RESOLVED FIXED Bug 216042
[iOS] AGX compiler service sandbox violation
https://bugs.webkit.org/show_bug.cgi?id=216042
Summary [iOS] AGX compiler service sandbox violation
Per Arne Vollan
Reported 2020-09-01 10:04:33 PDT
For a set of devices, mach-lookup sandbox violations have been observed for an AGX compiler service. For these devices, we currently issue an extension for one AGX compiler service, but this is not sufficient since this is an exact match. The extension should match the prefix of the service name provided.
Attachments
Patch (4.40 KB, patch)
2020-09-01 10:28 PDT, Per Arne Vollan
no flags
Patch (5.30 KB, patch)
2020-09-01 13:02 PDT, Per Arne Vollan
no flags
Per Arne Vollan
Comment 1 2020-09-01 10:06:25 PDT
Per Arne Vollan
Comment 2 2020-09-01 10:28:40 PDT
Brent Fulgham
Comment 3 2020-09-01 11:43:32 PDT
Comment on attachment 407693 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=407693&action=review r=me > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97 > + extensionFlags |= SANDBOX_EXTENSION_PREFIXMATCH; Can you double-check we do not have any other "xpc-service-prefix" rules that aren't set with this flag?
Brent Fulgham
Comment 4 2020-09-01 11:47:19 PDT
(In reply to Brent Fulgham from comment #3) > Comment on attachment 407693 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=407693&action=review > > r=me > > > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97 > > + extensionFlags |= SANDBOX_EXTENSION_PREFIXMATCH; > > Can you double-check we do not have any other "xpc-service-prefix" rules > that aren't set with this flag? I just checked and don't see any others.
Per Arne Vollan
Comment 5 2020-09-01 13:02:11 PDT
Per Arne Vollan
Comment 6 2020-09-01 13:10:18 PDT
(In reply to Brent Fulgham from comment #3) > Comment on attachment 407693 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=407693&action=review > > r=me > > > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97 > > + extensionFlags |= SANDBOX_EXTENSION_PREFIXMATCH; > > Can you double-check we do not have any other "xpc-service-prefix" rules > that aren't set with this flag? I had to change the patch to issue an array of AGX extensions, since the prefix match did not work as expected. Thanks for reviewing!
Brent Fulgham
Comment 7 2020-09-01 13:27:46 PDT
Comment on attachment 407706 [details] Patch r=me. It's a shame we have to handle them individually, but this makes sense.
Per Arne Vollan
Comment 8 2020-09-01 13:30:17 PDT
(In reply to Brent Fulgham from comment #7) > Comment on attachment 407706 [details] > Patch > > r=me. It's a shame we have to handle them individually, but this makes sense. Thanks for reviewing!
EWS
Comment 9 2020-09-01 14:25:48 PDT
Committed r266411: <https://trac.webkit.org/changeset/266411> All reviewed patches have been landed. Closing bug and clearing flags on attachment 407706 [details].
Jon Lee
Comment 10 2020-09-01 16:22:46 PDT
*** Bug 216033 has been marked as a duplicate of this bug. ***
Matt Hutchinson
Comment 11 2020-10-07 02:40:58 PDT
Hi I have seen that this issue has reappeared in iPasOS 14.2 Thanks
Note You need to log in before you can comment on or make changes to this bug.