| Summary: | Remove network access from the WebContent process sandbox | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Brent Fulgham <bfulgham> | ||||||||
| Component: | WebKit2 | Assignee: | Brent Fulgham <bfulgham> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | Normal | CC: | achristensen, ap, bfulgham, commit-queue, eric.carlson, ews-watchlist, jer.noble, mcatanzaro, rniwa, youennf | ||||||||
| Priority: | P2 | Keywords: | InRadar | ||||||||
| Version: | WebKit Nightly Build | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| See Also: |
https://bugs.webkit.org/show_bug.cgi?id=183382 https://bugs.webkit.org/show_bug.cgi?id=185874 |
||||||||||
| Bug Depends on: | 178540 | ||||||||||
| Bug Blocks: | 183421 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Brent Fulgham
2018-02-27 17:21:39 PST
I've run local tests against the upcoming macOS 10.13.4 and iOS 11.3 betas and confirmed this does not break browsing or media playback. I ran a full test pass on macOS and confirmed no new test failures. Created attachment 334717 [details]
Patch
Comment on attachment 334717 [details]
Patch
r=me!
HOORAY!
In Source/WebKit/WebProcess/com.apple.WebProcess.sb.in, there is also:
(allow network-outbound
(remote udp))
Can we try removing it as well?
Comment on attachment 334717 [details] Patch Attachment 334717 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/6699122 Number of test failures exceeded the failure limit. Created attachment 334721 [details]
Archive of layout-test-results from ews105 for mac-sierra-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
Could there still be some media loading directly from the WebProcess on this Sierra bot? (In reply to youenn fablet from comment #8) > Could there still be some media loading directly from the WebProcess on this > Sierra bot? Oh, I'll bet there is. I think we only took over full media loading in High Sierra. I'll conditionalize the patch so it only takes effect on High Sierra and newer. (In reply to youenn fablet from comment #5) > In Source/WebKit/WebProcess/com.apple.WebProcess.sb.in, there is also: > (allow network-outbound > (remote udp)) > > Can we try removing it as well? Absolutely! I'll try it out in the morning. Created attachment 334726 [details]
Patch
(In reply to Brent Fulgham from comment #10) > (In reply to youenn fablet from comment #5) > > In Source/WebKit/WebProcess/com.apple.WebProcess.sb.in, there is also: > > (allow network-outbound > > (remote udp)) > > > > Can we try removing it as well? > > Absolutely! I'll try it out in the morning. ... or, right now. Comment on attachment 334726 [details] Patch Rejecting attachment 334726 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 334726, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Last 500 characters of output: rdparty/autoinstalled/mechanize/_urllib2_fork.py", line 332, in _call_chain result = func(*args) File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/thirdparty/autoinstalled/mechanize/_urllib2_fork.py", line 1170, in https_open return self.do_open(conn_factory, req) File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/thirdparty/autoinstalled/mechanize/_urllib2_fork.py", line 1118, in do_open raise URLError(err) urllib2.URLError: <urlopen error [Errno 60] Operation timed out> Full output: http://webkit-queues.webkit.org/results/6705241 Committed r229093: <https://trac.webkit.org/changeset/229093> Nice! |