Title: [251511] trunk/Source/WebKit
- Revision
- 251511
- Author
- bfulg...@apple.com
- Date
- 2019-10-23 17:02:25 -0700 (Wed, 23 Oct 2019)
Log Message
[iOS] Stop including 'common.sb'
https://bugs.webkit.org/show_bug.cgi?id=203318
Reviewed by Per Arne Vollan.
Replace the 'import' of common.sb with the equivalent statements. This is the
first step in a task to remove uneeded sandbox rules.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (251510 => 251511)
--- trunk/Source/WebKit/ChangeLog 2019-10-23 23:37:35 UTC (rev 251510)
+++ trunk/Source/WebKit/ChangeLog 2019-10-24 00:02:25 UTC (rev 251511)
@@ -1,3 +1,15 @@
+2019-10-23 Brent Fulgham <bfulg...@apple.com>
+
+ [iOS] Stop including 'common.sb'
+ https://bugs.webkit.org/show_bug.cgi?id=203318
+
+ Reviewed by Per Arne Vollan.
+
+ Replace the 'import' of common.sb with the equivalent statements. This is the
+ first step in a task to remove uneeded sandbox rules.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
2019-10-23 Kate Cheney <katherine_che...@apple.com>
Implement dumpResourceLoadStatistics in SQLite ITP Database
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (251510 => 251511)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2019-10-23 23:37:35 UTC (rev 251510)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2019-10-24 00:02:25 UTC (rev 251511)
@@ -25,8 +25,527 @@
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
-(import "common.sb")
+;;;
+;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
+;;; remove unneeded sandbox extensions.
+;;;
+(import "util.sb")
+(import "carrier-bundle-allowed.sb")
+
+(define-once (allow-read-and-issue-generic-extensions . filters)
+ (allow file-read*
+ (apply require-any filters))
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (apply require-any filters))))
+
+(define-once (allow-read-write-and-issue-generic-extensions . filters)
+ (allow file-read* file-write*
+ (apply require-any filters))
+ (allow file-read-metadata
+ (apply require-any filters))
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
+ (apply require-any filters))))
+
+(define-once (managed-configuration-read-public)
+ (allow file-read*
+ (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+ (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
+ (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))
+
+(define-once (managed-configuration-read . files)
+ (if (null? files)
+ (allow file-read*
+ (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
+ (front-user-home-subpath "/Library/ConfigurationProfiles")
+ (front-user-home-subpath "/Library/UserConfigurationProfiles"))
+ (for-each
+ (lambda (file)
+ (allow file-read*
+ (well-known-system-group-container-literal
+ (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
+ (front-user-home-literal
+ (string-append "/Library/ConfigurationProfiles/" file)
+ (string-append "/Library/UserConfigurationProfiles/" file))))
+ files)))
+
+(define-once (allow-preferences-common)
+ (allow file-read-metadata
+ (home-literal "")
+ (home-literal "/Library/Preferences")))
+
+(define-once (mobile-preferences-read . domains)
+ (allow-preferences-common)
+ (allow user-preference-read (apply preference-domain domains)))
+
+(define-once (mobile-preferences-read-write . domains)
+ (allow-preferences-common)
+ (allow user-preference-read user-preference-write (apply preference-domain domains)))
+
+(define-once (framebuffer-access)
+ (allow iokit-open
+ (iokit-user-client-class "IOMobileFramebufferUserClient"))
+ (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily"))
+
+(define-once (asset-access . options)
+ (let ((asset-access-filter
+ (require-all
+ (require-any
+ (home-subpath "/Library/Assets")
+ (subpath "/private/var/MobileAsset"))
+ (extension "com.apple.assets.read"))))
+ ;; <rdar://problem/10710883>
+ ;; <rdar://problem/11569106>
+ (allow file-read* asset-access-filter)
+ (if (memq 'with-media-playback options)
+ (play-media asset-access-filter))
+ (allow mach-lookup
+ (global-name "com.apple.mobileassetd" "com.apple.mobileassetd.v2"))
+ (mobile-preferences-read "com.apple.MobileAsset")))
+
+(define-once (mobile-keybag-access)
+ (allow iokit-open
+ (iokit-user-client-class "AppleKeyStoreUserClient")))
+
+(define-once (location-services)
+ (allow mach-lookup
+ (global-name "com.apple.locationd.registration"))
+ (allow-carrier-bundle) ;; <rdar://problem/21192365>
+ (mobile-preferences-read
+ "com.apple.AppSupport"
+ "com.apple.GEO"
+ "com.apple.locationd"))
+
+(define-once (play-audio)
+ (allow mach-lookup
+ (global-name "com.apple.audio.AURemoteIOServer")
+ (xpc-service-name "com.apple.audio.toolbox.reporting.service")))
+
+(define-once (play-media . filters)
+ (if (not (null? filters))
+ ;; <rdar://problem/9875794>
+ (allow file-issue-extension
+ (require-all
+ (apply require-any filters)
+ (extension-class "com.apple.mediaserverd.read"))))
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.security.exception.files.absolute-path.read-only"
+ "com.apple.security.exception.files.absolute-path.read-write"
+ "com.apple.security.exception.files.home-relative-path.read-only"
+ "com.apple.security.exception.files.home-relative-path.read-write")))
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.security.exception.files.absolute-path.read-write"
+ "com.apple.security.exception.files.home-relative-path.read-write")))
+ ;; CoreMedia framework.
+ (allow mach-lookup
+ (global-name "com.apple.mediaserverd")
+ (global-name "com.apple.coremedia.admin")
+ (global-name "com.apple.coremedia.asset.xpc")
+ (global-name "com.apple.coremedia.assetcacheinspector")
+ (global-name "com.apple.coremedia.assetimagegenerator.xpc")
+ (global-name "com.apple.coremedia.audiodeviceclock.xpc")
+ (global-name "com.apple.coremedia.audioprocessingtap.xpc")
+ (global-name "com.apple.coremedia.capturesession") ; Actually for video capture
+ (global-name "com.apple.coremedia.capturesource") ; Also for video capture (<rdar://problem/15794291>).
+ (global-name "com.apple.coremedia.cpeprotector.xpc")
+ (global-name "com.apple.coremedia.customurlloader.xpc")
+ (global-name "com.apple.coremedia.endpoint.xpc")
+ (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc")
+ (global-name "com.apple.coremedia.figcpecryptor")
+ (global-name "com.apple.coremedia.figcontentkeysession.xpc")
+ (global-name "com.apple.coremedia.formatreader.xpc")
+ (global-name "com.apple.coremedia.player.xpc")
+ (global-name "com.apple.coremedia.remaker")
+ (global-name "com.apple.coremedia.remotequeue")
+ (global-name "com.apple.coremedia.routediscoverer.xpc")
+ (global-name "com.apple.coremedia.routingcontext.xpc")
+ (global-name "com.apple.coremedia.routingsessionmanager.xpc")
+ (global-name "com.apple.coremedia.samplebufferaudiorenderer.xpc")
+ (global-name "com.apple.coremedia.samplebufferrendersynchronizer.xpc")
+ (global-name "com.apple.coremedia.sandboxserver")
+ (global-name "com.apple.coremedia.sandboxserver.xpc")
+ (global-name "com.apple.coremedia.systemcontroller.xpc")
+ (global-name "com.apple.coremedia.sts")
+ ;; <rdar://problem/13239958>
+ (global-name "com.apple.coremedia.videocompositor")
+ (global-name "com.apple.coremedia.visualcontext.xpc")
+ (global-name "com.apple.coremedia.volumecontroller.xpc")
+ (global-name "com.apple.pegasus"))
+ (mobile-preferences-read
+ "com.apple.avfoundation"
+ "com.apple.coreaudio"
+ "com.apple.coremedia"
+ "com.apple.corevideo")
+ ;; Required by the MediaPlayer framework.
+ (allow mach-lookup
+ (global-name "com.apple.airplay.apsynccontroller.xpc")
+ (global-name "com.apple.audio.AudioSession")
+ (global-name "com.apple.springboard.backgroundappservices"))
+ (mobile-preferences-read "com.apple.mobileipod")
+ ;; Needed by the MediaPlayer framework:
+ (allow mach-lookup
+ (global-name "com.apple.itunescloudd.xpc")
+ (global-name "com.apple.itunesstored.xpc"))
+ (mobile-preferences-read "com.apple.itunesstored"))
+
+(define-once (media-remote)
+ (mobile-preferences-read
+ "com.apple.mediaremote"
+ "com.apple.mobileipod")
+ (allow mach-lookup
+ (global-name "com.apple.mediaremoted.xpc")
+ (xpc-service-name "com.apple.MediaPlayer.RemotePlayerService")))
+
+(define-once (url-translation)
+ ;; For translating http:// & https:// URLs referencing itms:// URLs.
+ ;; <rdar://problem/11587338>
+ (allow file-read*
+ (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))
+
+;;;
+;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks.
+;;;
+(define-once (opengl)
+ (allow iokit-open
+ (iokit-connection "IOGPU")
+ (iokit-user-client-class
+ "AGXCommandQueue"
+ "AGXDevice"
+ "AGXDeviceUserClient"
+ "AGXSharedUserClient"
+ "IOAccelContext"
+ "IOAccelDevice"
+ "IOAccelSharedUserClient"
+ "IOAccelSubmitter2"
+ "IOAccelContext2"
+ "IOAccelDevice2"
+ "IOAccelSharedUserClient2"))
+ (allow sysctl-read
+ (sysctl-name #"kern.bootsessionuuid"))
+ (allow mach-lookup
+ (global-name "com.apple.cvmsServ")
+ (global-name "com.apple.gpumemd.source"))
+ (allow mach-lookup
+ (xpc-service-name-prefix "com.apple.AGXCompilerService"))
+
+ ;; <rdar://problem/25535471>
+ (mobile-preferences-read "com.apple.Metal")
+
+ ;; <rdar://problem/23321675>
+ (mobile-preferences-read "com.apple.opengl"))
+
+(define-once (debugging-support)
+ (allow file-read* file-map-executable
+ (subpath "/Developer"))
+
+ (allow ipc-posix-shm
+ (ipc-posix-name-regex #"^stack-logs")
+ (ipc-posix-name-regex #"^OA-")
+ (ipc-posix-name-regex #"^/FSM-"))
+
+ (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
+ (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))
+
+ (with-filter (system-attribute apple-internal)
+ ;; <rdar://problem/8565035>
+ ;; <rdar://problem/23857452>
+ (allow file-read* file-map-executable
+ (subpath "/AppleInternal")
+ (subpath "/usr/local/lib")))
+ (with-elevated-precedence
+ (allow file-read* file-map-executable file-issue-extension
+ (front-user-home-subpath "/XcodeBuiltProducts")))
+
+ ;; <rdar://problem/8107758>
+ (allow file-read* file-map-executable
+ (subpath "/System/Library/Frameworks")
+ (subpath "/System/Library/PrivateFrameworks"))
+
+ ;; <rdar://problem/32544921>
+ (mobile-preferences-read "com.apple.hangtracer"))
+
+(define-once (device-access)
+ (deny file-read* file-write*
+ (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
+
+ (allow file-read* file-write-data
+ (literal "/dev/null")
+ (literal "/dev/zero"))
+
+ (allow file-read* file-write-data file-ioctl
+ (literal "/dev/dtracehelper"))
+
+ (allow file-read*
+ (literal "/dev/random")
+ (literal "/dev/urandom"))
+ ;; <rdar://problem/14215718>
+ (deny file-write-data (with no-report)
+ (literal "/dev/random")
+ (literal "/dev/urandom"))
+
+ (allow file-read* file-write-data file-ioctl
+ (literal "/dev/aes_0")))
+
+(define-once (awd-log-directory daemon-name)
+ (let*
+ ((base-directory (home-relative-path "/Library/Logs/awd")))
+ (allow-create-directory (literal base-directory))
+ (allow file-read* file-write*
+ (prefix (string-append base-directory "/awd-" daemon-name ".log")))
+ (allow mach-lookup
+ (global-name "com.apple.awdd"))))
+
+(define-once (logd-diagnostic-paths)
+ (require-any
+ (subpath "/private/var/db/diagnostics")
+ (subpath "/private/var/db/timesync")
+ (subpath "/private/var/db/uuidtext")
+ (subpath "/private/var/userdata/diagnostics")))
+(define-once (logd-diagnostic-client)
+ (with-filter
+ (require-all
+ (require-any
+ (require-entitlement "com.apple.private.logging.diagnostic")
+ (require-entitlement "com.apple.diagnosticd.diagnostic"))
+ (extension "com.apple.logd.read-only"))
+ (allow file-read*
+ (logd-diagnostic-paths))))
+
+(define required-etc-files
+ (literal "/private/etc/fstab"
+ "/private/etc/hosts"
+ "/private/etc/group"
+ "/private/etc/passwd"
+ "/private/etc/protocols"
+ "/private/etc/services"))
+
+(deny file-map-executable)
+
+(deny file-write-mount file-write-unmount)
+
+(allow file-read-metadata (with no-times)
+ (vnode-type DIRECTORY))
+(with-filter (apple-signed-executable?)
+ (allow file-read-metadata
+ (vnode-type DIRECTORY)))
+
+(with-filter (apple-signed-executable?)
+ (managed-configuration-read "CloudConfigurationDetails.plist")
+ (managed-configuration-read "CloudConfigurationSetAsideDetails.plist")
+ (mobile-preferences-read "com.apple.security"))
+
+(with-filter (system-attribute apple-internal)
+ (mobile-preferences-read "com.apple.PrototypeTools"))
+
+(with-elevated-precedence
+ (allow file-read*
+ (subpath "/usr/lib"
+ "/usr/share"
+ "/private/var/db/timezone"))
+ (allow-read-and-issue-generic-extensions
+ (subpath "/Library/RegionFeatures"
+ "/System/Library"))
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (subpath "/System/Library")))
+ (let ((hw-identifying-paths
+ (require-any
+ (literal "/System/Library/Caches/apticket.der")
+ (subpath "/System/Library/Caches/com.apple.kernelcaches")
+ (subpath "/System/Library/Caches/com.apple.factorydata"))))
+ (deny file-issue-extension file-read* hw-identifying-paths))
+
+ (allow file-map-executable
+ (subpath "/System/Library")
+ (subpath "/usr/lib"))
+ (allow file-read-metadata
+ (vnode-type SYMLINK))
+
+ ;;; <rdar://problem/24144418>
+ (allow file-read*
+ (subpath "/private/var/preferences/Logging"))
+
+ (mobile-preferences-read "kCFPreferencesAnyApplication")
+ (allow file-read*
+ (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
+
+ (allow file-read*
+ (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
+ (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
+
+ (allow file-read-metadata
+ (home-literal "/Library/Caches/powerlog.launchd"))
+
+ (allow-read-and-issue-generic-extensions (executable-bundle))
+ (allow file-map-executable (executable-bundle))
+
+ ;; <rdar://problem/13963294>
+ (deny file-read-data file-issue-extension file-map-executable
+ (require-all
+ (executable-bundle)
+ (regex #"/[^/]+/SC_Info/")))
+
+ (unless (defined? 'restrictive-extension)
+ (with-filter
+ (extension
+ "com.apple.app-sandbox.read"
+ "com.apple.app-sandbox.read-write"
+ "com.apple.quicklook.readonly"
+ "com.apple.security.exception.files.absolute-path.read-only"
+ "com.apple.security.exception.files.absolute-path.read-write"
+ "com.apple.security.exception.files.home-relative-path.read-only"
+ "com.apple.security.exception.files.home-relative-path.read-write"
+ "com.apple.sharing.airdrop.readonly")
+ (allow file-read* file-read-metadata)
+ (allow file-issue-extension
+ (extension-class "com.apple.app-sandbox.read"
+ "com.apple.mediaserverd.read"
+ "com.apple.quicklook.readonly"
+ "com.apple.sharing.airdrop.readonly")))
+ (with-filter
+ (extension
+ "com.apple.app-sandbox.read-write"
+ "com.apple.security.exception.files.absolute-path.read-write"
+ "com.apple.security.exception.files.home-relative-path.read-write")
+ (allow file-write*)
+ (allow file-issue-extension
+ (extension-class "com.apple.app-sandbox.read-write"
+ "com.apple.mediaserverd.read-write"))))
+
+ ;; <rdar://problem/16079361>
+ (with-filter (global-name-prefix "")
+ (allow mach-register
+ (extension "com.apple.security.exception.mach-register.global-name")))
+ (with-filter (local-name-prefix "")
+ (allow mach-register
+ (extension "com.apple.security.exception.mach-register.local-name")))
+ (allow-read-and-issue-generic-extensions
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only"))
+ (allow-read-write-and-issue-generic-extensions
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write"))
+ (allow iokit-open
+ (extension "com.apple.security.exception.iokit-user-client-class"))
+ (allow managed-preference-read
+ (extension "com.apple.security.exception.managed-preference.read-only"))
+ (allow user-preference-read
+ (extension "com.apple.security.exception.shared-preference.read-only"))
+ (allow user-preference-read user-preference-write
+ (extension "com.apple.security.exception.shared-preference.read-write"))
+
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.nsurlstorage.extension-cache")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (require-any
+ (prefix "/private/var/root/Library/Caches/")
+ (front-user-home-prefix "/Library/Caches/"))))
+)
+
+(debugging-support)
+
+(allow file-read*
+ required-etc-files
+ (literal "/"))
+
+(allow file-read*
+ (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
+
+(device-access)
+
+(allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
+ (extension "com.apple.fileprovider.read-write")))
+
+(when (defined? 'restrictive-extension)
+ (with-filter (require-not (require-entitlement "get-task-allow"))
+ (deny mach-lookup (with no-report)
+ (global-name "com.apple.logd")
+ (global-name "com.apple.logd.events"))))
+
+(allow ipc-posix-shm-read*
+ (ipc-posix-name-prefix "apple.cfprefs."))
+
+;; <rdar://problem/12413942>
+(allow file-read*
+ (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
+(allow iokit-get-properties
+ (iokit-property "IORegistryEntryPropertyKeys"))
+
+(allow ipc-posix-sem-open
+ (ipc-posix-name "containermanagerd.fb_check"))
+
+(with-filter (ipc-posix-name "purplebuddy.sentinel")
+ (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
+ (allow ipc-posix-sem-open))
+
+(allow system-sched
+ (require-entitlement "com.apple.private.kernel.override-cpumon"))
+
+(deny sysctl-read (with no-report)
+ (sysctl-name "sysctl.proc_native"))
+
+(allow file-read-metadata network-outbound
+ (literal "/private/var/run/syslog"))
+
+(if (defined? 'restrictive-extension)
+ (begin
+ (deny mach-lookup (with no-report)
+ (global-name "com.apple.system.notification_center"))
+ (deny ipc-posix-shm-read* (with no-report)
+ (ipc-posix-name "apple.shm.notification_center")))
+; else
+ (begin
+ (allow ipc-posix-shm-read*
+ (ipc-posix-name "apple.shm.notification_center"))))
+
+(logd-diagnostic-client)
+
+(managed-configuration-read-public)
+
+(deny system-info (with no-report)
+ (info-type "net.link.addr"))
+
+(allow file-read*
+ (subpath "/private/var/db/datadetectors/sys"))
+
+(allow-well-known-system-group-container-subpath-read
+ "/systemgroup.com.apple.icloud.findmydevice.managed/Library")
+
+(allow mach-task-name (target self))
+
+(allow process-info-pidinfo (target self))
+(allow process-info-pidfdinfo (target self))
+(allow process-info-pidfileportinfo (target self))
+(allow process-info-setcontrol (target self))
+(allow process-info-dirtycontrol (target self))
+(allow process-info-rusage (target self))
+(allow process-info-codesignature (target self))
+
+(with-filter (apple-signed-executable?)
+ (mobile-preferences-read "com.apple.demo-settings"))
+
+(with-filter (uid 0)
+ (allow file-read*
+ (literal "/private/etc/master.passwd")))
+
+(mobile-preferences-read "com.apple.Accessibility")
+
+;;;
+;;; End common.sb content
+;;;
+
(deny mach-lookup (xpc-service-name-prefix ""))
(deny lsopen)
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
