When I hardened keychain access in Bug 165818, it had the unintended side effect of making it difficult to permanently allow use of a certificate. This happened because the network process is no longer allowed to create a new keychain file when it needs to, forcing the user to approve it every time. This change relaxes this restriction so that we can create the certificate file as needed.
Created attachment 318819 Patch
Comment on attachment 318819 Patch Attachment 318819 did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/4364520 Number of test failures exceeded the failure limit.
Created attachment 318825 Archive of layout-test-results from ews105 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Created attachment 318828 Patch
Comment on attachment 318828 Patch Clearing flags on attachment: 318828 Committed r221061: <http://trac.webkit.org/changeset/221061>
All reviewed patches have been landed. Closing bug.
<rdar://problem/34026380>
This is actually <rdar://problem/32293867>.
We still get a sandbox violation, because the file-mode is not allowed. Revising the patch.
Created attachment 319948 Patch
Comment on attachment 319948 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=319948&action=review > Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:168 > -(allow file-read-data file-read-metadata file-write-create file-write-data > +(allow file-read-data file-read-metadata file-write* Wouldn't it be better to just expand the list rather than just giving it a wildcard?
Comment on attachment 319948 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=319948&action=review >> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:168 >> +(allow file-read-data file-read-metadata file-write* > > Wouldn't it be better to just expand the list rather than just giving it a wildcard? I started off with that approach, but the Keychain framework really wanted access to every file operation. We'll re-tighten this soon when we fix the underlying Keychain access issue.
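Review bot: At line 168 of com.apple.WebKit.NetworkProcess.sb.in, `file-write*` replaces the explicit `file-write-create file-write-data` pair, so the rule now permits every file-write operation on whatever paths it covers, not only the one that triggered the sandbox violation. The quoted lines carry no comment marking the wildcard as a temporary workaround; suggest adding a comment in the profile that references this bug so the rule can be found and narrowed again, and confirming that the path filter following this line (not visible in the quoted hunk) is limited to the keychain files.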
Comment on attachment 319948 Patch Clearing flags on attachment: 319948 Committed r221647: <http://trac.webkit.org/changeset/221647>