[macOS] Update sandboxes for revised OpenCL calls and streaming media
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Jul 2018 00:29:56 +0000 (00:29 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Jul 2018 00:29:56 +0000 (00:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=188013
<rdar://problem/42594262>

Reviewed by Eric Carlson.

Testing logs from recent Mojave builds show that OpenCL is checking more CPU-specific values as part of WebKit
painting operations. We need to allow these checks in the sandbox to support these more optimized drawing operations.

I also corrected some sandbox violations I found while investigating streaming media issues.

* WebProcess/com.apple.WebProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234223 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

index 482ed99..a7252ee 100644 (file)
@@ -1,3 +1,18 @@
+2018-07-25  Brent Fulgham  <bfulgham@apple.com>
+
+        [macOS] Update sandboxes for revised OpenCL calls and streaming media
+        https://bugs.webkit.org/show_bug.cgi?id=188013
+        <rdar://problem/42594262>
+
+        Reviewed by Eric Carlson.
+
+        Testing logs from recent Mojave builds shows that OpenCL is checking more CPU-specific values as part of WebKit
+        painting operations. We need to allow these checks in the sandbox to support these more optimized drawing operations.
+
+        I also corrected some sandbox violations I found while investigating streaming media issues.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2018-07-25  Jeremy Jones  <jeremyj@apple.com>
 
         Mask AVBackgroundView to the corner radius.
index bd2b740..1213fa2 100644 (file)
         "hw.byteorder"
         "hw.busfrequency_max"
         "hw.cputype"
-        "hw.l2cachesize"
         "hw.machine"
         "hw.memsize"
         "hw.model"
         "kern.memorystatus_level"
         "kern.safeboot"
         "kern.version"
+        "machdep.cpu.brand_string"
         "security.mac.sandbox.sentinel"
         "vm.footprint_suspend")
     (sysctl-name-regex #"^hw.(active|avail)cpu")
-    (sysctl-name-regex #"^hw.(busfrequency|cachelinesize|cpufrequency|pagesize|tbfrequency)_compat")
+    (sysctl-name-regex #"^hw.(busfrequency|cachelinesize|cpufrequency(|_max)|pagesize|tbfrequency)(|_compat)")
+    (sysctl-name-regex #"^hw.l.+cachesize")
     (sysctl-name-regex #"^hw.(logical|physical)cpu_max")
     (sysctl-name-regex #"^hw.optional\.")
     (sysctl-name-regex #"^kern.os(release|type|variant_status|version)")
     (iokit-property-regex #"^IOName(|Match(|ed))")
     (iokit-property "IOOCDBundleName")
     (iokit-property "IOPCITunnelled")
+    (iokit-property "IOPCITunnelCompatible")
     (iokit-property "IOPMStrictTreeOrder")
     (iokit-property "IOParentMatch")
     (iokit-property-regex #"^IOPCI((Class|Primary|Property|)Match|Express(Capabilities|Link(Status|Capabilities))|MSIMode|Resourced|Tunnelled)")
 (allow file-read*
     (literal "/Library/Preferences/com.apple.ViewBridge.plist"))
 
+; FIXME: This is needed for some security framework calls (that use non-CFPreferences readers)
+(allow file-read-data
+    (literal "/Library/Preferences/com.apple.security.plist")
+    (home-subpath "/Library/Preferences/com.apple.security.plist"))
+
 ;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
 ;; and to allow issuing extensions.
 (allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))
        (global-name "com.apple.analyticsd")
        (global-name "com.apple.audio.AudioComponentRegistrar")
 #endif
+       (global-name "com.apple.assertiond.processassertionconnection")
        (global-name "com.apple.audio.audiohald")
        (global-name "com.apple.audio.coreaudiod")
        (global-name "com.apple.awdd")
        (global-name "com.apple.cfnetwork.AuthBrokerAgent")
        (global-name "com.apple.cfprefsd.agent")
        (global-name "com.apple.cfprefsd.daemon")
+       (global-name "com.apple.cmio.registerassistantservice") ;; Needed by CoreMedia for plugin drivers
        (global-name "com.apple.cookied")
        (global-name "com.apple.coreservices.launchservicesd")
        (global-name "com.apple.diagnosticd")
        (global-name "com.apple.lsd.mapdb")
        (global-name "com.apple.mobileassetd")
        (global-name "com.apple.nesessionmanager.flow-divert-token")
+       (global-name "com.apple.powerlog.plxpclogger.xpc")
        (global-name "com.apple.speech.speechsynthesisd")
        (global-name "com.apple.speech.synthesis.console")
        (global-name "com.apple.system.DirectoryService.libinfo_v1")
        (global-name "com.apple.xpcd")
 )
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.ViewBridgeAuxiliary")
+    (global-name "com.apple.windowserver.active"))
+#endif
+
+
 ;; Needed to support encrypted media playback <rdar://problem/40038478>
 (allow mach-lookup
-    (global-name "com.apple.SecurityServer"))
+    (global-name "com.apple.SecurityServer")
+    (global-name "com.apple.ocspd"))
 
 (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
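Review bot: The two new `sysctl-name-regex` lines in the sysctl hunk of com.apple.WebProcess.sb.in admit more names than the commit message calls for, because they carry only a `^` anchor. If these patterns match on a prefix, as the lack of any `$` in the neighbouring lines suggests, `(|_max)` and `(|_compat)` change nothing and every name beginning `hw.pagesize` or `hw.cpufrequency` becomes readable. Likewise `^hw.l.+cachesize` accepts arbitrary text between `l` and `cachesize`, where the removed literal named exactly `hw.l2cachesize`. I would escape the dot and close the pattern, for example `(sysctl-name-regex #"^hw\.l[0-9][di]?cachesize(|_compat)$")`, and add `\.` and `$` to the line above it, adjusted to the names the OpenCL logs actually showed. The enclosing allow form starts outside the visible lines, so the operation being granted is not confirmed from this page.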