RESOLVED WONTFIX 206906
Limit access to 'com.apple.SecurityService' and 'com.apple.ocspd' to systems that require it
https://bugs.webkit.org/show_bug.cgi?id=206906
Brent Fulgham
Reported 2020-01-28 14:16:08 PST
Make use of the Sandbox parameter features to allow WebKit to hint to the sandbox that it is running on a version of macOS that can benefit from updated system components.
Attachments
Patch (4.11 KB, patch)
2020-01-28 15:25 PST, Brent Fulgham
no flags
Patch (4.14 KB, patch)
2020-01-28 18:24 PST, Brent Fulgham
ap: review+
Radar WebKit Bug Importer
Comment 1 2020-01-28 15:21:29 PST
Brent Fulgham
Comment 2 2020-01-28 15:25:00 PST
Per Arne Vollan
Comment 3 2020-01-28 15:38:44 PST
Comment on attachment 389077 [details] Patch

R=me.
Alexey Proskuryakov
Comment 4 2020-01-28 18:05:21 PST
Comment on attachment 389077 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389077&action=review

> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:622
> + if (osVersionParts.size() < 3 || osVersionParts[2].toInt() <= 3)

The logic looks wrong here. It seems exceedingly unlikely that you are getting the right set of versions here.

This means that 10.14.3 and 10.15.3 both need the parameter, but .4 updates do not.

> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:623
> + sandboxParameters.addParameter("_OS_NEEDS_EME_QUIRK", "YES");

We control all parameter names, what is the need for the leading underscore?
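The version check questioned in the comment above, worked through as an added example (not code from the bug thread or from WebKit): it transcribes the quoted condition to `std::` types in place of WTF's and sets it beside a comparison of the whole version. The helper names, the sample versions and the `kAssumedCutoff` value of 10.15.3 are assumptions for illustration; the bug does not state the intended cutoff.

```cpp
// Added example (not WebKit code): why gating on the patch component alone
// selects the wrong OS versions. Uses std:: types in place of WTF::String.
#include <array>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Split "10.15.3" into integer components; non-numeric parts parse as 0.
static std::vector<int> splitVersion(const std::string& version) {
    std::vector<int> parts;
    std::istringstream in(version);
    for (std::string part; std::getline(in, part, '.');)
        parts.push_back(static_cast<int>(std::strtol(part.c_str(), nullptr, 10)));
    return parts;
}

// The condition quoted from the first patch (AuxiliaryProcessMac.mm:622).
static bool patchComponentOnly(const std::vector<int>& v) {
    return v.size() < 3 || v[2] <= 3;
}

// Compare major, minor and patch together; missing components count as 0.
static bool atOrBelow(const std::vector<int>& v, const std::array<int, 3>& cutoff) {
    std::array<int, 3> padded{0, 0, 0};
    for (std::size_t i = 0; i < v.size() && i < padded.size(); ++i)
        padded[i] = v[i];
    return padded <= cutoff; // std::array compares lexicographically
}

// Hypothetical cutoff, chosen only for illustration; the bug does not state one.
static const std::array<int, 3> kAssumedCutoff{10, 15, 3};

int main() {
    // Constructed sample versions.
    for (const char* s : {"10.14.3", "10.14.6", "10.15", "10.15.3", "10.15.4", "11.0.1"}) {
        auto v = splitVersion(s);
        std::printf("%-8s patch-only=%d whole-version=%d\n", s,
                    patchComponentOnly(v), atOrBelow(v, kAssumedCutoff));
    }
    return 0;
}
```

The patch-only check rejects 10.14.6, which sorts below the assumed cutoff, and accepts 11.0.1, which sorts above it; the whole-version comparison orders both correctly.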
Brent Fulgham
Comment 5 2020-01-28 18:24:32 PST
Brent Fulgham
Comment 6 2020-01-28 18:33:39 PST
Comment on attachment 389077 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389077&action=review

>> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:622
>> + if (osVersionParts.size() < 3 || osVersionParts[2].toInt() <= 3)
>
> The logic looks wrong here. It seems exceedingly unlikely that you are getting the right set of versions here.
>
> This means that 10.14.3 and 10.15.3 both need the parameter, but .4 updates do not.

Doh!

>> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:623
>> + sandboxParameters.addParameter("_OS_NEEDS_EME_QUIRK", "YES");
>
> We control all parameter names, what is the need for the leading underscore?

Consistency with the other parameters that work like this. _OS_VERSION
Alexey Proskuryakov
Comment 7 2020-01-28 19:56:59 PST
Comment on attachment 389100 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389100&action=review

> Source/WebKit/Shared/mac/AuxiliaryProcessMac.mm:621
> + if (osVersionParts[0].toInt() == 10 && osVersionParts[1].toInt() <= 15) {

Can you put this into an #if block too, so that it’s easier to remove in the future?

> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:674
> +(if (equal? (param "_OS_NEEDS_EME_QUIRK") "YES")

Did you check how this behaves on old OS versions? I vaguely remember that profile may fail to compile when an undefined param is used.
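Review bot: at AuxiliaryProcessMac.mm:621 the condition indexes osVersionParts[0] and osVersionParts[1], and no length check is visible in the quoted line, whereas the previous revision at least tested osVersionParts.size() < 3. Suggest checking that the vector has at least two elements before indexing, so a short or malformed version string cannot cause an out-of-bounds access.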
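Review bot: at com.apple.WebProcess.sb.in:674 the profile evaluates (param "_OS_NEEDS_EME_QUIRK") unconditionally, while the quoted AuxiliaryProcessMac.mm:621 line opens a version-conditional block; if the addParameter call sits inside that block, the parameter is undefined on every system that does not match. Suggest setting the parameter on all paths with an explicit "YES" or "NO" value, so the profile never depends on how the sandbox compiler treats an undefined parameter.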
Brent Fulgham
Comment 8 2020-01-29 10:16:01 PST
After talking with a few other people, we're going to do this slightly differently.