RESOLVED FIXED 193454
[macOS] Adjust logging policy in WebKit's sandbox
https://bugs.webkit.org/show_bug.cgi?id=193454
Summary [macOS] Adjust logging policy in WebKit's sandbox
Per Arne Vollan
Reported 2019-01-15 10:22:48 PST
Permissive logging should be removed.
Attachments
Patch (1.09 KB, patch)
2019-01-15 10:24 PST, Per Arne Vollan
no flags
Patch (1.10 KB, patch)
2019-01-15 11:49 PST, Per Arne Vollan
no flags
Patch (1.07 KB, patch)
2019-01-18 15:13 PST, Per Arne Vollan
no flags
Patch (1.16 KB, patch)
2019-01-22 10:09 PST, Per Arne Vollan
no flags
Patch (1.31 KB, patch)
2019-01-22 12:36 PST, Per Arne Vollan
no flags
Per Arne Vollan
Comment 1 2019-01-15 10:23:10 PST
Per Arne Vollan
Comment 2 2019-01-15 10:24:32 PST
Brent Fulgham
Comment 3 2019-01-15 11:05:25 PST
Comment on attachment 359177 Patch
r=me
Per Arne Vollan
Comment 4 2019-01-15 11:07:58 PST
Comment on attachment 359177 Patch
Thanks for reviewing!
WebKit Commit Bot
Comment 5 2019-01-15 11:34:25 PST
Comment on attachment 359177 Patch
Rejecting attachment 359177 from commit-queue.
Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 359177, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit
Logging in as commit-queue@webkit.org...
Fetching: https://bugs.webkit.org/attachment.cgi?id=359177&action=edit
Fetching: https://bugs.webkit.org/show_bug.cgi?id=193454&ctype=xml&excludefield=attachmentdata
Processing 1 patch from 1 bug.
Updating working directory
Processing patch 359177 from bug 193454.
Fetching: https://bugs.webkit.org/attachment.cgi?id=359177
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M Source/WebKit/ChangeLog
ERROR from SVN:
Item is out of date: File '/trunk/Source/WebKit/ChangeLog' is out of date
W: 36daec2617e38d540319bb3ec9fb084f5711df76 and refs/remotes/origin/master differ, using rebase:
:040000 040000 2395ff4dee0baa5553080013fa77d6fe00657547 05d6cdad9d46ed4568beb1a9beebcd061f9bfb5e M Source
Current branch master is up to date.
ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree. Please see the above messages for details.
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M Source/WebKit/ChangeLog
ERROR from SVN:
Item is out of date: File '/trunk/Source/WebKit/ChangeLog' is out of date
W: 36daec2617e38d540319bb3ec9fb084f5711df76 and refs/remotes/origin/master differ, using rebase:
:040000 040000 2395ff4dee0baa5553080013fa77d6fe00657547 05d6cdad9d46ed4568beb1a9beebcd061f9bfb5e M Source
Current branch master is up to date.
ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree. Please see the above messages for details.
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Updating OpenSource
Current branch master is up to date.
Full output: https://webkit-queues.webkit.org/results/10761703
Per Arne Vollan
Comment 6 2019-01-15 11:49:07 PST
WebKit Commit Bot
Comment 7 2019-01-15 12:28:42 PST
Comment on attachment 359185 Patch
Clearing flags on attachment: 359185
Committed r239996: <https://trac.webkit.org/changeset/239996>
Per Arne Vollan
Comment 8 2019-01-18 15:13:38 PST
Reopening to attach new patch.
Per Arne Vollan
Comment 9 2019-01-18 15:13:38 PST
Sam Weinig
Comment 10 2019-01-19 11:39:19 PST
Comment on attachment 359545 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=359545&action=review
> Source/WebKit/ChangeLog:8
> + * WebProcess/com.apple.WebProcess.sb.in:
Can you add some explanation as to why this change is being made?
Per Arne Vollan
Comment 11 2019-01-22 10:09:47 PST
Per Arne Vollan
Comment 12 2019-01-22 10:11:35 PST
(In reply to Sam Weinig from comment #10)
> Comment on attachment 359545
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=359545&action=review
>
> > Source/WebKit/ChangeLog:8
> > + * WebProcess/com.apple.WebProcess.sb.in:
>
> Can you add some explanation as to why this change is being made?
Added explanation in change log. Thanks for reviewing!
Brent Fulgham
Comment 13 2019-01-22 12:31:10 PST
Comment on attachment 359746 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=359746&action=review
> Source/WebKit/ChangeLog:8
> + Add a rule to initially deny all calls, since the default is to allow every call.
Maybe add: "Later rules allow syscalls that we determined are needed for proper WebKit function. This reduces the API surface available to attackers."
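Review bot: The added sentence at Source/WebKit/ChangeLog:8 says "deny all calls" and "allow every call" without naming which class of calls the new rule covers, while the bug summary describes the change as an adjustment to the sandbox's logging policy. Name the operation that is denied in that sentence and say how the deny rule relates to the logging change, so that a reader of the ChangeLog can match the entry to the rule in the sandbox profile.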
Per Arne Vollan
Comment 14 2019-01-22 12:36:32 PST
Per Arne Vollan
Comment 15 2019-01-22 12:39:59 PST
(In reply to Brent Fulgham from comment #13)
> Comment on attachment 359746
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=359746&action=review
>
> > Source/WebKit/ChangeLog:8
> > + Add a rule to initially deny all calls, since the default is to allow every call.
>
> Maybe add:
> "Later rules allow syscalls that we determined are needed for proper WebKit
> function. This reduces the API surface available to attackers."
Done. Thanks for reviewing!
Brent Fulgham
Comment 16 2019-01-22 12:52:08 PST
Comment on attachment 359765 Patch
Looks good. r=me.
WebKit Commit Bot
Comment 17 2019-01-22 13:22:40 PST
Comment on attachment 359765 Patch
Clearing flags on attachment: 359765
Committed r240289: <https://trac.webkit.org/changeset/240289>
WebKit Commit Bot
Comment 18 2019-01-22 13:22:41 PST
All reviewed patches have been landed. Closing bug.