The WebKit Networking sandboxes include ‘common.sb’ on iOS, and 'system.sb' on macOS. This enables lots of things we don’t want. This patch replaces the 'include' with a copy/paste of the contents of the relevant sandbox include file. I removed definitions that were not referenced in the existing Network sandbox, but did not otherwise edit the contents. There are duplicates and redundancies after this patch, which I will remove as a follow-up step once we confirm that this has no regressions.
<rdar://problem/58095870>
Created attachment 386257 [details] Patch
Comment on attachment 386257 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=386257&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:585
> -(allow mach-lookup
> +(allow mach-lookup (with report) (with telemetry)

These changes are not mentioned in the change log. Accidentally included in this patch?

Comment on attachment 386257 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=386257&action=review

>> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:585
>> +(allow mach-lookup (with report) (with telemetry)
>
> These changes are not mentioned in the change log. Accidentally included in this patch?

I should have mentioned them. I wanted to capture telemetry on a few things we are not sure we need.
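Review bot: the "(with report) (with telemetry)" modifiers added to the "allow mach-lookup" rule at com.apple.WebKit.Networking.sb:585 are not explained in the change log, so nothing in the patch marks them as temporary. Suggest a ChangeLog line and a comment next to the rule saying the reporting is there to find out whether these lookups are still needed, so that the modifiers are removed, or the rule dropped, once that is known.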
The Mac-debug-wk1 test failures cannot be due to this change, since the Sandbox is not used in WK1 builds at all.
Created attachment 386913 [details] Patch
The API test failures cannot be related, because the iOS Simulator does not use or honor sandbox rules. We do not run API tests on device (at least in EWS).
Created attachment 387018 [details] Patch
Comment on attachment 387018 [details] Patch R=me.
Comment on attachment 387018 [details] Patch

Clearing flags on attachment: 387018

Committed r254174: <https://trac.webkit.org/changeset/254174>
All reviewed patches have been landed. Closing bug.
It looks like the changes in https://trac.webkit.org/changeset/254174/webkit broke 80 tests on Catalina wk2. Tracking in https://bugs.webkit.org/show_bug.cgi?id=205932
(In reply to Truitt Savell from comment #12)
> It looks like the changes in https://trac.webkit.org/changeset/254174/webkit
>
> broke 80 tests on Catalina wk2.
>
> Tracking in https://bugs.webkit.org/show_bug.cgi?id=205932

Truitt, can you roll it out while I investigate? These failures make it look like webrtc requires graphics features in the network process, which is unexpected!

Reverted r254174 for reason:

Broke 80 tests on Catalina

Committed r254204: <https://trac.webkit.org/changeset/254204>

Oh, I'm wrong! This is about sysctl-read values that were allowed by the global access call, but were NOT blocked by the global blocking declaration.

Sandbox: com.apple.WebKit(35422) deny(1) sysctl-read net.routetable.0.0.3.0

I'll see if any others come up.
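The triage step described in the comment above, written as an added example that is not part of this thread or of WebKit's own tooling: it collects sandbox deny lines of the shape quoted there and lists one narrow candidate rule per denied sysctl name for a reviewer to accept or reject. Assumptions: only the first sample line comes from the thread, the other log lines and the function names are constructed for illustration, and the candidate rules use the SBPL sysctl-name filter.

```python
import re
from collections import defaultdict

# Shape of the violation line quoted in the thread:
#   Sandbox: <process>(<pid>) deny(<n>) <operation> <target>
DENY_RE = re.compile(
    r"Sandbox: (?P<proc>[^\s(]+)\((?P<pid>\d+)\) deny\(\d+\) "
    r"(?P<op>[a-z0-9*-]+)(?: (?P<target>\S.*))?$"
)

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Sandbox: com.apple.WebKit(35422) deny(1) sysctl-read net.routetable.0.0.3.0
Sandbox: com.apple.WebKit(35422) deny(1) sysctl-read net.routetable.0.0.3.0
Sandbox: com.apple.WebKit(35507) deny(1) sysctl-read example.constructed.value
Sandbox: com.apple.WebKit(35507) deny(1) mach-lookup com.example.constructed-service
kernel: unrelated line that is not a sandbox violation
"""


def collect_denials(log_text):
    """Map (process, operation) -> {target: count} for every deny line."""
    denials = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denials[(m["proc"], m["op"])][m["target"] or ""] += 1
    return {key: dict(targets) for key, targets in denials.items()}


def candidate_sysctl_rules(denials, process):
    """Per-name rules (no wildcards) so each one is reviewed on its own."""
    names = sorted(denials.get((process, "sysctl-read"), {}))
    return ['(allow sysctl-read (sysctl-name "%s"))' % name for name in names]


if __name__ == "__main__":
    found = collect_denials(SAMPLE_LOG)
    for (proc, op), targets in sorted(found.items()):
        for target, count in sorted(targets.items()):
            print(f"{proc} {op} {target} x{count}")
    print("\n".join(candidate_sysctl_rules(found, "com.apple.WebKit")))
```

Denials for operations other than sysctl-read, such as the constructed mach-lookup line, are counted but get no candidate rule, since each of those needs its own decision about whether the network process should have the access at all.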
Committed r254209: <https://trac.webkit.org/changeset/254209>