters)
+                     (let* 
+                         ((x (car l))
+                          (rest (cdr l)))
+                         (if (sbpl-filter? x)
+                             (collect rest (cons x filters) non-filters)
+                             (collect rest filters (cons x non-filters)))))))
+         (inject-filter
+             (lambda args
+                 (let* ((collected (collect args '() '()))
+                        (filters (car collected))
+                        (non-filters (cadr collected)))
+                 (if (null? filters)
+                     (cons ,extra-filter non-filters)
+                     (cons (require-all (apply require-any filters) ,extra-filter) non-filters)))))
+         (orig-allow allow)
+         (orig-deny deny)
+         (wrapper
+             (lambda (action)
+                 (lambda args (apply action (apply inject-filter args))))))
+        (set! allow (wrapper orig-allow))
+        (set! deny (wrapper orig-deny))
+        ,@rules
+        (set! deny orig-deny)
+        (set! allow orig-allow))))
+
 ;; FIXME should be removed when <rdar://problem/30498072> is fixed.
-(if (positive? (string-length (param "ENABLE_WEB_RTC")))
+(with-filter (extension "com.apple.webkit.webrtc")
     (allow network*
         (local udp)
         (remote udp)
         (local tcp)
         (remote tcp)))
-#endif
index ac232a6..0d3b57a 100644 (file)
@@ -308,8 +308,9 @@ void WebProcessPool::platformInitializeNetworkProcess(NetworkProcessCreationPara
     bool webRTCEnabled = m_defaultPageGroup->preferences().peerConnectionEnabled();
     if ([defaults objectForKey:@"ExperimentalPeerConnectionEnabled"])
         webRTCEnabled = [defaults boolForKey:@"ExperimentalPeerConnectionEnabled"];
-    
-    parameters.webRTCEnabled = webRTCEnabled;
+
+    if (webRTCEnabled)
+        SandboxExtension::createHandleForGenericExtension("com.apple.webkit.webrtc", parameters.webRTCNetworkingHandle);
 #endif
 }