New issue
Advanced search Search tips

Issue 891823 link

Starred by 1 user
Status: Verified
Owner:
kerrnel@chromium.org
Closed: Oct 5
Cc:
kerrnel@chromium.org
rsesek@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Mac OSX Core Graphics API stopped working from Pepper Flash since Chrome 66

Reported by ankur.ma...@adobe.com, Oct 3 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
Adobe Access DRM library for Video streaming, that is statically bundled with Pepper Flash, is dependent on certain Mac OSX.sdk API to detect the attached display types. This is needed to apply Output-Protection on Video content. Some of the API methods that are in use are: CGGetOnlineDisplayList 
 (https://developer.apple.com/documentation/coregraphics/1454964-cggetonlinedisplaylist) which detects the number of connected displays and CGDisplayIOServicePort (https://developer.apple.com/documentation/coregraphics/1543516-cgdisplayioserviceport) which helps identify if the displays are connected with digital or analog connections.

What is the expected behavior?
The mentioned API CGGetOnlineDisplayList and  CGDisplayIOServicePort should return the correct values when called in Pepper Flash

What went wrong?
Since Chrome 66, the mentioned API has stopped working correctly and return wrong results now. CGGetOnlineDisplayList always returns a 0 count of connected displays. Older versions of Chrome running on the same Mac environment behave correctly. On newer versions, the same API methods are failing. 
It seems like some restrictions have been introduced for Pepper Flash on Chrome from accessing Mac system API.

Did this work before? Yes 65

Does this work in other browsers? N/A

Chrome version: 69.0.3497.100  Channel: stable
OS Version: OS X 10.13.6
Flash Version: 31

Please clarify if there have been new sandboxing applied for Pepper flash from Accessing system API around release 66. If so, can there be an exception made for allowing specific Core Graphics API, so that DRM protected streams could be played?

Comment 1 by lgrey@chromium.org, Oct 3

Cc: rsesek@chromium.org kerrnel@chromium.org
Components: Internals>Plugins>Flash
+kerrnel/rsesek@ for sandbox

Comment 2 by kerrnel@chromium.org, Oct 3 

Thanks for the report. Is there a web-site I can visit to trigger this DRM behavior? That way I can reproduce and tweak the sandbox profile, assuming this is the sandbox causing it.

Comment 3 by kerrnel@chromium.org, Oct 3

Owner: kerrnel@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by ankur.ma...@adobe.com, Oct 4 

Thanks for picking this up.
Our test player is hosted at http://drmtest2.adobe.com/AccessPlayer/player.html. 
To reproduce the issue, copy the following DRM protected stream URL in the 'Media URL'
http://de9b7h88wgj5l.cloudfront.net/static/users/ankmathu/protected/sintel/sintel-1024-stereo.m3u8 
Now try to play this (using the play button on bottom left)
On latest Chrome, this video stream fails to start video playback with "Error: 3338 [null]"  (shown in the logs on the right pane).
On Chrome versions older than 66, the video plays fine. It plays fine on the latest Firefox as well.
The issue is specific to Mac OSX.

Comment 5 by ankur.ma...@adobe.com, Oct 4 

To ensure a clean environment before playing the stream, clean up the caches by deleting all the contents at following paths: 
~/Library/Application\ Support/Google/Chrome/Default/Pepper\ Data/Shockwave\ Flash/CacheWritableAdobeRoot/0/*
~/Library/Application\ Support/Google/Chrome/Default/Pepper\ Data/Shockwave\ Flash/CacheWritableAdobeRoot/AssetCache/*

Comment 6 by kerrnel@chromium.org, Oct 4 

I confirmed that reverting to the V1 sandbox allows the video to play. Now I will diagnose what sandbox rule needs to be added to the V2 profile and submit that.

Comment 7 by kerrnel@chromium.org, Oct 4 

From the flash process, likely the issue:

Sandbox: Google Chrome He(1515) deny mach-lookup com.apple.windowserver.active
Sandbox Check by:    launchd(1)

Violation:       deny mach-lookup com.apple.windowserver.active 
MetaData: {"build":"Mac OS X 10.13 (17A360a)","sandbox_checker":"launchd","action":"deny","target":["com.apple.windowserver.active"],"hardware":"Mac","platform_binary":"no","profile":"unknown","process":"Google Chrome He","op":"mach-lookup"}

Process:         Google Chrome He [1515]
Path:            /Applications/Google Chrome Canary.app/Contents/Versions/71.0.3570.0/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
Load Address:    0x10875f000
Identifier:      com.google.Chrome.helper
Version:         3570.0 (71.0.3570.0)
Code Type:       x86_64 (Native)
Parent Process:  Google Chrome Canary [1495]
Responsible:     /Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary [1495]
User ID:         501

Date/Time:       2018-10-04 14:03:07.750 PDT
OS Version:      Mac OS X 10.13 (17A360a)
Report Version:  8

Thread 0 (id: 187708, CrPPAPIMain):
0   libsystem_kernel.dylib        	0x00007fff6dfdae76 mach_msg_trap + 10
1   Google Chrome Framework       	0x000000011247043d
2   Google Chrome Framework       	0x0000000112436592
3   Google Chrome Framework       	0x0000000112459645
4   Google Chrome Framework       	0x0000000111f105e0
5   Google Chrome Framework       	0x0000000111fda661
6   Google Chrome Framework       	0x0000000113ce260d
7   Google Chrome Framework       	0x0000000111fd9a54
8   Google Chrome Framework       	0x000000010ff1725f ChromeMain + 175
9   Google Chrome Helper          	0x000000010875faee main + 494
10  libdyld.dylib                 	0x00007fff6de94145 start + 1
11  Google Chrome Helper          	0x000000000000000b
Project Member

Comment 8 by bugdroid1@chromium.org, Oct 5 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cd1c7208c7266aefe80f964b93463a93a7bfc149

commit cd1c7208c7266aefe80f964b93463a93a7bfc149
Author: Greg Kerr <kerrnel@chromium.org>
Date: Fri Oct 05 16:52:58 2018

macOS V2 Sandbox: Allow PPAPI to contact window server.

Flash player DRM videos are currently broken because the V2 sandbox
blocks access to the window server. This allows the access.

Bug:  891823 
Change-Id: I06116f1de78480fe80b01465a6b9b097066b7278
Reviewed-on: https://chromium-review.googlesource.com/c/1263282
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597169}
[modify] https://crrev.com/cd1c7208c7266aefe80f964b93463a93a7bfc149/services/service_manager/sandbox/mac/ppapi_v2.sb

Comment 9 by kerrnel@chromium.org, Oct 5

Status: Fixed (was: Assigned)
Ankur, can you please verify this in a canary build early next week? Then I'll consider a merge to beta. Thanks again for the report.

Comment 10 by ankur.ma...@adobe.com, Oct 7 

Thank you, Greg. I have verified it on canary version 71.0.3572.0. The issue is fixed. Please go ahead with the merge.

Comment 11 by kerrnel@chromium.org, Oct 8

Status: Verified (was: Fixed)

Sign in to add a comment