Bug 144315

Summary: [WK2][Mac] Update WebContent process' sandbox profile for AWD
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: ap
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Chris Dumez
Reported 2015-04-27 23:04:22 PDT
Update sandbox profile for AWD similarly to what was done for iOS in <http://trac.webkit.org/changeset/182278>. Radar: <rdar://problem/20719293>
Attachments
Patch (1.38 KB, patch)
2015-04-27 23:05 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (1.47 KB, patch)
2015-04-28 09:39 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2015-04-27 23:05:57 PDT
Created attachment 251826 [details] Patch
Alexey Proskuryakov
Comment 2 2015-04-27 23:36:44 PDT
Comment on attachment 251826 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=251826&action=review > Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:310 > +(allow mach-lookup > + (global-name "com.apple.awdd")) Why is this OK to do? Let's discuss offline, we should not allow anything in the sandbox profile without extreme caution and long deliberation. Also, why WebContent only, what does it even have to do with awd?
Chris Dumez
Comment 3 2015-04-27 23:42:03 PDT
(In reply to comment #2) > Comment on attachment 251826 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=251826&action=review > > > Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:310 > > +(allow mach-lookup > > + (global-name "com.apple.awdd")) > > Why is this OK to do? > > Let's discuss offline, we should not allow anything in the sandbox profile > without extreme caution and long deliberation. > > Also, why WebContent only, what does it even have to do with awd? Please see comment on radar as to why we need this for the web content process only. Also you already approved this change for iOS, why is this an issue for Mac specifically? I use the same code on Mac and iOS so it makes sense we need the same sandbox permissions on both platforms.
Alexey Proskuryakov
Comment 4 2015-04-28 09:33:55 PDT
Comment on attachment 251826 [details] Patch I'd just add this to the "various" section.
Chris Dumez
Comment 5 2015-04-28 09:39:38 PDT
Created attachment 251851 [details] Patch
Chris Dumez
Comment 6 2015-04-28 09:40:29 PDT
Comment on attachment 251851 [details] Patch Clearing flags on attachment: 251851 Committed r183480: <http://trac.webkit.org/changeset/183480>
Chris Dumez
Comment 7 2015-04-28 09:40:34 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.