RESOLVED FIXED 209815
[macOS] Add additional IPC permission needed by Security.framework
https://bugs.webkit.org/show_bug.cgi?id=209815
Brent Fulgham
Reported 2020-03-31 09:48:21 PDT
WebKit's Network sandbox needs the ipc-posix-shm-write-create permission to properly interact with the 'com.apple.AppleDatabaseChanged' name.
Attachments
Patch (1.63 KB, patch)
2020-03-31 09:50 PDT, Brent Fulgham
no flags
Brent Fulgham
Comment 1 2020-03-31 09:48:34 PDT
Brent Fulgham
Comment 2 2020-03-31 09:50:15 PDT
Per Arne Vollan
Comment 3 2020-03-31 09:53:38 PDT
Comment on attachment 395052 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=395052&action=review R=me. > Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:359 > -(allow ipc-posix-shm-read* ipc-posix-shm-write-data > +(allow ipc-posix-shm-read* ipc-posix-shm-write-create ipc-posix-shm-write-data > (ipc-posix-name "com.apple.AppleDatabaseChanged")) Do older macOS versions still need ipc-posix-shm-write-data?
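Review bot: The widened allow rule at com.apple.WebKit.NetworkProcess.sb.in:359 carries no comment in the quoted lines saying why ipc-posix-shm-write-create is now needed; a one-line comment above the rule naming Security.framework and this bug would keep the rationale next to the grant, so a later sandbox-tightening pass neither drops it nor widens it further. The operations remain filtered by (ipc-posix-name "com.apple.AppleDatabaseChanged"), so the new create right applies to that one shared-memory name only, and that scoping should be kept if the rule is ever split per OS version.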
Brent Fulgham
Comment 4 2020-03-31 10:13:19 PDT
Comment on attachment 395052 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=395052&action=review >> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:359 >> (ipc-posix-name "com.apple.AppleDatabaseChanged")) > > Do older macOS versions still need ipc-posix-shm-write-data? Yes -- this is entirely about needing to add *-create, not about taking anything else away. It's possible we could have left the old rule for pre-10.15 systems, but I don't think the extra complexity in the sandbox is worth it.
EWS
Comment 5 2020-03-31 10:40:44 PDT
Committed r259300: <https://trac.webkit.org/changeset/259300> All reviewed patches have been landed. Closing bug and clearing flags on attachment 395052.