Skip to site navigation (Press enter)

[webkit-changes] [290250] trunk/Source/WebKit

pvollan Mon, 21 Feb 2022 10:10:49 -0800

Title: [290250] trunk/Source/WebKit

Revision: 290250
Author: pvol...@apple.com
Date: 2022-02-21 10:10:40 -0800 (Mon, 21 Feb 2022)

Log Message

[macOS] Remove resource access in sandbox for older OS versions
https://bugs.webkit.org/show_bug.cgi?id=236975


Reviewed by Brent Fulgham.

Remove access to some resources in sandbox for older OS versions. Access to these resources were initially
added in https://trac.webkit.org/changeset/290180/webkit and https://trac.webkit.org/changeset/290066/webkit,
and was only intended to land on a branch.

* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

Diff

Modified: trunk/Source/WebKit/ChangeLog (290249 => 290250)


--- trunk/Source/WebKit/ChangeLog	2022-02-21 18:07:18 UTC (rev 290249)
+++ trunk/Source/WebKit/ChangeLog	2022-02-21 18:10:40 UTC (rev 290250)
@@ -1,3 +1,17 @@
+2022-02-21  Per Arne Vollan  <pvol...@apple.com>
+
+        [macOS] Remove resource access in sandbox for older OS versions
+        https://bugs.webkit.org/show_bug.cgi?id=236975
+
+        Reviewed by Brent Fulgham.
+
+        Remove access to some resources in sandbox for older OS versions. Access to these resources were initially
+        added in https://trac.webkit.org/changeset/290180/webkit and https://trac.webkit.org/changeset/290066/webkit,
+        and was only intended to land on a branch.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2022-02-21  Simon Lewis  <simon.le...@apple.com>
 
         Change IPC encoding of boolean type to use one bit

Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (290249 => 290250)


--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2022-02-21 18:07:18 UTC (rev 290249)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2022-02-21 18:10:40 UTC (rev 290250)
@@ -114,20 +114,6 @@
 (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
 #endif
 
-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
-(allow mach-lookup
-    (global-name
-        "com.apple.analyticsd.messagetracer"
-        "com.apple.appsleep"
-        "com.apple.bsd.dirhelper"
-        "com.apple.espd"
-        "com.apple.secinitd"
-        "com.apple.system.DirectoryService.libinfo_v1"
-        "com.apple.system.logger"
-        "com.apple.system.opendirectoryd.membership"
-        "com.apple.xpc.activity.unmanaged"))
-#endif
-
 #if !ENABLE(CFPREFS_DIRECT_MODE)
 (allow mach-lookup
     (global-name "com.apple.cfprefsd.agent")

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (290249 => 290250)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-02-21 18:07:18 UTC (rev 290249)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-02-21 18:10:40 UTC (rev 290250)
@@ -1872,57 +1872,6 @@
 (disable-syscall-inference)
 #endif
 
-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
-(define (syscall-unix-older-macOS)
-    (syscall-number
-        SYS___pthread_markcancel
-        SYS_abort_with_payload
-        SYS_chmod_extended
-        SYS_connect_nocancel
-        SYS_connectx
-        SYS_fgetattrlist ;; <rdar://problem/50931110>
-        SYS_fileport_makeport
-        SYS_fstat64_extended ;; <rdar://problem/61310019>
-        SYS_getpeername
-        SYS_getsockopt
-        SYS_guarded_write_np
-        SYS_lstat64_extended
-        SYS_lstat_extended
-        SYS_memorystatus_control ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
-        SYS_mkdirat
-        SYS_open_dprotected_np ;; <rdar://problem/74473824>
-        SYS_pipe
-        SYS_process_policy
-        SYS_psynch_rw_rdlock ;; <rdar://problem/49060359>
-        SYS_pwrite
-        SYS_quotactl ;; <rdar://problem/49945031>
-        SYS_recvfrom
-        SYS_recvfrom_nocancel
-        SYS_rmdir
-        SYS_select
-        SYS_select_nocancel
-        SYS_sem_post
-        SYS_sem_wait
-        SYS_sendmsg_nocancel
-        SYS_sendto_nocancel
-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
-        SYS_setattrlist ;; rdar://problem/74162777
-#endif
-        SYS_setpriority
-        SYS_setrlimit
-        SYS_setsockopt
-        SYS_shutdown
-        SYS_sigreturn
-        SYS_socketpair
-        SYS_stat64_extended ;; <rdar://problem/50473330>
-        SYS_terminate_with_payload ;; <rdar://problem/50026580>
-        SYS_thread_selfusage
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
-        SYS_ulock_wait2 ;; <rdar://problem/58743778>
-#endif
-))
-#endif
-
 (define (syscall-unix-common)
     (syscall-number
         SYS___disable_threadsignal
@@ -1970,7 +1919,6 @@
         SYS_kdebug_trace
         SYS_kdebug_trace64
         SYS_kdebug_trace_string ;; Needed for performance sampling, see <rdar://problem/48829655>.
-        SYS_kevent ;; <rdar://89072361>
         SYS_kevent_id
         SYS_kevent_qos
         SYS_kqueue ;; See <rdar://problem/88241768>. Remove after <rdar://56634240> is resolved.
@@ -2046,6 +1994,7 @@
         SYS_guarded_open_np
         SYS_guarded_pwrite_np
         SYS_kdebug_typefilter
+        SYS_kevent ;; <rdar://89072361>
         SYS_mlock
         SYS_munlock
         SYS_necp_client_action
@@ -2078,11 +2027,6 @@
     (allow syscall-unix
         (syscall-unix-common))
 
-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
-    (allow syscall-unix
-        (syscall-unix-older-macOS))
-#endif
-
     (if (equal? (param "CPU") "arm64")
         (begin
             (allow syscall-unix

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes