[webkit-reviews] review granted: [Bug 231308] Add AdAttributionDaemon sandbox on iOS : [Attachment 440387] Patch
bugzilla-daemon at webkit.org
Wed Oct 6 13:35:06 PDT 2021
Brent Fulgham <bfulgham at webkit.org> has granted Alex Christensen
<achristensen at apple.com>'s request for review:
Bug 231308: Add AdAttributionDaemon sandbox on iOS
https://bugs.webkit.org/show_bug.cgi?id=231308
Attachment 440387: Patch
https://bugs.webkit.org/attachment.cgi?id=440387&action=review
--- Comment #2 from Brent Fulgham <bfulgham at webkit.org> ---
Comment on attachment 440387
--> https://bugs.webkit.org/attachment.cgi?id=440387
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=440387&action=review
> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:26
> +(allow system-audit file-read-metadata)
We might want to limit file-read-metadata to the specific directories we need.
> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:38
> +(require-all (vnode-type DIRECTORY) (literal path))))))
The indenting on this section above is wrong.
> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:65
> +(allow mach-lookup (global-name "com.apple.awdd"))
This can be written as:
    (allow mach-lookup
        (global-name
            "com.apple.analyticsd"
            "com.apple.awdd"))
> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.AdAttributionDaemon.sb:73
> +(allow mach-lookup (global-name "com.apple.lsd.modifydb"))
Ditto -- we can combine these into a single rule.
> Source/WebKit/Scripts/process-entitlements.sh:415
> + cp "${CODE_SIGN_ENTITLEMENTS}" "${WK_PROCESSED_XCENT_FILE}"
Do we not need to sign the AdAttributionDaemon?
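Two of the review points above (an `allow` rule with no path filter, and mis-nested parentheses) are the kind of thing a small lint over the profile's S-expressions catches before review. The following is an added example, not WebKit code: a minimal SBPL parser that fails on unbalanced parentheses, lists the Mach service names granted under `mach-lookup`, and flags operations allowed with no filter at all. The sample profile text is constructed for the example; the `/private/var` path in it is a placeholder, not the daemon's real path.

```python
"""Minimal lint for WebKit-style sandbox profiles (.sb, SBPL S-expressions).
Added example; not part of WebKit. Sample input below is constructed."""
import re

# Tokens: parens, double-quoted strings, ';' comments to end of line, bare atoms.
TOKEN = re.compile(r'\(|\)|"[^"]*"|;[^\n]*|[^\s()";]+')


def parse_sbpl(text):
    """Parse SBPL text into nested lists. Raises ValueError on unbalanced parens.
    Quoted strings are returned without their quotes; comments are dropped."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith(';')]
    stack = [[]]
    for tok in tokens:
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1])
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("%d unclosed '('" % (len(stack) - 1))
    return stack[0]


def mach_lookup_names(rules):
    """Collect every global-name granted by an (allow mach-lookup ...) rule."""
    names = []
    for rule in rules:
        if isinstance(rule, list) and rule[:2] == ['allow', 'mach-lookup']:
            for filt in rule[2:]:
                if isinstance(filt, list) and filt and filt[0] == 'global-name':
                    names.extend(filt[1:])
    return names


def unscoped_operations(rules):
    """Return operations granted by an allow rule that carries no filter form,
    e.g. a bare (allow system-audit file-read-metadata)."""
    out = []
    for rule in rules:
        if isinstance(rule, list) and rule and rule[0] == 'allow':
            ops = [x for x in rule[1:] if isinstance(x, str)]
            filters = [x for x in rule[1:] if isinstance(x, list)]
            if not filters:
                out.extend(ops)
    return out


# Constructed sample, modelled on the forms quoted in the review above.
SAMPLE = '''
;; constructed profile fragment for the example
(allow system-audit file-read-metadata)
(allow file-read-metadata
    (require-all (vnode-type DIRECTORY) (literal "/private/var")))
(allow mach-lookup
    (global-name
        "com.apple.analyticsd"
        "com.apple.awdd"))
'''


if __name__ == '__main__':
    rules = parse_sbpl(SAMPLE)
    print("mach-lookup names:", mach_lookup_names(rules))
    print("unscoped operations:", unscoped_operations(rules))
    try:
        parse_sbpl("(allow file-read* (literal \"/tmp\")")
    except ValueError as err:
        print("parse error:", err)
```

Running it on the sample reports `system-audit` and `file-read-metadata` as unscoped, which is the reviewer's first point, and the truncated rule in `__main__` fails to parse, which is what a paren miscount like the one at line 38 would produce if it were unbalanced rather than merely mis-indented.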