Diff
Modified: trunk/LayoutTests/ChangeLog (253777 => 253778)
--- trunk/LayoutTests/ChangeLog 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/LayoutTests/ChangeLog 2019-12-19 20:00:24 UTC (rev 253778)
@@ -1,5 +1,20 @@
2019-12-19 Brent Fulgham <bfulg...@apple.com>
+ WebContent process does not need access to 'com.apple.system.logger'
+ https://bugs.webkit.org/show_bug.cgi?id=205411
+ <rdar://problem/56966080>
+
+ Reviewed by Per Arne Vollan.
+
+ * TestExpectations:
+ * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+ * fast/sandbox/ios/sandbox-mach-lookup.html:
+ * fast/sandbox/mac/sandbox-mach-lookup-expected.txt: Added.
+ * fast/sandbox/mac/sandbox-mach-lookup.html: Added.
+ * platform/mac-wk2/TestExpectations:
+
+2019-12-19 Brent Fulgham <bfulg...@apple.com>
+
Deny mach lookup access to "com.apple.TextInput" in the WebContent process
https://bugs.webkit.org/show_bug.cgi?id=205423
<rdar://problem/56990842>
Modified: trunk/LayoutTests/TestExpectations (253777 => 253778)
--- trunk/LayoutTests/TestExpectations 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/LayoutTests/TestExpectations 2019-12-19 20:00:24 UTC (rev 253778)
@@ -29,6 +29,7 @@
fast/forms/textarea/ios [ Skip ]
fast/forms/watchos [ Skip ]
fast/sandbox/ios [ Skip ]
+fast/sandbox/mac [ Skip ]
fast/viewport/watchos [ Skip ]
fast/visual-viewport/watchos [ Skip ]
fast/visual-viewport/tiled-drawing [ Skip ]
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (253777 => 253778)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2019-12-19 20:00:24 UTC (rev 253778)
@@ -5,6 +5,7 @@
PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.apple-extension-service") is false
PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.viewservice") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.TextInput") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.pluginkit.pkd") is false
-PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.TextInput") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (253777 => 253778)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2019-12-19 20:00:24 UTC (rev 253778)
@@ -8,8 +8,9 @@
if (window.internals) {
shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.apple-extension-service\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.viewservice\")");
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.TextInput\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.pluginkit.pkd\")");
- shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.TextInput\")");
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
}
</script>
</head>
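Review bot: The `com.apple.TextInput` assertion is moved above the `com.apple.pluginkit.pkd` one in this hunk, which is unrelated to removing `com.apple.system.logger` and makes the diff look larger than the change. Consider leaving the existing order and appending only the new `shouldBeFalse(...)` line for `com.apple.system.logger`, with the same minimal change in sandbox-mach-lookup-expected.txt so the two files stay in step.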
Added: trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt (0 => 253778)
--- trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt 2019-12-19 20:00:24 UTC (rev 253778)
@@ -0,0 +1,7 @@
+Regression tests for mach lookup sandbox changes on macOS
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false
+
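Review bot: The expected output ends after the single PASS line, although its third line says a "TEST COMPLETE" message will follow. If the test never emits a completion marker, a run that stops before reaching later assertions produces the same kind of output as a complete one. Consider having the test finish through the harness's completion step and recording the resulting "TEST COMPLETE" line here.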
Added: trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html (0 => 253778)
--- trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html (rev 0)
+++ trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html 2019-12-19 20:00:24 UTC (rev 253778)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+description('Regression tests for mach lookup sandbox changes on macOS');
+
+if (window.internals) {
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
+}
+</script>
+</head>
+<body>
+</body>
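Review bot: The new file stops at `</body>` with no closing `</html>`, and the hunk header (14 lines) confirms nothing follows. Browsers tolerate this, but a newly added test should be well-formed, so please add the closing tag. Separately, the only assertion sits inside `if (window.internals)`, so the test is only meaningful where internals is exposed; the mac-wk2 expectation in this change is the only place that turns it on, which is worth stating in the description string or the ChangeLog.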
Modified: trunk/LayoutTests/platform/mac-wk2/TestExpectations (253777 => 253778)
--- trunk/LayoutTests/platform/mac-wk2/TestExpectations 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/LayoutTests/platform/mac-wk2/TestExpectations 2019-12-19 20:00:24 UTC (rev 253778)
@@ -12,6 +12,7 @@
editing/undo-manager [ Pass ]
editing/pasteboard/dom-paste [ Pass ]
fast/forms/select/mac-wk2 [ Pass ]
+fast/sandbox/mac [ Pass ]
fast/visual-viewport/tiled-drawing [ Pass ]
fast/web-share [ Pass ]
scrollingcoordinator [ Pass ]
Modified: trunk/Source/WebKit/ChangeLog (253777 => 253778)
--- trunk/Source/WebKit/ChangeLog 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/Source/WebKit/ChangeLog 2019-12-19 20:00:24 UTC (rev 253778)
@@ -1,5 +1,21 @@
2019-12-19 Brent Fulgham <bfulg...@apple.com>
+ WebContent process does not need access to 'com.apple.system.logger'
+ https://bugs.webkit.org/show_bug.cgi?id=205411
+ <rdar://problem/56966080>
+
+ Reviewed by Per Arne Vollan.
+
+ Telemetry and thorough testing has confirmed that we do not need access to this
+ mach service, and so should remove it.
+
+ Tested by fast/sandbox.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+2019-12-19 Brent Fulgham <bfulg...@apple.com>
+
Deny mach lookup access to "com.apple.TextInput" in the WebContent process
https://bugs.webkit.org/show_bug.cgi?id=205423
<rdar://problem/56990842>
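Review bot: The two file entries at the end of the new ChangeLog block (`* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:` and `* WebProcess/com.apple.WebProcess.sb.in:`) carry no per-file description. The macOS profile loses the `com.apple.system.logger` entry in two separate rules, and the iOS profile loses a rule that carried report and telemetry modifiers, so a short note per file saying which rules were touched would help anyone later bisecting a logging regression. The entry also says "Tested by fast/sandbox", but the change adds fast/sandbox/mac as a new directory; naming both the ios and mac tests would be more precise.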
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (253777 => 253778)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2019-12-19 20:00:24 UTC (rev 253778)
@@ -664,9 +664,6 @@
(allow sysctl-read sysctl-write
(sysctl-name "vm.footprint_suspend")))
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.system.logger"))
-
(allow file-read-metadata network-outbound
(literal "/private/var/run/syslog"))
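Review bot: The rule left directly below the removed block, `(allow file-read-metadata network-outbound (literal "/private/var/run/syslog"))`, still grants the WebContent process a path to the syslog socket. If the telemetry that justified dropping `com.apple.system.logger` shows the process no longer uses that logging service, it is worth checking whether the syslog socket rule is still needed, or at least adding a comment explaining why it stays. The removed rule was the one carrying `(with report) (with telemetry)`, so the remaining rule has no equivalent instrumentation for answering that question later.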
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (253777 => 253778)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2019-12-19 19:48:34 UTC (rev 253777)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2019-12-19 20:00:24 UTC (rev 253778)
@@ -600,7 +600,6 @@
(global-name "com.apple.iconservices.store")
(global-name "com.apple.mobileassetd")
(global-name "com.apple.powerlog.plxpclogger.xpc")
- (global-name "com.apple.system.logger")
)
;; Various services required by AppKit and other frameworks
@@ -702,7 +701,6 @@
#if PLATFORM(MAC)
;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
(allow mach-lookup
- (global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center"))
#endif
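Review bot: The `(allow mach-lookup` rule in this hunk has no report or telemetry modifier, unlike the iOS rule removed in the same change, so the ChangeLog's statement that telemetry confirmed the service is unused is not backed by anything visible in this profile. Please say in the ChangeLog what evidence covers macOS, since a missed caller here would show up as a sandbox denial in the field. Also, the FIXME above the rule referencing <rdar://problem/9347205> now guards only `com.apple.system.notification_center`; confirm the comment still describes the remaining entry or reword it.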