[Cocoa] Deny access to database mapping service
author pvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 21 Mar 2020 01:10:42 +0000 (01:10 +0000)
committer pvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 21 Mar 2020 01:10:42 +0000 (01:10 +0000)
https://bugs.webkit.org/show_bug.cgi?id=209339
Source/WebKit:

<rdar://problem/56966010>

Reviewed by Brent Fulgham.

In order for the WebContent process to not have permanent access to the database mapping service,
this patch creates an extension for the service in the UI process, sends it to the WebContent
process, where it is consumed. Then, an API call is made which will map the database, and next the
WebContent process will revoke the extension. The WebContent process has then mapped the database,
and access to the database mapping service is no longer needed.

Tested by: fast/sandbox/ios/sandbox-mach-lookup.html

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const):
(WebKit::WebProcessCreationParameters::decode):
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeWebProcess):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
* WebProcess/com.apple.WebProcess.sb.in:

Source/WTF:

<rdar://problem/56966010>

Reviewed by Brent Fulgham.

Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
of denying the database mapping service in this patch.

* wtf/PlatformUse.h:

LayoutTests:

Reviewed by Brent Fulgham.

* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@258803 268f45cc-cd09-0410-ab3c-d52691b4dbfc

12 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt
LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html
Source/WTF/ChangeLog
Source/WTF/wtf/PlatformUse.h
Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
Source/WebKit/Shared/WebProcessCreationParameters.cpp
Source/WebKit/Shared/WebProcessCreationParameters.h
Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

index 27e1e45..50572e0 100644 (file)
@@ -1,3 +1,13 @@
+2020-03-20  Per Arne Vollan  <pvollan@apple.com>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+
+        Reviewed by Brent Fulgham.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+
 2020-03-20  David Kilzer  <ddkilzer@apple.com>
 
         Content-Type & Nosniff Ignored on XML External Entity Resources
index df44fd4..77fe90c 100644 (file)
@@ -24,3 +24,4 @@ PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebConte
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.PowerManagement.control") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd.v2") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.lsd.mapdb") is false
index a8873e7..4747617 100644 (file)
@@ -27,6 +27,7 @@ if (window.internals) {
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.PowerManagement.control\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd.v2\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.lsd.mapdb\")");
 }
 </script>
 </head>
index 758e6ac..005b466 100644 (file)
@@ -1,3 +1,16 @@
+2020-03-20  Per Arne Vollan  <pvollan@apple.com>
+
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+        <rdar://problem/56966010>
+
+        Reviewed by Brent Fulgham.
+
+        Disable the use of UTTypeRecord swizzling, since this is not needed with the new approach
+        of denying the database mapping service in this patch.
+
+        * wtf/PlatformUse.h:
+
 2020-03-20  Oliver Hunt  <oliver@nerget,com>
 
         Add correct annotations to block isa pointer
index be5aecc..3f83f66 100644 (file)
 #define USE_CTFONTTRANSFORMGLYPHSWITHLANGUAGE 1
 #endif
 
-#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 140000
-#define USE_UTTYPE_SWIZZLER 1
-#endif
+#define USE_UTTYPE_SWIZZLER 0
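Review bot: `#define USE_UTTYPE_SWIZZLER 0` turns a platform-conditional define into an unconditional off switch, so every `#if USE(UTTYPE_SWIZZLER)` block becomes dead code on all platforms; if the swizzler is genuinely not needed any more (as the ChangeLog says), deleting the define together with the guarded code is cleaner than leaving a permanently disabled feature flag, and if it is kept for a later revert, a one-line comment saying so would help the next reader.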
index 038b6ea..659d1f8 100644 (file)
@@ -1,5 +1,32 @@
 2020-03-20  Per Arne Vollan  <pvollan@apple.com>
 
+        [Cocoa] Deny access to database mapping service
+        https://bugs.webkit.org/show_bug.cgi?id=209339
+        <rdar://problem/56966010>
+
+        Reviewed by Brent Fulgham.
+
+        In order for the WebContent process to not have permantent access to the database mapping service,
+        this patch creates an extension for the service in the UI process, sends it to the WebContent
+        process, where it is consumed. Then, an API call is made which will map the database, and next the
+        WebContent process will revoke the extension. The WebContent process has then mapped the database,
+        and access to the database mapping service is no longer needed.
+
+        Tested by: fast/sandbox/ios/sandbox-mach-lookup.html
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * Shared/WebProcessCreationParameters.cpp:
+        (WebKit::WebProcessCreationParameters::encode const):
+        (WebKit::WebProcessCreationParameters::decode):
+        * Shared/WebProcessCreationParameters.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeWebProcess):
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::platformInitializeWebProcess):
+        * WebProcess/com.apple.WebProcess.sb.in:
+
+2020-03-20  Per Arne Vollan  <pvollan@apple.com>
+
         [iOS] Add telemetry for message filtering
         https://bugs.webkit.org/show_bug.cgi?id=209003
         <rdar://problem/60376722>
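Review bot: typo in the new ChangeLog text, "permantent" should read "permanent".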
index 35c28aa..07b4cb9 100644 (file)
     (global-name "com.apple.cfprefsd.daemon")
 )
 
-(deny mach-lookup (with telemetry)
+(deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.distributed_notifications@1v3"))
 
 (allow ipc-posix-shm-read*
        (ipc-posix-name-prefix "apple.cfprefs."))
  
-(allow mach-lookup (with telemetry-backtrace)
+(deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.lsd.mapdb"))
 
 ;; <rdar://problem/12413942>
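Review bot: the first change in this hunk, switching the `com.apple.distributed_notifications@1v3` deny rule from `(with telemetry)` to `(with telemetry-backtrace)`, is unrelated to the database mapping service and is not mentioned in the ChangeLog; either split it out or document it. Flipping `allow` to `deny` for `com.apple.lsd.mapdb` while keeping `(with telemetry-backtrace)` is the right choice, since any lookup that happens outside the short extension window in WebProcess::platformInitializeWebProcess will then be reported with a backtrace rather than silently failing.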
index 393135c..3358f81 100644 (file)
@@ -169,6 +169,7 @@ void WebProcessCreationParameters::encode(IPC::Encoder& encoder) const
 #if PLATFORM(COCOA)
     encoder << neHelperExtensionHandle;
     encoder << neSessionManagerExtensionHandle;
+    encoder << mapDBExtensionHandle;
     encoder << systemHasBattery;
     encoder << mimeTypesMap;
     encoder << mapUTIFromMIMEType;
@@ -456,6 +457,12 @@ bool WebProcessCreationParameters::decode(IPC::Decoder& decoder, WebProcessCreat
         return false;
     parameters.neSessionManagerExtensionHandle = WTFMove(*neSessionManagerExtensionHandle);
 
+    Optional<Optional<SandboxExtension::Handle>> mapDBExtensionHandle;
+    decoder >> mapDBExtensionHandle;
+    if (!mapDBExtensionHandle)
+        return false;
+    parameters.mapDBExtensionHandle = WTFMove(*mapDBExtensionHandle);
+
     Optional<bool> systemHasBattery;
     decoder >> systemHasBattery;
     if (!systemHasBattery)
index 5cde19e..a02d9d0 100644 (file)
@@ -213,6 +213,7 @@ struct WebProcessCreationParameters {
 #if PLATFORM(COCOA)
     Optional<SandboxExtension::Handle> neHelperExtensionHandle;
     Optional<SandboxExtension::Handle> neSessionManagerExtensionHandle;
+    Optional<SandboxExtension::Handle> mapDBExtensionHandle;
     bool systemHasBattery { false };
     Optional<HashMap<String, Vector<String>, ASCIICaseInsensitiveHash>> mimeTypesMap;
     HashMap<String, String> mapUTIFromMIMEType;
index 69c5810..d44bb09 100644 (file)
@@ -380,7 +380,6 @@ void WebProcessPool::platformInitializeWebProcess(const WebProcessProxy& process
     if (!WebCore::IOSApplication::isMobileSafari() || _AXSApplicationAccessibilityEnabled()) {
         static const char* services[] = {
             "com.apple.lsd.open",
-            "com.apple.lsd.mapdb",
             "com.apple.mobileassetd",
             "com.apple.iconservices",
             "com.apple.PowerManagement.control",
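Review bot: dropping `"com.apple.lsd.mapdb"` from `services[]` also removes the permanent grant that non-MobileSafari and accessibility-enabled clients previously received, so those clients now rely solely on the one-shot extension consumed at launch; the ChangeLog should say so, and it is worth confirming that nothing on those paths needs the mapping service after the single UTType call made in WebProcess::platformInitializeWebProcess.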
@@ -415,6 +414,10 @@ void WebProcessPool::platformInitializeWebProcess(const WebProcessProxy& process
     parameters.systemHasBattery = systemHasBattery();
     parameters.mimeTypesMap = commonMimeTypesMap();
     parameters.mapUTIFromMIMEType = createUTIFromMIMETypeMap();
+
+    SandboxExtension::Handle mapDBHandle;
+    SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport);
+    parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);
 #endif
     
 #if PLATFORM(IOS)
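Review bot: the result of `SandboxExtension::createHandleForMachLookup` is not checked, and `parameters.mapDBExtensionHandle` is assigned from `mapDBHandle` regardless of whether handle creation succeeded; since the receiving side asserts that `consume()` succeeds, only set `mapDBExtensionHandle` when creation succeeds, e.g. `if (SandboxExtension::createHandleForMachLookup("com.apple.lsd.mapdb", WTF::nullopt, mapDBHandle, SandboxExtension::Flags::NoReport)) parameters.mapDBExtensionHandle = WTFMove(mapDBHandle);`, so a failure in the UI process shows up as a skipped mapping rather than a failed consume in the web process.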
index 20df9c4..9b9e822 100644 (file)
 #import "RunningBoardServicesSPI.h"
 #import "UserInterfaceIdiom.h"
 #import "WKAccessibilityWebPageObjectIOS.h"
+#import <MobileCoreServices/MobileCoreServices.h>
 #import <UIKit/UIAccessibility.h>
 #import <WebCore/UTTypeRecordSwizzler.h>
 #import <pal/spi/ios/GraphicsServicesSPI.h>
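Review bot: the `#import <WebCore/UTTypeRecordSwizzler.h>` two lines below the new `MobileCoreServices` import is left in place even though this same patch defines `USE_UTTYPE_SWIZZLER` as 0 in PlatformUse.h; check whether that import and the code it supports are now unused in this file and remove them if so.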
@@ -274,6 +275,17 @@ void WebProcess::platformInitializeWebProcess(WebProcessCreationParameters& para
     if (parameters.neSessionManagerExtensionHandle)
         SandboxExtension::consumePermanently(*parameters.neSessionManagerExtensionHandle);
     NetworkExtensionContentFilter::setHasConsumedSandboxExtensions(parameters.neHelperExtensionHandle.hasValue() && parameters.neSessionManagerExtensionHandle.hasValue());
+
+    if (parameters.mapDBExtensionHandle) {
+        auto extension = SandboxExtension::create(WTFMove(*parameters.mapDBExtensionHandle));
+        bool ok = extension->consume();
+        ASSERT_UNUSED(ok, ok);
+        // Perform an API call which will communicate with the database mapping service, and map the database.
+        auto r = adoptCF(UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, CFSTR("text/html"), 0));
+        ok = extension->revoke();
+        ASSERT_UNUSED(ok, ok);
+    }
+
     setSystemHasBattery(parameters.systemHasBattery);
 
     if (parameters.mimeTypesMap)
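Review bot: if `extension->consume()` fails in a release build (where `ASSERT_UNUSED` compiles out), the code still calls `UTTypeCreatePreferredIdentifierForTag`, which the now-denied `com.apple.lsd.mapdb` rule will block and report with a backtrace, and then calls `revoke()` on an extension that was never consumed; guard both on the consume result, e.g. `if (ok) { auto r = adoptCF(...); ok = extension->revoke(); ASSERT_UNUSED(ok, ok); }`. A short comment on `r` noting that the returned identifier is intentionally discarded would also make the purpose of the call obvious.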
index c8960dd..0776e27 100644 (file)
     (global-name "com.apple.PowerManagement.control")
     (global-name "com.apple.cfprefsd.daemon")
     (global-name "com.apple.coreservices.launchservicesd")
-    (global-name "com.apple.lsd.mapdb")
     (global-name "com.apple.trustd.agent")
 )
 
             "com.apple.webinspector"
             "com.apple.cfprefsd.daemon"
             "com.apple.tccd"
+            "com.apple.lsd.mapdb"
 
             ;;; FIXME(207716): The following should be removed when the GPU process is complete
             "com.apple.audio.AudioComponentRegistrar" "com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.endpointstream.xpc"
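Review bot: the macOS profile change in this hunk has no test coverage on this page, since the only test named in the ChangeLog is `fast/sandbox/ios/sandbox-mach-lookup.html`; add the equivalent `shouldBeFalse` check for `"com.apple.lsd.mapdb"` to a macOS sandbox lookup test, or note why none applies. Separately, the new `"com.apple.lsd.mapdb"` entry sits directly above the `FIXME(207716)` group of temporarily listed services; a blank line or comment would keep it from reading as part of that block.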