| Summary: | Add AdAttributionDaemon sandbox on iOS | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Alex Christensen <achristensen> |
| Component: | New Bugs | Assignee: | Alex Christensen <achristensen> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |

Description
Alex Christensen
2021-10-06 10:44:08 PDT
Created attachment 440387
Patch

Comment on attachment 440387
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=440387&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:26
> +(allow system-audit file-read-metadata)

We might want to limit file-read-metadata to the specific directories we need.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:38
> +(require-all (vnode-type DIRECTORY) (literal path))))))

The indenting on this section above is wrong.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:65
> +(allow mach-lookup (global-name "com.apple.awdd"))

This can be written as: (allow mach-lookup (global-name "com.apple.analyticsd" "com.apple.awdd"))

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:73
> +(allow mach-lookup (global-name "com.apple.lsd.modifydb"))

Ditto -- we can combine these into a single rule.

> Source/WebKit/Scripts/process-entitlements.sh:415
> + cp "${CODE_SIGN_ENTITLEMENTS}" "${WK_PROCESSED_XCENT_FILE}"

Do we not need to sign the AdAttributionDaemon?

r=me

Comment on attachment 440387
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=440387&action=review

>> Source/WebKit/Scripts/process-entitlements.sh:415
>> + cp "${CODE_SIGN_ENTITLEMENTS}" "${WK_PROCESSED_XCENT_FILE}"
>
> Do we not need to sign the AdAttributionDaemon?

Omitting this caused a build failure when building for iOS simulator.

Created attachment 440789
Patch
Created attachment 440790
Patch

Committed r283897 (242774@main): <https://commits.webkit.org/242774@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 440790.
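
The two profile-level points raised in the review above (an `allow` of `file-read-metadata` with no path filter, and several single-name `mach-lookup` rules that can be one rule) can be checked mechanically. This is an added example, not code from the patch or from WebKit: the profile text is constructed, the helper names `parse`, `render` and `lint` are hypothetical, and it goes slightly beyond the review by merging every `global-name` `mach-lookup` rule in the profile into one.

```python
import re
# Constructed sample profile (not the patch under review); names as quoted in the review.
SAMPLE_PROFILE = r'''
(allow system-audit file-read-metadata)  ; no filter: matches every path
(allow file-read-metadata (literal "/constructed/example/path"))
(allow mach-lookup (global-name "com.apple.analyticsd"))
(allow mach-lookup (global-name "com.apple.awdd"))
(allow mach-lookup (global-name "com.apple.lsd.modifydb"))
'''

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[()]|;[^\n]*|[^\s()";]+')

def parse(text):
    """Parse SBPL S-expressions into nested lists, skipping ';' comments."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]

def render(form):
    return form if isinstance(form, str) else "(" + " ".join(map(render, form)) + ")"

def lint(text):
    """Return (unfiltered file-read-metadata rules, merged mach-lookup rule or None)."""
    unscoped, names, rules = [], [], 0
    for form in parse(text):
        if not isinstance(form, list) or form[:1] != ["allow"]:
            continue
        ops = [a for a in form[1:] if isinstance(a, str)]      # operation names
        filters = [a for a in form[1:] if isinstance(a, list)]  # filter expressions
        if "file-read-metadata" in ops and not filters:
            unscoped.append(render(form))
        if ops == ["mach-lookup"] and filters and all(f[:1] == ["global-name"] for f in filters):
            rules += 1
            names += [n for f in filters for n in f[1:]]
    merged = render(["allow", "mach-lookup", ["global-name", *dict.fromkeys(names)]]) if rules > 1 else None
    return unscoped, merged
```

`lint(SAMPLE_PROFILE)` returns the unfiltered rule for manual scoping and the single combined `mach-lookup` rule; a profile with only one such rule yields `None` for the second value.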