For a set of devices, mach-lookup sandbox violations have been observed for an AGX compiler service. For these devices, we currently issue an extension for one AGX compiler service, but this is not sufficient since this is an exact match. The extension should match the prefix of the service name provided.
<rdar://problem/68111667>
Created attachment 407693
Patch
Comment on attachment 407693
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407693&action=review

r=me

> Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97
> + extensionFlags |= SANDBOX_EXTENSION_PREFIXMATCH;

Can you double-check we do not have any other "xpc-service-prefix" rules that aren't set with this flag?
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 407693
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=407693&action=review
>
> r=me
>
> > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97
> > + extensionFlags |= SANDBOX_EXTENSION_PREFIXMATCH;
>
> Can you double-check we do not have any other "xpc-service-prefix" rules
> that aren't set with this flag?

I just checked and don't see any others.
Created attachment 407706
Patch
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 407693
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=407693&action=review
>
> r=me
>
> > Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm:97
> > + extensionFlags |= SANDBOX_EXTENSION_PREFIXMATCH;
>
> Can you double-check we do not have any other "xpc-service-prefix" rules
> that aren't set with this flag?

I had to change the patch to issue an array of AGX extensions, since the prefix match did not work as expected.

Thanks for reviewing!
Comment on attachment 407706
Patch

r=me. It's a shame we have to handle them individually, but this makes sense.
(In reply to Brent Fulgham from comment #7)
> Comment on attachment 407706
> Patch
>
> r=me. It's a shame we have to handle them individually, but this makes sense.

Thanks for reviewing!
Committed r266411: <https://trac.webkit.org/changeset/266411>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 407706.
*** Bug 216033 has been marked as a duplicate of this bug. ***
Hi, I have seen that this issue has reappeared in iPadOS 14.2. Thanks