Title: [208611] trunk/Source/WebKit2
- Revision
- 208611
- Author
- [email protected]
- Date
- 2016-11-11 14:16:40 -0800 (Fri, 11 Nov 2016)
Log Message
Get rid of old sandbox rules for OS's we no longer support
https://bugs.webkit.org/show_bug.cgi?id=164638
Reviewed by Simon Fraser.
Clean up the various sandbox profiles to get rid of rules that applied to operating system
versions we no longer support, or were added in support of bugs that have long since been
fixed.
This should introduce no change in behavior.
* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit2/ChangeLog (208610 => 208611)
--- trunk/Source/WebKit2/ChangeLog 2016-11-11 21:59:33 UTC (rev 208610)
+++ trunk/Source/WebKit2/ChangeLog 2016-11-11 22:16:40 UTC (rev 208611)
@@ -1,3 +1,22 @@
+2016-11-11 Brent Fulgham <[email protected]>
+
+ Get rid of old sandbox rules for OS's we no longer support
+ https://bugs.webkit.org/show_bug.cgi?id=164638
+
+ Reviewed by Simon Fraser.
+
+ Clean up the various sandbox profiles to get rid of rules that applied to operating system
+ versions we no longer support, or were added in support of bugs that have long since been
+ fixed.
+
+ This should introduce no change in behavior.
+
+ * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+ * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2016-11-11 Brady Eidson <[email protected]>
IndexedDB 2.0: "close pending flag" and firing blocked events all need fixing.
Modified: trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (208610 => 208611)
--- trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in 2016-11-11 21:59:33 UTC (rev 208610)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in 2016-11-11 22:16:40 UTC (rev 208611)
@@ -1,4 +1,4 @@
-; Copyright (C) 2014 Apple Inc. All rights reserved.
+; Copyright (C) 2014-2016 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
@@ -88,8 +88,5 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
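Review bot: Removing `(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))` takes away an explicit deny, so whether this process can now set or clear the quarantine attribute depends on allow rules outside this hunk; a `file-write*` allow on a path would normally cover `file-write-xattr` as well. The FIXME only ties the rule to rdar://problem/16329087 and does not say whether it existed to silence log noise or to enforce the block, so "no change in behavior" cannot be confirmed from what is shown here. If the block is still wanted, keep the deny and drop only the FIXME comment; otherwise state in the ChangeLog that quarantine xattr writes are now governed by the path allows. The same rule is removed from the NetworkProcess and WebProcess profiles in this commit.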
Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (208610 => 208611)
--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2016-11-11 21:59:33 UTC (rev 208610)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2016-11-11 22:16:40 UTC (rev 208611)
@@ -154,9 +154,6 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
Modified: trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (208610 => 208611)
--- trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2016-11-11 21:59:33 UTC (rev 208610)
+++ trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2016-11-11 22:16:40 UTC (rev 208611)
@@ -78,14 +78,6 @@
(if (not (defined? 'os-version))
(define os-version (param "_OS_VERSION")))
-;; OS X 10.7 (Lion) compatibility
-(if (not (defined? 'ipc-posix-shm*))
- (define ipc-posix-shm* ipc-posix-shm))
-(if (not (defined? 'ipc-posix-shm-read*))
- (define ipc-posix-shm-read* ipc-posix-shm))
-(if (not (defined? 'ipc-posix-shm-write-data))
- (define ipc-posix-shm-write-data ipc-posix-shm))
-
;; Graphics
(if (defined? 'system-graphics)
(system-graphics)
@@ -247,10 +239,6 @@
(local-name "com.apple.tsm.portname")
(global-name-regex #"_OpenStep$"))
-(if (equal? os-version "10.7")
- (allow mach-lookup
- (global-name "com.apple.system.DirectoryService.membership_v1")))
-
;; Configuration directories
(allow file-read* (subpath (param "PLUGIN_PATH")))
(allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
@@ -354,29 +342,6 @@
(define (webkit-microphone)
(allow device-microphone))
-(if (equal? os-version "10.7")
- (allow ipc-posix-shm)
- (begin
- (if (equal? os-version "10.8")
- (allow ipc-posix-shm*
- (ipc-posix-name "_CS_GSHMEMLOCK")
- (ipc-posix-name "_CS_DSHMEMLOCK")))
- (allow ipc-posix-shm*
- (ipc-posix-name-regex #"^AudioIO")
- (ipc-posix-name-regex #"^CFPBS:")
- (ipc-posix-name "com.apple.ColorSync.Gen.lock")
- (ipc-posix-name "com.apple.ColorSync.Disp.lock")
- (ipc-posix-name "com.apple.ColorSync.Gray2.2")
- (ipc-posix-name "com.apple.ColorSync.sRGB")
- (ipc-posix-name "com.apple.ColorSync.GenGray")
- (ipc-posix-name "com.apple.ColorSync.GenRGB")
- (ipc-posix-name-regex #"^com\.apple\.cs\.")
- (ipc-posix-name-regex #"^ls\."))
- (allow ipc-posix-shm-read*
- (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
- (ipc-posix-name "FNetwork.defaultStorageSession")
- (ipc-posix-name "apple.shm.notification_center"))))
-
;; Silently block access to some resources
(deny file-read* file-write* (with no-log)
(subpath "/Network/Library")
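Review bot: The removed `(if (equal? os-version "10.7") ...)` form is not 10.7-only: its `begin` else-branch granted the `ipc-posix-shm*` and `ipc-posix-shm-read*` names to every other OS version, and only the nested `(if (equal? os-version "10.8") ...)` was version-specific. Deleting the whole form therefore withdraws those shared-memory allows on supported systems too, unless equivalent rules exist elsewhere in the profile, which this hunk does not show. That tightens the sandbox rather than loosening it, but it contradicts "no change in behavior" and may surface as denied audio or ColorSync shared-memory opens in plug-ins. To preserve behavior, keep the two unconditional allows from the else-branch and drop only the 10.7 and 10.8 conditionals, as sketched below.

```scheme
;; … unchanged: webkit-microphone definition …
(allow ipc-posix-shm*
    (ipc-posix-name-regex #"^AudioIO")
    (ipc-posix-name-regex #"^CFPBS:")
    (ipc-posix-name "com.apple.ColorSync.Gen.lock")
    (ipc-posix-name "com.apple.ColorSync.Disp.lock")
    (ipc-posix-name "com.apple.ColorSync.Gray2.2")
    (ipc-posix-name "com.apple.ColorSync.sRGB")
    (ipc-posix-name "com.apple.ColorSync.GenGray")
    (ipc-posix-name "com.apple.ColorSync.GenRGB")
    (ipc-posix-name-regex #"^com\.apple\.cs\.")
    (ipc-posix-name-regex #"^ls\."))
(allow ipc-posix-shm-read*
    (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
    (ipc-posix-name "FNetwork.defaultStorageSession")
    (ipc-posix-name "apple.shm.notification_center"))
;; … unchanged: "Silently block access to some resources" deny rules …
```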
@@ -383,9 +348,6 @@
(subpath "/Network/Applications")
(home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")
- ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
- (home-library-literal "/Caches/Cache.db")
-
;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
(home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
(home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))
Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb (208610 => 208611)
--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb 2016-11-11 21:59:33 UTC (rev 208610)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb 2016-11-11 22:16:40 UTC (rev 208611)
@@ -33,13 +33,6 @@
(global-name "com.apple.coreservices.launchservicesd")
(global-name-regex #"^PlaceHolderServerName-"))
-(if (equal? os-version "10.7")
- (begin
- (allow mach-lookup
- (global-name-regex #"^com\.apple\.java\.jrs\.carenderserver"))
- (allow file-read* file-write*
- (home-library-subpath "/Caches/net.java.openjdk.cmd"))))
-
(allow file-read*
(literal "/dev/fd")
(literal "/usr/bin")
Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (208610 => 208611)
--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2016-11-11 21:59:33 UTC (rev 208610)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2016-11-11 22:16:40 UTC (rev 208611)
@@ -146,14 +146,7 @@
(ipc-posix-name-regex #"^WebKit Test-"))
;; ColorSync
-;; FIXME: Remove names with underscores when possible (see <rdar://problem/13072721>).
(allow ipc-posix-shm*
- (ipc-posix-name "_CS_GSHMEMLOCK")
- (ipc-posix-name "_CS_DSHMEMLOCK")
- (ipc-posix-name "_CSGRAYPROFILE")
- (ipc-posix-name "_CSRGBPROFILE")
- (ipc-posix-name "_CSGENGPROFILE")
- (ipc-posix-name "_CSGENRPROFILE")
(ipc-posix-name "com.apple.ColorSync.Gen.lock")
(ipc-posix-name "com.apple.ColorSync.Disp.lock")
(ipc-posix-name "com.apple.ColorSync.Gray2.2")
@@ -281,9 +274,6 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))