Cherry-pick c284650. rdar://124356858

Restrict access to notifyd only when process has entitlement https://bugs.webkit.org/show_bug.cgi?id=271247 rdar://124356858 Reviewed by Sihui Liu. Restrict access to notifyd only when process has entitlement. This entitlement will only be set in the WebContent process for now. This change is fixing a regression from <https://commits.webkit.org/275186@main>, where notifications are not being received in the GPU process and Networking process, since notification changes are only being pushed to the WebContent process. * Source/WTF/wtf/spi/darwin/XPCSPI.h: * Source/WebKit/Scripts/process-entitlements.sh: * Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm: (WebKit::shouldRestrictNotifyd): (WebKit::setNotifyOptions): Canonical link: https://commits.webkit.org/276376@main Identifier: 276246.10@safari-7619.1.6-branch
WebKit · Mar 22, 2024 · 8c847ec · 8c847ec
1 parent 4320d68
commit 8c847ec
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/Source/WTF/wtf/spi/darwin/XPCSPI.h b/Source/WTF/wtf/spi/darwin/XPCSPI.h
@@ -234,6 +234,7 @@ const void * xpc_data_get_bytes_ptr(xpc_object_t xdata);
 size_t xpc_data_get_length(xpc_object_t xdata);
 xpc_object_t xpc_dictionary_get_array(xpc_object_t xdict, const char* key);
 
+xpc_object_t xpc_copy_entitlement_for_token(const char* name, audit_token_t*);
 
 #if OS_OBJECT_USE_OBJC_RETAIN_RELEASE
 #if !defined(xpc_retain)

diff --git a/Source/WebKit/Scripts/process-entitlements.sh b/Source/WebKit/Scripts/process-entitlements.sh
@@ -208,6 +208,11 @@ function mac_process_webcontent_shared_entitlements()
             plistbuddy Add :com.apple.runningboard.assertions.webkit bool YES
         fi
 
+        if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" > 140000 ))
+        then
+            plistbuddy Add :com.apple.developer.web-browser-engine.restrict.notifyd bool YES
+        fi
+
         if [[ "${WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT}" == YES ]]
         then
             plistbuddy Add :com.apple.private.xpc.domain-extension bool YES
@@ -350,6 +355,7 @@ function ios_family_process_webcontent_shared_entitlements()
     plistbuddy Add :com.apple.QuartzCore.webkit-end-points bool YES
     plistbuddy add :com.apple.QuartzCore.webkit-limited-types bool YES
     plistbuddy Add :com.apple.developer.coremedia.allow-alternate-video-decoder-selection bool YES
+    plistbuddy Add :com.apple.developer.web-browser-engine.restrict.notifyd bool YES
     plistbuddy Add :com.apple.mediaremote.set-playback-state bool YES
     plistbuddy Add :com.apple.pac.shared_region_id string WebContent
     plistbuddy Add :com.apple.private.allow-explicit-graphics-priority bool YES

diff --git a/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm b/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm
@@ -104,6 +104,22 @@ static void initializeLogd(bool disableLogging)
     RELEASE_LOG(Process, "Initialized logd %s", stringWithSpaces);
 }
 
+#if ENABLE(NOTIFY_BLOCKING)
+static bool shouldRestrictNotifyd()
+{
+    static dispatch_once_t once;
+    static bool hasEntitlement = false;
+    dispatch_once(&once, ^{
+        xpc_object_t entitlement = xpc_copy_entitlement_for_token("com.apple.developer.web-browser-engine.restrict.notifyd", nullptr);
+        if (entitlement == XPC_BOOL_TRUE)
+            hasEntitlement = true;
+        if (entitlement)
+            xpc_release(entitlement);
+    });
+    return hasEntitlement;
+}
+#endif
+
 static void setNotifyOptions()
 {
     static bool hasSetOptions = false;
@@ -116,7 +132,8 @@ static void setNotifyOptions()
     opts |= NOTIFY_OPT_DISPATCH | NOTIFY_OPT_REGEN | NOTIFY_OPT_FILTERED;
 #endif
 #if ENABLE(NOTIFY_BLOCKING)
-    opts |= NOTIFY_OPT_LOOPBACK;
+    if (shouldRestrictNotifyd())
+        opts |= NOTIFY_OPT_LOOPBACK;
 #endif
     if (!opts)
         return;