Runtime reachability of IPC endpoints should be defined within the .m…

…essages.in files

https://bugs.webkit.org/show_bug.cgi?id=259552
rdar://112970535

Reviewed by Alex Christensen.

We should define the runtime reachability of IPC endpoints consistently
within the .messages.in files. Previously, this was achieved by a series
of MESSAGE_CHECKS placed within the receiving handlers. This change
introduces an [EnabledIf=""] attribute, which can be used within the
.messages.in files, which defines additional criteria which must be met at
runtime in order for the receiving handler to be invoked. Any messages received
which don't satisfy the additional criteria are dropped the same way as
if the endpoint had received a message it didn't know about.

* LayoutTests/TestExpectations:
* LayoutTests/ipc/restrictedendpoints/allow-access-attachmentElement-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/allow-access-attachmentElement.html: Added.
* LayoutTests/ipc/restrictedendpoints/allow-access-modelElement-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/allow-access-modelElement.html: Added.
* LayoutTests/ipc/restrictedendpoints/allow-access-webGPU-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/allow-access-webGPU.html: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-attachmentElement-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-attachmentElement.html: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-modelElement-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-modelElement.html: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-updateQuotaBasedOnSpaceUsageForTesting-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-webGPU-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-webGPU.html: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-webPush-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/deny-access-webPush.html:
* LayoutTests/ipc/restrictedendpoints/no-test-only-ipc-expected-crash-expected.txt: Added.
* LayoutTests/ipc/restrictedendpoints/no-test-only-ipc-expected-crash.html:
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.h:
(WebKit::GPUConnectionToWebProcess::isWebGPUEnabled):
(WebKit::GPUConnectionToWebProcess::isWebGLEnabled):
(WebKit::GPUConnectionToWebProcess::updateWebGLEnabled):
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:
* Source/WebKit/GPUProcess/GPUProcess.cpp:
(WebKit::GPUProcess::updateWebGLEnabled):
* Source/WebKit/GPUProcess/GPUProcess.h:
* Source/WebKit/GPUProcess/GPUProcess.messages.in:
* Source/WebKit/GPUProcess/media/RemoteAudioSessionProxy.cpp:
(WebKit::RemoteAudioSessionProxy::allowTestOnlyIPC):
* Source/WebKit/GPUProcess/media/RemoteAudioSessionProxy.h:
* Source/WebKit/GPUProcess/media/RemoteAudioSessionProxy.messages.in:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Source/WebKit/Scripts/webkit/messages.py:
(async_message_statement):
(sync_message_statement):
* Source/WebKit/Scripts/webkit/model.py:
(Message.__init__):
* Source/WebKit/Scripts/webkit/parser.py:
(parse):
* Source/WebKit/UIProcess/GPU/GPUProcessProxy.cpp:
(WebKit::GPUProcessProxy::updateWebGLEnabled):
* Source/WebKit/UIProcess/GPU/GPUProcessProxy.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::m_limitsNavigationsToAppBoundDomains):
(WebKit::WebPageProxy::attachmentElementEnabled):
(WebKit::WebPageProxy::modelElementEnabled):
(WebKit::WebPageProxy::launchProcess):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/UIProcess/WebPageProxy.messages.in:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::addExistingWebPage):
(WebKit::WebProcessProxy::removeWebPage):
(WebKit::WebProcessProxy::updatePreferencesEnabledStateInGPUProcess):
(WebKit::WebProcessProxy::updateWebGPUEnabledStateInGPUProcess): Deleted.
* Source/WebKit/UIProcess/WebProcessProxy.h:

Canonical link: https://commits.webkit.org/267014@main

LayoutTests/TestExpectations

@@ -6270,10 +6270,12 @@ imported/w3c/web-platform-tests/css/css-text/text-spacing/tentative/parsing/text
 imported/w3c/web-platform-tests/css/css-text/text-spacing/tentative/parsing [ Skip ]
 
 # This test is checking that WebContent is terminated when performing an invalid IPC operation
-ipc/restrictedendpoints/no-test-only-ipc-expected-crash.html [ Crash ]
-ipc/restrictedendpoints/deny-access-updateQuotaBasedOnSpaceUsageForTesting.html [ Crash ]
+[ Debug ] ipc/restrictedendpoints/no-test-only-ipc-expected-crash.html [ Crash ]
+[ Debug ] ipc/restrictedendpoints/deny-access-webGPU.html [ Crash ]
+[ Debug ] ipc/restrictedendpoints/deny-access-modelElement.html [ Crash ]
+[ Debug ] ipc/restrictedendpoints/deny-access-attachmentElement.html [ Crash ]
 [ Debug ] ipc/restrictedendpoints/deny-access-webPush.html [ Crash ]
-[ Release ] ipc/restrictedendpoints/deny-access-webPush.html [ Skip ]
+[ Debug ] ipc/restrictedendpoints/deny-access-updateQuotaBasedOnSpaceUsageForTesting.html [ Crash ]
 
 # Early hints require network callbacks that are only present in macOS 12 / iOS 15 or greater.
 http/wpt/loading/early-hints [ Skip ]

LayoutTests/ipc/restrictedendpoints/allow-access-attachmentElement-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/allow-access-attachmentElement.html

@@ -0,0 +1,28 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ IPCTestingAPIEnabled=true IgnoreInvalidMessageWhenIPCTestingAPIEnabled=false AttachmentElementEnabled=true ] -->
+<title>Test that calling into attachmentElement specific methods, like RegisterAttachmentIdentifier, is enabled if AttachmentElementEnabled is true</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+<script>
+	testRunner.dumpAsText();
+
+	if (window.IPC) {
+		IPC.sendMessage(
+		'UI',
+		IPC.webPageProxyID,
+		IPC.messages.WebPageProxy_RegisterAttachmentIdentifier.name,
+		[
+			{
+			type: 'String',
+			value: 'Some UUID'
+			}
+		]
+		);
+
+		setTimeout(()=>{testRunner.notifyDone();}, 100)
+	} else {
+		testRunner.notifyDone();
+	}
+
+</script>
+</body>

LayoutTests/ipc/restrictedendpoints/allow-access-modelElement-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/allow-access-modelElement.html

@@ -0,0 +1,27 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ IPCTestingAPIEnabled=true IgnoreInvalidMessageWhenIPCTestingAPIEnabled=false ModelElementEnabled=true ] -->
+<title>Test that calling into modelElement specific methods, like ModelElementDestroyRemotePreview, is enabled if ModelElementEnabled is true</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+<script>
+	testRunner.dumpAsText();
+
+	if (window.IPC) {
+		IPC.sendMessage(
+		'UI',
+		IPC.webPageProxyID,
+		IPC.messages.WebPageProxy_ModelElementDestroyRemotePreview.name,
+		[
+			{
+			type: 'String',
+			value: 'Some UUID'
+			}
+		]
+		);
+
+		setTimeout(()=>{testRunner.notifyDone();}, 100);
+	} else {
+		testRunner.notifyDone();
+	}
+</script>
+</body>

LayoutTests/ipc/restrictedendpoints/allow-access-webGPU-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/allow-access-webGPU.html

@@ -0,0 +1,60 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ IPCTestingAPIEnabled=true WebGPUEnabled=true ] -->
+<title>Test that instantiating a remoteGPU is allowed if WebGPUEnabled</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+<script>
+	if (window.IPC) {
+		function randomID() {
+			return Math.floor(Math.random() * 10000) + 1;
+		}
+
+		function sleep(ms) {
+			return new Promise(resolve => setTimeout(resolve, ms));
+		}
+
+		let renderingBackendID = randomID();
+		let webgpuID = randomID();
+		let semaphore = IPC.createSemaphore();
+
+		let connectionIdentifier = IPC.createSharedMemory(0x1000);
+
+		let connectionPair = IPC.createConnectionPair();
+		let streamConnection = IPC.createStreamClientConnection(16);
+		let webgpuStreamConnection = IPC.createStreamClientConnection(16);
+
+		IPC.sendMessage(
+		'GPU',
+		IPC.webPageProxyID,
+		IPC.messages.GPUConnectionToWebProcess_CreateRenderingBackend.name,
+		[
+			{ // creationParameters
+			type: 'RemoteRenderingBackendCreationParameters',
+			identifier: renderingBackendID,
+			pageProxyID: IPC.webPageProxyID,
+			pageID: IPC.pageID,
+			},
+			{ // connectionIdentifier
+			type: 'StreamServerConnectionHandle',
+			value: streamConnection[1],
+			}
+		]
+		);
+
+		var result = IPC.sendMessage(
+		'GPU',
+		IPC.webPageProxyID,
+		IPC.messages.GPUConnectionToWebProcess_CreateRemoteGPU.name,
+		[
+			{ type: 'uint64_t', value: webgpuID }, // identifier
+			{ type: 'uint64_t', value: renderingBackendID }, // renderingBackendIdentifier
+			{ type: 'StreamServerConnectionHandle', value: streamConnection[1] }, // stream
+		]
+		);
+
+		setTimeout(()=>{testRunner.notifyDone();}, 100)
+	} else {
+		testRunner.notifyDone();
+	}
+</script>
+</body>

LayoutTests/ipc/restrictedendpoints/deny-access-attachmentElement-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/deny-access-attachmentElement.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ IPCTestingAPIEnabled=true IgnoreInvalidMessageWhenIPCTestingAPIEnabled=false AttachmentElementEnabled=false ] -->
+<title>Test that calling into attachmentElement specific methods, like RegisterAttachmentIdentifier, is disabled if AttachmentElementEnabled is false</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+<script>
+	testRunner.dumpAsText();
+
+	if (window.IPC) {
+
+		function randomID() {
+			return Math.floor(Math.random() * 10000) + 1;
+		}
+
+		function sleep(ms) {
+			return new Promise(resolve => setTimeout(resolve, ms));
+		}
+
+		IPC.sendMessage(
+		'UI',
+		IPC.webPageProxyID,
+		IPC.messages.WebPageProxy_RegisterAttachmentIdentifier.name,
+		[
+			{
+			type: 'String',
+			value: 'Some UUID'
+			}
+		]
+		);
+
+		setTimeout(()=>{console.log("Should Have Crashed!"); testRunner.notifyDone();}, 100)
+	} else {
+		testRunner.notifyDone();
+	}
+</script>
+</body>

LayoutTests/ipc/restrictedendpoints/deny-access-modelElement-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/deny-access-modelElement.html

@@ -0,0 +1,27 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ IPCTestingAPIEnabled=true IgnoreInvalidMessageWhenIPCTestingAPIEnabled=false ModelElementEnabled=false ] -->
+<title>Test that calling into modelElement specific methods, like ModelElementDestroyRemotePreview, is disabled if ModelElementEnabled is false</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+<script>
+	testRunner.dumpAsText();
+
+	if (window.IPC) {
+		IPC.sendMessage(
+		'UI',
+		IPC.webPageProxyID,
+		IPC.messages.WebPageProxy_ModelElementDestroyRemotePreview.name,
+		[
+			{
+			type: 'String',
+			value: 'Some UUID'
+			}
+		]
+		);
+
+		setTimeout(()=>{console.log("Should Have Crashed!"); testRunner.notifyDone();}, 100)
+	} else {
+		testRunner.notifyDone();
+	}
+</script>
+</body>

LayoutTests/ipc/restrictedendpoints/deny-access-updateQuotaBasedOnSpaceUsageForTesting-expected.txt

@@ -0,0 +1,3 @@
+
+PASS Send updateQuotaBasedOnSpaceUsage without AllowTestOnlyIPC being set
+

LayoutTests/ipc/restrictedendpoints/deny-access-webGPU-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/deny-access-webGPU.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ IPCTestingAPIEnabled=true IgnoreInvalidMessageWhenIPCTestingAPIEnabled=false WebGPUEnabled=false ] -->
+<title>Test that instantiating a remoteGPU is allowed if WebGPUEnabled</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+<script>
+	testRunner.dumpAsText();
+
+	if (window.IPC) {
+		function randomID() {
+			return Math.floor(Math.random() * 10000) + 1;
+		}
+
+		function sleep(ms) {
+			return new Promise(resolve => setTimeout(resolve, ms));
+		}
+
+		let renderingBackendID = randomID();
+		let webgpuID = randomID();
+		let semaphore = IPC.createSemaphore();
+
+		let connectionIdentifier = IPC.createSharedMemory(0x1000);
+
+		let connectionPair = IPC.createConnectionPair();
+		let streamConnection = IPC.createStreamClientConnection(16);
+		let webgpuStreamConnection = IPC.createStreamClientConnection(16);
+		console.log("HERE")
+
+		IPC.sendMessage(
+		'GPU',
+		IPC.webPageProxyID,
+		IPC.messages.GPUConnectionToWebProcess_CreateRenderingBackend.name,
+		[
+			{ // creationParameters
+			type: 'RemoteRenderingBackendCreationParameters',
+			identifier: renderingBackendID,
+			pageProxyID: IPC.webPageProxyID,
+			pageID: IPC.pageID,
+			},
+			{ // connectionIdentifier
+			type: 'StreamServerConnectionHandle',
+			value: streamConnection[1],
+			}
+		]
+		);
+
+		var result = IPC.sendMessage(
+		'GPU',
+		IPC.webPageProxyID,
+		IPC.messages.GPUConnectionToWebProcess_CreateRemoteGPU.name,
+		[
+			{ type: 'uint64_t', value: webgpuID }, // identifier
+			{ type: 'uint64_t', value: renderingBackendID }, // renderingBackendIdentifier
+			{ type: 'StreamServerConnectionHandle', value: streamConnection[1] }, // stream
+		]
+		);
+
+		setTimeout(()=>{console.log("Should Have Crashed!"); testRunner.notifyDone();}, 100)
+	} else {
+		testRunner.notifyDone();
+	}
+</script>
+</body>

LayoutTests/ipc/restrictedendpoints/deny-access-webPush-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/deny-access-webPush.html

@@ -4,10 +4,12 @@
 <script src="../../resources/testharnessreport.js"></script>
 <body>
 <script>
-
-if (window.IPC) {
-    buf = new Uint8Array();
-    IPC.sendMessage('Networking',IPC.webPageProxyID,IPC.messages.NotificationManagerMessageHandler_PageWasNotifiedOfNotificationPermission.name,[]);
-}
+    if (window.IPC) {
+        buf = new Uint8Array();
+        IPC.sendMessage('Networking',IPC.webPageProxyID,IPC.messages.NotificationManagerMessageHandler_PageWasNotifiedOfNotificationPermission.name,[]);
+        setTimeout(()=>{console.log("Should Have Crashed!"); testRunner.notifyDone();}, 100)
+    } else {
+		testRunner.notifyDone();
+	}
 </script>
 </body>

LayoutTests/ipc/restrictedendpoints/no-test-only-ipc-expected-crash-expected.txt

@@ -0,0 +1 @@
+

LayoutTests/ipc/restrictedendpoints/no-test-only-ipc-expected-crash.html

@@ -4,13 +4,13 @@
 <script src="../../resources/testharnessreport.js"></script>
 <body>
 <script>
+    testRunner.dumpAsText();
 
-promise_test(async t => {
     if (!window.internals)
-        return;
+        throw 'window.internals are not available';
 
     internals.beginAudioSessionInterruption();
-}, "Send beginAudioSessionInterruption without AllowTestOnlyIPC being set");
 
+    setTimeout(()=>{testRunner.notifyDone();}, 100)
 </script>
 </body>

LayoutTests/platform/glib/ipc/restrictedendpoints/no-test-only-ipc-expected-crash-expected.txt

@@ -1,3 +1 @@
 
-PASS Send beginAudioSessionInterruption without AllowTestOnlyIPC being set
-

Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml

@@ -3041,6 +3041,19 @@ IPCTestingAPIEnabled:
     WebKit:
       default: false
 
+IgnoreInvalidMessageWhenIPCTestingAPIEnabled:
+  type: bool
+  status: internal
+  category: security
+  humanReadableName: "Ignore Invalid IPC Messages For Testing"
+  humanReadableDescription: "Prevents invalid IPC messages from terminating the caller"
+  webcoreBinding: none
+  condition: ENABLE(IPC_TESTING_API)
+  exposed: [ WebKit ]
+  defaultValue:
+    WebKit:
+      default: true
+
 ImageAnalysisDuringFindInPageEnabled:
   type: bool
   status: unstable

Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp

@@ -278,6 +278,7 @@ GPUConnectionToWebProcess::GPUConnectionToWebProcess(GPUProcess& gpuProcess, Web
     , m_routingArbitrator(LocalAudioSessionRoutingArbitrator::create(*this))
 #endif
     , m_webGPUEnabled(parameters.isWebGPUEnabled)
+    , m_webGLEnabled(parameters.isWebGLEnabled)
 {
     RELEASE_ASSERT(RunLoop::isMain());
 

Source/WebKit/GPUProcess/GPUConnectionToWebProcess.h

@@ -131,7 +131,10 @@ class GPUConnectionToWebProcess
     static Ref<GPUConnectionToWebProcess> create(GPUProcess&, WebCore::ProcessIdentifier, PAL::SessionID, IPC::Connection::Handle&&, GPUProcessConnectionParameters&&);
     virtual ~GPUConnectionToWebProcess();
 
+    bool isWebGPUEnabled() { return m_webGPUEnabled; }
     void updateWebGPUEnabled(bool webGPUEnabled) { m_webGPUEnabled = webGPUEnabled; }
+    bool isWebGLEnabled() { return m_webGLEnabled; }
+    void updateWebGLEnabled(bool webGLEnabled) { m_webGLEnabled = webGLEnabled; }
     void updateDOMRenderingEnabled(bool isDOMRenderingEnabled) { m_isDOMRenderingEnabled = isDOMRenderingEnabled; }
 
     using WebCore::NowPlayingManager::Client::weakPtrFactory;
@@ -416,6 +419,7 @@ class GPUConnectionToWebProcess
     IPCTester m_ipcTester;
 #endif
     bool m_webGPUEnabled { false };
+    bool m_webGLEnabled { false };
 };
 
 } // namespace WebKit

Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in

@@ -27,11 +27,11 @@ messages -> GPUConnectionToWebProcess WantsDispatchMessage {
     void ReleaseRenderingBackend(WebKit::RenderingBackendIdentifier renderingBackendIdentifier) AllowedWhenWaitingForSyncReply
     void ReleaseSerializedImageBuffer(WebCore::RenderingResourceIdentifier imageBuffer)
 #if ENABLE(WEBGL)
-    void CreateGraphicsContextGL(struct WebCore::GraphicsContextGLAttributes attributes, WebKit::GraphicsContextGLIdentifier graphicsContextGLIdentifier, WebKit::RenderingBackendIdentifier renderingBackendIdentifier, IPC::StreamServerConnection::Handle serverConnection) AllowedWhenWaitingForSyncReply
-    void ReleaseGraphicsContextGL(WebKit::GraphicsContextGLIdentifier graphicsContextGLIdentifier) AllowedWhenWaitingForSyncReply
+    [EnabledIf='isWebGLEnabled()'] void CreateGraphicsContextGL(struct WebCore::GraphicsContextGLAttributes attributes, WebKit::GraphicsContextGLIdentifier graphicsContextGLIdentifier, WebKit::RenderingBackendIdentifier renderingBackendIdentifier, IPC::StreamServerConnection::Handle serverConnection) AllowedWhenWaitingForSyncReply
+    [EnabledIf='isWebGLEnabled()'] void ReleaseGraphicsContextGL(WebKit::GraphicsContextGLIdentifier graphicsContextGLIdentifier) AllowedWhenWaitingForSyncReply
 #endif
-    void CreateRemoteGPU(WebKit::WebGPUIdentifier identifier, WebKit::RenderingBackendIdentifier renderingBackendIdentifier, IPC::StreamServerConnection::Handle serverConnection) AllowedWhenWaitingForSyncReply
-    void ReleaseRemoteGPU(WebKit::WebGPUIdentifier identifier) AllowedWhenWaitingForSyncReply
+    [EnabledIf='isWebGPUEnabled()'] void CreateRemoteGPU(WebKit::WebGPUIdentifier identifier, WebKit::RenderingBackendIdentifier renderingBackendIdentifier, IPC::StreamServerConnection::Handle serverConnection) AllowedWhenWaitingForSyncReply
+    [EnabledIf='isWebGPUEnabled()'] void ReleaseRemoteGPU(WebKit::WebGPUIdentifier identifier) AllowedWhenWaitingForSyncReply
     void ClearNowPlayingInfo()
     void SetNowPlayingInfo(struct WebCore::NowPlayingInfo nowPlayingInfo)
 #if USE(AUDIO_SESSION)

Source/WebKit/GPUProcess/GPUProcess.cpp

@@ -126,6 +126,12 @@ void GPUProcess::updateWebGPUEnabled(WebCore::ProcessIdentifier processIdentifie
         connection->updateWebGPUEnabled(webGPUEnabled);
 }
 
+void GPUProcess::updateWebGLEnabled(WebCore::ProcessIdentifier processIdentifier, bool webGLEnabled)
+{
+    if (auto* connection = m_webProcessConnections.get(processIdentifier))
+        connection->updateWebGLEnabled(webGLEnabled);
+}
+
 void GPUProcess::updateDOMRenderingEnabled(WebCore::ProcessIdentifier processIdentifier, bool isDOMRenderingEnabled)
 {
     if (auto* connection = m_webProcessConnections.get(processIdentifier))