Skip to site navigation (Press enter)

[webkit-changes] [270318] trunk/Source/WebKit

bfulgham Tue, 01 Dec 2020 11:09:53 -0800

Title: [270318] trunk/Source/WebKit

Revision: 270318
Author: [email protected]
Date: 2020-12-01 11:08:41 -0800 (Tue, 01 Dec 2020)

Log Message

[macOS] Add telemetry for sandbox rules we believe are unused
https://bugs.webkit.org/show_bug.cgi?id=219141
<rdar://problem/71569084>


Reviewed by Per Arne Vollan.

This patch adds telemetry to a set of sandbox features we believe are unused. We should
capture telemetry to verify, and confirm before removing.

* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

Diff

Modified: trunk/Source/WebKit/ChangeLog (270317 => 270318)


--- trunk/Source/WebKit/ChangeLog	2020-12-01 18:54:50 UTC (rev 270317)
+++ trunk/Source/WebKit/ChangeLog	2020-12-01 19:08:41 UTC (rev 270318)
@@ -1,3 +1,16 @@
+2020-12-01  Brent Fulgham  <[email protected]>
+
+        [macOS] Add telemetry for sandbox rules we believe are unused
+        https://bugs.webkit.org/show_bug.cgi?id=219141
+        <rdar://problem/71569084>
+
+        Reviewed by Per Arne Vollan.
+
+        This patch adds telemetry to a set of sandbox features we believe are unused. We should
+        capture telemetry to verify, and confirm before removing.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2020-12-01  Keith Rollin  <[email protected]>
 
         Consolidate header postprocessing scripts

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (270317 => 270318)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-12-01 18:54:50 UTC (rev 270317)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-12-01 19:08:41 UTC (rev 270318)
@@ -84,6 +84,9 @@
 (allow file-read*
        file-write-data
        file-ioctl
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+    (with telemetry-backtrace)
+#endif
     (literal "/dev/dtracehelper"))
 
 ;;; Allow creation of core dumps.
@@ -104,6 +107,9 @@
         (preference-domain "com.nvidia.OpenGL"))
     ;; CVMS
     (allow mach-lookup
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+        (with telemetry-backtrace)
+#endif
         (global-name "com.apple.cvmsServ"))
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
     (allow file-read*
@@ -281,10 +287,22 @@
 
 ;;; process-info* defaults to allow; deny it and then allow operations we actually need.
 (deny process-info*)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+(allow process-info-pidinfo
+    (with report) (with telemetry-backtrace))
+(allow process-info-pidinfo (target self))
+#else
 (allow process-info-pidinfo)
+#endif
 (allow process-info-setcontrol (target self))
 (allow process-info-dirtycontrol (target self))
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+(allow process-codesigning-status*
+    (with report) (with telemetry-backtrace))
+(allow process-codesigning-status* (target self))
+#else
 (allow process-codesigning-status*)
+#endif
 
 (deny sysctl*)
 (allow sysctl-read
@@ -793,7 +811,11 @@
 
 ;; Allow the OpenGL Profiler to attach.
 (if (defined? 'mach-register)
-    (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
+    (allow mach-register
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+        (with telemetry-backtrace)
+#endif
+        (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
 
 (if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
     (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
@@ -972,8 +994,12 @@
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
 ;; <rdar://problem/47268166>
-(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
+(allow mach-lookup
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+    (with telemetry-backtrace)
 #endif
+    (xpc-service-name "com.apple.MTLCompilerService"))
+#endif
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
 (deny mach-lookup (with no-log)
@@ -995,13 +1021,24 @@
     (global-name "com.apple.ocspd"))
 #endif
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-write*
+    (with report) (with telemetry-backtrace)
+    (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+#else
 (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+#endif
 
+
 (allow file-read*
        (subpath "/private/var/db/mds")
        (literal "/private/var/db/DetachedSignatures"))
 
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-create
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+       (with report) (with telemetry-backtrace)
+#endif
        (ipc-posix-name "com.apple.AppleDatabaseChanged"))
 
 ;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
@@ -1021,8 +1058,15 @@
 (allow file-read-data
     (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
 (allow ipc-posix-shm
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+    (with report) (with telemetry-backtrace)
+#endif
     (ipc-posix-name-regex #"^CFPBS:")) ; <rdar://problem/13757475>
-(allow system-fsctl (fsctl-command (_IO "h" 47)))
+(allow system-fsctl
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+    (with report) (with telemetry-backtrace)
+#endif
+    (fsctl-command (_IO "h" 47)))
 
 ;; Graphics
 (system-graphics)

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes