[webkit-changes] [259470] trunk/Source/WebKit

[bfulgham]

Title: [259470] trunk/Source/WebKit

Revision

259470

Author

bfulg...@apple.com

Date

2020-04-03 10:43:21 -0700 (Fri, 03 Apr 2020)

Log Message

Remove unneeded sandbox access to some file paths
https://bugs.webkit.org/show_bug.cgi?id=209938
<rdar://problem/59529620>

Reviewed by Per Arne Vollan.

Remove unnecessary access to some locations in /etc. These may have been needed in
the past, but the WebContent process no longer requires this access. We should
remove it.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
• trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

Diff

Modified: trunk/Source/WebKit/ChangeLog (259469 => 259470)

--- trunk/Source/WebKit/ChangeLog	2020-04-03 17:37:46 UTC (rev 259469)
+++ trunk/Source/WebKit/ChangeLog	2020-04-03 17:43:21 UTC (rev 259470)
@@ -1,3 +1,18 @@
+2020-04-03  Brent Fulgham  <bfulg...@apple.com>
+
+        Remove unneeded sandbox access to some file paths
+        https://bugs.webkit.org/show_bug.cgi?id=209938
+        <rdar://problem/59529620>
+
+        Reviewed by Per Arne Vollan.
+
+        Remove unnecessary access to some locations in /etc. These may have been needed in
+        the past, but the WebContent process no longer requires this access. We should
+        remove it.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2020-04-03  Per Arne Vollan  <pvol...@apple.com>
 
         [iOS] Deny mach lookup access to the runningboard service in the WebContent process

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (259469 => 259470)

--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-04-03 17:37:46 UTC (rev 259469)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-04-03 17:43:21 UTC (rev 259470)
@@ -320,7 +320,6 @@
   (literal "/private/etc/fstab"
            "/private/etc/hosts"
            "/private/etc/group"
-           "/private/etc/passwd"
            "/private/etc/protocols"
            "/private/etc/services"))
 
@@ -515,6 +514,9 @@
     required-etc-files
     (literal "/"))
 
+(deny file* (with report)
+    (literal "/private/etc/passwd"))
+
 (allow file-read*
        (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
 

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (259469 => 259470)

--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-04-03 17:37:46 UTC (rev 259469)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-04-03 17:43:21 UTC (rev 259470)
@@ -72,7 +72,13 @@
 (allow file-read*
     (literal "/dev/autofs_nowait")
     (literal "/dev/random")
-    (literal "/dev/urandom")
+    (literal "/dev/urandom"))
+
+(deny file-read*
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
+    (with telemetry-backtrace)
+    (with report)
+#endif
     (literal "/private/etc/master.passwd")
     (literal "/private/etc/passwd"))
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes