Bug 144315

Summary: [WK2][Mac] Update WebContent process' sandbox profile for AWD
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: ap
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Description Chris Dumez 2015-04-27 23:04:22 PDT 
Update sandbox profile for AWD similarly to what was done for iOS in <http://trac.webkit.org/changeset/182278>.

Radar: <rdar://problem/20719293>
Comment 1 Chris Dumez 2015-04-27 23:05:57 PDT 
Created attachment 251826 [details]
Patch
Comment 2 Alexey Proskuryakov 2015-04-27 23:36:44 PDT 
Comment on attachment 251826 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=251826&action=review

> Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:310
> +(allow mach-lookup
> +    (global-name "com.apple.awdd"))

Why is this OK to do?

Let's discuss offline, we should not allow anything in the sandbox profile without extreme caution and long deliberation.

Also, why WebContent only, what does it even have to do with awd?
Comment 3 Chris Dumez 2015-04-27 23:42:03 PDT 
(In reply to comment #2)
> Comment on attachment 251826 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=251826&action=review
> 
> > Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:310
> > +(allow mach-lookup
> > +    (global-name "com.apple.awdd"))
> 
> Why is this OK to do?
> 
> Let's discuss offline, we should not allow anything in the sandbox profile
> without extreme caution and long deliberation.
> 
> Also, why WebContent only, what does it even have to do with awd?

Please see comment on radar as to why we need this for the web content process only. Also you already approved this change for iOS, why is this an issue for Mac specifically? I use the same code on Mac and iOS so it makes sense we need the same sandbox permissions on both platforms.
Comment 4 Alexey Proskuryakov 2015-04-28 09:33:55 PDT 
Comment on attachment 251826 [details]
Patch

I'd just add this to the "various" section.
Comment 5 Chris Dumez 2015-04-28 09:39:38 PDT 
Created attachment 251851 [details]
Patch
Comment 6 Chris Dumez 2015-04-28 09:40:29 PDT 
Comment on attachment 251851 [details]
Patch

Clearing flags on attachment: 251851

Committed r183480: <http://trac.webkit.org/changeset/183480>
Comment 7 Chris Dumez 2015-04-28 09:40:34 PDT 
All reviewed patches have been landed.  Closing bug.