Use sandbox state flag to enable syscall telemetry

https://bugs.webkit.org/show_bug.cgi?id=272046
rdar://125796089

Reviewed by Sihui Liu.

Use sandbox state flag to enable syscall telemetry related to QuickLook. If the parent process
is able to set the state flag EnableQuickLookSandboxResources in the WebContent process, and
this state flag is not set, telemetry is enabled. This will enable us to determine which
rarely used syscalls are being used when not loading QuickLook documents. This will give us
information on which syscalls can be blocked in that scenario.

* Source/WTF/wtf/cocoa/Entitlements.h:
* Source/WTF/wtf/cocoa/Entitlements.mm:
(WTF::hasEntitlementValue):
(WTF::hasEntitlementValueInArray):
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Source/WebKit/Scripts/process-entitlements.sh:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::decidePolicyForResponseShared):
* Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess):
* Tools/MobileMiniBrowser/Configurations/MobileMiniBrowser.xcconfig:
* Tools/MobileMiniBrowser/MobileMiniBrowser.xcodeproj/project.pbxproj:
* Tools/MobileMiniBrowser/MobileMiniBrowser/MobileMiniBrowser.entitlements: Added.

Canonical link: https://commits.webkit.org/277118@main

Source/WTF/wtf/cocoa/Entitlements.h

@@ -39,6 +39,7 @@ WTF_EXPORT_PRIVATE bool hasEntitlement(xpc_connection_t, StringView entitlement)
 WTF_EXPORT_PRIVATE bool hasEntitlement(xpc_connection_t, ASCIILiteral entitlement);
 WTF_EXPORT_PRIVATE bool processHasEntitlement(ASCIILiteral entitlement);
 WTF_EXPORT_PRIVATE bool hasEntitlementValue(audit_token_t, ASCIILiteral entitlement, ASCIILiteral value);
+WTF_EXPORT_PRIVATE bool hasEntitlementValueInArray(audit_token_t, ASCIILiteral entitlement, ASCIILiteral value);
 
 } // namespace WTF
 

Source/WTF/wtf/cocoa/Entitlements.mm

@@ -68,11 +68,36 @@ bool hasEntitlementValue(audit_token_t token, ASCIILiteral entitlement, ASCIILit
 {
     auto secTaskForToken = adoptCF(SecTaskCreateWithAuditToken(kCFAllocatorDefault, token));
     if (!secTaskForToken)
-        return { };
+        return false;
 
     auto string = adoptCF(CFStringCreateWithCStringNoCopy(kCFAllocatorDefault, entitlement.characters(), kCFStringEncodingASCII, kCFAllocatorNull));
     String entitlementValue = dynamic_cf_cast<CFStringRef>(adoptCF(SecTaskCopyValueForEntitlement(secTaskForToken.get(), string.get(), nullptr)).get());
     return entitlementValue == value;
 }
 
+bool hasEntitlementValueInArray(audit_token_t token, ASCIILiteral entitlement, ASCIILiteral value)
+{
+    auto secTaskForToken = adoptCF(SecTaskCreateWithAuditToken(kCFAllocatorDefault, token));
+    if (!secTaskForToken)
+        return false;
+
+    auto string = adoptCF(CFStringCreateWithCStringNoCopy(kCFAllocatorDefault, entitlement.characters(), kCFStringEncodingASCII, kCFAllocatorNull));
+    auto entitlementValue = adoptCF(SecTaskCopyValueForEntitlement(secTaskForToken.get(), string.get(), nullptr)).get();
+    if (!entitlementValue || CFGetTypeID(entitlementValue) != CFArrayGetTypeID())
+        return false;
+
+    RetainPtr<CFArrayRef> array = static_cast<CFArrayRef>(entitlementValue);
+
+    for (CFIndex i = 0; i < CFArrayGetCount(array.get()); ++i) {
+        auto element = CFArrayGetValueAtIndex(array.get(), i);
+        if (CFGetTypeID(element) != CFStringGetTypeID())
+            continue;
+        CFStringRef stringElement = static_cast<CFStringRef>(element);
+        if (value == stringElement)
+            return true;
+    }
+
+    return false;
+}
+
 } // namespace WTF

Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

@@ -1103,14 +1103,16 @@
 
 
 #if ENABLE(QUICKLOOK_SANDBOX_RESTRICTIONS)
-(with-filter (require-not (state-flag "EnableQuickLookSandboxResources"))
+(allow syscall-unix
+    (syscall-unix-rarely-in-use)
+    (syscall-unix-rarely-in-use-blocked-in-lockdown-mode))
+(with-filter
+    (require-all
+        (state-flag "ParentProcessCanEnableQuickLookStateFlag")
+        (require-not (state-flag "EnableQuickLookSandboxResources")))
     (allow syscall-unix (with report) (with telemetry-backtrace)
         (syscall-unix-rarely-in-use)
         (syscall-unix-rarely-in-use-blocked-in-lockdown-mode)))
-(with-filter (state-flag "EnableQuickLookSandboxResources")
-    (allow syscall-unix
-        (syscall-unix-rarely-in-use)
-        (syscall-unix-rarely-in-use-blocked-in-lockdown-mode)))
 #else
 (allow syscall-unix
     (syscall-unix-rarely-in-use)

Source/WebKit/Scripts/process-entitlements.sh

@@ -187,10 +187,12 @@ function webcontent_sandbox_entitlements()
     plistbuddy Add :com.apple.private.security.mutable-state-flags:1 string BlockIOKitInWebContentSandbox
     plistbuddy Add :com.apple.private.security.mutable-state-flags:2 string local:WebContentProcessLaunched
     plistbuddy Add :com.apple.private.security.mutable-state-flags:3 string EnableQuickLookSandboxResources
+    plistbuddy Add :com.apple.private.security.mutable-state-flags:4 string ParentProcessCanEnableQuickLookStateFlag
     plistbuddy Add :com.apple.private.security.enable-state-flags array
     plistbuddy Add :com.apple.private.security.enable-state-flags:0 string EnableExperimentalSandbox
     plistbuddy Add :com.apple.private.security.enable-state-flags:1 string BlockIOKitInWebContentSandbox
     plistbuddy Add :com.apple.private.security.enable-state-flags:2 string local:WebContentProcessLaunched
+    plistbuddy Add :com.apple.private.security.enable-state-flags:3 string ParentProcessCanEnableQuickLookStateFlag
 }
 
 function notify_entitlements()

Source/WebKit/UIProcess/WebPageProxy.cpp

@@ -7222,7 +7222,8 @@ void WebPageProxy::decidePolicyForResponseShared(Ref<WebProcessProxy>&& process,
 #if ENABLE(QUICKLOOK_SANDBOX_RESTRICTIONS)
         if (policyAction == PolicyAction::Use && PreviewConverter::supportsMIMEType(navigationResponse->response().mimeType())) {
             auto auditToken = m_process->connection()->getAuditToken();
-            sandbox_enable_state_flag("EnableQuickLookSandboxResources", *auditToken);
+            bool status = sandbox_enable_state_flag("EnableQuickLookSandboxResources", *auditToken);
+            WEBPAGEPROXY_RELEASE_LOG(Sandbox, "Enabling EnableQuickLookSandboxResources state flag, status = %d", status);
         }
 #endif // ENABLE(QUICKLOOK_SANDBOX_RESTRICTIONS)
 #endif // USE(QUICK_LOOK)

Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm

@@ -121,11 +121,13 @@
 #import <wtf/MemoryPressureHandler.h>
 #import <wtf/ProcessPrivilege.h>
 #import <wtf/SoftLinking.h>
+#import <wtf/cocoa/Entitlements.h>
 #import <wtf/cocoa/NSURLExtras.h>
 #import <wtf/cocoa/RuntimeApplicationChecksCocoa.h>
 #import <wtf/cocoa/TypeCastsCocoa.h>
 #import <wtf/cocoa/VectorCocoa.h>
 #import <wtf/spi/cocoa/OSLogSPI.h>
+#import <wtf/spi/darwin/SandboxSPI.h>
 
 #if ENABLE(REMOTE_INSPECTOR)
 #import <JavaScriptCore/RemoteInspector.h>
@@ -568,6 +570,17 @@ static void setVideoDecoderBehaviors(OptionSet<VideoDecoderBehavior> videoDecode
 
     disableURLSchemeCheckInDataDetectors();
 
+#if ENABLE(QUICKLOOK_SANDBOX_RESTRICTIONS)
+    if (auto auditToken = parentProcessConnection()->getAuditToken()) {
+        bool parentCanSetStateFlags = WTF::hasEntitlementValueInArray(auditToken.value(), "com.apple.private.security.enable-state-flags"_s, "EnableQuickLookSandboxResources"_s);
+        if (parentCanSetStateFlags) {
+            auto auditToken = auditTokenForSelf();
+            bool status = sandbox_enable_state_flag("ParentProcessCanEnableQuickLookStateFlag", auditToken.value());
+            WEBPROCESS_RELEASE_LOG(Sandbox, "Enabling ParentProcessCanEnableQuickLookStateFlag state flag, status = %d", status);
+        }
+    }
+#endif
+
 #if HAVE(VIDEO_RESTRICTED_DECODING) && PLATFORM(MAC) && !ENABLE(TRUSTD_BLOCKING_IN_WEBCONTENT)
     if (codeCheckSemaphore)
         dispatch_semaphore_wait(codeCheckSemaphore.get(), DISPATCH_TIME_FOREVER);

Tools/MobileMiniBrowser/Configurations/MobileMiniBrowser.xcconfig

@@ -24,3 +24,5 @@
 PRODUCT_NAME = MiniBrowser
 STRIP_STYLE=debugging
 SUPPORTED_PLATFORMS = iphoneos iphonesimulator xros xrsimulator;
+CODE_SIGN_ENTITLEMENTS[sdk=*simulator] = MobileMiniBrowser/MobileMiniBrowser.entitlements;
+OTHER_CODE_SIGN_FLAGS[sdk=*simulator] = ;

Tools/MobileMiniBrowser/MobileMiniBrowser.xcodeproj/project.pbxproj

@@ -117,6 +117,7 @@
 		CDC279282935417100151088 /* test.mp4 */ = {isa = PBXFileReference; lastKnownFileType = file; path = test.mp4; sourceTree = "<group>"; };
 		CDC279292935417100151088 /* looping2s.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = looping2s.html; sourceTree = "<group>"; };
 		DD954C942A90280800C6843C /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = System/Library/Frameworks/UIKit.framework; sourceTree = SDKROOT; };
+		E3C8BD852BBF286D00181A2E /* MobileMiniBrowser.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = MobileMiniBrowser.entitlements; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -177,6 +178,7 @@
 				CD1DAFA61D709E3600017CF0 /* Info.plist */,
 				CD1DAFA31D709E3600017CF0 /* LaunchScreen.storyboard */,
 				CD1DAF961D709E3600017CF0 /* main.m */,
+				E3C8BD852BBF286D00181A2E /* MobileMiniBrowser.entitlements */,
 			);
 			name = "MobileMiniBrowser App";
 			path = MobileMiniBrowser;

Tools/MobileMiniBrowser/MobileMiniBrowser/MobileMiniBrowser.entitlements

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.runningboard.assertions.webkit</key>
+	<true/>
+	<key>com.apple.private.security.enable-state-flags</key>
+	<array>
+		<string>EnableQuickLookSandboxResources</string>
+	</array>
+</dict>
+</plist>