Title: [234303] branches/safari-606-branch/Source/WebKit
- Revision: 234303
- Author: [email protected]
- Date: 2018-07-26 23:02:14 -0700 (Thu, 26 Jul 2018)
Log Message
Cherry-pick r234223. rdar://problem/42650367
[macOS] Update sandboxes for revised OpenCL calls and streaming media
https://bugs.webkit.org/show_bug.cgi?id=188013
<rdar://problem/42594262>
Reviewed by Eric Carlson.
Testing logs from recent Mojave builds shows that OpenCL is checking more CPU-specific values as part of WebKit
painting operations. We need to allow these checks in the sandbox to support these more optimized drawing operations.
I also corrected some sandbox violations I found while investigating streaming media issues.
* WebProcess/com.apple.WebProcess.sb.in:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234223 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-606-branch/Source/WebKit/ChangeLog (234302 => 234303)
--- branches/safari-606-branch/Source/WebKit/ChangeLog 2018-07-27 06:02:12 UTC (rev 234302)
+++ branches/safari-606-branch/Source/WebKit/ChangeLog 2018-07-27 06:02:14 UTC (rev 234303)
@@ -1,5 +1,40 @@
2018-07-26 Babak Shafiei <[email protected]>
+ Cherry-pick r234223. rdar://problem/42650367
+
+ [macOS] Update sandboxes for revised OpenCL calls and streaming media
+ https://bugs.webkit.org/show_bug.cgi?id=188013
+ <rdar://problem/42594262>
+
+ Reviewed by Eric Carlson.
+
+ Testing logs from recent Mojave builds shows that OpenCL is checking more CPU-specific values as part of WebKit
+ painting operations. We need to allow these checks in the sandbox to support these more optimized drawing operations.
+
+ I also corrected some sandbox violations I found while investigating streaming media issues.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234223 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-07-25 Brent Fulgham <[email protected]>
+
+ [macOS] Update sandboxes for revised OpenCL calls and streaming media
+ https://bugs.webkit.org/show_bug.cgi?id=188013
+ <rdar://problem/42594262>
+
+ Reviewed by Eric Carlson.
+
+ Testing logs from recent Mojave builds shows that OpenCL is checking more CPU-specific values as part of WebKit
+ painting operations. We need to allow these checks in the sandbox to support these more optimized drawing operations.
+
+ I also corrected some sandbox violations I found while investigating streaming media issues.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+2018-07-26 Babak Shafiei <[email protected]>
+
Cherry-pick r234081. rdar://problem/42490080
REGRESSION(r233925): Can't go into PiP twice
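Review bot: The entry under `* WebProcess/com.apple.WebProcess.sb.in:` is left empty, and "some sandbox violations" does not say which rules were relaxed. For a sandbox profile change, list the additions here (the sysctl names, the IOKit property, the `com.apple.security.plist` read, and each new mach-lookup name) so the widened surface can be audited from the log without reading the diff.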
Modified: branches/safari-606-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (234302 => 234303)
--- branches/safari-606-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2018-07-27 06:02:12 UTC (rev 234302)
+++ branches/safari-606-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2018-07-27 06:02:14 UTC (rev 234303)
@@ -165,7 +165,6 @@
"hw.byteorder"
"hw.busfrequency_max"
"hw.cputype"
- "hw.l2cachesize"
"hw.machine"
"hw.memsize"
"hw.model"
@@ -176,10 +175,12 @@
"kern.memorystatus_level"
"kern.safeboot"
"kern.version"
+ "machdep.cpu.brand_string"
"security.mac.sandbox.sentinel"
"vm.footprint_suspend")
(sysctl-name-regex #"^hw.(active|avail)cpu")
- (sysctl-name-regex #"^hw.(busfrequency|cachelinesize|cpufrequency|pagesize|tbfrequency)_compat")
+ (sysctl-name-regex #"^hw.(busfrequency|cachelinesize|cpufrequency(|_max)|pagesize|tbfrequency)(|_compat)")
+ (sysctl-name-regex #"^hw.l.+cachesize")
(sysctl-name-regex #"^hw.(logical|physical)cpu_max")
(sysctl-name-regex #"^hw.optional\.")
(sysctl-name-regex #"^kern.os(release|type|variant_status|version)")
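Review bot: `^hw.l.+cachesize` is much wider than the single literal `hw.l2cachesize` it replaces: the `.` after `hw` is unescaped, `.+` accepts any run of characters, and nothing in the pattern ends the match at `cachesize`. If the intent is the per-level cache sizes, something like `^hw\.l[0-9][di]?cachesize$` states that exactly. The rewritten line above it has the same issue, since `(|_compat)` with no end anchor leaves it a prefix match on `hw.busfrequency`, `hw.cpufrequency` and the others; adding `$` keeps it to the names listed. `machdep.cpu.brand_string` also exposes the exact CPU model string to the web process, so a comment naming the OpenCL check that needs it would help.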
@@ -260,6 +261,7 @@
(iokit-property-regex #"^IOName(|Match(|ed))")
(iokit-property "IOOCDBundleName")
(iokit-property "IOPCITunnelled")
+ (iokit-property "IOPCITunnelCompatible")
(iokit-property "IOPMStrictTreeOrder")
(iokit-property "IOParentMatch")
(iokit-property-regex #"^IOPCI((Class|Primary|Property|)Match|Express(Capabilities|Link(Status|Capabilities))|MSIMode|Resourced|Tunnelled)")
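Review bot: `IOPCITunnelCompatible` is inserted after `IOPCITunnelled`, but the surrounding literals are in byte order (`IOPCITunnelled`, `IOPMStrictTreeOrder`, `IOParentMatch`), which puts `TunnelCompatible` before `Tunnelled`. Move it up one line, and add a short comment saying which of the two fixes in this commit (OpenCL or streaming media) reads the property.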
@@ -492,6 +494,11 @@
(allow file-read*
(literal "/Library/Preferences/com.apple.ViewBridge.plist"))
+; FIXME: This is needed for some security framework calls (that use non-CFPreferences readers)
+(allow file-read-data
+ (literal "/Library/Preferences/com.apple.security.plist")
+ (home-subpath "/Library/Preferences/com.apple.security.plist"))
+
;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
;; and to allow issuing extensions.
(allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))
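Review bot: The second filter uses `home-subpath` on what is a single plist file, while the system-wide copy one line above it uses `literal`. A subpath filter also covers anything beneath that path; a literal match on the home-relative path would cover only the file. The FIXME also carries no bug or radar reference to track its removal, and it starts with a single `;` where the neighbouring comments use `;;`.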
@@ -573,6 +580,7 @@
(global-name "com.apple.analyticsd")
(global-name "com.apple.audio.AudioComponentRegistrar")
#endif
+ (global-name "com.apple.assertiond.processassertionconnection")
(global-name "com.apple.audio.audiohald")
(global-name "com.apple.audio.coreaudiod")
(global-name "com.apple.awdd")
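Review bot: `com.apple.assertiond.processassertionconnection` is allowed with no comment saying which caller needs it, unlike the `com.apple.cmio.registerassistantservice` line added further down in the same list. Each new mach-lookup name widens what the web process can reach, so record the reason (or the radar) next to the entry.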
@@ -579,6 +587,7 @@
(global-name "com.apple.cfnetwork.AuthBrokerAgent")
(global-name "com.apple.cfprefsd.agent")
(global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.cmio.registerassistantservice") ;; Needed by CoreMedia for plugin drivers
(global-name "com.apple.cookied")
(global-name "com.apple.coreservices.launchservicesd")
(global-name "com.apple.diagnosticd")
@@ -593,6 +602,7 @@
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.mobileassetd")
(global-name "com.apple.nesessionmanager.flow-divert-token")
+ (global-name "com.apple.powerlog.plxpclogger.xpc")
(global-name "com.apple.speech.speechsynthesisd")
(global-name "com.apple.speech.synthesis.console")
(global-name "com.apple.system.DirectoryService.libinfo_v1")
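Review bot: `com.apple.powerlog.plxpclogger.xpc` is added to the allow list without a stated need. If the lookup only showed up as a logged violation and the feature works without it, a `deny mach-lookup (with no-log)` entry, as this commit uses for `com.apple.ViewBridgeAuxiliary`, would silence the report without granting access. Otherwise add a comment naming the framework that requires it.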
@@ -613,9 +623,17 @@
(global-name "com.apple.xpcd")
)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400
+(deny mach-lookup (with no-log)
+ (global-name "com.apple.ViewBridgeAuxiliary")
+ (global-name "com.apple.windowserver.active"))
+#endif
+
+
;; Needed to support encrypted media playback <rdar://problem/40038478>
(allow mach-lookup
- (global-name "com.apple.SecurityServer"))
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.ocspd"))
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
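Review bot: The new `(deny mach-lookup (with no-log) ...)` block has no comment explaining why these two services are denied silently on 10.14 and later. `no-log` removes them from the violation logs that this change was derived from, so state the reason and a tracking bug next to the rule. Separately, `com.apple.ocspd` is placed under the "encrypted media playback <rdar://problem/40038478>" comment; confirm that radar covers it or give it its own comment, and drop one of the two blank lines added before that comment.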