Title: [213544] trunk/Source/WebKit2
Revision
213544
Author
[email protected]
Date
2017-03-07 14:53:17 -0800 (Tue, 07 Mar 2017)

Log Message

[Mac][iOS][WK2] Whitelist sysctl-read
https://bugs.webkit.org/show_bug.cgi?id=169306
<rdar://problem/16371458>

Reviewed by Alex Christensen.

Limit access to the 'sysctl' call to read-only cases of the very small
set of operations we actually use.

* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (213543 => 213544)


--- trunk/Source/WebKit2/ChangeLog	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/ChangeLog	2017-03-07 22:53:17 UTC (rev 213544)
@@ -1,3 +1,22 @@
+2017-03-07  Brent Fulgham  <[email protected]>
+
+        [Mac][iOS][WK2] Whitelist sysctl-read
+        https://bugs.webkit.org/show_bug.cgi?id=169306
+        <rdar://problem/16371458>
+
+        Reviewed by Alex Christensen.
+
+        Limit access to the 'sysctl' call to read-only cases of the very small
+        set of operations we actually use.
+
+        * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2017-03-07  Alex Christensen  <[email protected]>
 
         [Content Extensions] Rename "Domain" to "Condition" where appropriate

Modified: trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (213543 => 213544)


--- trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in	2017-03-07 22:53:17 UTC (rev 213544)
@@ -32,6 +32,16 @@
 (allow process-info-pidinfo)
 (allow process-info-setcontrol (target self))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+(deny sysctl*)
+(allow sysctl-read
+    (sysctl-name
+        "hw.availcpu"
+        "hw.ncpu"
+        "hw.model"
+        "kern.memorystatus_level"))
+#endif
+
 ;; Utility functions for home directory relative path filters
 (define (home-regex home-relative-regex)
   (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
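Review bot: The `#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100` guard around the new sysctl rules has no comment. On a build with an older deployment target the whole block is compiled out, so sysctl access stays at whatever the rest of the profile and its imports grant. If the reason is that the `sysctl-name` filter is not usable before 10.11 (an assumption, not visible here), say so above the guard, e.g. `;; sysctl-name filtering needs 10.11 or later; older targets keep the previous sysctl rules.` The same unexplained guard appears in the NetworkProcess, plugin-common and WebProcess hunks.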

Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (213543 => 213544)


--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2017-03-07 22:53:17 UTC (rev 213544)
@@ -32,6 +32,16 @@
 (allow process-info-pidinfo)
 (allow process-info-setcontrol (target self))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+(deny sysctl*)
+(allow sysctl-read
+    (sysctl-name
+        "hw.availcpu"
+        "hw.ncpu"
+        "hw.model"
+        "kern.memorystatus_level"))
+#endif
+
 ;; Utility functions for home directory relative path filters
 (define (home-regex home-relative-regex)
   (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))

Modified: trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (213543 => 213544)


--- trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in	2017-03-07 22:53:17 UTC (rev 213544)
@@ -1,4 +1,4 @@
-; Copyright (C) 2013-2016 Apple Inc. All rights reserved.
+; Copyright (C) 2013-2017 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -32,6 +32,16 @@
 (allow process-info-pidinfo)
 (allow process-info-setcontrol (target self))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+(deny sysctl*)
+(allow sysctl-read
+    (sysctl-name
+        "hw.availcpu"
+        "hw.ncpu"
+        "hw.model"
+        "kern.memorystatus_level"))
+#endif
+
 ;; Utility functions
 (define (home-literal home-relative-literal)
     (literal (string-append (param "HOME_DIR") home-relative-literal)))

Modified: trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb (213543 => 213544)


--- trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb	2017-03-07 22:53:17 UTC (rev 213544)
@@ -29,3 +29,11 @@
 (import "removed-dev-nodes.sb")
 
 (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
+
+(deny sysctl*)
+(allow sysctl-read
+    (sysctl-name
+        "hw.availcpu"
+        "hw.ncpu"
+        "hw.model"
+        "kern.memorystatus_level"))
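Review bot: The `(deny sysctl*)` followed by `(allow sysctl-read (sysctl-name ...))` only works as an allow-list if the later rule takes precedence over the earlier one, as I understand SBPL evaluation, and nothing here records that the order matters. I would add `;; Order matters: deny all sysctl first, then re-allow only the read-only names below.` above the pair. In this profile the block is appended at the end of the file, so no later rule in the file can widen it. In the Networking and WebContent hunks it sits ahead of further rules outside the hunk, where a later broad `sysctl-read` allow would presumably undo the restriction. The same four-name list is pasted into all seven profiles; keeping the three iOS copies in one imported profile would stop them drifting apart, if import order permits.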

Modified: trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (213543 => 213544)


--- trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2017-03-07 22:53:17 UTC (rev 213544)
@@ -28,6 +28,14 @@
 (import "common.sb")
 (import "removed-dev-nodes.sb")
 
+(deny sysctl*)
+(allow sysctl-read
+    (sysctl-name
+        "hw.availcpu"
+        "hw.ncpu"
+        "hw.model"
+        "kern.memorystatus_level"))
+
 ;; Access to client's cache folder & re-vending to CFNetwork.
 ;; FIXME: Remove the webkit specific extension classes <rdar://problem/17755931>
 (allow file-issue-extension (require-all

Modified: trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (213543 => 213544)


--- trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2017-03-07 22:53:17 UTC (rev 213544)
@@ -34,6 +34,14 @@
 (play-media)
 (media-remote)
 
+(deny sysctl*)
+(allow sysctl-read
+    (sysctl-name
+        "hw.availcpu"
+        "hw.ncpu"
+        "hw.model"
+        "kern.memorystatus_level"))
+
 ;; Read-only preferences and data
 (mobile-preferences-read
     "com.apple.LaunchServices"
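Review bot: None of the four allowed sysctl names says which caller needs it, and this is the profile for the process that handles untrusted web content, so each entry should carry its justification. `"hw.model"` in particular makes the device model string readable from inside the sandbox, which is worth confirming as a real requirement rather than a carry-over from the other profiles. A per-name comment such as `;; hw.model: read by <caller, to be filled in>` would let a later audit remove entries that are no longer used. The same applies to the macOS WebProcess hunk. This hunk ends inside the `(mobile-preferences-read` form, which continues outside it.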

Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (213543 => 213544)


--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in	2017-03-07 22:44:53 UTC (rev 213543)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in	2017-03-07 22:53:17 UTC (rev 213544)
@@ -35,6 +35,16 @@
 (allow process-codesigning-status*)
 #endif
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+(deny sysctl*)
+(allow sysctl-read
+    (sysctl-name
+        "hw.availcpu"
+        "hw.ncpu"
+        "hw.model"
+        "kern.memorystatus_level"))
+#endif
+
 ;; Utility functions for home directory relative path filters
 (define (home-regex home-relative-regex)
   (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))