[Webkit-unassigned] [Bug 184485] Add JIT entitlements to WebContent process and plugin process on macOS

bugzilla-daemon at webkit.org
Tue Apr 10 22:52:31 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=184485

--- Comment #5 from mitz at webkit.org ---
(In reply to Brent Fulgham from comment #4)
> (In reply to mitz from comment #2)
> > The same question I asked in bug 181995 comment 4 applies here.
> 
> Your r- would be much more helpful if you provided a comment explaining why
> you rejected the patch.

It became obvious from my exchange with Ryosuke that the patch didn’t accomplish what it was meant to do, and that it wasn’t tested in any way (it’s understandable if someone doesn’t know how to test that granting the entitlement has the desired effect, but it’s puzzling that someone can’t test whether their patch does in fact add the entitlement).

> 
> It would also be very helpful if you answered the question I posed to you in
> my response to your comment (in bug 181995 comment 5).
> 
> It seems like this patch (like bug 181995) is incomplete. But where should
> the entitlement for the system WebKit go?

The project is not currently set up to sign the macOS Web Content process with entitlements except in production builds with relocatable frameworks, because those require the XPC domain extension private entitlement. That entitlement is not appropriate for any other configuration: it is a private entitlement, so it can’t be used by people outside Apple, and it is adding attack surface which is not needed in Apple products other than Safari Technology Preview. The entitlement in attachment 332041 from bug 181995 also can’t be used by folks outside Apple. The entitlement in attachment 337676 in this bug, on the other hand, seems like it should be given to the Web Content process in all configurations targeting macOS. It seems like there are several combinations of entitlements, each applicable to a different situation, so the project would need to be set up with some custom build settings (similar to the existing WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT) to express which entitlements are needed in a given configuration, and then either a separate entitlements file mapping to each valid combination of entitlements, or a way to generate the entitlements file during build time (in a manner compatible with the Xcode build system) based on what’s needed.
