Diff
Modified: trunk/Source/WebKit/ChangeLog (277399 => 277400)
--- trunk/Source/WebKit/ChangeLog 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/ChangeLog 2021-05-12 22:59:16 UTC (rev 277400)
@@ -1,3 +1,27 @@
+2021-05-12 Brent Fulgham <[email protected]>
+
+ [Cocoa] Silence uninteresting sandbox reports
+ https://bugs.webkit.org/show_bug.cgi?id=225713
+ <rdar://problem/77483132>
+
+ Reviewed by Per Arne Vollan.
+
+ Telemetry from the recently released iOS and macOS updates show a set of uninteresting sandbox violations. Most of
+ these are harmless, but all of them involve some runtime cost and may prevent code from making the best use of
+ available hardware and should be permitted.
+
+ These changes also bring the various sandboxes into better alignment, as many of these items had previously been
+ added to one of the other sandboxes.
+
+ * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-05-12 Wenson Hsieh <[email protected]>
Plumb some more metadata to QuickLook when revealing images
Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (277399 => 277400)
--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-05-12 22:59:16 UTC (rev 277400)
@@ -152,6 +152,7 @@
;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
+(allow process-info-dirtycontrol (target self))
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))
(allow process-codesigning-status*)
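Review bot: The added `(allow process-info-dirtycontrol (target self))` has no rationale, although the block header says only operations "we actually need" are re-allowed after `(deny process-info*)`. The `(target self)` filter keeps the scope narrow, but a later audit cannot tell whether the rule is load-bearing or was added only because it appeared in telemetry. A trailing comment in the style used elsewhere in these profiles, such as `;; Needed by <caller to be named>`, would record that. The same line is added without comment in the NetworkProcess and WebAuthnProcess profiles in this commit.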
@@ -161,6 +162,7 @@
(sysctl-name
"hw.byteorder"
"hw.busfrequency_max"
+ "hw.cputhreadtype"
"hw.cputype"
"hw.machine"
"hw.memsize"
@@ -372,6 +374,7 @@
(iokit-property "filevault-image") ;; Needed by LaunchServices
(iokit-property "graphic-options")
(iokit-property "hda-gfx")
+ (iokit-property "housing-color")
(iokit-property-regex #"^id(Product|Vendor)")
(iokit-property "iofb_version")
(iokit-property "image-encrypted")
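Review bot: `(iokit-property "housing-color")` is added with no note on what reads it, unlike the neighbouring `"filevault-image"` entry, which carries `;; Needed by LaunchServices`. Judging by its name, the property describes the physical device, so it is one more device-specific value readable from inside the sandbox. That matters more for the identical addition in com.apple.WebProcess.sb.in, the profile for the process that handles web content. Please name the consumer in a trailing comment, e.g. `(iokit-property "housing-color") ;; Needed by <framework>`. If no code path depends on the value, consider whether the report could be suppressed without granting the read.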
Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (277399 => 277400)
--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-05-12 22:59:16 UTC (rev 277400)
@@ -165,6 +165,7 @@
;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
+(allow process-info-dirtycontrol (target self))
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))
@@ -172,6 +173,7 @@
(allow sysctl-read
(sysctl-name
"hw.availcpu"
+ "hw.cputhreadtype"
"hw.ncpu"
"hw.memsize"
"hw.model" ;; Needed for bundle loading
@@ -181,6 +183,7 @@
"kern.osproductversion" ;; Needed by CFNetwork (HSTS store and others)
"kern.osversion" ;; Needed by WebKit and ASL logging.
"kern.tcsm_available" ;; Needed for IndexedDB support.
+ "kern.tcsm_enable"
"kern.ostype"
"kern.version"
"sysctl.name2oid"
@@ -189,6 +192,10 @@
(sysctl-name-regex #"^net.routetable")
)
+(allow sysctl-write
+ (sysctl-name
+ "kern.tcsm_enable"))
+
(deny iokit-get-properties)
(allow iokit-get-properties
(iokit-property
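Review bot: The new `(allow sysctl-write (sysctl-name "kern.tcsm_enable"))` block is the only rule in this commit that grants a write to kernel state, yet the ChangeLog describes the whole set as uninteresting violations being silenced. Every other addition is a read or a self-targeted process-info call, so this one deserves its own justification in the profile. The matching read entry added in the previous hunk is also uncommented, while `"kern.tcsm_available"` beside it says `;; Needed for IndexedDB support.` Suggest a comment of the form `"kern.tcsm_enable" ;; <which framework sets it, and why>` on both. If the network process works correctly when the write is refused, a deny rule that does not generate a report would remove the telemetry noise without adding the capability.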
@@ -195,9 +202,14 @@
"Ejectable"
"IOClassNameOverride"
"IOMediaIcon"
+ "IOServiceDEXTEntitlements"
+ "No-idle-support"
"Product Identification"
"Protocol Characteristics"
"Removable"
+ "acpi-pmcap-offset"
+ "driver-child-bundle"
+ "iommu-selection"
)
)
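Review bot: Five IOKit properties are added to the NetworkProcess allow-list here (`"IOServiceDEXTEntitlements"`, `"No-idle-support"`, `"acpi-pmcap-offset"`, `"driver-child-bundle"`, `"iommu-selection"`) with no indication of which framework queries them. By their names they look like driver and bus configuration details rather than anything a networking process uses directly, so they may come from a system library probing the registry; that is an inference, not something the hunk shows. Because this list follows `(deny iokit-get-properties)`, each entry is a deliberate exception and should carry a short trailing comment naming its consumer, as other entries in these profiles do. That lets the list be pruned once the caller stops asking. The enclosing `(allow iokit-get-properties` form begins in the previous hunk.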
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (277399 => 277400)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-05-12 22:59:16 UTC (rev 277400)
@@ -799,6 +799,7 @@
"hw.activecpu"
"hw.availcpu"
"hw.cachelinesize"
+ "hw.cputhreadtype"
"hw.cputype"
"hw.l2cachesize"
"hw.logicalcpu"
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (277399 => 277400)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2021-05-12 22:59:16 UTC (rev 277400)
@@ -431,6 +431,7 @@
(sysctl-name "hw.cpufrequency_compat")
(sysctl-name "hw.cpufrequency_max")
(sysctl-name "hw.cpusubtype")
+ (sysctl-name "hw.cputhreadtype")
(sysctl-name "hw.cputype")
(sysctl-name "hw.l1dcachesize")
(sysctl-name "hw.l1dcachesize_compat")
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb (277399 => 277400)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb 2021-05-12 22:59:16 UTC (rev 277400)
@@ -477,6 +477,7 @@
"hw.activecpu"
"hw.availcpu"
"hw.cachelinesize"
+ "hw.cputhreadtype"
"hw.cputype"
"hw.l2cachesize"
"hw.logicalcpu"
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (277399 => 277400)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-05-12 22:59:16 UTC (rev 277400)
@@ -925,6 +925,7 @@
"hw.cachelinesize"
"hw.cachelinesize_compat"
"hw.cpufamily" ;; <rdar://problem/58416475>
+ "hw.cputhreadtype"
"hw.cputype"
"hw.l2cachesize"
"hw.logicalcpu"
Modified: trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in (277399 => 277400)
--- trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-05-12 22:59:16 UTC (rev 277400)
@@ -102,6 +102,7 @@
;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
+(allow process-info-dirtycontrol (target self))
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))
(allow process-codesigning-status*)
@@ -111,6 +112,7 @@
(sysctl-name
"hw.byteorder"
"hw.busfrequency_max"
+ "hw.cputhreadtype"
"hw.cputype"
"hw.machine"
"hw.memsize"
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (277399 => 277400)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-05-12 22:56:22 UTC (rev 277399)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-05-12 22:59:16 UTC (rev 277400)
@@ -778,6 +778,7 @@
(iokit-property "filevault-image") ;; Needed by LaunchServices
(iokit-property "graphic-options")
(iokit-property "hda-gfx")
+ (iokit-property "housing-color")
(iokit-property-regex #"^id(Product|Vendor)")
(iokit-property "iofb_version")
(iokit-property "image-encrypted")