Title: [283323] trunk/Source/WebKit
Revision
283323
Author
pvol...@apple.com
Date
2021-09-30 12:53:27 -0700 (Thu, 30 Sep 2021)

Log Message

[macOS] Reduce sandbox telemetry
https://bugs.webkit.org/show_bug.cgi?id=231026
<rdar://83694937>

Reviewed by Brent Fulgham.

Remove sandbox telemetry for resources that we already see are in use.

* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (283322 => 283323)


--- trunk/Source/WebKit/ChangeLog	2021-09-30 19:23:43 UTC (rev 283322)
+++ trunk/Source/WebKit/ChangeLog	2021-09-30 19:53:27 UTC (rev 283323)
@@ -1,3 +1,16 @@
+2021-09-30  Per Arne  <pvol...@apple.com>
+
+        [macOS] Reduce sandbox telemetry
+        https://bugs.webkit.org/show_bug.cgi?id=231026
+        <rdar://83694937>
+
+        Reviewed by Brent Fulgham.
+
+        Remove sandbox telemetry for resources that we already see are in use.
+
+        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+
 2021-09-30  Eddy Wong  <eddy_w...@apple.com>
 
         Adopt presentationSceneIdentifierForPaymentAuthorizationController delegate call from PassKit

Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (283322 => 283323)


--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-09-30 19:23:43 UTC (rev 283322)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-09-30 19:53:27 UTC (rev 283323)
@@ -25,7 +25,7 @@
 (deny default (with partial-symbolication))
 (deny nvram*)
 (deny system-privilege)
-(allow system-audit file-read-metadata (with telemetry))
+(allow system-audit file-read-metadata)
 
 ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
 (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
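Review bot: `(allow system-audit file-read-metadata)` has no path filter, so dropping `(with telemetry)` here ends reporting for metadata reads on every path that a later telemetered rule does not match. That is wider than the "resources that we already see are in use" stated in the log message. The same applies to the `allow-read-directory-and-issue-read-extensions` hunk further down, where the helper loses telemetry for every path its callers pass; those call sites are outside the hunks shown. If only specific paths were confirmed, consider keeping `(with telemetry)` on the generic rule and adding untelemetered rules for the observed paths, as this commit does for `/var`.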
@@ -41,12 +41,16 @@
 (allow mach-register (with telemetry) (local-name-prefix ""))
 
 ;;; Allow read access to standard system paths.
+(allow file-read*
+    (require-all
+        (file-mode #o0004)
+        (subpath "/System")))
+
 (allow file-read* (with telemetry)
     (require-all (file-mode #o0004)
     (require-any (subpath "/Library/Filesystems/NetFSPlugins")
     (subpath "/Library/Apple/System")
     (subpath "/Library/Preferences/Logging")      ; Logging Rethink
-    (subpath "/System")
     (subpath "/private/var/db/dyld")
     (subpath "/private/var/db/timezone")
     (subpath "/usr/lib")
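Review bot: The new untelemetered `/System` rule has no comment saying why it is kept apart from the telemetered rule directly below it, so a later edit could add a path to the wrong rule and silently lose reporting for it. A one-line comment above the new rule, such as `;; No telemetry: already observed in use, see https://bugs.webkit.org/show_bug.cgi?id=231026`, would make the split self-explanatory. The same comment fits the other split-out rules in this commit: `/var`, `/dev/dtracehelper`, the new `mach-lookup` rules, and the `/var` and `/System` rules in the NetworkProcess profile. The telemetered rule continues past the end of this hunk.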
@@ -68,10 +72,11 @@
     (subpath "/usr/appleinternal/lib") ;; <rdar://problem/72317112>
 )
 
+(allow file-read-metadata
+    (literal "/var"))
 (allow file-read-metadata (with telemetry)
     (literal "/etc")
     (literal "/tmp")
-    (literal "/var")
     (literal "/private/etc/localtime"))
 
 
@@ -89,7 +94,8 @@
     (literal "/dev/zero"))
 
 (allow file-read*
-       file-write-data
+    (literal "/dev/dtracehelper"))
+(allow file-write-data
        file-ioctl (with telemetry)
     (literal "/dev/dtracehelper"))
 
@@ -511,7 +517,7 @@
 (define (allow-read-directory-and-issue-read-extensions path)
     (if path
         (begin
-            (allow file-read* (with telemetry) (subpath path))
+            (allow file-read* (subpath path))
             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
 
 (define (allow-read-write-directory-and-issue-read-write-extensions path)
@@ -661,12 +667,14 @@
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data (with telemetry)
     (ipc-posix-name-regex #"^AudioIO"))
 
+(allow mach-lookup
+    (global-name "com.apple.audio.AudioComponentRegistrar"))
+
+#if !ENABLE(CFPREFS_DIRECT_MODE)
 (allow mach-lookup (with telemetry)
-    (global-name "com.apple.audio.AudioComponentRegistrar")
-#if !ENABLE(CFPREFS_DIRECT_MODE)
     (global-name "com.apple.cfprefsd.agent")
+)
 #endif
-)
 
 (with-filter (system-attribute apple-internal)
     (allow mach-lookup
@@ -680,34 +688,36 @@
 )
 
 ;; Various services required by AppKit and other frameworks
+(allow mach-lookup
+       (global-name "com.apple.audio.audiohald")
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
+       (global-name "com.apple.CARenderServer") ; Needed for [CAContext remoteContextWithOptions]
+#else
+       (global-name "com.apple.windowserver.active")
+#endif
+       (global-name "com.apple.lsd.mapdb")
+       (global-name "com.apple.fonts")
+       (global-name "com.apple.PowerManagement.control")
+       (global-name "com.apple.trustd.agent")
+       (global-name "com.apple.logd.events"))
+
 (allow mach-lookup (with telemetry)
 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 101400
        (global-name "com.apple.FontObjectsServer")
 #endif
-       (global-name "com.apple.PowerManagement.control")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.assertiond.processassertionconnection")
        (global-name "com.apple.audio.toolbox.reporting.service")
        (global-name "com.apple.audio.SystemSoundServer-OSX")
-       (global-name "com.apple.audio.audiohald")
 #if !ENABLE(CFPREFS_DIRECT_MODE)
        (global-name "com.apple.cfprefsd.daemon")
 #endif
        (global-name "com.apple.coreservices.launchservicesd")
-       (global-name "com.apple.fonts")
        (global-name "com.apple.mediaremoted.xpc")
        (global-name "com.apple.logd")
-       (global-name "com.apple.logd.events")
-       (global-name "com.apple.lsd.mapdb")
        (global-name "com.apple.lskdd") ;; <rdar://problem/49123855>
        (global-name "com.apple.tccd")
        (global-name "com.apple.tccd.system")
-       (global-name "com.apple.trustd.agent")
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
-       (global-name "com.apple.CARenderServer") ; Needed for [CAContext remoteContextWithOptions]
-#else
-       (global-name "com.apple.windowserver.active")
-#endif
 )
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
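Review bot: `(global-name "com.apple.windowserver.active")` moves into the untelemetered rule only because it shares the `#if`/`#else` block with `com.apple.CARenderServer`. That `#else` branch is compiled only for pre-10.14, non-Catalyst targets, so it is unlikely to be where the "already in use" observation came from. The other pre-10.14 entry, `com.apple.FontObjectsServer`, stays under `(with telemetry)`, which leaves the two legacy entries inconsistent. Consider moving only the `CARenderServer` line to the new rule and leaving the `windowserver.active` branch in the telemetered rule, or removing the legacy branch if those targets are no longer built.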
@@ -778,8 +788,9 @@
 
 #if PLATFORM(MAC)
 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
+(allow mach-lookup
+       (global-name "com.apple.system.logger"))
 (allow mach-lookup (with telemetry)
-       (global-name "com.apple.system.logger")
        (global-name "com.apple.system.notification_center"))
 #endif
 
@@ -817,6 +828,8 @@
 #endif
 
 ;; AirPlay
+(allow mach-lookup
+    (global-name "com.apple.coremedia.routingcontext.xpc"))
 (allow mach-lookup (with telemetry)
     (global-name "com.apple.coremedia.endpoint.xpc")
     (global-name "com.apple.coremedia.endpointstream.xpc")
@@ -825,7 +838,6 @@
     ; <rdar://problem/35509194>
     (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc")
     (global-name "com.apple.coremedia.routediscoverer.xpc")
-    (global-name "com.apple.coremedia.routingcontext.xpc")
     (global-name "com.apple.coremedia.volumecontroller.xpc")
 )
 

Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (283322 => 283323)


--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2021-09-30 19:23:43 UTC (rev 283322)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2021-09-30 19:53:27 UTC (rev 283323)
@@ -62,21 +62,24 @@
        (subpath "/usr/appleinternal/lib") ;; <rdar://problem/72317112>
 )
 
+(allow file-read-metadata
+       (literal "/var"))
 (allow file-read-metadata (with telemetry)
        (literal "/etc")
        (literal "/tmp")
-       (literal "/var")
        (literal "/private/etc/localtime"))
 
 (allow file-read-metadata (with telemetry) (path-ancestors "/System/Volumes/Data/private"))
 
-(allow file-read* (with telemetry) (literal "/"))
+(allow file-read* (literal "/"))
 
+(allow file-read*
+       (subpath "/System"))
+
 (allow file-read* (with telemetry)
        (subpath "/Library/Apple/System")
        (subpath "/Library/Filesystems/NetFSPlugins")
        (subpath "/Library/Preferences/Logging")      ; Logging Rethink
-       (subpath "/System")
        (subpath "/private/var/db/dyld")
        (subpath "/private/var/db/timezone")
        (subpath "/usr/lib")
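Review bot: The new `(allow file-read* (subpath "/System"))` rule has no `file-mode` condition, while the `/System` rule this commit adds to the GPU process profile is limited to world-readable files with `(require-all (file-mode #o0004) ...)`. This keeps the NetworkProcess behaviour as it was, but the rule is being rewritten anyway and is now untelemetered, so reads of non-world-readable files under `/System` would be both allowed and unreported. If the network process does not need such files, `(allow file-read* (require-all (file-mode #o0004) (subpath "/System")))` would match the GPU profile; this is a tightening and would need testing. The telemetered rule that follows continues past the end of this hunk.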