Bug 231308

Summary: Add AdAttributionDaemon sandbox on iOS
Product: WebKit Reporter: Alex Christensen <achristensen>
Component: New BugsAssignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Description Alex Christensen 2021-10-06 10:44:08 PDT 
Add AdAttributionDaemon sandbox on iOS
Comment 1 Alex Christensen 2021-10-06 10:47:04 PDT 
Created attachment 440387 [details]
Patch
Comment 2 Brent Fulgham 2021-10-06 13:35:06 PDT 
Comment on attachment 440387 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=440387&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:26
> +(allow system-audit file-read-metadata)

We might want to limit file-read-metadata to the specific directories we need.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:38
> +(require-all (vnode-type DIRECTORY) (literal path))))))

The indenting on this section above is wrong.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:65
> +(allow mach-lookup (global-name "com.apple.awdd"))

This can be written as:

(allow mach-lookup
    (global-name
        "com.apple.analyticsd"
        "com.apple.awdd"))

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:73
> +(allow mach-lookup (global-name "com.apple.lsd.modifydb"))

Ditto -- we can combine these into a single rule.

> Source/WebKit/Scripts/process-entitlements.sh:415
> +        cp "${CODE_SIGN_ENTITLEMENTS}" "${WK_PROCESSED_XCENT_FILE}"

Do we not need to sign the AdAttributionDaemon?
Comment 3 Brent Fulgham 2021-10-06 13:35:14 PDT 
r=me
Comment 4 Alex Christensen 2021-10-06 13:37:23 PDT 
Comment on attachment 440387 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=440387&action=review

>> Source/WebKit/Scripts/process-entitlements.sh:415
>> +        cp "${CODE_SIGN_ENTITLEMENTS}" "${WK_PROCESSED_XCENT_FILE}"
> 
> Do we not need to sign the AdAttributionDaemon?

Omitting this caused a build failure when building for iOS simulator.
Comment 5 Alex Christensen 2021-10-11 07:26:33 PDT 
Created attachment 440789 [details]
Patch
Comment 6 Alex Christensen 2021-10-11 07:29:09 PDT 
Created attachment 440790 [details]
Patch
Comment 7 EWS 2021-10-11 09:04:47 PDT 
Committed r283897 (242774@main): <https://commits.webkit.org/242774@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 440790 [details].
Comment 8 Radar WebKit Bug Importer 2021-10-11 09:05:39 PDT 
<rdar://problem/84101320>