WebKit Bugzilla
Attachment 359277 Details for
Bug 192670
: [macOS] Block coreservicesd in sandbox.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-192670-20190116101325.patch (text/plain), 4.05 KB, created by
Per Arne Vollan
on 2019-01-16 10:13:26 PST
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Per Arne Vollan
Created:
2019-01-16 10:13:26 PST
Size:
4.05 KB
patch
obsolete
>Index: Source/WebKit/ChangeLog >=================================================================== >--- Source/WebKit/ChangeLog (revision 240039) >+++ Source/WebKit/ChangeLog (working copy) >@@ -1,3 +1,24 @@ >+2019-01-16 Per Arne Vollan <pvollan@apple.com> >+ >+ [macOS] Block coreservicesd in sandbox. >+ https://bugs.webkit.org/show_bug.cgi?id=192670 >+ <rdar://problem/47106766> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ We should block CoreServices in newer versions of macOS. In order to achieve this we need to avoid calling >+ _RegisterApplication before entering the sandbox, since this call will open up a connection to CoreServices. >+ The call to _RegisterApplication is moved to ChildProcess::updateProcessName, since it is needed to >+ successfully update the process name. The call to ChildProcess::updateProcessName is made after entering >+ the sandbox. >+ >+ * Shared/ChildProcess.cpp: >+ (WebKit::ChildProcess::initialize): >+ * WebProcess/cocoa/WebProcessCocoa.mm: >+ (WebKit::WebProcess::initializeProcessName): >+ (WebKit::WebProcess::platformInitializeProcess): >+ * WebProcess/com.apple.WebProcess.sb.in: >+ > 2019-01-15 Fujii Hironori <Hironori.Fujii@sony.com> > > Unreviewed WinCairo build fix. >Index: Source/WebKit/Shared/ChildProcess.cpp >=================================================================== >--- Source/WebKit/Shared/ChildProcess.cpp (revision 240011) >+++ Source/WebKit/Shared/ChildProcess.cpp (working copy) >@@ -70,11 +70,12 @@ void ChildProcess::initialize(const Chil > #endif > > initializeProcess(parameters); >- initializeProcessName(parameters); > > SandboxInitializationParameters sandboxParameters; > initializeSandbox(parameters, sandboxParameters); > >+ initializeProcessName(parameters); >+ > // In WebKit2, only the UI process should ever be generating non-default PAL::SessionIDs. > PAL::SessionID::enableGenerationProtection(); > >Index: Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >=================================================================== >--- Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (revision 240011) >+++ Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (working copy) >@@ -635,8 +635,12 @@ > > ;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard. > (allow mach-lookup >- (global-name-regex #"^com.apple.distributed_notifications") >- (global-name "com.apple.CoreServices.coreservicesd")) >+ (global-name-regex #"^com.apple.distributed_notifications") >+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101500 >+ (global-name "com.apple.CoreServices.coreservicesd") >+#endif >+) >+ > (allow file-read-data > (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers > (allow ipc-posix-shm >Index: Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm >=================================================================== >--- Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (revision 240011) >+++ Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (working copy) >@@ -101,6 +101,10 @@ > #import <os/state_private.h> > #endif > >+#if PLATFORM(MAC) >+extern "C" void _CSCheckFixDisable(); >+#endif >+ > namespace WebKit { > using namespace WebCore; > >@@ -211,6 +215,11 @@ void WebProcess::platformInitializeWebPr > void WebProcess::initializeProcessName(const ChildProcessInitializationParameters&) > { > #if PLATFORM(MAC) >+ // _CSCheckFixDisable() needs to be called before checking in with Launch Services. >+ _CSCheckFixDisable(); >+ // This is necessary so that we are able to set the process' display name. >+ _RegisterApplication(nullptr, nullptr); >+ > updateProcessName(); > #endif > } >@@ -360,10 +369,6 @@ void WebProcess::platformInitializeProce > CGSShutdownServerConnections(); > > SwitchingGPUClient::setSingleton(WebSwitchingGPUClient::singleton()); >- >- // This is necessary so that we are able to set the process' display name. >- _RegisterApplication(nullptr, nullptr); >- > #else > > if (![NSApp isRunning]) {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=359277">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 192670
:
357240
|
359277
|
359280
|
361411
|
361431
|
361433
|
361453