WebKit Bugzilla
Attachment 345803 Details for Bug 188013: [macOS] Update sandboxes for revised OpenCL calls and streaming media
Patch: bug-188013-20180725165859.patch (text/plain), 4.98 KB, created by Brent Fulgham on 2018-07-25 16:59:00 PDT
>Subversion Revision: 234210 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 8c7275650d5f0a31618f64b1bf71b95f222b91f2..2321af7ac64532eab940e793ed07bf08747aa931 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,18 @@ >+2018-07-25 Brent Fulgham <bfulgham@apple.com> >+ >+ [macOS] Update sandboxes for revised OpenCL calls and streaming media >+ https://bugs.webkit.org/show_bug.cgi?id=188013 >+ <rdar://problem/42594262> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Testing logs from recent Mojave builds shows that OpenCL is checking more CPU-specific values as part of WebKit >+ painting operations. We need to allow these checks in the sandbox to support these more optimized drawing operations. >+ >+ I also corrected some sandbox violations I found while investigating streaming media issues. >+ >+ * WebProcess/com.apple.WebProcess.sb.in: >+ > 2018-07-25 Alex Christensen <achristensen@webkit.org> > > Use CompletionHandler for policy decisions >diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >index bd2b7407cd3d7ec432bfc8575471eedfe490688a..1213fa2ddb9f0ca06a6eb1417968441888ba0af7 100644 >--- a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >+++ b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >@@ -165,7 +165,6 @@ > "hw.byteorder" > "hw.busfrequency_max" > "hw.cputype" >- "hw.l2cachesize" > "hw.machine" > "hw.memsize" > "hw.model" 
>@@ -176,10 +175,12 @@ > "kern.memorystatus_level" > "kern.safeboot" > "kern.version" >+ "machdep.cpu.brand_string" > "security.mac.sandbox.sentinel" > "vm.footprint_suspend") > (sysctl-name-regex #"^hw.(active|avail)cpu") >- (sysctl-name-regex #"^hw.(busfrequency|cachelinesize|cpufrequency|pagesize|tbfrequency)_compat") >+ (sysctl-name-regex #"^hw.(busfrequency|cachelinesize|cpufrequency(|_max)|pagesize|tbfrequency)(|_compat)") >+ (sysctl-name-regex #"^hw.l.+cachesize") > (sysctl-name-regex #"^hw.(logical|physical)cpu_max") > (sysctl-name-regex #"^hw.optional\.") > (sysctl-name-regex #"^kern.os(release|type|variant_status|version)") >@@ -260,6 +261,7 @@ > (iokit-property-regex #"^IOName(|Match(|ed))") > (iokit-property "IOOCDBundleName") > (iokit-property "IOPCITunnelled") >+ (iokit-property "IOPCITunnelCompatible") > (iokit-property "IOPMStrictTreeOrder") > (iokit-property "IOParentMatch") > (iokit-property-regex #"^IOPCI((Class|Primary|Property|)Match|Express(Capabilities|Link(Status|Capabilities))|MSIMode|Resourced|Tunnelled)") >@@ -492,6 +494,11 @@ > (allow file-read* > (literal "/Library/Preferences/com.apple.ViewBridge.plist")) > >+; FIXME: This is needed for some security framework calls (that use non-CFPreferences readers) >+(allow file-read-data >+ (literal "/Library/Preferences/com.apple.security.plist") >+ (home-subpath "/Library/Preferences/com.apple.security.plist")) >+ > ;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks, > ;; and to allow issuing extensions. > (allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR")) 
>@@ -573,12 +580,14 @@ > (global-name "com.apple.analyticsd") > (global-name "com.apple.audio.AudioComponentRegistrar") > #endif >+ (global-name "com.apple.assertiond.processassertionconnection") > (global-name "com.apple.audio.audiohald") > (global-name "com.apple.audio.coreaudiod") > (global-name "com.apple.awdd") > (global-name "com.apple.cfnetwork.AuthBrokerAgent") > (global-name "com.apple.cfprefsd.agent") > (global-name "com.apple.cfprefsd.daemon") >+ (global-name "com.apple.cmio.registerassistantservice") ;; Needed by CoreMedia for plugin drivers > (global-name "com.apple.cookied") > (global-name "com.apple.coreservices.launchservicesd") > (global-name "com.apple.diagnosticd") >@@ -593,6 +602,7 @@ > (global-name "com.apple.lsd.mapdb") > (global-name "com.apple.mobileassetd") > (global-name "com.apple.nesessionmanager.flow-divert-token") >+ (global-name "com.apple.powerlog.plxpclogger.xpc") > (global-name "com.apple.speech.speechsynthesisd") > (global-name "com.apple.speech.synthesis.console") > (global-name "com.apple.system.DirectoryService.libinfo_v1") >@@ -613,9 +623,17 @@ > (global-name "com.apple.xpcd") > ) > >+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 >+(deny mach-lookup (with no-log) >+ (global-name "com.apple.ViewBridgeAuxiliary") >+ (global-name "com.apple.windowserver.active")) >+#endif >+ >+ > ;; Needed to support encrypted media playback <rdar://problem/40038478> > (allow mach-lookup >- (global-name "com.apple.SecurityServer")) >+ (global-name "com.apple.SecurityServer") >+ (global-name "com.apple.ocspd")) > > (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed. >
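Review bot: In the Source/WebKit/ChangeLog hunk, the entry explains only the OpenCL sysctl reads and refers to the rest as "some sandbox violations", so the new mach-lookup allowances, the IOKit property, the com.apple.security.plist read rule and the new deny rule are not recorded anywhere. Please list each group under the "* WebProcess/com.apple.WebProcess.sb.in:" line with the reason it is needed, so a later audit of the profile can tell which grants belong to this bug.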
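Review bot: In the sysctl hunk (@@ -176,10 +175,12 @@), the new pattern ^hw.l.+cachesize is much wider than the literal "hw.l2cachesize" it replaces: the dot after hw is unescaped, .+ accepts any run of characters, and there is no trailing $. If the intent is the l1i/l1d/l2/l3 cache sizes, something like ^hw\.l[0-9][a-z]?cachesize$ would say so. The rewritten line above it has the same problem: without a trailing $, the optional (|_max) and (|_compat) groups constrain nothing unless the matcher anchors the end implicitly, so the rule reads as "anything starting with hw.cpufrequency, hw.pagesize, ...". Please anchor both patterns. The added "machdep.cpu.brand_string" literal also deserves a comment naming the caller, since it exposes the exact CPU model string to the web content process.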
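Review bot: In the IOKit hunk (@@ -260,6 +261,7 @@), (iokit-property "IOPCITunnelCompatible") is added with no comment and is not mentioned in the ChangeLog, so it is unclear which framework reads it. Please note the consumer, and consider placing it before "IOPCITunnelled" to keep the list sorted.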
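Review bot: In the file-read hunk (@@ -492,6 +494,11 @@), the FIXME on the com.apple.security.plist rule does not say what has to change for the rule to be removed and carries no bug or radar reference, unlike the rdar://problem/9538414 FIXME further down. Please add the tracking reference and name the security framework calls involved. The comment also uses a single ";" where the surrounding profile comments use ";;".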
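Review bot: In the first mach-lookup hunk (@@ -573,12 +580,14 @@), "com.apple.assertiond.processassertionconnection" is added without any justification, while the "com.apple.cmio.registerassistantservice" line two entries later has a trailing comment. Please add the same kind of comment for the assertiond entry stating which code path in the web content process needs to look it up.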
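Review bot: In the second mach-lookup hunk (@@ -593,6 +602,7 @@), "com.apple.powerlog.plxpclogger.xpc" is allowed with no comment and it is not obvious from the ChangeLog why web content needs a connection to a power logging service. If the lookup is only incidental to a framework call and nothing depends on it succeeding, a (deny mach-lookup (with no-log) ...) entry, as this patch does for com.apple.ViewBridgeAuxiliary, would remove the log noise without widening the sandbox.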
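Review bot: In the last hunk (@@ -613,9 +623,17 @@), the new (deny mach-lookup (with no-log) ...) block has no comment explaining why these two services are silenced or why only for __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400; since no-log hides the violations from the same logs this patch was derived from, the reason should be written next to the rule. "com.apple.ocspd" is also added under the existing "Needed to support encrypted media playback" comment; please confirm that comment still describes both entries or give ocspd its own. The hunk also adds two consecutive blank lines after #endif where one would do.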