Title: [262560] trunk/Source/WebKit
Revision
262560
Author
bfulg...@apple.com
Date
2020-06-04 12:45:01 -0700 (Thu, 04 Jun 2020)

Log Message

Revise sandbox to support network stack telemetry without sandbox violation reports
https://bugs.webkit.org/show_bug.cgi?id=212720
<rdar://problem/63895783>

Reviewed by Per Arne Vollan.

Telemetry captured for various networking configurations has revealed a handful of mach service
connections that should be allowed in the Network Process to support troubleshooting and field diagnostics.

This patch revises the sandbox to avoid logging these accesses during normal operation.

* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: Do not generate traces for 'com.apple.diagnosticd'.
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Ditto.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb: Allow 'com.apple.osanalytics.osanalyticshelper' to
  be used on internal development builds.
* Shared/WebProcessCreationParameters.cpp:
(WebKit::WebProcessCreationParameters::encode const): Update to handle both 'diagnosticd' and 'osanalyticshelper'
as optional services for internal builds.
(WebKit::WebProcessCreationParameters::decode): Ditto.
* Shared/WebProcessCreationParameters.h:
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::diagnosticServices): Ditto.
(WebKit::WebProcessPool::platformInitializeWebProcess): Ditto.
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeWebProcess): Ditto.

Diff

Modified: trunk/Source/WebKit/ChangeLog (262559 => 262560)


--- trunk/Source/WebKit/ChangeLog	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/ChangeLog	2020-06-04 19:45:01 UTC (rev 262560)
@@ -1,3 +1,31 @@
+2020-06-04  Brent Fulgham  <bfulg...@apple.com>
+
+        Revise sandbox to support network stack telemetry without sandbox violation reports
+        https://bugs.webkit.org/show_bug.cgi?id=212720
+        <rdar://problem/63895783>
+
+        Reviewed by Per Arne Vollan.
+
+        Telemetry captured for various networking configurations has revealed a handful of mach service
+        connections that should be allowed in the Network Process to support troubleshooting and field diagnostics.
+
+        This patch revises the sandbox to avoid logging these accesses during normal operation.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: Do not generate traces for 'com.apple.diagnosticd'.
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Ditto.
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb: Allow 'com.apple.osanalytics.osanalyticshelper' to
+          be used on internal development builds.
+        * Shared/WebProcessCreationParameters.cpp:
+        (WebKit::WebProcessCreationParameters::encode const): Update to handle both 'diagnosticd' and 'osanalyticshelper'
+        as optional services for internal builds.
+        (WebKit::WebProcessCreationParameters::decode): Ditto.
+        * Shared/WebProcessCreationParameters.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::diagnosticServices): Ditto.
+        (WebKit::WebProcessPool::platformInitializeWebProcess): Ditto.
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::platformInitializeWebProcess): Ditto.
+
 2020-06-04  Per Arne Vollan  <pvol...@apple.com>
 
         [Cocoa] Adopt read-only mode for preferences in the WebContent process
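
Review bot: the entries for com.apple.WebKit.NetworkProcess.sb.in and com.apple.WebKit.Networking.sb name only 'com.apple.diagnosticd', but both profile hunks in this revision also add a mach-lookup for "com.apple.aggregated". Suggest naming it in those two entries so the log records every service the Network process gained.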

Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (262559 => 262560)


--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2020-06-04 19:45:01 UTC (rev 262560)
@@ -116,7 +116,6 @@
        (global-name "com.apple.bsd.dirhelper")
        (global-name "com.apple.cfprefsd.agent")
        (global-name "com.apple.cfprefsd.daemon")
-       (global-name "com.apple.diagnosticd")
        (global-name "com.apple.espd")
        (global-name "com.apple.logd")
        (global-name "com.apple.logd.events")
@@ -298,10 +297,12 @@
     (global-name "com.apple.FileCoordination")
     (global-name "com.apple.PowerManagement.control")
     (global-name "com.apple.SystemConfiguration.configd")
+    (global-name "com.apple.aggregated")
     (global-name "com.apple.analyticsd")
     (global-name "com.apple.cookied")
     (global-name "com.apple.cfnetwork.AuthBrokerAgent")
     (global-name "com.apple.cfnetwork.cfnetworkagent")
+    (global-name "com.apple.diagnosticd")
     (global-name "com.apple.ist.ds.appleconnect2.service.kdctunnelcontroller")
     (global-name "com.apple.lsd.mapdb")
     (global-name "com.apple.nesessionmanager.flow-divert-token")
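
Review bot: the two names added in the second hunk carry no comment, and "com.apple.aggregated" is a new grant rather than a move like "com.apple.diagnosticd". The iOS profile in this same revision documents the pair with ";; These are always needed in the Network process:"; the same line here would keep the two profiles comparable. The context lines also do not show the enclosing rule heads, so it would help if the log said which rule the name left and which it joined.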

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (262559 => 262560)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2020-06-04 19:45:01 UTC (rev 262560)
@@ -507,8 +507,11 @@
 (allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.distributed_notifications@1v3"))
 
-(allow mach-lookup (with report) (with telemetry)
-    (global-name "com.apple.diagnosticd"))
+;; These are always needed in the Network process:
+(allow mach-lookup
+    (global-name "com.apple.diagnosticd")
+    (global-name "com.apple.aggregated")
+)
 
 (logd-diagnostic-client)
 
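
Review bot: "com.apple.aggregated" goes straight into an unlogged allow, while the neighbouring rule for "com.apple.distributed_notifications@1v3" still carries (with report) (with telemetry), and the new comment says the services are always needed without saying what needs them. A short reason in the comment (the log message cites troubleshooting and field diagnostics) would justify dropping the reporting. Style nit: the closing parenthesis sits on its own line, unlike the rule just above, which closes on its last global-name line.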

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (262559 => 262560)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-06-04 19:45:01 UTC (rev 262560)
@@ -950,6 +950,7 @@
             "com.apple.mobileassetd.v2"
             "com.apple.nehelper"
             "com.apple.nesessionmanager.content-filter"
+            "com.apple.osanalytics.osanalyticshelper"
             "com.apple.runningboard"
             "com.apple.tccd"
             "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI"
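
Review bot: nothing at the added "com.apple.osanalytics.osanalyticshelper" line says it is meant for internal builds only, although the log message does. The enclosing rule is outside the visible context, and the only internal-build gate shown in this revision is isInternalInstall() in WebProcessPoolCocoa.mm. Please confirm the list is one that requires an extension issued by the UI process, and add a comment next to the entry saying it is internal-only.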

Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp (262559 => 262560)


--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.cpp	2020-06-04 19:45:01 UTC (rev 262560)
@@ -162,7 +162,7 @@
 #endif
 
 #if PLATFORM(IOS_FAMILY)
-    encoder << diagnosticsExtensionHandle;
+    encoder << diagnosticsExtensionHandles;
     encoder << runningboardExtensionHandle;
     encoder << dynamicMachExtensionHandles;
     encoder << dynamicIOKitExtensionHandles;
@@ -437,11 +437,11 @@
 #endif
 
 #if PLATFORM(IOS_FAMILY)
-    Optional<Optional<SandboxExtension::Handle>> diagnosticsExtensionHandle;
-    decoder >> diagnosticsExtensionHandle;
-    if (!diagnosticsExtensionHandle)
+    Optional<SandboxExtension::HandleArray> diagnosticsExtensionHandles;
+    decoder >> diagnosticsExtensionHandles;
+    if (!diagnosticsExtensionHandles)
         return false;
-    parameters.diagnosticsExtensionHandle = WTFMove(*diagnosticsExtensionHandle);
+    parameters.diagnosticsExtensionHandles = WTFMove(*diagnosticsExtensionHandles);
 
     Optional<Optional<SandboxExtension::Handle>> runningboardExtensionHandle;
     decoder >> runningboardExtensionHandle;

Modified: trunk/Source/WebKit/Shared/WebProcessCreationParameters.h (262559 => 262560)


--- trunk/Source/WebKit/Shared/WebProcessCreationParameters.h	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/Shared/WebProcessCreationParameters.h	2020-06-04 19:45:01 UTC (rev 262560)
@@ -202,7 +202,7 @@
 #endif
 
 #if PLATFORM(IOS_FAMILY)
-    Optional<SandboxExtension::Handle> diagnosticsExtensionHandle;
+    SandboxExtension::HandleArray diagnosticsExtensionHandles;
     Optional<SandboxExtension::Handle> runningboardExtensionHandle;
     SandboxExtension::HandleArray dynamicMachExtensionHandles;
     SandboxExtension::HandleArray dynamicIOKitExtensionHandles;

Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (262559 => 262560)


--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2020-06-04 19:45:01 UTC (rev 262560)
@@ -262,6 +262,16 @@
     return services;
 }
 
+static const Vector<String>& diagnosticServices()
+{
+    ASSERT(isMainThread());
+    static const auto services = makeNeverDestroyed(Vector<String> {
+        "com.apple.diagnosticd",
+        "com.apple.osanalytics.osanalyticshelper"
+    });
+    return services;
+}
+
 static const Vector<String>& agxCompilerClasses()
 {
     ASSERT(isMainThread());
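
Review bot: diagnosticServices() has no comment saying the list is only handed out on internal installs, and "com.apple.osanalytics.osanalyticshelper" has to match the string added to com.apple.WebKit.WebContent.sb exactly. A one-line comment above the function noting both would help the next person who edits either file. Naming nit: the function says "diagnostic" while the parameter it feeds is diagnosticsExtensionHandles.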
@@ -279,6 +289,7 @@
     });
     return iokitClasses;
 }
+
 #endif
 
 void WebProcessPool::platformInitializeWebProcess(const WebProcessProxy& process, WebProcessCreationParameters& parameters)
@@ -389,11 +400,8 @@
     if (!WebCore::IOSApplication::isMobileSafari())
         parameters.dynamicMachExtensionHandles = SandboxExtension::createHandlesForMachLookup(nonBrowserServices(), WTF::nullopt);
     
-    if (isInternalInstall()) {
-        SandboxExtension::Handle diagnosticsExtensionHandle;
-        SandboxExtension::createHandleForMachLookup("com.apple.diagnosticd", WTF::nullopt, diagnosticsExtensionHandle, SandboxExtension::Flags::NoReport);
-        parameters.diagnosticsExtensionHandle = WTFMove(diagnosticsExtensionHandle);
-    }
+    if (isInternalInstall())
+        parameters.diagnosticsExtensionHandles = SandboxExtension::createHandlesForMachLookup(diagnosticServices(), WTF::nullopt, SandboxExtension::Flags::NoReport);
 
     SandboxExtension::Handle runningboardExtensionHandle;
     if (SandboxExtension::createHandleForMachLookup("com.apple.runningboard", WTF::nullopt, runningboardExtensionHandle, SandboxExtension::Flags::NoReport))
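
Review bot: the result of createHandlesForMachLookup(diagnosticServices(), ...) is assigned with no check, so a failure to create a handle for either service passes silently, whereas the runningboard call just below tests its return value. The removed code ignored the return value too, but now two services depend on it. If the returned array can be inspected for that, consider logging when fewer handles than services come back.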

Modified: trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (262559 => 262560)


--- trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm	2020-06-04 19:44:30 UTC (rev 262559)
+++ trunk/Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm	2020-06-04 19:45:01 UTC (rev 262560)
@@ -301,9 +301,7 @@
 #endif
 
 #if PLATFORM(IOS_FAMILY)
-    if (parameters.diagnosticsExtensionHandle)
-        SandboxExtension::consumePermanently(*parameters.diagnosticsExtensionHandle);
-
+    SandboxExtension::consumePermanently(parameters.diagnosticsExtensionHandles);
     SandboxExtension::consumePermanently(parameters.dynamicMachExtensionHandles);
     SandboxExtension::consumePermanently(parameters.dynamicIOKitExtensionHandles);
 #endif
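
Review bot: the presence check is dropped, so consumePermanently(parameters.diagnosticsExtensionHandles) now runs on every iOS-family launch, including installs where the UI process never fills the array. That matches how dynamicMachExtensionHandles is handled on the next line, but it leaves isInternalInstall() in WebProcessPoolCocoa.mm as the only internal-build gate: the WebContent process consumes whatever handles it is sent. A comment here saying the array is empty on non-internal installs would make that explicit.
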
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes