Upgrade to sandbox version 3 on iOS and macOS #6864
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
EWS run on previous version of this PR (hash a76df67) |
pvollan
added
the
WebKit Misc.
webkit-ews-buildbot
added
the
merging-blocked
pvollan
removed
the
merging-blocked
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
a76df67
to
0210043
Compare
webkit-ews-buildbot
added
the
merging-blocked
pvollan
removed
the
merging-blocked
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
0210043
to
4cca556
Compare
|
EWS run on previous version of this PR (hash 4cca556)
|
webkit-ews-buildbot
added
the
merging-blocked
pvollan
removed
the
merging-blocked
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
4cca556
to
e4481f1
Compare
|
EWS run on previous version of this PR (hash e4481f1)
|
webkit-ews-buildbot
added
the
merging-blocked
pvollan
removed
the
merging-blocked
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
e4481f1
to
5dabc34
Compare
|
EWS run on previous version of this PR (hash 5dabc34)
|
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
5dabc34
to
f5ab65a
Compare
|
EWS run on previous version of this PR (hash f5ab65a)
|
webkit-ews-buildbot
added
the
merging-blocked
pvollan
removed
the
merging-blocked
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
f5ab65a
to
f3ab20e
Compare
|
EWS run on previous version of this PR (hash f3ab20e)
|
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
f3ab20e
to
f8c5031
Compare
|
EWS run on previous version of this PR (hash f8c5031)
|
webkit-ews-buildbot
added
the
merging-blocked
brentfulgham
approved these changes
Nov 30, 2022
Source/WTF/wtf/PlatformUse.h
Outdated
| @@ -375,3 +375,8 @@ | |||
| #if PLATFORM(COCOA) && (HAVE(CGSTYLE_CREATE_SHADOW2) || HAVE(CGSTYLE_COLORMATRIX_BLUR)) | |||
| #define USE_GRAPHICS_CONTEXT_FILTERS 1 | |||
| #endif | |||
|
|
|||
| #if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 140000) \ | |||
| || ((PLATFORM(IOS) || PLATFORM(MACCATALYST)) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 170000) | |||
There was a problem hiding this comment.
I am always confused by when to use PLATFORM(IOS_FAMILY) versus PLATFORM(IOS). I believe that this rule means that USE_SANDBOX_VERSION_3 will be undefined for watchOS and tvOS. Is this your intention?
There was a problem hiding this comment.
I am always confused by when to use
PLATFORM(IOS_FAMILY)versusPLATFORM(IOS). I believe that this rule means that USE_SANDBOX_VERSION_3 will be undefined for watchOS and tvOS. Is this your intention?
That is a good point. The intention is for also watchOS and tvOS to have version 3. I have removed this from the latest patch, and will enable in a separate patch.
Thanks for reviewing!
|
|
||
| (with-filter (mac-policy-name "Sandbox") | ||
| (allow system-mac-syscall (mac-syscall-number 5))) | ||
| #endif | ||
|
|
||
| ;;; | ||
| ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can | ||
| ;;; remove unneeded sandbox extensions. | ||
| ;;; |
There was a problem hiding this comment.
Perhaps this comment should move to Shared/Sandbox/iOS/common.sb, too?
There was a problem hiding this comment.
There are still quite a few rules that were not moved to Shared/Sandbox/iOS/common.sb in this patch, so I think we may leave the comment for now. However, we should move all the common rules to the new file including the comment. I will address that in a separate patch.
Thanks for reviewing!
|
|
||
| (allow system-privilege (with grant) | ||
| (require-all | ||
| (privilege-id PRIV_NET_PRIVILEGED_SOCKET_DELEGATE) | ||
| (require-entitlement "com.apple.private.network.socket-delegate"))) | ||
|
|
||
| ;; Silence spurious logging due to rdar://20117923 and rdar://72366475 | ||
| (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)) | ||
|
|
||
| ;;; | ||
| ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can | ||
| ;;; remove unneeded sandbox extensions. | ||
| ;;; |
There was a problem hiding this comment.
Ditto: Perhaps move the comment to Shared/Sandbox/iOS/common.sb as well?
| (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)) | ||
| #if USE(SANDBOX_VERSION_3) | ||
| (allow dynamic-code-generation) | ||
| #endif | ||
|
|
||
| ;;; | ||
| ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can | ||
| ;;; remove unneeded sandbox extensions. | ||
| ;;; |
There was a problem hiding this comment.
Ditto: move comment to Shared/Sandbox/iOS/common.sb.
pvollan
added
merge-queue
pvollan
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
f8c5031
to
509c22f
Compare
|
EWS run on current version of this PR (hash 509c22f)
|
π§ͺ style
|
EWS run on current version of this PR (hash 509c22f)
|
webkit-ews-buildbot
added
the
merging-blocked
pvollan
added
unsafe-merge-queue
https://bugs.webkit.org/show_bug.cgi?id=248399 rdar://102719029 Reviewed by Brent Fulgham. Upgrade to sandbox version 3 on iOS and macOS. This patch should not introduce any behavior change, since the resources with implicit access in version 1 has been explicitly allowed. Also, this patch adds more sandbox include files to be able to share common rules. * Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in: * Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in: * Source/WebKit/Shared/Sandbox/iOS/common.sb * Source/WebKit/Shared/Sandbox/macOS/common.sb: * Source/WebKit/Shared/Sandbox/util.sb * Source/WebKit/WebKit.xcodeproj/project.pbxproj: * Source/WebKit/WebProcess/com.apple.WebProcess.sb.in: Canonical link: https://commits.webkit.org/257272@main
webkit-early-warning-system
force-pushed
the
eng/Upgrade-to-sandbox-version-3-on-iOS-and-macOS
branch
from
509c22f
to
129d762
Compare
|
Committed 257272@main (129d762): https://commits.webkit.org/257272@main Reviewed commits have been landed. Closing PR #6864 and removing active labels. |
webkit-commit-queue
removed
the
unsafe-merge-queue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
129d762
509c22f
π§ͺ api-gtkπ§ͺ mac-wk1