Address kernel MIG sandbox telemetry #11777

pvollan · 2023-03-21T22:25:24Z

`0850093`

Address kernel MIG sandbox telemetry
https://bugs.webkit.org/show_bug.cgi?id=254234
rdar://106829883

Reviewed by Brent Fulgham.

Address kernel MIG sandbox telemetry in the GPU and Network process. This patch also enforces the filters.

* Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in:

Canonical link: https://commits.webkit.org/263551@main

e3caf66

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🛠 gtk
	✅ 🧪 ios-wk2-wpt		✅ 🧪 gtk-wk2
	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🧪 api-gtk
	✅ 🛠 tv	~~🧪 mac-AS-debug-wk2~~
	✅ 🛠 tv-sim
✅ 🛠 🧪 merge	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2023-03-21T22:26:29Z

EWS run on previous version of this PR (hash 7cdd4ef)

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	⏳ 🛠 wincairo
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	~~🧪 wpe-wk2~~
✅ 🧪 webkitperl	~~🧪 ios-wk2~~	✅ 🧪 api-mac	✅ 🛠 gtk
	~~🧪 api-ios~~	~~🧪 mac-wk1~~	~~🧪 gtk-wk2~~
	⏳ 🛠 tv	~~🧪 mac-wk2~~	~~🧪 api-gtk~~
	✅ 🛠 tv-sim	~~🧪 mac-AS-debug-wk2~~
	⏳ 🛠 watch	✅ 🧪 mac-wk2-stress
	✅ 🛠 watch-sim

webkit-early-warning-system · 2023-03-21T22:55:19Z

EWS run on previous version of this PR (hash 275a1c4)

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🛠 gtk
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🧪 gtk-wk2
	✅ 🛠 tv	✅ 🧪 mac-wk2	✅ 🧪 api-gtk
	✅ 🛠 tv-sim	✅ 🧪 mac-AS-debug-wk2
	✅ 🛠 watch	✅ 🧪 mac-wk2-stress
	✅ 🛠 watch-sim

brentfulgham

r=me, but please consider whether we should generate local reports, too. I think we maybe should...

brentfulgham · 2023-03-21T22:55:27Z

Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in

@@ -1002,14 +1002,17 @@
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint))
    (allow mach-kernel-endpoint
        (apply-message-filter
-            (allow mach-message-send (with report) (with telemetry))
+            (deny mach-message-send (with telemetry))


Do we not want a report if we deny the message-send? Seems like if we are willing to pay the cost of telemetry, we should try to generate a report, too? Or do you think that will be a perf hit?

brentfulgham · 2023-03-21T22:55:52Z

Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

@@ -694,10 +694,11 @@
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint))
    (allow mach-kernel-endpoint
        (apply-message-filter
-            (allow mach-message-send (with report) (with telemetry))
+            (deny mach-message-send (with telemetry))


Ditto: Should we try to get a local report, in case we miss a telemetry window because of other logging?

webkit-early-warning-system · 2023-03-23T15:27:51Z

EWS run on previous version of this PR (hash c6fa833)

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🛠 gtk
	⏳ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🧪 gtk-wk2
	✅ 🧪 api-ios	✅ 🧪 mac-wk2	⏳ 🧪 api-gtk
	✅ 🛠 tv	✅ 🧪 mac-AS-debug-wk2
	✅ 🛠 tv-sim	✅ 🧪 mac-wk2-stress
	✅ 🛠 watch
	✅ 🛠 watch-sim

pvollan · 2023-03-23T15:28:06Z

r=me, but please consider whether we should generate local reports, too. I think we maybe should...

That is a good point. I believe we still will get local reports, since that is the default action on a violation.

Thanks for reviewing!

webkit-early-warning-system · 2023-05-01T13:50:42Z

EWS run on current version of this PR (hash e3caf66)

Misc	iOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 wincairo
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🛠 gtk
	✅ 🧪 ios-wk2-wpt		✅ 🧪 gtk-wk2
	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🧪 api-gtk
	✅ 🛠 tv	~~🧪 mac-AS-debug-wk2~~
	✅ 🛠 tv-sim
✅ 🛠 🧪 merge	✅ 🛠 watch
	✅ 🛠 watch-sim

https://bugs.webkit.org/show_bug.cgi?id=254234 rdar://106829883 Reviewed by Brent Fulgham. Address kernel MIG sandbox telemetry in the GPU and Network process. This patch also enforces the filters. * Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in: * Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in: Canonical link: https://commits.webkit.org/263551@main

webkit-commit-queue · 2023-05-01T15:21:09Z

Committed 263551@main (0850093): https://commits.webkit.org/263551@main

Reviewed commits have been landed. Closing PR #11777 and removing active labels.

pvollan requested a review from brentfulgham as a code owner March 21, 2023 22:25

pvollan self-assigned this Mar 21, 2023

pvollan added the WebKit Misc. For miscellaneous bugs in the WebKit framework (and not JavaScriptCore or WebCore). label Mar 21, 2023

pvollan requested review from cdumez, geoffreygaren, szewai, johnwilander and gavin-apple March 21, 2023 22:27

pvollan force-pushed the eng/Address-kernel-MIG-sandbox-telemetry branch from 7cdd4ef to 275a1c4 Compare March 21, 2023 22:53

brentfulgham approved these changes Mar 21, 2023

View reviewed changes

pvollan force-pushed the eng/Address-kernel-MIG-sandbox-telemetry branch from 275a1c4 to c6fa833 Compare March 23, 2023 15:27

pvollan force-pushed the eng/Address-kernel-MIG-sandbox-telemetry branch from c6fa833 to e3caf66 Compare May 1, 2023 13:50

pvollan added the merge-queue Applied to send a pull request to merge-queue label May 1, 2023

webkit-commit-queue force-pushed the eng/Address-kernel-MIG-sandbox-telemetry branch from e3caf66 to 0850093 Compare May 1, 2023 15:21

webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label May 1, 2023

webkit-commit-queue merged commit 0850093 into WebKit:main May 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Address kernel MIG sandbox telemetry #11777

Address kernel MIG sandbox telemetry #11777

pvollan commented Mar 21, 2023 •

edited by webkit-early-warning-system

webkit-early-warning-system commented Mar 21, 2023 •

edited

webkit-early-warning-system commented Mar 21, 2023 •

edited

brentfulgham left a comment

brentfulgham Mar 21, 2023

brentfulgham Mar 21, 2023

webkit-early-warning-system commented Mar 23, 2023 •

edited

pvollan commented Mar 23, 2023

webkit-early-warning-system commented May 1, 2023 •

edited

webkit-commit-queue commented May 1, 2023

Address kernel MIG sandbox telemetry #11777

Address kernel MIG sandbox telemetry #11777

Conversation

pvollan commented Mar 21, 2023 • edited by webkit-early-warning-system

0850093

webkit-early-warning-system commented Mar 21, 2023 • edited

webkit-early-warning-system commented Mar 21, 2023 • edited

brentfulgham left a comment

Choose a reason for hiding this comment

brentfulgham Mar 21, 2023

Choose a reason for hiding this comment

brentfulgham Mar 21, 2023

Choose a reason for hiding this comment

webkit-early-warning-system commented Mar 23, 2023 • edited

pvollan commented Mar 23, 2023

webkit-early-warning-system commented May 1, 2023 • edited

webkit-commit-queue commented May 1, 2023

pvollan commented Mar 21, 2023 •

edited by webkit-early-warning-system

`0850093`

webkit-early-warning-system commented Mar 21, 2023 •

edited

webkit-early-warning-system commented Mar 21, 2023 •

edited

webkit-early-warning-system commented Mar 23, 2023 •

edited

webkit-early-warning-system commented May 1, 2023 •

edited