314979 2026-05-17 09:17:26 -0700 REGRESSION (313328@main): Multiple WebKit framework build phases produce "Operation not permitted" errors under user script sandboxing 2026-05-17 14:19:36 -0700 1 1 1 Unclassified WebKit WebKit Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 313032 314977 1 ddkilzer ddkilzer webkit-bug-importer oldest_to_newest 2211527 0 ddkilzer 2026-05-17 09:17:26 -0700 With `ENABLE_USER_SCRIPT_SANDBOXING = YES` set in `Source/WTF/Configurations/Base.xcconfig` and `Source/WebKit/Configurations/Base.xcconfig` (Bug 313032, 271107@main), Xcode auto-generates a sandbox profile for each `PBXShellScriptBuildPhase` from its declared `inputPaths` and `outputPaths`. When a script reads or writes files outside its declared inputs/outputs, `sandbox-exec` denies the operation, producing `Operation not permitted` errors. Three build phases trigger such errors during a `make release SDKROOT=macosx.internal` build, although only the WTF changes caused a non-fatal error: message. 1. The `Verify Module` phase in the `WTF` target runs `Source/WTF/Scripts/modules-verifier/library-modules-verifier.py`, which invokes `xcrun clang -fmodules -fsyntax-only` against generated `Test.cpp`/`Test.mm` files that include `wtf/*.h`, `wtf/module.modulemap`, and `WebKitAdditions/pas_mte_additions.h` from `$(BUILT_PRODUCTS_DIR)$(WK_LIBRARY_HEADERS_FOLDER_PATH)/`. These transitive reads cannot be enumerated as `inputPaths`. Sample output: ``` fatal error: cannot open file '.../WebKitBuild/Release/usr/local/include/wtf/module.modulemap': Operation not permitted .../WebKitBuild/WTF.build/Release/WTF.build/VerifyModule/WTF/objective-c++/Test.framework/Headers/Test.h:1:9: fatal error: cannot open file '.../WebKitBuild/Release/usr/local/include/wtf/ASCIICType.h': Operation not permitted .../MacOSX26.4.Internal.sdk/usr/local/include/wtf/Assertions.h:28:10: fatal error: cannot open file '.../WebKitBuild/Release/usr/local/include/wtf/Platform.h': Operation not permitted .../MacOSX26.4.Internal.sdk/usr/local/include/bmalloc/./BPlatform.h:37:19: fatal error: cannot open file '.../WebKitBuild/Release/usr/local/include/WebKitAdditions/pas_mte_additions.h': Operation not permitted 4 errors generated. [...] error: Failed to verify module. Command PhaseScriptExecution emitted errors but did not return a nonzero exit code to indicate failure ``` The phase's shell script touches `${SCRIPT_OUTPUT_FILE_0}` (the timestamp file) at the end regardless of the verifier's exit, so the build proceeds, but module verification is silently broken, and the `--depfile` output is incomplete so incremental rebuilds cannot track the headers the verifier actually consumes. 2. The `Create symlinks to XPC services and dylibs` phase in the `WebKit` framework target creates a top-level `WebKit.framework/XPCServices` symlink in addition to the per-XPC service symlinks under `Versions/A/XPCServices/`. Only the per-service symlinks are listed in `outputPaths`, so the sandbox denies the top-level `ln -sfhv "Versions/Current/XPCServices" "${BUILT_PRODUCTS_DIR}/WebKit.framework/XPCServices"`. Sample output: ``` ln: .../WebKitBuild/Release/WebKit.framework/XPCServices: Operation not permitted .../WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc -> ../../../../com.apple.WebKit.WebContent.xpc .../WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.CaptivePortal.xpc -> ../../../../com.apple.WebKit.WebContent.CaptivePortal.xpc [...other per-service symlinks succeed...] ``` The top-level symlink is platform-conditional in the script (only created on macOS / Mac Catalyst / iosmac), which `outputPaths` cannot express. The remaining XPC service symlinks succeed because they are listed in `outputPaths`, but the missing top-level symlink leaves the framework bundle structurally incomplete on the affected platforms. 3. The `Update Info.plist for RunningBoard management` phase in the `WebContent`, `WebContent.CaptivePortal`, `WebContent.EnhancedSecurity`, `Networking`, and `GPU` targets invokes `Scripts/update-info-plist-for-runningboard.sh` from `Source/WebKit`, but only the target's `Info.plist` is listed in `inputPaths`. Sample output (one per affected target): ``` /bin/sh: Scripts/update-info-plist-for-runningboard.sh: Operation not permitted ``` The script's conditional `PlistBuddy` edits never run on internal macOS builds with `WK_USE_RESTRICTED_ENTITLEMENTS = YES`, silently dropping `LSDoNotSetTaskPolicyAutomatically`, `XPCService:_AdditionalProperties:RunningBoard:Managed`, and `XPCService:_AdditionalProperties:RunningBoard:Reported` from each XPC service's `Info.plist`. All three sets of errors are non-fatal -- the build reports `** BUILD SUCCEEDED **` -- but produce noisy build logs and silently break each phase's intended behavior (module verification, framework bundle layout, RunningBoard management Info.plist keys). 2211528 1 webkit-bug-importer 2026-05-17 09:17:33 -0700 <rdar://problem/177287735> 2211531 2 ddkilzer 2026-05-17 09:48:06 -0700 Pull request: https://github.com/WebKit/WebKit/pull/65066 2211568 3 ews-feeder 2026-05-17 14:19:34 -0700 Committed 313381@main (2daa97082eab): <https://commits.webkit.org/313381@main> Reviewed commits have been landed. Closing PR #65066 and removing active labels.