[macOS] WebContent sandbox; remove AppleIntelMEUserClient
https://bugs.webkit.org/show_bug.cgi?id=219012
<rdar://problem/70462796>

Reviewed by Eric Carlson.

Source/WebKit:

Instead of globally extending access to the AppleIntelMEUserClient IOKit class,
only extend it when the GPU process is not in use.

* UIProcess/WebPageProxy.cpp:
(WebKit::gpuIOKitClasses): Add 'AppleIntelMEUserClient' as a dynamically-extended
IOKit class.
* WebProcess/com.apple.WebProcess.sb.in: Only allow 'AppleIntelMEUserClient' if it
was dynamically extended.

Tools:

Update the various sandboxes to allow the UIProcess to extend IOKit classes
to child processes on macOS. We already do this on iOS.

* MiniBrowser/MiniBrowser.entitlements:
* TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements:
* TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements:
* WebKitTestRunner/Configurations/WebKitTestRunner.entitlements:


Canonical link: https://commits.webkit.org/232068@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@270381 268f45cc-cd09-0410-ab3c-d52691b4dbfc
brentfulgham committed Dec 3, 2020
1 parent 0488642 commit b504567a866b5dbc2550aae23c9e6d0086971523
Showing 8 changed files with 66 additions and 11 deletions.
@@ -1,3 +1,20 @@
2020-12-02 Brent Fulgham <bfulgham@apple.com>

[macOS] WebContent sandbox; remove AppleIntelMEUserClient
https://bugs.webkit.org/show_bug.cgi?id=219012
<rdar://problem/70462796>

Reviewed by Eric Carlson.

Instead of globally extending access to the AppleIntelMEUserClient IOKit class,
only extend it when the GPU process is not in use.

* UIProcess/WebPageProxy.cpp:
(WebKit::gpuIOKitClasses): Add 'AppleIntelMEUserClient' as a dynamically-extended
IOKit class.
* WebProcess/com.apple.WebProcess.sb.in: Only allow 'AppleIntelMEUserClient' if it
was dynamically extended.

2020-12-02 Wenson Hsieh <wenson_hsieh@apple.com>

Unreviewed, fix the iOS build after r270362
@@ -7738,6 +7738,9 @@ static const Vector<ASCIILiteral>& gpuIOKitClasses()
"IOMobileFramebufferUserClient"_s,
"IOSurfaceAcceleratorClient"_s,
"IOSurfaceRootUserClient"_s,
#endif
#if PLATFORM(MAC) || PLATFORM(MACCATALYST)
"AppleIntelMEUserClient"_s,
#endif
});
return services;
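Review bot: the new `"AppleIntelMEUserClient"_s` entry is guarded by `#if PLATFORM(MAC) || PLATFORM(MACCATALYST)`, while the commit title and ChangeLog describe a macOS-only change and the only sandbox profile edited is com.apple.WebProcess.sb.in; please confirm Catalyst is intended here or narrow the guard to `PLATFORM(MAC)`. A one-line comment on the entry stating that this list is only extended to WebContent when the GPU process is not in use (as the ChangeLog says) would also help the next reader of gpuIOKitClasses().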
@@ -180,7 +180,10 @@

;; This is needed for Encrypted Media on some hardware (MacMini8,1 for example)
(allow iokit-open
(iokit-registry-entry-class "AppleIntelMEUserClient")
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-registry-entry-class "AppleIntelMEUserClient")
)
#if HAVE(SANDBOX_MESSAGE_FILTERING)
(with telemetry-backtrace)
(apply-message-filter
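Review bot: the comment `;; This is needed for Encrypted Media on some hardware (MacMini8,1 for example)` still reads as if the class were allowed unconditionally, but the rule now requires `(extension "com.apple.webkit.extension.iokit")` alongside the class match; add a line saying the UI process issues that extension only when the GPU process is not in use, so that an EME failure on this hardware is traced to a missing extension rather than to the class being dropped from the profile.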
@@ -1606,4 +1609,16 @@
)
)
)

;; FIXME: This is just for logging. Remove when the GPU process is enabled by default.
;; These should only be accessed through an iokit-extension, so log if they are not.
(allow iokit-open (with report) (with telemetry-backtrace)
(require-all
(require-not (extension "com.apple.webkit.extension.iokit"))
(iokit-registry-entry-class
"AppleIntelMEUserClient"
)
)
)

#endif // HAVE(SANDBOX_MESSAGE_FILTERING)
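Review bot: the logging rule `(allow iokit-open (with report) (with telemetry-backtrace)` with `(require-not (extension "com.apple.webkit.extension.iokit"))` is still an `allow`, so on builds with HAVE(SANDBOX_MESSAGE_FILTERING) a WebContent process that was never handed the extension can still open AppleIntelMEUserClient; the open is only reported. That matches the FIXME, but the ChangeLog line "Only allow 'AppleIntelMEUserClient' if it was dynamically extended" overstates it; suggest amending the ChangeLog to say the unextended path is reported rather than denied until the GPU process is enabled by default, and filing a bug referenced from the FIXME so the logging rule is actually removed at that point.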
@@ -1,3 +1,19 @@
2020-12-02 Brent Fulgham <bfulgham@apple.com>

[macOS] WebContent sandbox; remove AppleIntelMEUserClient
https://bugs.webkit.org/show_bug.cgi?id=219012
<rdar://problem/70462796>

Reviewed by Eric Carlson.

Update the various sandboxes to allow the UIProcess to extend IOKit classes
to child processes on macOS. We already do this on iOS.

* MiniBrowser/MiniBrowser.entitlements:
* TestWebKitAPI/Configurations/TestWebKitAPI-macOS-internal.entitlements:
* TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements:
* WebKitTestRunner/Configurations/WebKitTestRunner.entitlements:

2020-12-02 Jonathan Bedard <jbedard@apple.com>

[webkitcorepy] Allow caller of autoinstall to specify CA file
@@ -21,6 +21,7 @@
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
<string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
</array>
<key>com.apple.security.device.camera</key>
<true/>
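Review bot: the added `(allow iokit-issue-extension (require-all (extension-class "com.apple.webkit.extension.iokit")))` mirrors the existing mach clause and is repeated by hand in each of the four entitlements files; that is fine for the test tools, but the Tools ChangeLog should note that any macOS host app must carry the same temporary-exception entitlement, since without it the UI process cannot issue the IOKit extension that the WebContent profile now requires for AppleIntelMEUserClient.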
@@ -13,6 +13,7 @@
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
<string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
</array>
</dict>
</plist>
@@ -9,6 +9,7 @@
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
<string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
</array>
</dict>
</plist>
@@ -1,14 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>keychain-access-groups</key>
<array>
<string>com.apple.WebKitTestRunner</string>
</array>
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
</array>
</dict>
<dict>
<key>keychain-access-groups</key>
<array>
<string>com.apple.WebKitTestRunner</string>
</array>
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>
<string>(allow iokit-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.iokit&quot;)))</string>
</array>
</dict>
</plist>
