Bug 231308

Summary: Add AdAttributionDaemon sandbox on iOS
Product: WebKit Reporter: Alex Christensen <achristensen>
Component: New BugsAssignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Alex Christensen
Reported 2021-10-06 10:44:08 PDT
Add AdAttributionDaemon sandbox on iOS
Attachments
Patch (13.56 KB, patch)
2021-10-06 10:47 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (13.50 KB, patch)
2021-10-11 07:26 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (12.95 KB, patch)
2021-10-11 07:29 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 2021-10-06 10:47:04 PDT
Created attachment 440387 [details] Patch
Brent Fulgham
Comment 2 2021-10-06 13:35:06 PDT
Comment on attachment 440387 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440387&action=review > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:26 > +(allow system-audit file-read-metadata) We might want to limit file-read-metadata to the specific directories we need. > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:38 > +(require-all (vnode-type DIRECTORY) (literal path)))))) The indenting on this section above is wrong. > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:65 > +(allow mach-lookup (global-name "com.apple.awdd")) This can be written as: (allow mach-lookup (global-name "com.apple.analyticsd" "com.apple.awdd")) > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:73 > +(allow mach-lookup (global-name "com.apple.lsd.modifydb")) Ditto -- we can combine these into a single rule. > Source/WebKit/Scripts/process-entitlements.sh:415 > + cp "${CODE_SIGN_ENTITLEMENTS}" "${WK_PROCESSED_XCENT_FILE}" Do we not need to sign the AdAttributionDaemon?
Brent Fulgham
Comment 3 2021-10-06 13:35:14 PDT
r=me
Alex Christensen
Comment 4 2021-10-06 13:37:23 PDT
Comment on attachment 440387 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440387&action=review >> Source/WebKit/Scripts/process-entitlements.sh:415 >> + cp "${CODE_SIGN_ENTITLEMENTS}" "${WK_PROCESSED_XCENT_FILE}" > > Do we not need to sign the AdAttributionDaemon? Omitting this caused a build failure when building for iOS simulator.
Alex Christensen
Comment 5 2021-10-11 07:26:33 PDT
Created attachment 440789 [details] Patch
Alex Christensen
Comment 6 2021-10-11 07:29:09 PDT
Created attachment 440790 [details] Patch
EWS
Comment 7 2021-10-11 09:04:47 PDT
Committed r283897 (242774@main): <https://commits.webkit.org/242774@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 440790 [details].
Radar WebKit Bug Importer
Comment 8 2021-10-11 09:05:39 PDT
<rdar://problem/84101320>
Note You need to log in before you can comment on or make changes to this bug.