Bug 226546 - [iOS] Fix IOKit sandbox violations
Summary: [iOS] Fix IOKit sandbox violations
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Per Arne Vollan
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-06-02 11:37 PDT by Per Arne Vollan
Modified: 2021-06-02 13:34 PDT (History)
3 users (show)

See Also:

Attachments
Patch (3.46 KB, patch)
2021-06-02 11:47 PDT, Per Arne Vollan 		no flags Details | Formatted Diff | Diff
Patch (3.21 KB, patch)
2021-06-02 12:04 PDT, Per Arne Vollan 		no flags Details | Formatted Diff | Diff
Patch (3.24 KB, patch)
2021-06-02 12:33 PDT, Per Arne Vollan 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Per Arne Vollan 2021-06-02 11:37:46 PDT 
Fix IOKit sandbox violations in the WebContent process on iOS.
Comment 1 Per Arne Vollan 2021-06-02 11:38:11 PDT 
<rdar://78523469>
Comment 2 Per Arne Vollan 2021-06-02 11:47:49 PDT 
Created attachment 430379 [details]
Patch
Comment 3 Per Arne Vollan 2021-06-02 12:04:56 PDT 
Created attachment 430386 [details]
Patch
Comment 4 Tim Horton 2021-06-02 12:09:53 PDT 
Comment on attachment 430386 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=430386&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:267
> +#if __IPHONE_OS_VERSION_MIN_REQUIRED <= 150000

1) `<= a major version` is highly unusual and likely to lead to errors in the very near future. Does this need a FIXME + radar about reenabling it for future point updates?
2) what about the iOS-derived platforms that use this sandbox file but do not use __IPHONE_OS_VERSION_MIN_REQUIRED?
Comment 5 Per Arne Vollan 2021-06-02 12:33:25 PDT 
Created attachment 430391 [details]
Patch
Comment 6 Per Arne Vollan 2021-06-02 12:34:07 PDT 
(In reply to Tim Horton from comment #4)
> Comment on attachment 430386 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=430386&action=review
> 
> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:267
> > +#if __IPHONE_OS_VERSION_MIN_REQUIRED <= 150000
> 
> 1) `<= a major version` is highly unusual and likely to lead to errors in
> the very near future. Does this need a FIXME + radar about reenabling it for
> future point updates?
> 2) what about the iOS-derived platforms that use this sandbox file but do
> not use __IPHONE_OS_VERSION_MIN_REQUIRED?

I have uploaded a new patch which I think should resolve these issues.

Thanks for reviewing!
Comment 7 Tim Horton 2021-06-02 12:41:38 PDT 
Comment on attachment 430391 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=430391&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:267
> +#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED < 150500

The new version check is odd for a different but very similar reason :) Maybe you meant < 160000?

Also, you definitely still need a FIXME.

Also, is it really OK that you're disabling this security feature for watchOS and tvOS?
Comment 8 Tim Horton 2021-06-02 12:55:25 PDT 
Comment on attachment 430391 [details]
Patch

Per Arne explained both parts elsewhere, I retract my three comments :)
Comment 9 Per Arne Vollan 2021-06-02 13:00:20 PDT 
Comment on attachment 430391 [details]
Patch

Thanks for reviewing!
Comment 10 EWS 2021-06-02 13:34:29 PDT 
Committed r278370 (238397@main): <https://commits.webkit.org/238397@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 430391 [details].