Summary: | WebProcess sandboxing does not apply for open source builds on macOS 12.0 (beta 2 and later) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Dinesh Kumar Vyas <dinodev90> | ||||||
Component: | WebKit2 | Assignee: | Nobody <webkit-unassigned> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Major | CC: | ap, dinodev90, jbedard, kkinnunen, pvollan, saagar, webkit-bug-importer | ||||||
Priority: | P2 | Keywords: | InRadar | ||||||
Version: | WebKit Local Build | ||||||||
Hardware: | Mac (Apple Silicon) | ||||||||
OS: | Other | ||||||||
Attachments: |
|
Description
Dinesh Kumar Vyas
2021-07-22 22:57:19 PDT
Created attachment 434065 [details]
Patch to fix WebProcess sandboxing issue for open source builds (on macOS 12.0 beta 2 and later)
Added check for USE(APPLE_INTERNAL_SDK) wherever needed as ENABLE_SANDBOX_MESSAGE_FILTER is always NO/false for open source builds and AppleAVDUserClientMessageFilter, IOSurfaceAcceleratorClientMessageFilter and IOMobileFramebufferUserClientMessageFilter are anavailable there which breaks sandbox compilation using sandbox_compile_file
Created attachment 434204 [details]
Patch
Here's a slightly different patch that fixes the conditional instead of conditionalizing on USE(APPLE_INTERNAL_SDK). Like the rest of the profile, it duplicates the allow rule and wraps one side in the check for ENABLE_SANDBOX_MESSAGE_FILTER. I was hoping this would do for now, as it matches what the other code looks like, but I'd be interested to see if there was interest for cleaning this up a bit in across all the message filters in a future patch. Comment on attachment 434204 [details]
Patch
R=me.
Committed r280345 (239992@main): <https://commits.webkit.org/239992@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 434204 [details]. |