We only have a small number of cases where we use sysctl in WebKit, and those cases are always in a read-only mode.
Modify our sandboxes to limit 'sysctl' use to read-only, and whitelist that access for the very small number of cases we actually use:
CTL_KERN, KERN_PROC. KERN_PROC_PID, #
Created attachment 303724 [details]
Created attachment 303725 [details]
Committed r213544: <http://trac.webkit.org/changeset/213544>