Title: [283204] trunk/Source/WebKit
Revision
283204
Author
bfulg...@apple.com
Date
2021-09-28 17:26:36 -0700 (Tue, 28 Sep 2021)

Log Message

Remove unused "com.apple.security.exception.file*" rules from WebKit sandboxes
https://bugs.webkit.org/show_bug.cgi?id=230918
<rdar://problem/66585844>

Reviewed by Per Arne Vollan.

The Sandbox implementation provides a mechanism where apps can extend the default app
sandbox with entitled extension properties attached to their binary at signing time.
WebKit does not need or use this feature. However, these rules were imported into our custom
sandbox when we stopped using the system one. We should remove these rules since we don't
need them, and they add to the size and complexity of the sandbox rule set.

* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (283203 => 283204)


--- trunk/Source/WebKit/ChangeLog	2021-09-29 00:25:04 UTC (rev 283203)
+++ trunk/Source/WebKit/ChangeLog	2021-09-29 00:26:36 UTC (rev 283204)
@@ -1,3 +1,22 @@
+2021-09-28  Brent Fulgham  <bfulg...@apple.com>
+
+        Remove unused "com.apple.security.exception.file*" rules from WebKit sandboxes 
+        https://bugs.webkit.org/show_bug.cgi?id=230918
+        <rdar://problem/66585844>
+
+        Reviewed by Per Arne Vollan.
+
+        The Sandbox implementation provides a mechanism where apps can extend the default app
+        sandbox with entitled extension properties attached to their binary at signing time.
+        WebKit does not need or use this feature. However, the rules were imported to our custom
+        sandbox when we stopped using the system one. We should remove these rules since we don't
+        need them, and they add to the size and complexity of the sandbox rule set.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+
 2021-09-28  BJ Burg  <bb...@apple.com>
 
         [Cocoa] Add SPI to select a tab created by _WKInspectorExtension

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (283203 => 283204)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2021-09-29 00:25:04 UTC (rev 283203)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2021-09-29 00:26:36 UTC (rev 283204)
@@ -131,18 +131,6 @@
             (require-all
                 (apply require-any filters)
                 (extension-class "com.apple.mediaserverd.read"))))
-    (allow file-issue-extension
-        (require-all
-            (extension-class "com.apple.mediaserverd.read")
-            (extension "com.apple.security.exception.files.absolute-path.read-only"
-                       "com.apple.security.exception.files.absolute-path.read-write"
-                       "com.apple.security.exception.files.home-relative-path.read-only"
-                       "com.apple.security.exception.files.home-relative-path.read-write")))
-    (allow file-issue-extension
-        (require-all
-            (extension-class "com.apple.mediaserverd.read-write")
-            (extension "com.apple.security.exception.files.absolute-path.read-write"
-                       "com.apple.security.exception.files.home-relative-path.read-write")))
     ;; CoreMedia framework.
     (allow mach-lookup (with telemetry)
            (global-name "com.apple.coremedia.admin")
@@ -484,23 +472,15 @@
             (extension
                 "com.apple.app-sandbox.read"
                 "com.apple.app-sandbox.read-write"
-                "com.apple.quicklook.readonly"
-                "com.apple.security.exception.files.absolute-path.read-only"
-                "com.apple.security.exception.files.absolute-path.read-write"
-                "com.apple.security.exception.files.home-relative-path.read-only"
-                "com.apple.security.exception.files.home-relative-path.read-write"
                 "com.apple.sharing.airdrop.readonly")
             (allow file-read* file-read-metadata (with telemetry))
             (allow file-issue-extension
                    (extension-class "com.apple.app-sandbox.read"
                                     "com.apple.mediaserverd.read"
-                                    "com.apple.quicklook.readonly"
                                     "com.apple.sharing.airdrop.readonly")))
         (with-filter
             (extension
-                "com.apple.app-sandbox.read-write"
-                "com.apple.security.exception.files.absolute-path.read-write"
-                "com.apple.security.exception.files.home-relative-path.read-write")
+                "com.apple.app-sandbox.read-write")
             (allow file-write* (with telemetry))
             (allow file-issue-extension (with telemetry)
                    (extension-class "com.apple.app-sandbox.read-write"
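Review bot: Dropping `"com.apple.quicklook.readonly"` from the `with-filter` extension list at the top of this hunk and from the `file-issue-extension` extension-class list below it goes beyond the scope stated in the title and ChangeLog, which only name the `com.apple.security.exception.file*` rules; the matching hunk in com.apple.WebKit.WebContent.sb.in makes the same extra removal. Since this removes a rule rather than adding one it tightens the profile, so the exposure is a functional regression for any consumer that still relied on that extension class, not a sandbox weakening. If the removal is intentional the ChangeLog entry should record it, e.g. `Also remove the unused "com.apple.quicklook.readonly" extension rules.`; if not, the two deleted lines should be restored. Separately, the `;; <rdar://problem/16079361>` comment in the next hunk now sits directly above `(allow managed-preference-read`; if it only annotated the removed `allow-read-and-issue-generic-extensions` / `allow-read-write-and-issue-generic-extensions` rules, it should be removed with them rather than left attached to an unrelated rule.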
@@ -507,12 +487,6 @@
                                     "com.apple.mediaserverd.read-write"))))
 
     ;; <rdar://problem/16079361>
-    (allow-read-and-issue-generic-extensions
-           (extension "com.apple.security.exception.files.absolute-path.read-only")
-           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
-    (allow-read-write-and-issue-generic-extensions
-           (extension "com.apple.security.exception.files.absolute-path.read-write")
-           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
     (allow managed-preference-read
            (extension "com.apple.security.exception.managed-preference.read-only"))
     (allow user-preference-read

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (283203 => 283204)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2021-09-29 00:25:04 UTC (rev 283203)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2021-09-29 00:26:36 UTC (rev 283204)
@@ -366,12 +366,6 @@
         (allow mach-lookup
                (extension "com.apple.security.exception.mach-lookup.local-name"))
     )
-    (allow-read-and-issue-generic-extensions
-           (extension "com.apple.security.exception.files.absolute-path.read-only")
-           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
-    (allow-read-write-and-issue-generic-extensions
-           (extension "com.apple.security.exception.files.absolute-path.read-write")
-           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
     (allow managed-preference-read
            (extension "com.apple.security.exception.managed-preference.read-only"))
     (allow user-preference-read

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb (283203 => 283204)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb	2021-09-29 00:25:04 UTC (rev 283203)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb	2021-09-29 00:26:36 UTC (rev 283204)
@@ -207,14 +207,6 @@
         (require-all
             (executable-bundle)
             (regex #"/[^/]+/SC_Info/")))
-
-    (allow file-issue-extension
-          (require-all
-              (extension-class "com.apple.nsurlstorage.extension-cache")
-              (extension "com.apple.security.exception.files.home-relative-path.read-write")
-              (require-any
-                  (prefix "/private/var/root/Library/Caches/")
-                  (front-user-home-prefix "/Library/Caches/"))))
 )
 
 (with-filter (system-attribute apple-internal)

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (283203 => 283204)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-09-29 00:25:04 UTC (rev 283203)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-09-29 00:26:36 UTC (rev 283204)
@@ -143,18 +143,6 @@
             (require-all
                 (apply require-any filters)
                 (extension-class "com.apple.mediaserverd.read"))))
-    (allow file-issue-extension
-        (require-all
-            (extension-class "com.apple.mediaserverd.read")
-            (extension "com.apple.security.exception.files.absolute-path.read-only"
-                       "com.apple.security.exception.files.absolute-path.read-write"
-                       "com.apple.security.exception.files.home-relative-path.read-only"
-                       "com.apple.security.exception.files.home-relative-path.read-write")))
-    (allow file-issue-extension
-        (require-all
-            (extension-class "com.apple.mediaserverd.read-write")
-            (extension "com.apple.security.exception.files.absolute-path.read-write"
-                       "com.apple.security.exception.files.home-relative-path.read-write")))
 
     (mobile-preferences-read
         "com.apple.avfoundation"
@@ -606,23 +594,15 @@
             (extension
                 "com.apple.app-sandbox.read"
                 "com.apple.app-sandbox.read-write"
-                "com.apple.quicklook.readonly"
-                "com.apple.security.exception.files.absolute-path.read-only"
-                "com.apple.security.exception.files.absolute-path.read-write"
-                "com.apple.security.exception.files.home-relative-path.read-only"
-                "com.apple.security.exception.files.home-relative-path.read-write"
                 "com.apple.sharing.airdrop.readonly")
             (allow file-read* file-read-metadata)
             (allow file-issue-extension
                    (extension-class "com.apple.app-sandbox.read"
                                     "com.apple.mediaserverd.read"
-                                    "com.apple.quicklook.readonly"
                                     "com.apple.sharing.airdrop.readonly")))
         (with-filter
             (extension
-                "com.apple.app-sandbox.read-write"
-                "com.apple.security.exception.files.absolute-path.read-write"
-                "com.apple.security.exception.files.home-relative-path.read-write")
+                "com.apple.app-sandbox.read-write")
             (allow file-write*)
             (allow file-issue-extension
                    (extension-class "com.apple.app-sandbox.read-write"
@@ -629,24 +609,10 @@
                                     "com.apple.mediaserverd.read-write"))))
 
     ;; <rdar://problem/16079361>
-    (allow-read-and-issue-generic-extensions
-           (extension "com.apple.security.exception.files.absolute-path.read-only")
-           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
-    (allow-read-write-and-issue-generic-extensions
-           (extension "com.apple.security.exception.files.absolute-path.read-write")
-           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
     (allow managed-preference-read
            (extension "com.apple.security.exception.managed-preference.read-only"))
     (allow user-preference-read
            (extension "com.apple.security.exception.shared-preference.read-only"))
-
-    (allow file-issue-extension
-          (require-all
-              (extension-class "com.apple.nsurlstorage.extension-cache")
-              (extension "com.apple.security.exception.files.home-relative-path.read-write")
-              (require-any
-                  (prefix "/private/var/root/Library/Caches/")
-                  (front-user-home-prefix "/Library/Caches/"))))
 )
 
 (with-filter (system-attribute apple-internal)