Changeset 291806 in webkit

Timestamp:

Mar 24, 2022 11:15:40 AM (2 years ago)

Author:

pvollan@apple.com

Message:

[macOS] Remove reports for some sandbox violations on process launch
​https://bugs.webkit.org/show_bug.cgi?id=238324

Reviewed by Geoffrey Garen.

Remove reports for some sandbox violations on process launch on macOS. These violations are not critical,
and are slowing down process launch. This patch also adds access to a mach syscall observed being in use.

• NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (modified) (3 diffs)
• WebProcess/com.apple.WebProcess.sb.in (modified) (4 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-03-24  Per Arne Vollan  <pvollan@apple.com>
+
+        [macOS] Remove reports for some sandbox violations on process launch
+        https://bugs.webkit.org/show_bug.cgi?id=238324
+
+        Reviewed by Geoffrey Garen.
+
+        Remove reports for some sandbox violations on process launch on macOS. These violations are not critical,
+        and are slowing down process launch. This patch also adds access to a mach syscall observed being in use.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2022-03-24  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

@@ -307 +307 @@
 (allow mach-lookup (global-name "org.webkit.webpushtestdaemon.service"))
 
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.DiskArbitration.diskarbitrationd"))
 (with-filter (uid 0)
     (allow mach-lookup 
-        (global-name "com.apple.DiskArbitration.diskarbitrationd")
-    )
-)
+        (global-name "com.apple.DiskArbitration.diskarbitrationd")))
 
 (deny mach-lookup 
@@ -450 +450 @@
 (allow mach-lookup
     (global-name "com.apple.tccd"))
+
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.tccd.system")
+    (global-name "com.apple.CoreServices.coreservicesd")
+    (global-name-prefix "com.apple.distributed_notifications"))
 
 ;; <rdar://89031731>
@@ -605 +610 @@
             MSC__kernelrpc_mach_port_guard_trap
             MSC__kernelrpc_mach_port_insert_member_trap
+            MSC__kernelrpc_mach_port_insert_right_trap
             MSC__kernelrpc_mach_port_mod_refs_trap
             MSC__kernelrpc_mach_port_request_notification_trap

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -962 +962 @@
 #if __MAC_OS_X_VERSION_MIN_REQUIRED <= 110000
 (allow mach-lookup
-    (xpc-service-name "com.apple.audio.SandboxHelper")
-)
+    (xpc-service-name "com.apple.audio.SandboxHelper"))
+#else
+(deny mach-lookup (with no-log)
+    (xpc-service-name "com.apple.audio.SandboxHelper"))
 #endif
 
@@ -1391 +1393 @@
 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
 (allow mach-lookup
-    (global-name "com.apple.tccd.system")
-)
+    (global-name "com.apple.tccd.system"))
+#else
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.tccd.system"))
 #endif
 
@@ -1511 +1515 @@
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
-(deny mach-lookup
-    (global-name-prefix "com.apple.distributed_notifications")
-)
+(deny mach-lookup (with no-log)
+    (global-name-prefix "com.apple.distributed_notifications"))
 #else
 (allow mach-lookup
-    (global-name-prefix "com.apple.distributed_notifications")
-)
+    (global-name-prefix "com.apple.distributed_notifications"))
 #endif
 
@@ -1789 +1791 @@
         (require-not (extension "com.apple.webkit.extension.mach"))
         (global-name "com.apple.audio.AudioComponentRegistrar")))
+#else
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.audio.AudioComponentRegistrar"))
 #endif