Fix entitlements and sandboxing for iphoneminimalsimulator
authorjer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 18 Apr 2018 21:06:50 +0000 (21:06 +0000)
committerjer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 18 Apr 2018 21:06:50 +0000 (21:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184692

Reviewed by Tim Horton.

Use the correct implementations for ChildProcess and NetworkProcess
when building for iphoneminimalsimulator. Stub out imlementations
which rely on methods not available in the iphoneminimalsimulator SDK.

* Configurations/Network-OSX.entitlements: Added.
* Configurations/NetworkService.xcconfig:
* NetworkProcess/cocoa/NetworkProcessCocoa.mm:
(WebKit::NetworkProcess::sourceApplicationAuditData const):
* NetworkProcess/ios/NetworkProcessIOS.mm:
* NetworkProcess/mac/NetworkProcessMac.mm:
(WebKit::NetworkProcess::initializeProcessName):
(WebKit::overrideSystemProxies):
* Shared/ios/ChildProcessIOS.mm:
(WebKit::ChildProcess::initializeSandbox):
* Shared/mac/ChildProcessMac.mm:
(WebKit::ChildProcess::setApplicationIsDaemon):
(WebKit::enableSandboxStyleFileQuarantine):
(WebKit::ChildProcess::initializeSandbox):
(WebKit::ChildProcess::platformStopRunLoop):
* Shared/mac/CodeSigning.mm:
* WebKit.xcodeproj/project.pbxproj:
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::initializeSandbox):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230778 268f45cc-cd09-0410-ab3c-d52691b4dbfc

15 files changed:
Source/WebKit/ChangeLog
Source/WebKit/Configurations/BaseXPCService.xcconfig
Source/WebKit/Configurations/Network-iOS-minimalsimulator.entitlements [new file with mode: 0644]
Source/WebKit/Configurations/NetworkService.xcconfig
Source/WebKit/Configurations/WebContent-iOS-minimalsimulator.entitlements [new file with mode: 0644]
Source/WebKit/Configurations/WebContentService.Development.xcconfig
Source/WebKit/Configurations/WebContentService.xcconfig
Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm
Source/WebKit/NetworkProcess/ios/NetworkProcessIOS.mm
Source/WebKit/NetworkProcess/mac/NetworkProcessMac.mm
Source/WebKit/Shared/ios/ChildProcessIOS.mm
Source/WebKit/Shared/mac/ChildProcessMac.mm
Source/WebKit/Shared/mac/CodeSigning.mm
Source/WebKit/WebKit.xcodeproj/project.pbxproj
Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm

index 5de167a..3209a44 100644 (file)
@@ -1,3 +1,34 @@
+2018-04-18  Jer Noble  <jer.noble@apple.com>
+
+        Fix entitlements and sandboxing for iphoneminimalsimulator
+        https://bugs.webkit.org/show_bug.cgi?id=184692
+
+        Reviewed by Tim Horton.
+
+        Use the correct implementations for ChildProcess and NetworkProcess
+        when building for iphoneminimalsimulator. Stub out imlementations
+        which rely on methods not available in the iphoneminimalsimulator SDK.
+
+        * Configurations/Network-OSX.entitlements: Added.
+        * Configurations/NetworkService.xcconfig:
+        * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+        (WebKit::NetworkProcess::sourceApplicationAuditData const):
+        * NetworkProcess/ios/NetworkProcessIOS.mm:
+        * NetworkProcess/mac/NetworkProcessMac.mm:
+        (WebKit::NetworkProcess::initializeProcessName):
+        (WebKit::overrideSystemProxies):
+        * Shared/ios/ChildProcessIOS.mm:
+        (WebKit::ChildProcess::initializeSandbox):
+        * Shared/mac/ChildProcessMac.mm:
+        (WebKit::ChildProcess::setApplicationIsDaemon):
+        (WebKit::enableSandboxStyleFileQuarantine):
+        (WebKit::ChildProcess::initializeSandbox):
+        (WebKit::ChildProcess::platformStopRunLoop):
+        * Shared/mac/CodeSigning.mm:
+        * WebKit.xcodeproj/project.pbxproj:
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::initializeSandbox):
+
 2018-04-18  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r230743.
index 761c16e..93f9418 100644 (file)
@@ -53,7 +53,10 @@ WK_PATH_FROM_SERVICE_EXECUTABLE_TO_FRAMEWORK = $(WK_PATH_FROM_SERVICE_EXECUTABLE
 WK_PATH_FROM_SERVICE_EXECUTABLE_TO_FRAMEWORK_SHALLOW_BUNDLE_NO = ../../../../../..;
 WK_PATH_FROM_SERVICE_EXECUTABLE_TO_FRAMEWORK_SHALLOW_BUNDLE_YES = ../..;
 
-CODE_SIGN_ENTITLEMENTS[sdk=iphone*] = $(CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_$(SKIP_INSTALL));
+CODE_SIGN_ENTITLEMENTS = $(CODE_SIGN_ENTITLEMENTS_$(WK_PLATFORM_NAME))
+CODE_SIGN_ENTITLEMENTS_iphoneos = $(CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_$(SKIP_INSTALL));
+CODE_SIGN_ENTITLEMENTS_iphonesimulator = $(CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_$(SKIP_INSTALL));
+CODE_SIGN_ENTITLEMENTS_iphoneminimalsimulator = $(CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_$(SKIP_INSTALL));
 
 CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_ = $(CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_NO);
 CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_NO = $(CODE_SIGN_ENTITLEMENTS_IOS_MANUAL_SANDBOXING_$(WK_MANUAL_SANDBOXING_ENABLED));
diff --git a/Source/WebKit/Configurations/Network-iOS-minimalsimulator.entitlements b/Source/WebKit/Configurations/Network-iOS-minimalsimulator.entitlements
new file mode 100644 (file)
index 0000000..699e298
--- /dev/null
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>seatbelt-profiles</key>
+    <array>
+        <string>com.apple.WebKit.Networking</string>
+    </array>
+       <key>com.apple.security.network.client</key>
+       <true/>
+</dict>
+</plist>
index 504f2da..50b31c3 100644 (file)
 
 #include "BaseXPCService.xcconfig"
 
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = Network-iOS;
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = $(WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_$(WK_PLATFORM_NAME));
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphoneos = Network-iOS;
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphonesimulator = Network-iOS;
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphoneminimalsimulator = Network-iOS-minimalsimulator;
 
 OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS);
 
diff --git a/Source/WebKit/Configurations/WebContent-iOS-minimalsimulator.entitlements b/Source/WebKit/Configurations/WebContent-iOS-minimalsimulator.entitlements
new file mode 100644 (file)
index 0000000..da80ba1
--- /dev/null
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>seatbelt-profiles</key>
+       <array>
+               <string>com.apple.WebKit.WebContent</string>
+       </array>
+</dict>
+</plist>
index d94431c..8a22b63 100644 (file)
@@ -26,6 +26,6 @@
 SKIP_INSTALL = YES;
 SKIP_INSTALL[sdk=macosx*] = $(WK_RELOCATABLE_FRAMEWORKS);
 
-CODE_SIGN_ENTITLEMENTS[sdk=macosx*] = Configurations/WebContent.Development.entitlements;
+CODE_SIGN_ENTITLEMENTS_macosx = Configurations/WebContent.Development.entitlements;
 
 WK_XPC_SERVICE_VARIANT = Development;
index 6cc9ebf..fbd92ba 100644 (file)
 
 #include "BaseXPCService.xcconfig"
 
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = WebContent-iOS;
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = $(WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_$(WK_PLATFORM_NAME));
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphoneos = WebContent-iOS;
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphonesimulator = WebContent-iOS;
+WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphoneminimalsimulator = WebContent-iOS-minimalsimulator;
 
-CODE_SIGN_ENTITLEMENTS[sdk=macosx*] = $(CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_$(WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT));
+CODE_SIGN_ENTITLEMENTS_macosx = $(CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_$(WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT));
 CODE_SIGN_ENTITLEMENTS_OSX_WITH_XPC_DOMAIN_EXTENSION_YES = Configurations/WebContent-OSX.entitlements;
 OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS);
 
index a47189b..0f583d8 100644 (file)
@@ -154,7 +154,7 @@ void NetworkProcess::platformSetURLCacheSize(unsigned urlCacheMemoryCapacity, ui
 
 RetainPtr<CFDataRef> NetworkProcess::sourceApplicationAuditData() const
 {
-#if PLATFORM(IOS)
+#if PLATFORM(IOS) && !ENABLE(MINIMAL_SIMULATOR)
     audit_token_t auditToken;
     ASSERT(parentProcessConnection());
     if (!parentProcessConnection() || !parentProcessConnection()->getAuditToken(auditToken))
index a226639..06b5731 100644 (file)
@@ -26,7 +26,7 @@
 #import "config.h"
 #import "NetworkProcess.h"
 
-#if PLATFORM(IOS)
+#if PLATFORM(IOS) && !ENABLE(MINIMAL_SIMULATOR)
 
 #import "NetworkCache.h"
 #import "NetworkProcessCreationParameters.h"
index 517ba02..54ab302 100644 (file)
@@ -26,7 +26,7 @@
 #import "config.h"
 #import "NetworkProcess.h"
 
-#if PLATFORM(MAC)
+#if PLATFORM(MAC) || ENABLE(MINIMAL_SIMULATOR)
 
 #import "NetworkCache.h"
 #import "NetworkProcessCreationParameters.h"
@@ -58,8 +58,10 @@ void NetworkProcess::initializeProcess(const ChildProcessInitializationParameter
 
 void NetworkProcess::initializeProcessName(const ChildProcessInitializationParameters& parameters)
 {
+#if !ENABLE(MINIMAL_SIMULATOR)
     NSString *applicationName = [NSString stringWithFormat:WEB_UI_STRING("%@ Networking", "visible name of the network process. The argument is the application name."), (NSString *)parameters.uiProcessName];
     _LSSetApplicationInformationItem(kLSDefaultSessionID, _LSGetCurrentApplicationASN(), _kLSDisplayNameKey, (CFStringRef)applicationName, nullptr);
+#endif
 }
 
 static void overrideSystemProxies(const String& httpProxy, const String& httpsProxy)
@@ -82,11 +84,13 @@ static void overrideSystemProxies(const String& httpProxy, const String& httpsPr
     if (!httpsProxy.isNull()) {
         URL httpsProxyURL(URL(), httpsProxy);
         if (httpsProxyURL.isValid()) {
+#if !ENABLE(MINIMAL_SIMULATOR)
             [proxySettings setObject:nsStringFromWebCoreString(httpsProxyURL.host()) forKey:(NSString *)kCFNetworkProxiesHTTPSProxy];
             if (httpsProxyURL.port()) {
                 NSNumber *port = [NSNumber numberWithInt:httpsProxyURL.port().value()];
                 [proxySettings setObject:port forKey:(NSString *)kCFNetworkProxiesHTTPSPort];
             }
+#endif
         } else
             NSLog(@"Malformed HTTPS Proxy URL '%s'.  Expected 'https://<hostname>[:<port>]'\n", httpsProxy.utf8().data());
     }
index e91a03e..c2f898c 100644 (file)
@@ -25,7 +25,7 @@
 
 #import "config.h"
 
-#if PLATFORM(IOS)
+#if PLATFORM(IOS) && !ENABLE(MINIMAL_SIMULATOR)
 
 #import "ChildProcess.h"
 
@@ -70,8 +70,10 @@ void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters&
         sandboxParameters.setUserDirectorySuffix(defaultUserDirectorySuffix);
     }
 
+#if !ENABLE(MINIMAL_SIMULATOR)
     String sandboxImportPath = "/usr/local/share/sandbox/imports";
     sandboxParameters.addPathParameter("IMPORT_DIR", FileSystem::fileSystemRepresentation(sandboxImportPath).data());
+#endif
 
     switch (sandboxParameters.mode()) {
     case SandboxInitializationParameters::UseDefaultSandboxProfilePath:
index ca28f57..0013c10 100644 (file)
 
 #import "config.h"
 
-#if PLATFORM(MAC)
+#if PLATFORM(MAC) || ENABLE(MINIMAL_SIMULATOR)
 #import "ChildProcess.h"
 
 #import "CodeSigning.h"
 #import "QuarantineSPI.h"
 #import "SandboxInitializationParameters.h"
+#import "XPCServiceEntryPoint.h"
 #import <WebCore/FileSystem.h>
 #import <WebCore/SystemVersion.h>
 #import <mach/mach.h>
@@ -65,8 +66,10 @@ static void initializeTimerCoalescingPolicy()
 
 void ChildProcess::setApplicationIsDaemon()
 {
+#if !ENABLE(MINIMAL_SIMULATOR)
     OSStatus error = SetApplicationIsDaemon(true);
     ASSERT_UNUSED(error, error == noErr);
+#endif
 
     launchServicesCheckIn();
 }
@@ -85,6 +88,7 @@ void ChildProcess::platformInitialize()
 
 static OSStatus enableSandboxStyleFileQuarantine()
 {
+#if !ENABLE(MINIMAL_SIMULATOR)
     int error;
     qtn_proc_t quarantineProperties = qtn_proc_alloc();
     auto quarantinePropertiesDeleter = makeScopeExit([quarantineProperties]() {
@@ -100,6 +104,9 @@ static OSStatus enableSandboxStyleFileQuarantine()
     // QTN_FLAG_SANDBOX is silently ignored if security.mac.qtn.sandbox_enforce sysctl is 0.
     // In that case, quarantine falls back to advisory QTN_FLAG_DOWNLOAD.
     return qtn_proc_apply_to_self(quarantineProperties);
+#else
+    return false;
+#endif
 }
 
 void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
@@ -170,7 +177,10 @@ void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters&
         if (!sandboxProfilePath.isEmpty()) {
             CString profilePath = FileSystem::fileSystemRepresentation(sandboxProfilePath);
             char* errorBuf;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
             if (sandbox_init_with_parameters(profilePath.data(), SANDBOX_NAMED_EXTERNAL, sandboxParameters.namedParameterArray(), &errorBuf)) {
+#pragma clang diagnostic pop
                 WTFLogAlways("%s: Couldn't initialize sandbox profile [%s], error '%s'\n", getprogname(), profilePath.data(), errorBuf);
                 for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i)
                     WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i));
@@ -182,7 +192,10 @@ void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters&
     }
     case SandboxInitializationParameters::UseSandboxProfile: {
         char* errorBuf;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
         if (sandbox_init_with_parameters(sandboxParameters.sandboxProfile().utf8().data(), 0, sandboxParameters.namedParameterArray(), &errorBuf)) {
+#pragma clang diagnostic pop
             WTFLogAlways("%s: Couldn't initialize sandbox profile, error '%s'\n", getprogname(), errorBuf);
             for (size_t i = 0, count = sandboxParameters.count(); i != count; ++i)
                 WTFLogAlways("%s=%s\n", sandboxParameters.name(i), sandboxParameters.value(i));
@@ -212,7 +225,7 @@ void ChildProcess::stopNSAppRunLoop()
 }
 #endif
 
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400
+#if !ENABLE(MINIMAL_SIMULATOR) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400
 void ChildProcess::stopNSRunLoop()
 {
     ASSERT([NSRunLoop mainRunLoop]);
@@ -222,6 +235,13 @@ void ChildProcess::stopNSRunLoop()
 }
 #endif
 
+#if ENABLE(MINIMAL_SIMULATOR)
+void ChildProcess::platformStopRunLoop()
+{
+    XPCServiceExit(WTFMove(m_priorityBoostMessage));
+}
+#endif
+
 void ChildProcess::setQOS(int latencyQOS, int throughputQOS)
 {
     if (!latencyQOS && !throughputQOS)
index 9e73308..89f1ff1 100644 (file)
@@ -26,7 +26,7 @@
 #include "config.h"
 #include "CodeSigning.h"
 
-#if PLATFORM(MAC)
+#if PLATFORM(MAC) || ENABLE(MINIMAL_SIMULATOR)
 
 #include <wtf/RetainPtr.h>
 #include <wtf/spi/cocoa/SecuritySPI.h>
index ad15475..561392c 100644 (file)
                                "$(SRCROOT)/Configurations/Databases-iOS.entitlements",
                                "$(SRCROOT)/Configurations/Network-iOS.entitlements",
                                "$(SRCROOT)/Configurations/WebContent-iOS.entitlements",
+                               "$(SRCROOT)/Configurations/Network-iOS-minimalsimulator.entitlements",
+                               "$(SRCROOT)/Configurations/WebContent-iOS-minimalsimulator.entitlements",
                        );
                        name = "Derive Entitlements for Manual Sandboxing";
                        outputPaths = (
                                "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/Databases-iOS-no-sandbox.entitlements",
                                "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/Network-iOS-no-sandbox.entitlements",
                                "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/WebContent-iOS-no-sandbox.entitlements",
+                               "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/Network-iOS-minimalsimulator-no-sandbox.entitlements",
+                               "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/WebContent-iOS-minimalsimulator-no-sandbox.entitlements",
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
-                       shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n    exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n    for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n        eval SANDBOX_PROFILE=\\${SCRIPT_INPUT_FILE_${i}}\n        ditto \"${SANDBOX_PROFILE}\" \"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/${SANDBOX_PROFILE##*/}\"\n    done\nfi";
+                       shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" || \"${WK_PLATFORM_NAME}\" == \"iphoneminimalsimulator\" ]]; then\n    exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n    for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n        eval SANDBOX_PROFILE=\\${SCRIPT_INPUT_FILE_${i}}\n        ditto \"${SANDBOX_PROFILE}\" \"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/${SANDBOX_PROFILE##*/}\"\n    done\nfi\n";
                };
                5DF408C5131DD46700130071 /* Check For Weak VTables and Externals */ = {
                        isa = PBXShellScriptBuildPhase;
index a147207..b3f6d33 100644 (file)
@@ -343,7 +343,7 @@ void WebProcess::initializeSandbox(const ChildProcessInitializationParameters& p
 #else
     NSBundle *webKit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
 #endif
-#if PLATFORM(IOS)
+#if PLATFORM(IOS) && !ENABLE(MINIMAL_SIMULATOR)
     sandboxParameters.setOverrideSandboxProfilePath([webKit2Bundle pathForResource:@"com.apple.WebKit.WebContent" ofType:@"sb"]);
 #else
     sandboxParameters.setOverrideSandboxProfilePath([webKit2Bundle pathForResource:@"com.apple.WebProcess" ofType:@"sb"]);