Bug 236781

Summary: [macOS][WP] Add required syscall to sandbox
Product: WebKit Reporter: Per Arne Vollan <pvollan>
Component: WebKit Misc.Assignee: Per Arne Vollan <pvollan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, dino, gavin.p, ggaren, mazander, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
cdumez: review+
Patch none

Description Per Arne Vollan 2022-02-17 06:55:47 PST 
Add required syscall to the WebContent process' sandbox on macOS.
Comment 1 Per Arne Vollan 2022-02-17 06:56:11 PST 
<rdar://89072361>
Comment 2 Per Arne Vollan 2022-02-17 06:59:23 PST 
Created attachment 452362 [details]
Patch
Comment 3 Per Arne Vollan 2022-02-17 07:39:30 PST 
Created attachment 452364 [details]
Patch
Comment 4 Per Arne Vollan 2022-02-17 07:41:47 PST 
Thanks for reviewing!
Comment 5 Dean Jackson 2022-02-17 07:45:10 PST 
Comment on attachment 452364 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=452364&action=review

> Source/WebKit/ChangeLog:11
> +        Add required syscall to the WebContent process' sandbox on macOS. This patch also adds back a set of
> +        syscalls that were removed in https://commits.webkit.org/r286778 for current and previous versions
> +        of macOS. These syscalls will be denied going forward.

It would be nice to describe why these syscalls are needed. And when you say they will be denied going forward… when? how? Do you have a bug for that?
Comment 6 Per Arne Vollan 2022-02-17 08:06:05 PST 
(In reply to Dean Jackson from comment #5)
> Comment on attachment 452364 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=452364&action=review
> 
> > Source/WebKit/ChangeLog:11
> > +        Add required syscall to the WebContent process' sandbox on macOS. This patch also adds back a set of
> > +        syscalls that were removed in https://commits.webkit.org/r286778 for current and previous versions
> > +        of macOS. These syscalls will be denied going forward.
> 
> It would be nice to describe why these syscalls are needed. And when you say
> they will be denied going forward… when? how? Do you have a bug for that?

Based on telemetry, these syscalls are actually not believed to be required (except for one). They are added back here, since their removal in r286778 was mainly intended for the next macOS major version. 

Their inclusion is guarded by __MAC_OS_X_VERSION_MIN_REQUIRED < 130000.

Thanks for reviewing!
Comment 7 Per Arne Vollan 2022-02-17 10:51:39 PST 
Created attachment 452388 [details]
Patch
Comment 8 Per Arne Vollan 2022-02-17 13:27:42 PST 
Committed r290066 (?): <https://commits.webkit.org/r290066>