Title: [234195] trunk/Source/WebKit
Revision
234195
Author
bfulg...@apple.com
Date
2018-07-25 08:47:43 -0700 (Wed, 25 Jul 2018)

Log Message

[macOS] PluginProcess needs TCC entitlements for media capture
https://bugs.webkit.org/show_bug.cgi?id=187981
<rdar://problem/42433634>

Reviewed by Chris Dumez.

The changes needed in Bug 185526 are also needed for the plugin process, or else the UIProcess
(e.g., Safari) is not able to pass the user's camera/microphone access permission to the plugin process.

This patch has the following changes:

1. Rename "WebContent-OSX-restricted.entitlements" to "WebContent-or-Plugin-OSX-restricted.entitlements"
2. Rename "process-webcontent-entitlements.sh" to "process-webcontent-or-plugin-entitlements.sh"
3. Add a run-script step to the Plugin.64 and Plugin.32 builds to add the relevant entitlements.
4. Silence some Flash plugin sandbox exceptions triggered after activating the camera.

* Configurations/WebContent-or-Plugin-OSX-restricted.entitlements: Renamed from Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements.
* Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb: Address sandbox violations needed by camera use.
* Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb: Ditto.
* Scripts/process-webcontent-or-plugin-entitlements.sh: Renamed from Source/WebKit/Scripts/process-webcontent-entitlements.sh.
* WebKit.xcodeproj/project.pbxproj: Update for renaming, and perform entitlement steps on Plugin process.

Modified Paths

Added Paths

Removed Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (234194 => 234195)


--- trunk/Source/WebKit/ChangeLog	2018-07-25 15:43:44 UTC (rev 234194)
+++ trunk/Source/WebKit/ChangeLog	2018-07-25 15:47:43 UTC (rev 234195)
@@ -1,3 +1,27 @@
+2018-07-25  Brent Fulgham  <bfulg...@apple.com>
+
+        [macOS] PluginProcess needs TCC entitlements for media capture
+        https://bugs.webkit.org/show_bug.cgi?id=187981
+        <rdar://problem/42433634>
+
+        Reviewed by Chris Dumez.
+
+        The changes needed in Bug 185526 are also needed for the plugin process, or else the UIProcess
+        (e.g., Safari) is not able to pass the user's camera/microphone access permission to the plugin process.
+
+        This patch has the following changes:
+
+        1. Rename "WebContent-OSX-restricted.entitlements" to "WebContent-or-Plugin-OSX-restricted.entitlements"
+        2. Rename "process-webcontent-entitlements.sh" to "process-webcontent-or-plugin-entitlements.sh"
+        3. Add a run-script step to the Plugin.64 and Plugin.32 builds to add the relevant entitlements.
+        4. Silence some Flash plugin sandbox exceptions triggered after activating the camera.
+
+        * Configurations/WebContent-or-Plugin-OSX-restricted.entitlements: Renamed from Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements.
+        * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb: Address sandbox violations needed by camera use.
+        * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb: Ditto.
+        * Scripts/process-webcontent-or-plugin-entitlements.sh: Renamed from Source/WebKit/Scripts/process-webcontent-entitlements.sh.
+        * WebKit.xcodeproj/project.pbxproj: Update for renaming, and perform entitlement steps on Plugin process.
+
 2018-07-24  Tim Horton  <timothy_hor...@apple.com>
 
         Enable Web Content Filtering on watchOS

Deleted: trunk/Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements (234194 => 234195)


--- trunk/Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements	2018-07-25 15:43:44 UTC (rev 234194)
+++ trunk/Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements	2018-07-25 15:47:43 UTC (rev 234195)
@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>com.apple.tcc.delegated-services</key>
-	<array>
-		<string>kTCCServiceCamera</string>
-		<string>kTCCServiceMicrophone</string>
-	</array>
-</dict>
-</plist>

Copied: trunk/Source/WebKit/Configurations/WebContent-or-Plugin-OSX-restricted.entitlements (from rev 234194, trunk/Source/WebKit/Configurations/WebContent-OSX-restricted.entitlements) (0 => 234195)


--- trunk/Source/WebKit/Configurations/WebContent-or-Plugin-OSX-restricted.entitlements	                        (rev 0)
+++ trunk/Source/WebKit/Configurations/WebContent-or-Plugin-OSX-restricted.entitlements	2018-07-25 15:47:43 UTC (rev 234195)
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.tcc.delegated-services</key>
+	<array>
+		<string>kTCCServiceCamera</string>
+		<string>kTCCServiceMicrophone</string>
+	</array>
+</dict>
+</plist>

Modified: trunk/Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb (234194 => 234195)


--- trunk/Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb	2018-07-25 15:43:44 UTC (rev 234194)
+++ trunk/Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player ESR.plugin.sb	2018-07-25 15:47:43 UTC (rev 234195)
@@ -62,3 +62,18 @@
 
 (allow network-bind (local ip))
 
+;;;
+;;; Needed for Camera access
+;;;
+(allow iokit-get-properties
+    (iokit-property-regex #"^(Activation|Animation)Thresholds")
+    (iokit-property-regex #"^((Accurate|Extended)Max|Min)DigitizerPressureValue")
+    (iokit-property "IOPCITunnelCompatible")
+    (iokit-property "PowerControlSupported")
+    (iokit-property "Removable")
+    (iokit-property "ResetOnLockMs")
+    (iokit-property "ResetOnUnlockMs")
+    (iokit-property "ShouldResetOnButton")
+    (iokit-property-regex #"^Support(sSilentClick|TapToWake)")
+    (iokit-property "WirelessChargingNotificationSupported")
+)
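Review bot: The three `iokit-property-regex` rules are anchored only at the start, so they allow any property whose name merely begins with the pattern, while the `iokit-property` entries beside them are exact names. If only the exact names are intended, close each pattern, e.g. `(iokit-property-regex #"^(Activation|Animation)Thresholds$")`. The header `;;; Needed for Camera access` also says less than the log message does: these reads are granted unconditionally, not only while capture is active. A comment such as `;;; Read-only IOKit property lookups seen as sandbox violations once the camera is activated` would tell the next reader what the grant covers. The identical block is added in the `com.macromedia.Flash Player.plugin.sb` hunk, so the same applies there.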

Modified: trunk/Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb (234194 => 234195)


--- trunk/Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb	2018-07-25 15:43:44 UTC (rev 234194)
+++ trunk/Source/WebKit/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb	2018-07-25 15:47:43 UTC (rev 234195)
@@ -62,3 +62,18 @@
 
 (allow network-bind (local ip))
 
+;;;
+;;; Needed for Camera access
+;;;
+(allow iokit-get-properties
+    (iokit-property-regex #"^(Activation|Animation)Thresholds")
+    (iokit-property-regex #"^((Accurate|Extended)Max|Min)DigitizerPressureValue")
+    (iokit-property "IOPCITunnelCompatible")
+    (iokit-property "PowerControlSupported")
+    (iokit-property "Removable")
+    (iokit-property "ResetOnLockMs")
+    (iokit-property "ResetOnUnlockMs")
+    (iokit-property "ShouldResetOnButton")
+    (iokit-property-regex #"^Support(sSilentClick|TapToWake)")
+    (iokit-property "WirelessChargingNotificationSupported")
+)

Deleted: trunk/Source/WebKit/Scripts/process-webcontent-entitlements.sh (234194 => 234195)


--- trunk/Source/WebKit/Scripts/process-webcontent-entitlements.sh	2018-07-25 15:43:44 UTC (rev 234194)
+++ trunk/Source/WebKit/Scripts/process-webcontent-entitlements.sh	2018-07-25 15:47:43 UTC (rev 234195)
@@ -1,26 +0,0 @@
-#!/bin/sh
-set -e
-
-PROCESSED_XCENT_FILE="${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent"
-
-if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then
-
-    if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then
-        echo "Processing restricted entitlements for Internal SDK";
-
-        if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101400 )); then
-            echo "Adding macOS platform entitlements.";
-            /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-OSX-restricted.entitlements" "${PROCESSED_XCENT_FILE}";
-        fi
-
-        if [[ ${WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT} == "YES" ]]; then
-            echo "Adding domain extension entitlement for relocatable build.";
-            /usr/libexec/PlistBuddy -c "Add :com.apple.private.xpc.domain-extension bool YES" "${PROCESSED_XCENT_FILE}";
-        fi
-    fi
-
-    if [[ ${WK_XPC_SERVICE_VARIANT} == "Development" ]]; then
-        echo "Disabling library validation for development build.";
-        /usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool YES" "${PROCESSED_XCENT_FILE}";
-    fi
-fi

Copied: trunk/Source/WebKit/Scripts/process-webcontent-or-plugin-entitlements.sh (from rev 234194, trunk/Source/WebKit/Scripts/process-webcontent-entitlements.sh) (0 => 234195)


--- trunk/Source/WebKit/Scripts/process-webcontent-or-plugin-entitlements.sh	                        (rev 0)
+++ trunk/Source/WebKit/Scripts/process-webcontent-or-plugin-entitlements.sh	2018-07-25 15:47:43 UTC (rev 234195)
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+PROCESSED_XCENT_FILE="${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent"
+
+if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then
+
+    if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then
+        echo "Processing restricted entitlements for Internal SDK";
+
+        if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101400 )); then
+            echo "Adding macOS platform entitlements.";
+            /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-or-Plugin-OSX-restricted.entitlements" "${PROCESSED_XCENT_FILE}";
+        fi
+
+        if [[ ${WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT} == "YES" ]]; then
+            echo "Adding domain extension entitlement for relocatable build.";
+            /usr/libexec/PlistBuddy -c "Add :com.apple.private.xpc.domain-extension bool YES" "${PROCESSED_XCENT_FILE}";
+        fi
+    fi
+
+    if [[ ${WK_XPC_SERVICE_VARIANT} == "Development" ]]; then
+        echo "Disabling library validation for development build.";
+        /usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool YES" "${PROCESSED_XCENT_FILE}";
+    fi
+fi
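Review bot: Nothing in the script says it is now shared by the WebContent and Plugin targets, and the `Development` branch adds `com.apple.security.cs.disable-library-validation` to whichever product runs it. Whether the Plugin targets set `WK_XPC_SERVICE_VARIANT` or `WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT` is not visible in this diff, so the entitlements a Plugin build ends up with cannot be read from the script alone. A header comment after `set -e` would help, along the lines of `# Shared by the WebContent and Plugin targets; every entitlement added below applies to both.` The second variable still carries a WebContent-specific name, which is worth calling out in that comment or renaming in a follow-up.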

Modified: trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj (234194 => 234195)


--- trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj	2018-07-25 15:43:44 UTC (rev 234194)
+++ trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj	2018-07-25 15:47:43 UTC (rev 234195)
@@ -3361,7 +3361,7 @@
 		37A64E5618F38F4600EB30F1 /* _WKFormInputSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = _WKFormInputSession.h; sourceTree = "<group>"; };
 		37A709A61E3EA0FD00CA5969 /* WKDataDetectorTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKDataDetectorTypes.h; sourceTree = "<group>"; };
 		37A709A81E3EA40C00CA5969 /* WKDataDetectorTypesInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKDataDetectorTypesInternal.h; sourceTree = "<group>"; };
-		37B418EB1C9624F20031E63B /* WebContent-OSX-restricted.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "WebContent-OSX-restricted.entitlements"; sourceTree = "<group>"; };
+		37B418EB1C9624F20031E63B /* WebContent-or-Plugin-OSX-restricted.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = "WebContent-or-Plugin-OSX-restricted.entitlements"; sourceTree = "<group>"; };
 		37B47E2C1D64DB76005F4EFF /* objcSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = objcSPI.h; sourceTree = "<group>"; };
 		37B5045119EEF31300CE2CF8 /* WKErrorPrivate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKErrorPrivate.h; sourceTree = "<group>"; };
 		37BEC4DE19491486008B4286 /* CompletionHandlerCallChecker.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = CompletionHandlerCallChecker.mm; sourceTree = "<group>"; };
@@ -3915,7 +3915,7 @@
 		7A9CD8C21C779AD600D9F6C7 /* WebResourceLoadStatisticsStore.messages.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = WebResourceLoadStatisticsStore.messages.in; sourceTree = "<group>"; };
 		7AB6EA441EEAAE2300037B2B /* APIIconDatabaseClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIIconDatabaseClient.h; sourceTree = "<group>"; };
 		7AB6EA461EEAB6B000037B2B /* APIGeolocationProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIGeolocationProvider.h; sourceTree = "<group>"; };
-		7ACFAAD820B88D4F00C53203 /* process-webcontent-entitlements.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "process-webcontent-entitlements.sh"; sourceTree = "<group>"; };
+		7ACFAAD820B88D4F00C53203 /* process-webcontent-or-plugin-entitlements.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "process-webcontent-or-plugin-entitlements.sh"; sourceTree = "<group>"; };
 		7AF2361E1E79A3B400438A05 /* WebErrors.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebErrors.cpp; sourceTree = "<group>"; };
 		7AF2361F1E79A3D800438A05 /* WebErrors.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebErrors.h; sourceTree = "<group>"; };
 		7AF236221E79A43100438A05 /* WebErrorsCocoa.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebErrorsCocoa.mm; sourceTree = "<group>"; };
@@ -5196,7 +5196,7 @@
 				1A4F976E100E7B6600637A18 /* Version.xcconfig */,
 				37119A7E20CCB64E002C6DC9 /* WebContent-iOS-minimalsimulator.entitlements */,
 				7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */,
-				37B418EB1C9624F20031E63B /* WebContent-OSX-restricted.entitlements */,
+				37B418EB1C9624F20031E63B /* WebContent-or-Plugin-OSX-restricted.entitlements */,
 				7AF66E1120C07CB6007828EA /* WebContent-OSX.entitlements */,
 				372EBB4A2017E76000085064 /* WebContentService.Development.xcconfig */,
 				BCACC40E16B0B8A800B6E092 /* WebContentService.xcconfig */,
@@ -8643,7 +8643,7 @@
 				0FC0856F187CE0A900780D86 /* messages.py */,
 				0FC08570187CE0A900780D86 /* model.py */,
 				0FC08571187CE0A900780D86 /* parser.py */,
-				7ACFAAD820B88D4F00C53203 /* process-webcontent-entitlements.sh */,
+				7ACFAAD820B88D4F00C53203 /* process-webcontent-or-plugin-entitlements.sh */,
 			);
 			path = Scripts;
 			sourceTree = "<group>";
@@ -10161,6 +10161,7 @@
 				BC8283F516B4FDDE00A278FE /* Sources */,
 				BC8283F616B4FDDE00A278FE /* Frameworks */,
 				BC8283F716B4FDDE00A278FE /* Resources */,
+				7A79E2DE2107F32B00EF32A4 /* Process Plugin entitlements */,
 			);
 			buildRules = (
 			);
@@ -10180,6 +10181,7 @@
 				BC82841B16B4FDF600A278FE /* Sources */,
 				BC82841C16B4FDF600A278FE /* Frameworks */,
 				BC82841D16B4FDF600A278FE /* Resources */,
+				7A79E2DD2107F2DD00EF32A4 /* Process Plugin entitlements */,
 			);
 			buildRules = (
 			);
@@ -10544,6 +10546,44 @@
 			shellPath = /bin/sh;
 			shellScript = "# We autogenerate this file, so don't want to retain an old copy during builds.\nrm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent\n";
 		};
+		7A79E2DD2107F2DD00EF32A4 /* Process Plugin entitlements */ = {
+			isa = PBXShellScriptBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			inputFileListPaths = (
+			);
+			inputPaths = (
+				"$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
+			);
+			name = "Process Plugin entitlements";
+			outputFileListPaths = (
+			);
+			outputPaths = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+			shellPath = /bin/sh;
+			shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
+		};
+		7A79E2DE2107F32B00EF32A4 /* Process Plugin entitlements */ = {
+			isa = PBXShellScriptBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			inputFileListPaths = (
+			);
+			inputPaths = (
+				"$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
+			);
+			name = "Process Plugin entitlements";
+			outputFileListPaths = (
+			);
+			outputPaths = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+			shellPath = /bin/sh;
+			shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
+		};
 		7AFCBD5420B8911D00F55C9C /* Process WebContent entitlements */ = {
 			isa = PBXShellScriptBuildPhase;
 			buildActionMask = 2147483647;
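Review bot: Both new `Process Plugin entitlements` phases declare the `.xcent` file as an input but leave `outputPaths` empty, although the script rewrites that same file in place. The script uses PlistBuddy `Add` under `set -e`, which as far as I know fails when the key already exists, so a stale `.xcent` from an earlier build would abort the phase. The context line above shows another phase doing `rm -f ${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent` for exactly this reason, but its header is outside the hunk, and the Plugin targets' phase lists in the earlier hunks do not visibly include an equivalent step. Confirm the Plugin targets clear the file first, or list the `.xcent` under `outputPaths` so the dependency is explicit.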
@@ -10557,7 +10597,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "Scripts/process-webcontent-entitlements.sh\n";
+			shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
 		};
 		7AFCBD5520B8917D00F55C9C /* Process WebContent entitlements */ = {
 			isa = PBXShellScriptBuildPhase;
@@ -10572,7 +10612,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "Scripts/process-webcontent-entitlements.sh\n";
+			shellScript = "Scripts/process-webcontent-or-plugin-entitlements.sh\n";
 		};
 		99CA3862207286DB00BAD578 /* Copy WebDriver Atoms to Framework Private Headers */ = {
 			isa = PBXShellScriptBuildPhase;