RESOLVED FIXED 179548
WebContent sandbox should not include 'system.sb'
https://bugs.webkit.org/show_bug.cgi?id=179548
Brent Fulgham
Reported 2017-11-10 14:28:52 PST
To support further strengthening of the Safari sandbox, stop including the 'system.sb' sandbox, and instead place relevant rules from that sandbox profile in our WebContent sandbox. This will allow us to tighten things down further than we could using the global sandbox. <rdar://problem/35367154>
Attachments
Patch (10.16 KB, patch)
2017-11-10 14:33 PST, Brent Fulgham
no flags
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (76.78 KB, application/zip)
2017-11-10 15:27 PST, Build Bot
no flags
Patch (12.84 KB, patch)
2017-11-11 16:27 PST, Brent Fulgham
no flags
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (77.25 KB, application/zip)
2017-11-11 17:13 PST, Build Bot
no flags
Patch (12.90 KB, patch)
2017-11-13 09:37 PST, Brent Fulgham
no flags
Patch (6.94 KB, patch)
2017-11-13 17:17 PST, Brent Fulgham
no flags
Archive of layout-test-results from ews123 for ios-simulator-wk2 (2.14 MB, application/zip)
2017-11-13 18:42 PST, Build Bot
no flags
Brent Fulgham
Comment 1 2017-11-10 14:33:24 PST
Build Bot
Comment 2 2017-11-10 15:27:16 PST
Comment on attachment 326633
Patch
Attachment 326633 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/5182796
Number of test failures exceeded the failure limit.
Build Bot
Comment 3 2017-11-10 15:27:17 PST
Created attachment 326641
Archive of layout-test-results from ews107 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107
Port: mac-elcapitan-wk2
Platform: Mac OS X 10.11.6
Brent Fulgham
Comment 4 2017-11-11 16:27:52 PST
Build Bot
Comment 5 2017-11-11 17:13:33 PST
Comment on attachment 326700
Patch
Attachment 326700 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/5195322
Number of test failures exceeded the failure limit.
Build Bot
Comment 6 2017-11-11 17:13:34 PST
Created attachment 326701
Archive of layout-test-results from ews106 for mac-elcapitan-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106
Port: mac-elcapitan-wk2
Platform: Mac OS X 10.11.6
Brent Fulgham
Comment 7 2017-11-13 09:37:48 PST
Darin Adler
Comment 8 2017-11-13 09:58:07 PST
Comment on attachment 326764 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=326764&action=review > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:32 > +;;; Imported from system.sb We should word this comment differently. The section below starts out as a copy of system.sb, but eventually it will be different; that’s the point of copying it here rather than doing an import command. So the comment should be worded differently to be forward-looking. Related: the term "imported" in the comment is unnecessarily slightly confusing since the directive is "import" and idea is that we copied the contents here and did not import it. > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:217 > (allow sysctl-read > (sysctl-name > + "hw.activecpu" > "hw.availcpu" > - "hw.ncpu" > + "hw.cputype" > + "hw.l2cachesize" > + "hw.logicalcpu_max" > + "hw.physicalcpu_max" > + "hw.machine" > + "hw.memsize" > "hw.model" > + "hw.ncpu" > + "hw.optional.avx1_0" > + "hw.optional.avx2_0" > + "hw.optional.sse4_2" > + "hw.optional.sse4_1" > + "hw.optional.sse3" > + "hw.optional.sse2" > + "hw.vectorunit" > + "kern.hostname" > + "kern.maxfilesperproc" > "kern.memorystatus_level" > + "kern.osrelease" > + "kern.ostype" > + "kern.osvariant_status" > + "kern.safeboot" > + "kern.version" > "vm.footprint_suspend")) ChangeLog comment does not mention this change. > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:229 > - (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)") > + (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)") ChangeLog comment does not mention this change. 
> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:375 > (allow mach-lookup > + (xpc-service-name "com.apple.PerformanceAnalysis.animationperfd") > (xpc-service-name "com.apple.accessibility.mediaaccessibilityd") > (xpc-service-name "com.apple.audio.SandboxHelper") > (xpc-service-name "com.apple.coremedia.videodecoder") > (xpc-service-name "com.apple.coremedia.videoencoder") > (xpc-service-name-regex #"\.apple-extension-service$") > (xpc-service-name "com.apple.hiservices-xpcservice") > + (xpc-service-name "com.apple.ist.ds.appleconnect2.HelperService") > (xpc-service-name "com.apple.print.normalizerd") > + (xpc-service-name "com.apple.securityd.xpc") > + (xpc-service-name "com.apple.signpost.signpost-notificationd") > ) ChangeLog comment does not mention this change.
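Review bot: In the sysctl-read hunk at com.apple.WebProcess.sb.in:217, the allow list now names "kern.hostname" explicitly, which is a host-identifying value exposed to the process that runs untrusted web content. Since the stated aim of this bug is to tighten the profile beyond what system.sb allowed, confirm that something in WebContent actually reads it and drop the entry otherwise; the same check applies to "kern.safeboot" and "kern.osvariant_status". A short comment naming the consumer of each added sysctl would make later pruning practical.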
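Review bot: In the iokit-property-regex hunk at com.apple.WebProcess.sb.in:229, the new group IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2) begins with an empty alternative and the pattern has no trailing $, so unless the match is implicitly anchored at the end, the three suffix alternatives change nothing and any property name starting with AAPL,IOGraphics_LER is allowed. If only those four names are intended, add $ after the outer group so the rule matches exactly what it lists.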
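Review bot: In the mach-lookup hunk at com.apple.WebProcess.sb.in:375, the four added xpc-service-name entries (com.apple.PerformanceAnalysis.animationperfd, com.apple.ist.ds.appleconnect2.HelperService, com.apple.securityd.xpc, com.apple.signpost.signpost-notificationd) each name a service the WebContent process may look up, and none carries a comment saying which WebContent feature needs it. Add a one-line justification per entry and confirm each is required by WebContent itself rather than carried over from system.sb wholesale, so that unused lookups can be removed as the profile is tightened.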
Brent Fulgham
Comment 9 2017-11-13 17:17:29 PST
Build Bot
Comment 10 2017-11-13 18:42:19 PST
Comment on attachment 326830
Patch
Attachment 326830 did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/5220993
New failing tests:
http/tests/workers/service/service-worker-clear.html
Build Bot
Comment 11 2017-11-13 18:42:21 PST
Created attachment 326836
Archive of layout-test-results from ews123 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123
Port: ios-simulator-wk2
Platform: Mac OS X 10.12.6
Brent Fulgham
Comment 12 2017-11-13 18:50:44 PST
Comment on attachment 326830
Patch
This sandbox is not used for any iOS build, so the test failure is spurious.
WebKit Commit Bot
Comment 13 2017-11-13 18:58:39 PST
Comment on attachment 326830
Patch
Clearing flags on attachment: 326830
Committed r224799: <https://trac.webkit.org/changeset/224799>
WebKit Commit Bot
Comment 14 2017-11-13 18:58:41 PST
All reviewed patches have been landed. Closing bug.
Ryosuke Niwa
Comment 15 2017-11-13 23:17:30 PST
This caused WebContent process to crash at launch. See https://webkit.org/b/179656.