Bug 209815 - [macOS] Add additional IPC permission needed by Security.framework
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Brent Fulgham
Keywords: InRadar
Reported: 2020-03-31 09:48 PDT by Brent Fulgham
Modified: 2020-03-31 10:40 PDT (History)

Attachments
Patch (1.63 KB, patch)
2020-03-31 09:50 PDT, Brent Fulgham

Description Brent Fulgham 2020-03-31 09:48:21 PDT
WebKit's Network sandbox needs the ipc-posix-shm-write-create permission to properly interact with the 'com.apple.AppleDatabaseChanged' name.
Comment 1 Brent Fulgham 2020-03-31 09:48:34 PDT
<rdar://problem/60892378>
Comment 2 Brent Fulgham 2020-03-31 09:50:15 PDT
Created attachment 395052
Patch
Comment 3 Per Arne Vollan 2020-03-31 09:53:38 PDT
Comment on attachment 395052
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395052&action=review

R=me.

> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:359
> -(allow ipc-posix-shm-read* ipc-posix-shm-write-data
> +(allow ipc-posix-shm-read* ipc-posix-shm-write-create ipc-posix-shm-write-data
>         (ipc-posix-name "com.apple.AppleDatabaseChanged"))
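Review bot: The added ipc-posix-shm-write-create operation in the rule at line 359 remains bound to the single (ipc-posix-name "com.apple.AppleDatabaseChanged") filter, so it permits creating only that named segment rather than POSIX shared memory in general; a short comment above this rule in com.apple.WebKit.NetworkProcess.sb.in noting that Security.framework creates this segment would make the reason for the extra operation visible to whoever next edits the profile, since the name alone does not say why create is needed in addition to read and write-data.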

Do older macOS versions still need ipc-posix-shm-write-data?
Comment 4 Brent Fulgham 2020-03-31 10:13:19 PDT
Comment on attachment 395052
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395052&action=review

>> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:359
>>         (ipc-posix-name "com.apple.AppleDatabaseChanged"))
> 
> Do older macOS versions still need ipc-posix-shm-write-data?

Yes -- this is entirely about needing to add *-create, not about taking anything else away.

It's possible we could have left the old rule for pre-10.15 systems, but I don't think the extra complexity in the sandbox is worth it.
Comment 5 EWS 2020-03-31 10:40:44 PDT
Committed r259300: <https://trac.webkit.org/changeset/259300>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395052.