In Bug 205443 we did work to extend access to non-web-browsing services to the WebContent process only when needed. This was lost in the transition to the GPU Process, and should be added back. <rdar://problem/68366888>
Created attachment 427166: Patch
Created attachment 427169: Patch
Comment on attachment 427169: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=427169&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:727
> +(deny mach-lookup (with telemetry-backtrace)

I think the other services should be denied as well.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:952
> +    "com.apple.lsd.open"

I wonder if these are needed in the GPU process. Do we have telemetry for this?
Comment on attachment 427169: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=427169&action=review

>> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:727
>> +(deny mach-lookup (with telemetry-backtrace)
>
> I think the other services should be denied as well.

(in the case where they are not tied to the extension)
Created attachment 427204: Patch
Comment on attachment 427204: Patch
R=me
Committed r276721 (237125@main): <https://commits.webkit.org/237125@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 427204.