Bug 206906

Summary: Limit access to 'com.apple.SecurityService' and 'com.apple.ocspd' to systems that require it
Product: WebKit
Reporter: Brent Fulgham <bfulgham>
Component: WebKit Misc.
Assignee: Brent Fulgham <bfulgham>
Status: RESOLVED WONTFIX
Severity: Normal
CC: ap, bfulgham, pvollan, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=206895
Bug Depends on: 206832    
Bug Blocks:    
Attachments:
Description    Flags
Patch          none
Patch          ap: review+

Description Brent Fulgham 2020-01-28 14:16:08 PST
Make use of the Sandbox parameter features to allow WebKit to hint to the sandbox that it is running on a version of macOS that can benefit from updated system components.
Comment 1 Radar WebKit Bug Importer 2020-01-28 15:21:29 PST
<rdar://problem/58971886>
Comment 2 Brent Fulgham 2020-01-28 15:25:00 PST
Created attachment 389077
Patch
Comment 3 Per Arne Vollan 2020-01-28 15:38:44 PST
Comment on attachment 389077
Patch

R=me.
Comment 4 Alexey Proskuryakov 2020-01-28 18:05:21 PST
Comment on attachment 389077
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389077&action=review

> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:622
> +        if (osVersionParts.size() < 3 || osVersionParts[2].toInt() <= 3)

The logic looks wrong here. It seems exceedingly unlikely that you are getting the right set of versions here.

This means that 10.14.3 and 10.15.3 both need the parameter, but .4 updates do not.

> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:623
> +            sandboxParameters.addParameter("_OS_NEEDS_EME_QUIRK", "YES");
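
Review bot: on line 623 the parameter is added only inside the `if` from line 622, so whenever that condition is false `_OS_NEEDS_EME_QUIRK` is never defined for the sandbox profile. Consider adding it unconditionally, with "YES" or "NO" as the value, so a profile that reads the parameter always finds one.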

We control all parameter names, what is the need for the leading underscore?
Comment 5 Brent Fulgham 2020-01-28 18:24:32 PST
Created attachment 389100
Patch
Comment 6 Brent Fulgham 2020-01-28 18:33:39 PST
Comment on attachment 389077
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389077&action=review

>> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:622
>> +        if (osVersionParts.size() < 3 || osVersionParts[2].toInt() <= 3)
> 
> The logic looks wrong here. It seems exceedingly unlikely that you are getting the right set of versions here.
> 
> This means that 10.14.3 and 10.15.3 both need the parameter, but .4 updates do not.

Doh!

>> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:623
>> +            sandboxParameters.addParameter("_OS_NEEDS_EME_QUIRK", "YES");
> 
> We control all parameter names, what is the need for the leading underscore?

Consistency with the other parameters that work like this. _OS_VERSION
Comment 7 Alexey Proskuryakov 2020-01-28 19:56:59 PST
Comment on attachment 389100
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389100&action=review

> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:621
> +    if (osVersionParts[0].toInt() == 10 && osVersionParts[1].toInt() <= 15) {
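
Review bot: line 621 indexes osVersionParts[0] and osVersionParts[1] with no size check in the visible condition, while the earlier revision's check began with osVersionParts.size() < 3. If the version string can split into fewer than two parts, guard the condition with osVersionParts.size() >= 2 before indexing.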

Can you put this into an #if block too, so that it’s easier to remove in the future?

> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:674
> +(if (equal? (param "_OS_NEEDS_EME_QUIRK") "YES")

Did you check how this behaves on old OS versions? I vaguely remember that profile may fail to compile when an undefined param is used.
Comment 8 Brent Fulgham 2020-01-29 10:16:01 PST
After talking with a few other people, we're going to do this slightly differently.