- Revision
- 209280
- Author
- [email protected]
- Date
- 2016-12-02 15:21:22 -0800 (Fri, 02 Dec 2016)
Log Message
[Mac] Update sandbox profiles to use modern syntax and avoid duplication
https://bugs.webkit.org/show_bug.cgi?id=165332
<rdar://problem/26898991>
Reviewed by Anders Carlsson.
Update the Mac sandbox profiles to reflect that modern Cocoa applications
communicate with cfprefsd, rather than plists on disk (and have done so
for the past several releases).
Get rid of some duplicated rules, as well as old compatibility rules that
are never triggered under supported operating systems.
* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit2/ChangeLog (209279 => 209280)
--- trunk/Source/WebKit2/ChangeLog 2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/ChangeLog 2016-12-02 23:21:22 UTC (rev 209280)
@@ -1,3 +1,23 @@
+2016-12-02 Brent Fulgham <[email protected]>
+
+ [Mac] Update sandbox profiles to use modern syntax and avoid duplication
+ https://bugs.webkit.org/show_bug.cgi?id=165332
+ <rdar://problem/26898991>
+
+ Reviewed by Anders Carlsson.
+
+ Update the Mac sandbox profiles to reflect that modern Cocoa applications
+ communicate with cfprefsd, rather than plists on disk (and have done so
+ for the past several releases).
+
+ Get rid of some duplicated rules, as well as old compatibility rules that
+ are never triggered under supported operating systems.
+
+ * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2016-12-02 Gustavo Sverzut Barbieri <[email protected]>
Fix build break when disabling some features.
Modified: trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (209279 => 209280)
--- trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in 2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in 2016-12-02 23:21:22 UTC (rev 209280)
@@ -37,12 +37,21 @@
(define (home-literal home-relative-literal)
(literal (string-append (param "HOME_DIR") home-relative-literal)))
+;; IOKit user clients
+(allow iokit-open
+ (iokit-user-client-class "RootDomainUserClient"))
+
;; Security framework
(allow mach-lookup
(global-name "com.apple.SecurityServer"))
+(allow user-preference-read
+ (preference-domain
+ "com.apple.security"
+ "com.apple.security.revocation"))
(allow file-read*
(subpath "/private/var/db/mds")
(literal "/private/var/db/DetachedSignatures")
+ ; The following are needed until <rdar://problem/11134688> is resolved.
(literal "/Library/Preferences/com.apple.security.plist")
(literal "/Library/Preferences/com.apple.security.revocation.plist")
(home-literal "/Library/Preferences/com.apple.security.plist")
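Review bot: The added `(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))` at the top of this hunk is a new grant for the Databases process, not a syntax update or a de-duplication, and neither the log message nor the `;; IOKit user clients` heading says what needs it. If it is required, a why-comment would keep the grant auditable, for example `;; RootDomainUserClient is opened by <component> for <reason>`. If it was copied from another profile only for symmetry, it should be dropped so this process keeps the smaller IOKit surface. The `file-read*` form that follows continues past the end of the hunk.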
@@ -55,16 +64,14 @@
(allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
;; Read-only preferences and data
+(allow user-preference-read
+ (preference-domain
+ "kCFPreferencesAnyApplication"))
(allow file-read*
;; Basic system paths
(subpath "/Library/Frameworks")
(subpath "/Library/Managed Preferences")
- ;; System and user preferences
- (literal "/Library/Preferences/.GlobalPreferences.plist")
- (home-literal "/Library/Preferences/.GlobalPreferences.plist")
- (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
-
;; On-disk WebKit2 framework location, to account for debug installations
;; outside of /System/Library/Frameworks
(subpath (param "WEBKIT2_FRAMEWORK_DIR")))
Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (209279 => 209280)
--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2016-12-02 23:21:22 UTC (rev 209280)
@@ -38,6 +38,12 @@
(literal (string-append (param "HOME_DIR") home-relative-literal)))
;; Read-only preferences and data
+(allow user-preference-read
+ (preference-domain
+ "kCFPreferencesAnyApplication"
+ "com.apple.DownloadAssessment"
+ "com.apple.WebFoundation"
+ "com.apple.networkConnect"))
(allow file-read*
;; Basic system paths
(subpath "/Library/Frameworks")
@@ -46,13 +52,7 @@
(literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
;; System and user preferences
- (literal "/Library/Preferences/.GlobalPreferences.plist")
(regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")
- (home-literal "/Library/Preferences/.GlobalPreferences.plist")
- (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
- (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")
- (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
- (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
;; On-disk WebKit2 framework location, to account for debug installations
;; outside of /System/Library/Frameworks
@@ -115,6 +115,13 @@
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow user-preference-read
+ (preference-domain
+ "com.apple.crypto"
+ "com.apple.security"
+ "com.apple.security.common"
+ "com.apple.security.revocation"))
+
(allow file-read*
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
(subpath "/Library/Keychains")
@@ -121,7 +128,8 @@
#endif
(subpath "/private/var/db/mds")
(literal "/private/var/db/DetachedSignatures")
- (literal "/Library/Preferences/com.apple.crypto.plist")
+
+ ; The following are needed until <rdar://problem/11134688> is resolved.
(literal "/Library/Preferences/com.apple.security.plist")
(literal "/Library/Preferences/com.apple.security.common.plist")
(literal "/Library/Preferences/com.apple.security.revocation.plist")
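Review bot: The new comment `; The following are needed until <rdar://problem/11134688> is resolved.` does not say why the three `com.apple.security*` plist literals must stay readable now that the same domains are granted through `user-preference-read` just above, so a later cleanup cannot tell when they are safe to remove. A sentence on what still opens the files directly would help, e.g. `; <component> still reads these plists from disk instead of going through cfprefsd`. `/Library/Preferences/com.apple.crypto.plist` is dropped here while its siblings are kept; it is worth confirming that `com.apple.crypto` really is read only via cfprefsd. The same comment is added in the Databases hunk at -37,12 and the WebProcess hunk at -220,7. The enclosing `(allow file-read*` form starts in the previous hunk and continues past this one.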
@@ -146,13 +154,12 @@
(global-name "com.apple.system.notification_center"))
(allow network-outbound
(remote udp))
+(allow user-preference-read
+ (preference-domain
+ "com.apple.GSS"
+ "com.apple.Kerberos"
+ "edu.mit.Kerberos"))
(allow file-read*
- (home-subpath "/Library/Preferences/com.apple.Kerberos.plist")
- (home-subpath "/Library/Preferences/com.apple.GSS.plist")
- (home-subpath "/Library/Preferences/edu.mit.Kerberos")
- (literal "/Library/Preferences/com.apple.Kerberos.plist")
- (literal "/Library/Preferences/com.apple.GSS.plist")
- (literal "/Library/Preferences/edu.mit.Kerberos")
(literal "/private/etc/krb5.conf")
(literal "/private/etc/services")
(literal "/private/etc/host")
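Review bot: Dropping the `edu.mit.Kerberos` path rules here assumes that file is only ever read through CFPreferences, but the removed entries had no `.plist` suffix, which suggests they covered the legacy Kerberos configuration file that is parsed directly from disk like `/private/etc/krb5.conf`. If so, `(preference-domain "edu.mit.Kerberos")` does not replace them and a configuration stored in that file would no longer be readable inside the sandbox; keeping `(literal "/Library/Preferences/edu.mit.Kerberos")` and its home-directory counterpart under `file-read*` would preserve the old behaviour. The WebProcess hunk at -266,13 makes the same removal, and there `edu.mit.Kerberos` is listed in the general preferences block instead of next to `com.apple.Kerberos` and `com.apple.GSS`, so the two profiles no longer match. The `file-read*` form continues past the end of the hunk.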
Modified: trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (209279 => 209280)
--- trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2016-12-02 23:21:22 UTC (rev 209280)
@@ -78,33 +78,16 @@
(if (not (defined? 'os-version))
(define os-version (param "_OS_VERSION")))
-;; Graphics
-(if (defined? 'system-graphics)
- (system-graphics)
- (begin
- (shared-preferences-read
- "com.apple.opengl"
- "com.nvidia.OpenGL")
- (allow mach-lookup (global-name "com.apple.cvmsServ"))
- (allow iokit-open
- (iokit-connection "IOAccelerator")
- (iokit-user-client-class "IOAccelerationUserClient")
- (iokit-user-client-class "IOSurfaceRootUserClient")
- (iokit-user-client-class "IOSurfaceSendRight")
- (iokit-user-client-class "IOFramebufferSharedUserClient")
- (iokit-user-client-class "AppleSNBFBUserClient")
- (iokit-user-client-class "AGPMClient")
- (iokit-user-client-class "AppleGraphicsControlClient")
- (iokit-user-client-class "AppleGraphicsPolicyClient"))))
+(system-graphics)
;; Read-only preferences
(shared-preferences-read
".GlobalPreferences"
+ "com.apple.ATS"
"com.apple.Bluetooth"
"com.apple.CoreGraphics"
+ "com.apple.HIToolbox"
"com.apple.QuickTime"
- "com.apple.HIToolbox"
- "com.apple.ATS"
"com.apple.driver.AppleBluetoothMultitouch.mouse"
"com.apple.driver.AppleBluetoothMultitouch.trackpad"
"com.apple.driver.AppleHIDMouse"
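Review bot: Calling `(system-graphics)` unconditionally means the IOKit user clients and Mach services granted to plug-ins are now whatever the OS-provided macro expands to, where the removed fallback listed them explicitly in this file. That is a reasonable trade on supported systems, but the profile no longer documents its own graphics surface and presumably fails to load where the macro is undefined, while the neighbouring `(if (not (defined? 'os-version))` and `(if (defined? 'mach-register)` guards are kept. A comment such as `;; Graphics: rules come from the system profile's system-graphics macro, which must be defined` would record the dependency and keep the dropped `;; Graphics` heading. The same applies to `(system-network)` in the hunk at -250,21.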
@@ -250,21 +233,7 @@
(if (defined? 'mach-register)
(allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
-;; Networking
-(if (defined? 'system-network)
- (system-network)
- (begin
- (allow file-read* (literal "/Library/Preferences/com.apple.networkd.plist"))
- (allow mach-lookup
- (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
- (global-name "com.apple.networkd"))
- (allow network-outbound
- (control-name "com.apple.netsrc")
- (control-name "com.apple.network.statistics"))
- (allow system-socket
- (require-all (socket-domain AF_SYSTEM)
- (socket-protocol 2)) ; SYSPROTO_CONTROL
- (socket-domain AF_ROUTE))))
+(system-network)
(allow network-outbound
;; Local mDNSResponder for DNS, arbitrary outbound TCP and UDP
Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (209279 => 209280)
--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2016-12-02 23:21:22 UTC (rev 209280)
@@ -56,26 +56,6 @@
(literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
;; System and user preferences
- (literal "/Library/Preferences/.GlobalPreferences.plist")
- (home-literal "/Library/Preferences/.GlobalPreferences.plist")
- (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
- (home-regex #"/Library/Preferences/ByHost/com\.apple\.HIToolbox\.")
- (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")
- (home-literal "/Library/Preferences/com.apple.ATS.plist")
- (home-literal "/Library/Preferences/com.apple.CoreGraphics.plist")
- (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
- (home-literal "/Library/Preferences/com.apple.HIToolbox.plist")
- (home-literal "/Library/Preferences/com.apple.LaunchServices.plist")
- (home-literal "/Library/Preferences/com.apple.MultitouchSupport.plist") ;; FIXME: Remove when <rdar://problem/13011633> is fixed.
- (home-literal "/Library/Preferences/com.apple.QTKit.plist")
- (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
- (home-literal "/Library/Preferences/com.apple.avfoundation.plist")
- (home-literal "/Library/Preferences/com.apple.coremedia.plist")
- (home-literal "/Library/Preferences/com.apple.speech.voice.prefs.plist")
- (home-literal "/Library/Preferences/com.apple.systemsound.plist")
- (home-literal "/Library/Preferences/com.apple.universalaccess.plist")
- (home-literal "/Library/Preferences/com.apple.lookup.shared.plist")
- (home-regex #"/Library/Preferences/com\.apple\.driver\.(AppleBluetoothMultitouch\.mouse|AppleBluetoothMultitouch\.trackpad|AppleHIDMouse)\.plist$")
(home-literal "/.CFUserTextEncoding")
;; FIXME: This should be removed when <rdar://problem/8957845> is fixed.
@@ -92,6 +72,38 @@
(home-subpath "/Library/Dictionaries"))
+;; Preferences support
+(allow user-preference-read
+ (preference-domain
+ "kCFPreferencesAnyApplication"
+ "com.apple.ATS"
+ "com.apple.CoreGraphics"
+ "com.apple.DownloadAssessment"
+ "com.apple.HIToolbox"
+ "com.apple.LaunchServices"
+ "com.apple.MultitouchSupport" ;; FIXME: Remove when <rdar://problem/13011633> is fixed.
+ "com.apple.QTKit"
+ "com.apple.ServicesMenu.Services" ;; Needed for NSAttributedString <rdar://problem/10844321>
+ "com.apple.WebFoundation"
+ "com.apple.avfoundation"
+ "com.apple.coremedia"
+ "com.apple.crypto"
+ "com.apple.driver.AppleBluetoothMultitouch.mouse"
+ "com.apple.driver.AppleBluetoothMultitouch.trackpad"
+ "com.apple.driver.AppleHIDMouse"
+ "com.apple.lookup.shared"
+ "com.apple.mediaaccessibility"
+ "com.apple.networkConnect"
+ "com.apple.security"
+ "com.apple.security.common"
+ "com.apple.security.revocation"
+ "com.apple.speech.voice.prefs"
+ "com.apple.systemsound"
+ "com.apple.universalaccess"
+ "edu.mit.Kerberos"
+ "pbs" ;; Needed for NSAttributedString <rdar://problem/10844321>
+))
+
;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
;; and to allow issuing extensions.
(allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))
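Review bot: The new `;; Preferences support` list mixes domains that belong to different subsystems, and several of them (`com.apple.crypto`, `com.apple.security`, `com.apple.security.common`, `com.apple.security.revocation`, `edu.mit.Kerberos`) serve the Security framework and Kerberos sections further down the profile. In the Databases and NetworkProcess profiles the same commit keeps those domains in their own `user-preference-read` blocks next to the matching Mach and file rules, which makes it easier to remove a grant together with the feature it serves. Splitting them out here the same way, or at least adding a trailing comment like `;; Security framework` on those entries, would keep the WebProcess profile auditable.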
@@ -121,8 +133,8 @@
(allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
;; MediaAccessibility
-(allow file-read* (home-literal "/Library/Preferences/com.apple.mediaaccessibility.plist"))
-(allow file-read* file-write* (home-literal "/Library/Preferences/com.apple.mediaaccessibility.public.plist"))
+(allow user-preference-read user-preference-write
+ (preference-domain "com.apple.mediaaccessibility.public"))
(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
(allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
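Review bot: `user-preference-write` on `com.apple.mediaaccessibility.public` is the only preference write visible in this diff, and the `;; MediaAccessibility` heading does not say why the web content process needs to write that domain. It carries over the old `file-write*` rule, so behaviour is unchanged, but a comment such as `;; Write access is needed because <reason>; drop it once the write moves out of the WebProcess` would flag the grant for later tightening.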
@@ -170,6 +182,7 @@
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101200
(global-name "com.apple.FontServer")
#endif
+ (global-name "com.apple.PowerManagement.control")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.SystemConfiguration.PPPController")
(global-name "com.apple.audio.SystemSoundServer-OSX")
@@ -177,32 +190,31 @@
(global-name "com.apple.audio.audiohald")
(global-name "com.apple.audio.coreaudiod")
(global-name "com.apple.awdd")
+ (global-name "com.apple.cfnetwork.AuthBrokerAgent")
(global-name "com.apple.cookied")
+ (global-name "com.apple.coreservices.launchservicesd")
(global-name "com.apple.dock.server")
(global-name "com.apple.fonts")
+ (global-name "com.apple.iconservices")
+ (global-name "com.apple.iconservices.store")
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
+ (global-name "com.apple.mediaremoted.xpc")
+#endif
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+ (global-name "com.apple.nesessionmanager.flow-divert-token")
+#endif
+ (global-name "com.apple.speech.speechsynthesisd")
+ (global-name "com.apple.speech.synthesis.console")
(global-name "com.apple.system.opendirectoryd.api")
(global-name "com.apple.tccd")
(global-name "com.apple.tccd.system")
(global-name "com.apple.window_proxies")
(global-name "com.apple.windowserver.active")
- (global-name "com.apple.cfnetwork.AuthBrokerAgent")
- (global-name "com.apple.PowerManagement.control")
- (global-name "com.apple.speech.speechsynthesisd")
- (global-name "com.apple.speech.synthesis.console")
- (global-name "com.apple.coreservices.launchservicesd")
- (global-name "com.apple.iconservices")
- (global-name "com.apple.iconservices.store")
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
- (global-name "com.apple.nesessionmanager.flow-divert-token")
-#endif
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
- (global-name "com.apple.mediaremoted.xpc")
-#endif
)
;; Security framework
(allow mach-lookup
- (global-name "com.apple.ctkd.token-client")
+ (global-name "com.apple.ctkd.token-client")
(global-name "com.apple.ocspd")
(global-name "com.apple.securityd.xpc")
(global-name "com.apple.CoreAuthentication.agent.libxpc")
@@ -220,7 +232,7 @@
#endif
(subpath "/private/var/db/mds")
(literal "/private/var/db/DetachedSignatures")
- (literal "/Library/Preferences/com.apple.crypto.plist")
+ ; The following are needed until <rdar://problem/11134688> is resolved.
(literal "/Library/Preferences/com.apple.security.plist")
(literal "/Library/Preferences/com.apple.security.common.plist")
(literal "/Library/Preferences/com.apple.security.revocation.plist")
@@ -251,10 +263,6 @@
(literal "/private/var/run/mDNSResponder")
(remote tcp))
-;; Needed for NSAttributedString, <rdar://problem/10844321>.
-(allow file-read*
- (home-literal "/Library/Preferences/pbs.plist")
- (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist"))
(allow mach-lookup
(global-name "com.apple.pbs.fetch_services"))
@@ -266,13 +274,12 @@
(global-name "com.apple.system.notification_center"))
(allow network-outbound
(remote udp))
+(allow user-preference-read
+ (preference-domain
+ "com.apple.Kerberos"
+ "com.apple.GSS"))
+
(allow file-read*
- (home-subpath "/Library/Preferences/com.apple.Kerberos.plist")
- (home-subpath "/Library/Preferences/com.apple.GSS.plist")
- (home-subpath "/Library/Preferences/edu.mit.Kerberos")
- (literal "/Library/Preferences/com.apple.Kerberos.plist")
- (literal "/Library/Preferences/com.apple.GSS.plist")
- (literal "/Library/Preferences/edu.mit.Kerberos")
(literal "/private/etc/krb5.conf")
(literal "/private/etc/services")
(literal "/private/etc/host")
@@ -293,9 +300,10 @@
;; Deny access needed for unnecessary NSApplication initialization.
;; FIXME: This can be removed once <rdar://problem/13011633> is fixed.
(deny file-read* (with no-log)
- (home-literal "/Library/Preferences/com.apple.speech.recognition.AppleSpeechRecognition.prefs.plist")
(subpath "/Library/InputManagers")
(home-subpath "/Library/InputManagers"))
+(deny user-preference-read (with no-log)
+ (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs"))
(deny mach-lookup (with no-log)
(global-name "com.apple.coreservices.appleevents")
(global-name "com.apple.pasteboard.1")