Title: [259470] trunk/Source/WebKit
- Revision
- 259470
- Author
- bfulg...@apple.com
- Date
- 2020-04-03 10:43:21 -0700 (Fri, 03 Apr 2020)
Log Message
Remove unneeded sandbox access to some file paths
https://bugs.webkit.org/show_bug.cgi?id=209938
<rdar://problem/59529620>
Reviewed by Per Arne Vollan.
Remove unnecessary access to some locations in /etc. These may have been needed in
the past, but the WebContent process no longer requires this access. We should
remove it.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (259469 => 259470)
--- trunk/Source/WebKit/ChangeLog 2020-04-03 17:37:46 UTC (rev 259469)
+++ trunk/Source/WebKit/ChangeLog 2020-04-03 17:43:21 UTC (rev 259470)
@@ -1,3 +1,18 @@
+2020-04-03 Brent Fulgham <bfulg...@apple.com>
+
+ Remove unneeded sandbox access to some file paths
+ https://bugs.webkit.org/show_bug.cgi?id=209938
+ <rdar://problem/59529620>
+
+ Reviewed by Per Arne Vollan.
+
+ Remove unnecessary access to some locations in /etc. These may have been needed in
+ the past, but the WebContent process no longer requires this access. We should
+ remove it.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2020-04-03 Per Arne Vollan <pvol...@apple.com>
[iOS] Deny mach lookup access to the runningboard service in the WebContent process
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (259469 => 259470)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-04-03 17:37:46 UTC (rev 259469)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-04-03 17:43:21 UTC (rev 259470)
@@ -320,7 +320,6 @@
(literal "/private/etc/fstab"
"/private/etc/hosts"
"/private/etc/group"
- "/private/etc/passwd"
"/private/etc/protocols"
"/private/etc/services"))
@@ -515,6 +514,9 @@
required-etc-files
(literal "/"))
+(deny file* (with report)
+ (literal "/private/etc/passwd"))
+
(allow file-read*
(subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (259469 => 259470)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-04-03 17:37:46 UTC (rev 259469)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2020-04-03 17:43:21 UTC (rev 259470)
@@ -72,7 +72,13 @@
(allow file-read*
(literal "/dev/autofs_nowait")
(literal "/dev/random")
- (literal "/dev/urandom")
+ (literal "/dev/urandom"))
+
+(deny file-read*
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
+ (with telemetry-backtrace)
+ (with report)
+#endif
(literal "/private/etc/master.passwd")
(literal "/private/etc/passwd"))
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes