[21] [WebKit] Add webcontent_sandbox_entitlements to Mac Catalyst variant
Severity: Low | Component: WebKit build-time entitlements | 3f1ad2f
Rated Low because the diff only adds webcontent_sandbox_entitlements to maccatalyst_process_webcontent_shared_entitlements. Before the fix, every Catalyst-hosted WebContent process attempted to mutate sandbox state flags it was not entitled to and was terminated by the kernel/sandboxd, which manifested as embedded web content failing to load.
The shared helper is wired into the Mac Catalyst path. No runtime code changes.
Source/WebKit/Scripts/process-entitlements.sh
Sandbox-hardening regression on Mac Catalyst: a missing entitlement caused every WebContent process to be killed during sandbox initialisation.
Patch Details
The Catalyst entitlement path now calls the existing webcontent_sandbox_entitlements helper at build time.
Background
Mutating sandbox state flags (e.g., BlockIOKitInWebContentSandbox, BlockUserInstalledFonts, EnableExperimentalSandbox) is gated by com.apple.private.security.mutable-state-flags / enable-state-flags entitlements. Without them, the kernel/sandboxd denies the operation and terminates the calling process.
Analysis
The shared helper that grants those rights was hooked into the Mac and iOS WebContent variants but not into the Catalyst variant. Every Catalyst-hosted WebContent process (e.g., News.app on macOS) attempted to mutate state flags it was not entitled to and crashed during sandbox initialisation.
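The Background and Analysis above describe an entitlement that must be present in the WebContent variant's entitlements or the process dies during sandbox initialisation. The following is an added example, not WebKit's own code or the contents of process-entitlements.sh: a build-time regression check that inspects an entitlements plist (XML form) for the two entitlement keys the advisory names. The plist layout, the array-of-strings value format, and the sample files are constructed assumptions for illustration; only the key names and the state-flag names come from the advisory.

```shell
#!/bin/sh
# Added example, not WebKit code: a build-time regression check for the
# entitlement described in this advisory. It inspects an entitlements plist
# (XML form) and reports whether the sandbox state-flag entitlements are present.
# The plist layout and sample contents below are constructed for illustration.

# The two entitlement keys the advisory names as gating sandbox state-flag mutation.
REQUIRED_KEYS="com.apple.private.security.mutable-state-flags com.apple.private.security.enable-state-flags"

# check_state_flag_entitlements FILE
#   Reports each missing key on stderr. Returns 0 when every required key is
#   present, 1 when at least one is missing (the pre-fix Catalyst condition).
check_state_flag_entitlements() {
    _file="$1"
    _missing=0
    for _key in $REQUIRED_KEYS; do
        # Fixed-string match so the dots in the key names are not wildcards.
        if ! grep -qF "<key>$_key</key>" "$_file"; then
            echo "missing entitlement: $_key" >&2
            _missing=1
        fi
    done
    return $_missing
}

# make_sample_plists BEFORE_FILE AFTER_FILE
#   Writes two constructed plists: one lacking the state-flag keys (as the
#   Catalyst variant was before the fix) and one containing them. The
#   array-of-strings value layout is an assumption, not WebKit's actual output.
make_sample_plists() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
EOF
    cat > "$2" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.private.security.enable-state-flags</key>
    <array>
        <string>BlockIOKitInWebContentSandbox</string>
        <string>BlockUserInstalledFonts</string>
        <string>EnableExperimentalSandbox</string>
    </array>
    <key>com.apple.private.security.mutable-state-flags</key>
    <array>
        <string>BlockIOKitInWebContentSandbox</string>
        <string>BlockUserInstalledFonts</string>
        <string>EnableExperimentalSandbox</string>
    </array>
</dict>
</plist>
EOF
}

# Stand-alone demonstration: build both samples, check each, clean up.
_tmpdir=$(mktemp -d)
make_sample_plists "$_tmpdir/before.plist" "$_tmpdir/after.plist"
for _f in before after; do
    if check_state_flag_entitlements "$_tmpdir/$_f.plist" 2>/dev/null; then
        echo "$_f.plist: state-flag entitlements present"
    else
        echo "$_f.plist: state-flag entitlements MISSING"
    fi
done
rm -rf "$_tmpdir"
```

In a real build, the file passed to check_state_flag_entitlements would be the generated entitlements plist for the Catalyst WebContent variant, so a missing helper call fails the build instead of surfacing as a process killed at sandbox initialisation.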