Bug 225111 - [iOS] [GPU] The UI process should issue mach sandbox extensions to 'iconservices'
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Brent Fulgham
Keywords: InRadar
Reported: 2021-04-27 10:41 PDT by Brent Fulgham
Modified: 2021-04-28 10:27 PDT

Attachments
Patch (9.14 KB, patch)
2021-04-27 10:52 PDT, Brent Fulgham
ews-feeder: commit-queue-
Patch (9.15 KB, patch)
2021-04-27 10:56 PDT, Brent Fulgham
no flags
Patch (9.24 KB, patch)
2021-04-27 15:33 PDT, Brent Fulgham
no flags

Description Brent Fulgham 2021-04-27 10:41:39 PDT
In Bug 205443 we did work to extend access to non-web-browsing services to the WebContent process only when needed. This was lost in the transition to the GPU Process, and should be added back.

<rdar://problem/68366888>
Comment 1 Brent Fulgham 2021-04-27 10:52:02 PDT
Created attachment 427166
Patch
Comment 2 Brent Fulgham 2021-04-27 10:56:32 PDT
Created attachment 427169
Patch
Comment 3 Per Arne Vollan 2021-04-27 11:46:27 PDT
Comment on attachment 427169
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427169&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:727
> +(deny mach-lookup (with telemetry-backtrace)

I think the other services should be denied as well.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:952
> +            "com.apple.lsd.open"

I wonder if these are needed in the GPU process. Do we have telemetry for this?
Comment 4 Per Arne Vollan 2021-04-27 12:22:26 PDT
Comment on attachment 427169
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427169&action=review

>> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:727
>> +(deny mach-lookup (with telemetry-backtrace)
> 
> I think the other services should be denied as well.

(in the case where they are not tied to the extension)
Comment 5 Brent Fulgham 2021-04-27 15:33:42 PDT
Created attachment 427204
Patch
Comment 6 Per Arne Vollan 2021-04-27 17:03:41 PDT
Comment on attachment 427204
Patch

R=me
Comment 7 EWS 2021-04-28 10:27:42 PDT
Committed r276721 (237125@main): <https://commits.webkit.org/237125@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427204.