We should cache the compiled sandbox profile in a data vault

commit-queue@webkit.org · commit-queue@webkit.org · commit 51ecb2fe60af · 2018-08-04T01:09:37.000Z
https://bugs.webkit.org/show_bug.cgi?id=184991 Patch by Ben Richards <benton_richards@apple.com> on 2018-08-03 Reviewed by Ryosuke Niwa. Source/WebCore: Added functionality to FileHandle so that it can lock a file while open. Added a function to FileSystem to delete non empty directories. * platform/FileHandle.cpp: (WebCore::FileHandle::FileHandle): (WebCore::FileHandle::open): (WebCore::FileHandle::close): * platform/FileHandle.h: * platform/FileSystem.h: * platform/cocoa/FileSystemCocoa.mm: (WebCore::FileSystem::deleteNonEmptyDirectory): Source/WebKit: This patch changes a few things (note: data vaults and sandbox entitlements are only used in internal builds): (1) Instead of compiling a sandbox every time a process is launched, processes now look for a cached sandbox in a process specific data vault on macOS platforms. (ChildProcessMac.mm) (2) If a valid cached sandbox is not found, a process will create the data vault (or ensure that it exists), compile a sandbox, and cache it. (3) In order to create process specific data vaults, each process now has their own <process name>-OSX-sandbox.entitlements file which contains an entitlement with a process specific "storage class" which ensures that each process can only ever access its own data vault. (See the article on confluence "Data Vaults and Restricted Files" for more info) (4) The sandbox entitlements file for the Network, WebContent and Plugin services are loaded dynamically through Scripts/<process name>-process-entitlements.sh which is triggered in a new build phase for each service. The Storage process sandbox entitlements are loaded directly in Configurations/StorageService.xcconfig. The reason that the sandbox entitlements are applied dynamically is so that these sandbox entitlements are only applied when WK_USE_RESTRICTED_ENTITLEMENTS is YES. This means that open source builds will still work. * Configurations/Network-OSX-sandbox.entitlements: Added. * Configurations/Plugin-OSX-sandbox.entitlements: Added. * Configurations/Storage-OSX-sandbox.entitlements: Added. * Configurations/StorageService.xcconfig: * Configurations/WebContent-OSX-sandbox.entitlements: Added. * Configurations/WebKit.xcconfig: * NetworkProcess/NetworkProcess.h: * PluginProcess/PluginProcess.h: * Scripts/process-network-entitlements.sh: Added. * Scripts/process-plugin-entitlements.sh: Added. * Scripts/process-webcontent-entitlements.sh: * Shared/ChildProcess.h: * Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h: (WebKit::XPCServiceInitializer): * Shared/SandboxInitializationParameters.h: (WebKit::SandboxInitializationParameters::setOverrideSandboxProfilePath): (WebKit::SandboxInitializationParameters::overrideSandboxProfilePath const): (WebKit::SandboxInitializationParameters::setSandboxProfile): (WebKit::SandboxInitializationParameters::sandboxProfile const): (): Deleted. * Shared/mac/ChildProcessMac.mm: (WebKit::SandboxProfileDeleter::operator()): (WebKit::SandboxParametersDeleter::operator()): (WebKit::SandboxInfo::SandboxInfo): (WebKit::fileContents): (WebKit::processStorageClass): (WebKit::setAndSerializeSandboxParameters): (WebKit::getUserCacheDirectory): (WebKit::sandboxDataVaultParentDirectory): (WebKit::sandboxDirectory): (WebKit::sandboxFilePath): (WebKit::ensureSandboxCacheDirectory): (WebKit::writeSandboxDataToCacheFile): (WebKit::compileAndCacheSandboxProfile): (WebKit::tryApplyCachedSandbox): (WebKit::webKit2Bundle): (WebKit::sandboxProfilePath): (WebKit::compileAndApplySandboxSlowCase): (WebKit::applySandbox): (WebKit::initializeSandboxParameters): (WebKit::ChildProcess::initializeSandbox): * Shared/mac/SandboxInitialiationParametersMac.mm: (WebKit::SandboxInitializationParameters::SandboxInitializationParameters): * StorageProcess/StorageProcess.h: * WebKit.xcodeproj/project.pbxproj: * WebProcess/WebProcess.h: Source/WTF: Added trace points for sandbox initialization and exposed functions needed for sandbox caching * wtf/SystemTracing.h: * wtf/spi/darwin/SandboxSPI.h: Tools: Added trace points for sandbox initialization * Tracing/SystemTracePoints.plist: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@234569 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
@@ -1,3 +1,15 @@
+2018-08-03  Ben Richards  <benton_richards@apple.com>
+
+        We should cache the compiled sandbox profile in a data vault
+        https://bugs.webkit.org/show_bug.cgi?id=184991
+
+        Reviewed by Ryosuke Niwa.
+
+        Added trace points for sandbox initialization and exposed functions needed for sandbox caching
+
+        * wtf/SystemTracing.h:
+        * wtf/spi/darwin/SandboxSPI.h:
+
 2018-08-02  Saam Barati  <sbarati@apple.com>
 
         Reading instructionPointer from PlatformRegisters may fail when using pointer tagging
diff --git a/Source/WTF/wtf/SystemTracing.h b/Source/WTF/wtf/SystemTracing.h
@@ -96,6 +96,8 @@ enum TracePointCode {
     CommitLayerTreeEnd,
     ProcessLaunchStart,
     ProcessLaunchEnd,
+    InitializeSandboxStart,
+    InitializeSandboxEnd,
 };
 
 #ifdef __cplusplus
diff --git a/Source/WTF/wtf/spi/darwin/SandboxSPI.h b/Source/WTF/wtf/spi/darwin/SandboxSPI.h
@@ -42,6 +42,21 @@ enum sandbox_filter_type {
 
 WTF_EXTERN_C_BEGIN
 
+typedef struct {
+    char* builtin;
+    unsigned char* data;
+    size_t size;
+#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
+    char* trace;
+#endif
+} *sandbox_profile_t;
+
+typedef struct {
+    const char **params;
+    size_t size;
+    size_t available;
+} *sandbox_params_t;
+
 extern const char *const APP_SANDBOX_READ;
 extern const char *const APP_SANDBOX_READ_WRITE;
 extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT;
@@ -54,6 +69,12 @@ int sandbox_container_path_for_pid(pid_t, char *buffer, size_t bufsize);
 int sandbox_extension_release(int64_t extension_handle);
 int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
 int64_t sandbox_extension_consume(const char *extension_token);
+sandbox_params_t sandbox_create_params(void);
+int sandbox_set_param(sandbox_params_t, const char *key, const char *value);
+void sandbox_free_params(sandbox_params_t);
+sandbox_profile_t sandbox_compile_file(const char *path, sandbox_params_t, char **error);
+void sandbox_free_profile(sandbox_profile_t);
+int sandbox_apply(sandbox_profile_t);
 
 WTF_EXTERN_C_END
 
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2018-08-03  Ben Richards  <benton_richards@apple.com>
+
+        We should cache the compiled sandbox profile in a data vault
+        https://bugs.webkit.org/show_bug.cgi?id=184991
+
+        Reviewed by Ryosuke Niwa.
+
+        Added functionality to FileHandle so that it can lock a file while open.
+        Added a function to FileSystem to delete non empty directories.
+
+        * platform/FileHandle.cpp:
+        (WebCore::FileHandle::FileHandle):
+        (WebCore::FileHandle::open):
+        (WebCore::FileHandle::close):
+        * platform/FileHandle.h:
+        * platform/FileSystem.h:
+        * platform/cocoa/FileSystemCocoa.mm:
+        (WebCore::FileSystem::deleteNonEmptyDirectory):
+
 2018-08-03  Justin Fan  <justin_fan@apple.com>
 
         WebGL 2 conformance: vertex_arrays/vertex_array_object.html
diff --git a/Source/WebCore/platform/FileHandle.cpp b/Source/WebCore/platform/FileHandle.cpp
@@ -32,15 +32,23 @@
 namespace WebCore {
 
 FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode)
-    : m_path(path)
-    , m_mode(mode)
+    : m_path { path }
+    , m_mode { mode }
 {
 }
 
 FileHandle::FileHandle(FileHandle&& other)
-    : m_path(WTFMove(other.m_path))
-    , m_mode(WTFMove(other.m_mode))
-    , m_fileHandle(std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle))
+    : m_path { WTFMove(other.m_path) }
+    , m_mode { WTFMove(other.m_mode) }
+    , m_fileHandle { std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle) }
+{
+}
+    
+FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode, OptionSet<FileSystem::FileLockMode> lockMode)
+    : m_path { path }
+    , m_mode { mode }
+    , m_shouldLock { true }
+    , m_lockMode { lockMode }
 {
 }
 
@@ -77,7 +85,7 @@ bool FileHandle::open(const String& path, FileSystem::FileOpenMode mode)
 bool FileHandle::open()
 {
     if (!*this)
-        m_fileHandle = FileSystem::openFile(m_path, m_mode);
+        m_fileHandle = m_shouldLock ? FileSystem::openAndLockFile(m_path, m_mode, m_lockMode) :  FileSystem::openFile(m_path, m_mode);
     return static_cast<bool>(*this);
 }
 
@@ -115,7 +123,11 @@ bool FileHandle::printf(const char* format, ...)
 
 void FileHandle::close()
 {
-    FileSystem::closeFile(m_fileHandle);
+    if (m_shouldLock && *this) {
+        // FileSystem::unlockAndCloseFile requires the file handle to be valid while closeFile does not
+        FileSystem::unlockAndCloseFile(m_fileHandle);
+    } else
+        FileSystem::closeFile(m_fileHandle);
 }
 
 } // namespace WebCore
diff --git a/Source/WebCore/platform/FileHandle.h b/Source/WebCore/platform/FileHandle.h
@@ -38,6 +38,7 @@ class WEBCORE_EXPORT FileHandle final {
 public:
     FileHandle() = default;
     FileHandle(const String& path, FileSystem::FileOpenMode);
+    FileHandle(const String& path, FileSystem::FileOpenMode, OptionSet<FileSystem::FileLockMode>);
     FileHandle(const FileHandle& other) = delete;
     FileHandle(FileHandle&& other);
 
@@ -59,6 +60,8 @@ class WEBCORE_EXPORT FileHandle final {
     String m_path;
     FileSystem::FileOpenMode m_mode { FileSystem::FileOpenMode::Read };
     FileSystem::PlatformFileHandle m_fileHandle { FileSystem::invalidPlatformFileHandle };
+    bool m_shouldLock { false };
+    OptionSet<FileSystem::FileLockMode> m_lockMode;
 };
 
 } // namespace WebCore
diff --git a/Source/WebCore/platform/FileSystem.h b/Source/WebCore/platform/FileSystem.h
@@ -184,6 +184,7 @@ String roamingUserSpecificStorageDirectory();
 
 #if PLATFORM(COCOA)
 WEBCORE_EXPORT NSString *createTemporaryDirectory(NSString *directoryPrefix);
+WEBCORE_EXPORT bool deleteNonEmptyDirectory(const String&);
 #endif
 
 WEBCORE_EXPORT String realPath(const String&);
diff --git a/Source/WebCore/platform/cocoa/FileSystemCocoa.mm b/Source/WebCore/platform/cocoa/FileSystemCocoa.mm
@@ -134,5 +134,10 @@ bool getVolumeFreeSpace(const String& path, uint64_t& freeSpace)
     return [[NSFileManager defaultManager] stringWithFileSystemRepresentation:path.data() length:length];
 }
 
+bool deleteNonEmptyDirectory(const String& path)
+{
+    return [[NSFileManager defaultManager] removeItemAtPath:path error:nil];
+}
+
 } // namespace FileSystem
 } // namespace WebCore
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,71 @@
+2018-08-03  Ben Richards  <benton_richards@apple.com>
+
+        We should cache the compiled sandbox profile in a data vault
+        https://bugs.webkit.org/show_bug.cgi?id=184991
+
+        Reviewed by Ryosuke Niwa.
+
+        This patch changes a few things (note: data vaults and sandbox entitlements are only used in internal builds):
+        (1) Instead of compiling a sandbox every time a process is launched, processes now look for a cached sandbox
+            in a process specific data vault on macOS platforms. (ChildProcessMac.mm)
+        (2) If a valid cached sandbox is not found, a process will create the data vault (or ensure that it exists),
+            compile a sandbox, and cache it.
+        (3) In order to create process specific data vaults, each process now has their own <process name>-OSX-sandbox.entitlements
+            file which contains an entitlement with a process specific "storage class" which ensures that each process
+            can only ever access its own data vault. (See the article on confluence "Data Vaults and Restricted Files" for more info)
+        (4) The sandbox entitlements file for the Network, WebContent and Plugin services are loaded dynamically
+            through Scripts/<process name>-process-entitlements.sh which is triggered in a new build phase for each service.
+            The Storage process sandbox entitlements are loaded directly in Configurations/StorageService.xcconfig.
+            The reason that the sandbox entitlements are applied dynamically is so that these sandbox entitlements
+            are only applied when WK_USE_RESTRICTED_ENTITLEMENTS is YES. This means that open source builds will still work.
+
+        * Configurations/Network-OSX-sandbox.entitlements: Added.
+        * Configurations/Plugin-OSX-sandbox.entitlements: Added.
+        * Configurations/Storage-OSX-sandbox.entitlements: Added.
+        * Configurations/StorageService.xcconfig:
+        * Configurations/WebContent-OSX-sandbox.entitlements: Added.
+        * Configurations/WebKit.xcconfig:
+        * NetworkProcess/NetworkProcess.h:
+        * PluginProcess/PluginProcess.h:
+        * Scripts/process-network-entitlements.sh: Added.
+        * Scripts/process-plugin-entitlements.sh: Added.
+        * Scripts/process-webcontent-entitlements.sh:
+        * Shared/ChildProcess.h:
+        * Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h:
+        (WebKit::XPCServiceInitializer):
+        * Shared/SandboxInitializationParameters.h:
+        (WebKit::SandboxInitializationParameters::setOverrideSandboxProfilePath):
+        (WebKit::SandboxInitializationParameters::overrideSandboxProfilePath const):
+        (WebKit::SandboxInitializationParameters::setSandboxProfile):
+        (WebKit::SandboxInitializationParameters::sandboxProfile const):
+        (): Deleted.
+        * Shared/mac/ChildProcessMac.mm:
+        (WebKit::SandboxProfileDeleter::operator()):
+        (WebKit::SandboxParametersDeleter::operator()):
+        (WebKit::SandboxInfo::SandboxInfo):
+        (WebKit::fileContents):
+        (WebKit::processStorageClass):
+        (WebKit::setAndSerializeSandboxParameters):
+        (WebKit::getUserCacheDirectory):
+        (WebKit::sandboxDataVaultParentDirectory):
+        (WebKit::sandboxDirectory):
+        (WebKit::sandboxFilePath):
+        (WebKit::ensureSandboxCacheDirectory):
+        (WebKit::writeSandboxDataToCacheFile):
+        (WebKit::compileAndCacheSandboxProfile):
+        (WebKit::tryApplyCachedSandbox):
+        (WebKit::webKit2Bundle):
+        (WebKit::sandboxProfilePath):
+        (WebKit::compileAndApplySandboxSlowCase):
+        (WebKit::applySandbox):
+        (WebKit::initializeSandboxParameters):
+        (WebKit::ChildProcess::initializeSandbox):
+        * Shared/mac/SandboxInitialiationParametersMac.mm:
+        (WebKit::SandboxInitializationParameters::SandboxInitializationParameters):
+        * StorageProcess/StorageProcess.h:
+        * WebKit.xcodeproj/project.pbxproj:
+        * WebProcess/WebProcess.h:
+
 2018-08-03  Alex Christensen  <achristensen@webkit.org>
 
         Fix spelling of "overridden"
diff --git a/Source/WebKit/Configurations/Network-OSX-sandbox.entitlements b/Source/WebKit/Configurations/Network-OSX-sandbox.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.rootless.storage.WebKitNetworkingSandbox</key>
+	<true/>
+</dict>
+</plist>
diff --git a/Source/WebKit/Configurations/Storage-OSX-sandbox.entitlements b/Source/WebKit/Configurations/Storage-OSX-sandbox.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.rootless.storage.WebKitStorageSandbox</key>
+	<true/>
+</dict>
+</plist>
diff --git a/Source/WebKit/Configurations/StorageService.xcconfig b/Source/WebKit/Configurations/StorageService.xcconfig
@@ -25,6 +25,10 @@
 
 WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = Databases-iOS;
 
+WK_STORAGE_ENTITLEMENTS_RESTRICTED_NO = ;
+WK_STORAGE_ENTITLEMENTS_RESTRICTED_YES = Configurations/Storage-OSX-sandbox.entitlements;
+
+CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO = $(WK_STORAGE_ENTITLEMENTS_RESTRICTED_$(WK_USE_RESTRICTED_ENTITLEMENTS));
 OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS);
 
 PRODUCT_NAME = $(WK_STORAGE_SERVICE_PRODUCT_NAME);
diff --git a/Source/WebKit/Configurations/WebContent-OSX-sandbox.entitlements b/Source/WebKit/Configurations/WebContent-OSX-sandbox.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.rootless.storage.WebKitWebContentSandbox</key>
+	<true/>
+</dict>
+</plist>
diff --git a/Source/WebKit/Configurations/WebKit.xcconfig b/Source/WebKit/Configurations/WebKit.xcconfig
@@ -82,6 +82,9 @@ WK_MOBILE_CORE_SERVICES_LDFLAGS_cocoatouch = -framework MobileCoreServices;
 WK_MOBILE_GESTALT_LDFLAGS = $(WK_MOBILE_GESTALT_LDFLAGS_$(WK_COCOA_TOUCH));
 WK_MOBILE_GESTALT_LDFLAGS_cocoatouch = -lMobileGestalt;
 
+WK_LIBSANDBOX_LDFLAGS = $(WK_LIBSANDBOX_LDFLAGS_$(WK_PLATFORM_NAME));
+WK_LIBSANDBOX_LDFLAGS_macosx = -lsandbox;
+
 WK_OPENGL_LDFLAGS = $(WK_OPENGL_LDFLAGS_$(WK_PLATFORM_NAME));
 WK_OPENGL_LDFLAGS_iphoneos = -framework OpenGLES;
 WK_OPENGL_LDFLAGS_iosmac = -framework OpenGL;
@@ -112,7 +115,7 @@ WK_UIKIT_LDFLAGS_cocoatouch = -framework UIKit;
 WK_URL_FORMATTING_LDFLAGS = $(WK_URL_FORMATTING_LDFLAGS_$(WK_HAVE_URL_FORMATTING));
 WK_URL_FORMATTING_LDFLAGS_YES = -framework URLFormatting;
 
-FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS);
+FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PDF_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_IOSURFACE_LDFLAGS) $(WK_LIBSANDBOX_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS);
 
 // Prevent C++ standard library basic_stringstream, operator new, delete and their related exception types from being exported as weak symbols.
 UNEXPORTED_SYMBOL_LDFLAGS = -Wl,-unexported_symbol -Wl,__ZTISt9bad_alloc -Wl,-unexported_symbol -Wl,__ZTISt9exception -Wl,-unexported_symbol -Wl,__ZTSSt9bad_alloc -Wl,-unexported_symbol -Wl,__ZTSSt9exception -Wl,-unexported_symbol -Wl,__ZdlPvS_ -Wl,-unexported_symbol -Wl,__ZnwmPv -Wl,-unexported_symbol -Wl,__Znwm -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC2EOS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC1EOS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEaSEDn -Wl,-unexported_symbol -Wl,__ZNKSt3__18functionIFvN7WebCore12PolicyActionEEEclES2_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEE4swapERS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC1ERKS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEC2ERKS4_ -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEED1Ev -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEED2Ev -Wl,-unexported_symbol -Wl,__ZNSt3__18functionIFvN7WebCore12PolicyActionEEEaSERKS4_ -Wl,-unexported_symbol -Wl,__ZTVNSt3__117bad_function_callE -Wl,-unexported_symbol -Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE0_NS_13basic_istreamIcS2_EE -Wl,-unexported_symbol -Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE0_NS_14basic_iostreamIcS2_EE -Wl,-unexported_symbol -Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE16_NS_13basic_ostreamIcS2_EE -Wl,-unexported_symbol -Wl,__ZTTNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE -Wl,-unexported_symbol -Wl,__ZTVNSt3__115basic_stringbufIcNS_11char_traitsIcEENS_9allocatorIcEEEE -Wl,-unexported_symbol -Wl,__ZTVNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE -Wl,-unexported_symbol -Wl,__ZTCNSt3__118basic_stringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE8_NS_13basic_ostreamIcS2_EE;
diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.h b/Source/WebKit/NetworkProcess/NetworkProcess.h
@@ -80,6 +80,7 @@ class NetworkProcess : public ChildProcess, private DownloadManager::Client {
     friend NeverDestroyed<DownloadManager>;
 public:
     static NetworkProcess& singleton();
+    static constexpr ProcessType processType = ProcessType::Network;
 
     template <typename T>
     T* supplement()
diff --git a/Source/WebKit/PluginProcess/PluginProcess.h b/Source/WebKit/PluginProcess/PluginProcess.h
@@ -49,6 +49,7 @@ class PluginProcess : public ChildProcess
 
 public:
     static PluginProcess& singleton();
+    static constexpr ProcessType processType = ProcessType::Plugin;
 
     void removeWebProcessConnection(WebProcessConnection*);
 
diff --git a/Source/WebKit/Scripts/process-network-sandbox-entitlements.sh b/Source/WebKit/Scripts/process-network-sandbox-entitlements.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+PROCESSED_XCENT_FILE="${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent"
+
+if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then
+
+    if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then
+        echo "Processing restricted entitlements for Internal SDK";
+
+        echo "Adding sandbox entitlements for Network process.";
+        /usr/libexec/PlistBuddy -c "Merge Configurations/Network-OSX-sandbox.entitlements" "${PROCESSED_XCENT_FILE}";
+    fi
+fi
diff --git a/Source/WebKit/Scripts/process-webcontent-sandbox-entitlements.sh b/Source/WebKit/Scripts/process-webcontent-sandbox-entitlements.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+PROCESSED_XCENT_FILE="${TEMP_FILE_DIR}/${FULL_PRODUCT_NAME}.xcent"
+
+if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then
+
+    if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == "YES" ]]; then
+        echo "Processing restricted entitlements for Internal SDK";
+
+        echo "Adding sandbox entitlements for WebContent process.";
+        /usr/libexec/PlistBuddy -c "Merge Configurations/WebContent-OSX-sandbox.entitlements" "${PROCESSED_XCENT_FILE}";
+    fi
+fi
diff --git a/Source/WebKit/Shared/ChildProcess.h b/Source/WebKit/Shared/ChildProcess.h
@@ -39,22 +39,19 @@
 namespace WebKit {
 
 class SandboxInitializationParameters;
-
-struct ChildProcessInitializationParameters {
-    String uiProcessName;
-    String clientIdentifier;
-    std::optional<WebCore::ProcessIdentifier> processIdentifier;
-    IPC::Connection::Identifier connectionIdentifier;
-    HashMap<String, String> extraInitializationData;
-#if PLATFORM(COCOA)
-    OSObjectPtr<xpc_object_t> priorityBoostMessage;
-#endif
-};
+struct ChildProcessInitializationParameters;
 
 class ChildProcess : protected IPC::Connection::Client, public IPC::MessageSender {
     WTF_MAKE_NONCOPYABLE(ChildProcess);
 
 public:
+    enum class ProcessType : uint8_t {
+        WebContent,
+        Network,
+        Storage,
+        Plugin
+    };
+
     void initialize(const ChildProcessInitializationParameters&);
 
     // disable and enable termination of the process. when disableTermination is called, the
@@ -150,6 +147,18 @@ class ChildProcess : protected IPC::Connection::Client, public IPC::MessageSende
 #endif
 };
 
+struct ChildProcessInitializationParameters {
+    String uiProcessName;
+    String clientIdentifier;
+    std::optional<WebCore::ProcessIdentifier> processIdentifier;
+    IPC::Connection::Identifier connectionIdentifier;
+    HashMap<String, String> extraInitializationData;
+    ChildProcess::ProcessType processType;
+#if PLATFORM(COCOA)
+    OSObjectPtr<xpc_object_t> priorityBoostMessage;
+#endif
+};
+
 } // namespace WebKit
 
 #endif // ChildProcess_h
diff --git a/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h b/Source/WebKit/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h
diff --git a/Source/WebKit/Shared/SandboxInitializationParameters.h b/Source/WebKit/Shared/SandboxInitializationParameters.h
diff --git a/Source/WebKit/Shared/mac/ChildProcessMac.mm b/Source/WebKit/Shared/mac/ChildProcessMac.mm
diff --git a/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm b/Source/WebKit/Shared/mac/SandboxInitialiationParametersMac.mm
diff --git a/Source/WebKit/StorageProcess/StorageProcess.h b/Source/WebKit/StorageProcess/StorageProcess.h
diff --git a/Source/WebKit/WebKit.xcodeproj/project.pbxproj b/Source/WebKit/WebKit.xcodeproj/project.pbxproj
diff --git a/Source/WebKit/WebProcess/WebProcess.h b/Source/WebKit/WebProcess/WebProcess.h
diff --git a/Tools/ChangeLog b/Tools/ChangeLog
diff --git a/Tools/Tracing/SystemTracePoints.plist b/Tools/Tracing/SystemTracePoints.plist

Original file line number	Diff line number	Diff line change
`@@ -32,15 +32,23 @@`
`32`	`32`	`namespace WebCore {`
`33`	`33`
`34`	`34`	`FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode)`
`35`		`- : m_path(path)`
`36`		`- , m_mode(mode)`
	`35`	`+ : m_path { path }`
	`36`	`+ , m_mode { mode }`
`37`	`37`	`{`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`FileHandle::FileHandle(FileHandle&& other)`
`41`		`- : m_path(WTFMove(other.m_path))`
`42`		`- , m_mode(WTFMove(other.m_mode))`
`43`		`- , m_fileHandle(std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle))`
	`41`	`+ : m_path { WTFMove(other.m_path) }`
	`42`	`+ , m_mode { WTFMove(other.m_mode) }`
	`43`	`+ , m_fileHandle { std::exchange(other.m_fileHandle, FileSystem::invalidPlatformFileHandle) }`
	`44`	`+{`
	`45`	`+}`
	`46`	`+`
	`47`	`+FileHandle::FileHandle(const String& path, FileSystem::FileOpenMode mode, OptionSet<FileSystem::FileLockMode> lockMode)`
	`48`	`+ : m_path { path }`
	`49`	`+ , m_mode { mode }`
	`50`	`+ , m_shouldLock { true }`
	`51`	`+ , m_lockMode { lockMode }`
`44`	`52`	`{`
`45`	`53`	`}`
`46`	`54`
`@@ -77,7 +85,7 @@ bool FileHandle::open(const String& path, FileSystem::FileOpenMode mode)`
`77`	`85`	`bool FileHandle::open()`
`78`	`86`	`{`
`79`	`87`	`if (!*this)`
`80`		`- m_fileHandle = FileSystem::openFile(m_path, m_mode);`
	`88`	`+ m_fileHandle = m_shouldLock ? FileSystem::openAndLockFile(m_path, m_mode, m_lockMode) : FileSystem::openFile(m_path, m_mode);`
`81`	`89`	`return static_cast<bool>(*this);`
`82`	`90`	`}`
`83`	`91`
`@@ -115,7 +123,11 @@ bool FileHandle::printf(const char* format, ...)`
`115`	`123`
`116`	`124`	`void FileHandle::close()`
`117`	`125`	`{`
`118`		`- FileSystem::closeFile(m_fileHandle);`
	`126`	`+ if (m_shouldLock && *this) {`
	`127`	`+ // FileSystem::unlockAndCloseFile requires the file handle to be valid while closeFile does not`
	`128`	`+ FileSystem::unlockAndCloseFile(m_fileHandle);`
	`129`	`+ } else`
	`130`	`+ FileSystem::closeFile(m_fileHandle);`
`119`	`131`	`}`
`120`	`132`
`121`	`133`	`} // namespace WebCore`