Permissive logging should be removed.
rdar://problem/47256325
Created attachment 359177 [details] Patch
Comment on attachment 359177 [details] Patch r=me
Comment on attachment 359177 [details] Patch Thanks for reviewing!
Comment on attachment 359177 [details] Patch
Rejecting attachment 359177 [details] from commit-queue.
Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 359177, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit
Logging in as commit-queue@webkit.org...
Fetching: https://bugs.webkit.org/attachment.cgi?id=359177&action=edit
Fetching: https://bugs.webkit.org/show_bug.cgi?id=193454&ctype=xml&excludefield=attachmentdata
Processing 1 patch from 1 bug.
Updating working directory
Processing patch 359177 from bug 193454.
Fetching: https://bugs.webkit.org/attachment.cgi?id=359177
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M Source/WebKit/ChangeLog
ERROR from SVN:
Item is out of date: File '/trunk/Source/WebKit/ChangeLog' is out of date
W: 36daec2617e38d540319bb3ec9fb084f5711df76 and refs/remotes/origin/master differ, using rebase:
:040000 040000 2395ff4dee0baa5553080013fa77d6fe00657547 05d6cdad9d46ed4568beb1a9beebcd061f9bfb5e M Source
Current branch master is up to date.
ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree.
Please see the above messages for details.
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Updating OpenSource
Current branch master is up to date.
Full output: https://webkit-queues.webkit.org/results/10761703
Created attachment 359185 [details] Patch
Comment on attachment 359185 [details] Patch Clearing flags on attachment: 359185 Committed r239996: <https://trac.webkit.org/changeset/239996>
Reopening to attach new patch.
Created attachment 359545 [details] Patch
Comment on attachment 359545 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=359545&action=review
> Source/WebKit/ChangeLog:8
> + * WebProcess/com.apple.WebProcess.sb.in:
Can you add some explanation as to why this change is being made?
Created attachment 359746 [details] Patch
(In reply to Sam Weinig from comment #10)
> Comment on attachment 359545 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=359545&action=review
>
> > Source/WebKit/ChangeLog:8
> > + * WebProcess/com.apple.WebProcess.sb.in:
>
> Can you add some explanation as to why this change is being made?
Added explanation in change log.
Thanks for reviewing!
Comment on attachment 359746 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=359746&action=review
> Source/WebKit/ChangeLog:8
> + Add a rule to initially deny all calls, since the default is to allow every call.
Maybe add: "Later rules allow syscalls that we determined are needed for proper WebKit function. This reduces the API surface available to attackers."
Created attachment 359765 [details] Patch
(In reply to Brent Fulgham from comment #13)
> Comment on attachment 359746 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=359746&action=review
>
> > Source/WebKit/ChangeLog:8
> > + Add a rule to initially deny all calls, since the default is to allow every call.
>
> Maybe add:
> "Later rules allow syscalls that we determined are needed for proper WebKit
> function. This reduces the API surface available to attackers."
Done.
Thanks for reviewing!
Comment on attachment 359765 [details] Patch Looks good. r=me.
Comment on attachment 359765 [details] Patch Clearing flags on attachment: 359765 Committed r240289: <https://trac.webkit.org/changeset/240289>
All reviewed patches have been landed. Closing bug.