Address kernel MIG sandbox telemetry #11777
EWS run on previous version of this PR (hash 7cdd4ef)
7cdd4ef to 275a1c4
EWS run on previous version of this PR (hash 275a1c4)
r=me, but please consider whether we should generate local reports, too. I think we maybe should...
@@ -1002,14 +1002,17 @@ | |||
(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint)) | |||
(allow mach-kernel-endpoint | |||
(apply-message-filter | |||
(allow mach-message-send (with report) (with telemetry)) | |||
(deny mach-message-send (with telemetry)) |
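Review bot: the `(deny mach-message-send (with telemetry))` rule at the end of this hunk carries only the telemetry modifier, while the `(allow mach-message-send (with report) (with telemetry))` line shown just above it names both. If leaving `(with report)` off the deny rule is intentional, a short comment in the profile saying so, and saying where a violation report is expected to come from, would save the next reader from guessing; otherwise state the reporting behaviour explicitly on the rule.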
Do we not want a report if we deny the message-send? Seems like if we are willing to pay the cost of telemetry, we should try to generate a report, too? Or do you think that will be a perf hit?
@@ -694,10 +694,11 @@ | |||
(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint)) | |||
(allow mach-kernel-endpoint | |||
(apply-message-filter | |||
(allow mach-message-send (with report) (with telemetry)) | |||
(deny mach-message-send (with telemetry)) |
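Review bot: the whole filter in this hunk sits under `(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint)) ...)`, so when either condition is false none of the `mach-message-send` rules shown here apply. The visible lines do not show what governs kernel MIG messages in that case; please confirm it is covered elsewhere in the profile, or add a comment next to the `when` stating the intended behaviour with the filter off. The block is also textually identical to the one in the hunk at line 1002, so any later change to one needs to be mirrored in the other.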
Ditto: Should we try to get a local report, in case we miss a telemetry window because of other logging?
275a1c4 to c6fa833
EWS run on previous version of this PR (hash c6fa833)
That is a good point. I believe we still will get local reports, since that is the default action on a violation. Thanks for reviewing!
c6fa833 to e3caf66
EWS run on current version of this PR (hash e3caf66)
https://bugs.webkit.org/show_bug.cgi?id=254234
rdar://106829883

Reviewed by Brent Fulgham.

Address kernel MIG sandbox telemetry in the GPU and Network process. This patch also enforces the filters.

* Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in:

Canonical link: https://commits.webkit.org/263551@main
e3caf66 to 0850093
Committed 263551@main (0850093): https://commits.webkit.org/263551@main Reviewed commits have been landed. Closing PR #11777 and removing active labels.