Bug 218920

Summary: [macOS] Issue sandbox extension to the WebContent process for com.apple.lskdd
Product: WebKit Reporter: Per Arne Vollan <pvollan>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ggaren, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Per Arne Vollan
Reported 2020-11-13 12:18:41 PST
This is a Media related service, and a sandbox extension should be issued to the WebContent process based on GPU runtime settings.
Attachments
Patch (3.08 KB, patch)
2020-11-13 12:26 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (2.96 KB, patch)
2020-11-13 12:28 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (2.92 KB, patch)
2020-11-13 12:35 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Per Arne Vollan
Comment 1 2020-11-13 12:20:09 PST
<rdar://problem/69168801>
Per Arne Vollan
Comment 2 2020-11-13 12:26:12 PST
Created attachment 414078 [details] Patch
Per Arne Vollan
Comment 3 2020-11-13 12:28:26 PST
Created attachment 414079 [details] Patch
Per Arne Vollan
Comment 4 2020-11-13 12:35:54 PST
Created attachment 414082 [details] Patch
Geoffrey Garen
Comment 5 2020-11-13 12:43:56 PST
Comment on attachment 414082 [details] Patch r=me When we enable GPU Process for media, we plan to deny access to lskdd and the other media related mach services. But before we deny access to a service, we prefer to gather telemetry on its use. How will we gather telemetry on the media related mach services before we deny them outright?
Per Arne Vollan
Comment 6 2020-11-13 12:55:47 PST
(In reply to Geoffrey Garen from comment #5) > Comment on attachment 414082 [details] > Patch > > r=me > > When we enable GPU Process for media, we plan to deny access to lskdd and > the other media related mach services. But before we deny access to a > service, we prefer to gather telemetry on its use. How will we gather > telemetry on the media related mach services before we deny them outright? I think we should create a temporary rule, where we allow Media services, but with telemetry. This is what we currently do for GPU related IOKit classes. Thanks for reviewing!
EWS
Comment 7 2020-11-13 14:14:21 PST
Committed r269792: <https://trac.webkit.org/changeset/269792> All reviewed patches have been landed. Closing bug and clearing flags on attachment 414082 [details].
Note You need to log in before you can comment on or make changes to this bug.