Block access to trustd on macOS

https://bugs.webkit.org/show_bug.cgi?id=264685 rdar://114834439 Reviewed by Sihui Liu. This can be achieved by using a new flag to skip code sign validation for trusted plugins. This change also enables us to remove eager opening of the trustd connection. * Source/WebCore/PAL/pal/spi/cf/VideoToolboxSPI.h: * Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm: (WebKit::WebProcessPool::platformInitializeWebProcess): * Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm: (WebKit::setVideoDecoderBehaviors): (WebKit::WebProcess::platformInitializeWebProcess): * Source/WebKit/WebProcess/com.apple.WebProcess.sb.in: Canonical link: https://commits.webkit.org/270720@main
WebKit · Nov 14, 2023 · e1fa6b5 · e1fa6b5
1 parent 362150b
commit e1fa6b5
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 3 deletions.
diff --git a/Source/WebCore/PAL/pal/spi/cf/VideoToolboxSPI.h b/Source/WebCore/PAL/pal/spi/cf/VideoToolboxSPI.h
@@ -32,6 +32,7 @@ enum {
     kVTRestrictions_AvoidHardwareDecoders       = 1UL << 1,
     kVTRestrictions_AvoidIOSurfaceBackings      = 1UL << 2,
     kVTRestrictions_AvoidHardwarePixelTransfer  = 1UL << 3,
+    kVTRestrictions_RegisterLimitedSystemDecodersWithoutValidation = 1UL<<6
 };
 typedef uint32_t VTVideoDecoderRestrictions;
 

diff --git a/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm b/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
@@ -448,7 +448,7 @@ static void logProcessPoolState(const WebProcessPool& pool)
 #endif
 
 #if HAVE(VIDEO_RESTRICTED_DECODING)
-#if PLATFORM(MAC)
+#if PLATFORM(MAC) && !ENABLE(TRUSTD_BLOCKING_IN_WEBCONTENT)
     // FIXME: this will not be needed when rdar://74144544 is fixed.
     if (auto trustdExtensionHandle = SandboxExtension::createHandleForMachLookup("com.apple.trustd.agent"_s, std::nullopt))
         parameters.trustdExtensionHandle = WTFMove(*trustdExtensionHandle);

diff --git a/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm b/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
@@ -314,6 +314,10 @@ static void setVideoDecoderBehaviors(OptionSet<VideoDecoderBehavior> videoDecode
     if (videoDecoderBehavior.contains(VideoDecoderBehavior::AvoidIOSurface))
         flags |= kVTRestrictions_AvoidIOSurfaceBackings;
 
+#if ENABLE(TRUSTD_BLOCKING_IN_WEBCONTENT)
+    flags |= kVTRestrictions_RegisterLimitedSystemDecodersWithoutValidation;
+#endif
+
     PAL::softLinkVideoToolboxVTRestrictVideoDecoders(flags, allowedCodecTypeList.data(), allowedCodecTypeList.size());
 }
 
@@ -346,7 +350,7 @@ static void setVideoDecoderBehaviors(OptionSet<VideoDecoderBehavior> videoDecode
 #endif
 
 #if HAVE(VIDEO_RESTRICTED_DECODING)
-#if PLATFORM(MAC)
+#if PLATFORM(MAC) && !ENABLE(TRUSTD_BLOCKING_IN_WEBCONTENT)
     OSObjectPtr<dispatch_semaphore_t> codeCheckSemaphore;
     if (SandboxExtension::consumePermanently(parameters.trustdExtensionHandle)) {
         // Open up a Mach connection to trustd by doing a code check validation on the main bundle.
@@ -547,7 +551,7 @@ static void setVideoDecoderBehaviors(OptionSet<VideoDecoderBehavior> videoDecode
 
     disableURLSchemeCheckInDataDetectors();
 
-#if HAVE(VIDEO_RESTRICTED_DECODING) && PLATFORM(MAC)
+#if HAVE(VIDEO_RESTRICTED_DECODING) && PLATFORM(MAC) && !ENABLE(TRUSTD_BLOCKING_IN_WEBCONTENT)
     if (codeCheckSemaphore)
         dispatch_semaphore_wait(codeCheckSemaphore.get(), DISPATCH_TIME_FOREVER);
 #endif

diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -1400,10 +1400,12 @@
 ))
 #endif
 
+#if !ENABLE(TRUSTD_BLOCKING_IN_WEBCONTENT)
 (allow mach-lookup
     (require-all
         (extension "com.apple.webkit.extension.mach")
         (global-name "com.apple.trustd.agent")))
+#endif
 
 #if ENABLE(LOGD_BLOCKING_IN_WEBCONTENT)
 (with-filter (system-attribute apple-internal)