Title: [291806] trunk/Source/WebKit
Revision
291806
Author
pvol...@apple.com
Date
2022-03-24 11:15:40 -0700 (Thu, 24 Mar 2022)

Log Message

[macOS] Remove reports for some sandbox violations on process launch
https://bugs.webkit.org/show_bug.cgi?id=238324

Reviewed by Geoffrey Garen.

Remove reports for some sandbox violations on process launch on macOS. These violations are not critical,
and are slowing down process launch. This patch also adds access to a mach syscall observed being in use.

* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (291805 => 291806)


--- trunk/Source/WebKit/ChangeLog	2022-03-24 18:08:02 UTC (rev 291805)
+++ trunk/Source/WebKit/ChangeLog	2022-03-24 18:15:40 UTC (rev 291806)
@@ -1,3 +1,16 @@
+2022-03-24  Per Arne Vollan  <pvol...@apple.com>
+
+        [macOS] Remove reports for some sandbox violations on process launch
+        https://bugs.webkit.org/show_bug.cgi?id=238324
+
+        Reviewed by Geoffrey Garen.
+
+        Remove reports for some sandbox violations on process launch on macOS. These violations are not critical,
+        and are slowing down process launch. This patch also adds access to a mach syscall observed being in use.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2022-03-24  Chris Dumez  <cdu...@apple.com>
 
         String's find() / reverseFind() / replace() should take in a StringView instead of a String

Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (291805 => 291806)


--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2022-03-24 18:08:02 UTC (rev 291805)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2022-03-24 18:15:40 UTC (rev 291806)
@@ -306,11 +306,11 @@
 (allow mach-lookup (global-name "com.apple.webkit.webpushd.service"))
 (allow mach-lookup (global-name "org.webkit.webpushtestdaemon.service"))
 
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.DiskArbitration.diskarbitrationd"))
 (with-filter (uid 0)
     (allow mach-lookup 
-        (global-name "com.apple.DiskArbitration.diskarbitrationd")
-    )
-)
+        (global-name "com.apple.DiskArbitration.diskarbitrationd")))
 
 (deny mach-lookup 
    (global-name "com.apple.ctkd.token-client")
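Review bot: The root-only allow for `com.apple.DiskArbitration.diskarbitrationd` now depends on its position after the new `(deny mach-lookup (with no-log) ...)` form, and nothing in the hunk says so. As far as I understand SBPL, the later matching rule takes precedence, so the `(with-filter (uid 0) ...)` allow only wins because it follows the deny. If the two forms are ever reordered, uid 0 loses the lookup and, because of `no-log`, no violation report will point at the cause. I would add a comment above the pair, e.g. `;; Order matters: silent deny for everyone, then re-allow for uid 0 below.`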
@@ -450,6 +450,11 @@
 (allow mach-lookup
     (global-name "com.apple.tccd"))
 
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.tccd.system")
+    (global-name "com.apple.CoreServices.coreservicesd")
+    (global-name-prefix "com.apple.distributed_notifications"))
+
 ;; <rdar://89031731>
 (allow mach-lookup
     (global-name "com.apple.networkserviceproxy.fetch-token"))
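Review bot: The new `(deny mach-lookup (with no-log) ...)` block has no comment saying why these three names are silenced. The same applies to the no-log denials added in com.apple.WebProcess.sb.in (SandboxHelper, tccd.system, distributed_notifications, AudioComponentRegistrar). Suppressed reports are also the signal that would show a process reaching for these services unexpectedly, so the rationale belongs next to each rule. The `global-name-prefix "com.apple.distributed_notifications"` entry in particular silences every name under that prefix. Suggest `;; Looked up during launch; denied without a report to keep launch fast. https://bugs.webkit.org/show_bug.cgi?id=238324` above each block.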
@@ -604,6 +609,7 @@
             MSC__kernelrpc_mach_port_extract_member_trap
             MSC__kernelrpc_mach_port_guard_trap
             MSC__kernelrpc_mach_port_insert_member_trap
+            MSC__kernelrpc_mach_port_insert_right_trap
             MSC__kernelrpc_mach_port_mod_refs_trap
             MSC__kernelrpc_mach_port_request_notification_trap
             MSC__kernelrpc_mach_port_type_trap
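Review bot: `MSC__kernelrpc_mach_port_insert_right_trap` widens the Mach trap list for the Network process, and the only stated justification is the log message's "observed being in use". The enclosing form starts and ends outside the hunk, so I cannot tell from here whether this list is a plain allow or one that still reports. Either way, a comment on the entry naming the caller or framework that needs the trap would let a later audit decide whether it can be removed, e.g. `;; needed by <caller>, see https://bugs.webkit.org/show_bug.cgi?id=238324`.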

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (291805 => 291806)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-03-24 18:08:02 UTC (rev 291805)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-03-24 18:15:40 UTC (rev 291806)
@@ -961,8 +961,10 @@
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED <= 110000
 (allow mach-lookup
-    (xpc-service-name "com.apple.audio.SandboxHelper")
-)
+    (xpc-service-name "com.apple.audio.SandboxHelper"))
+#else
+(deny mach-lookup (with no-log)
+    (xpc-service-name "com.apple.audio.SandboxHelper"))
 #endif
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 110000
@@ -1390,8 +1392,10 @@
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
 (allow mach-lookup
-    (global-name "com.apple.tccd.system")
-)
+    (global-name "com.apple.tccd.system"))
+#else
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.tccd.system"))
 #endif
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED <= 110000
@@ -1510,13 +1514,11 @@
 #endif
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
-(deny mach-lookup
-    (global-name-prefix "com.apple.distributed_notifications")
-)
+(deny mach-lookup (with no-log)
+    (global-name-prefix "com.apple.distributed_notifications"))
 #else
 (allow mach-lookup
-    (global-name-prefix "com.apple.distributed_notifications")
-)
+    (global-name-prefix "com.apple.distributed_notifications"))
 #endif
 
 (allow file-read-data
@@ -1788,6 +1790,9 @@
     (require-all
         (require-not (extension "com.apple.webkit.extension.mach"))
         (global-name "com.apple.audio.AudioComponentRegistrar")))
+#else
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.audio.AudioComponentRegistrar"))
 #endif
 
 ;; Caches for LaunchServices data needs to be able to mark the directory as 'hot'.
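Review bot: The new `#else` branch denies `com.apple.audio.AudioComponentRegistrar` unconditionally, while the allow in the `#if` branch is gated on `(require-not (extension "com.apple.webkit.extension.mach"))`. If a rule earlier in the profile grants this name through that extension, the silent deny would presumably override it on the OS versions that take the `#else` path, and with `no-log` there would be no report explaining the failed lookup. The `#if` condition and the start of the allow form are outside the hunk, so this needs checking against the full file. If the override is not intended, mirror the guard: `(deny mach-lookup (with no-log) (require-all (require-not (extension "com.apple.webkit.extension.mach")) (global-name "com.apple.audio.AudioComponentRegistrar")))`.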