Title: [224821] trunk/Source/WebKit
Revision
224821
Author
[email protected]
Date
2017-11-14 10:36:27 -0800 (Tue, 14 Nov 2017)

Log Message

Consolidate mach-lookup calls in WebProcess sandbox
https://bugs.webkit.org/show_bug.cgi?id=179650
<rdar://problem/35367154>

Reviewed by Dean Jackson.

Consolidate the various calls to 'allow mach-lookup' imported during Bug 179548 into the main
function in the sandbox profile. Remove some entries that are not needed by WebKit.

Remove the statement to grant global permission to perform mach-lookup for any xpc
service name that was copied into this sandbox profile in Bug 179548. We started blocking
this in macOS 10.13 and want to continue to do so.
        
The earlier "grant global permission" in 'system.sb' apparently allowed some xpc lookups to occur
before we hit the block declaration in the WebContent sandbox. Now that we are consistently blocking
mach lookups we need to add whitelist entries for a few more services to avoid creating new
sandbox violations.

* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (224820 => 224821)


--- trunk/Source/WebKit/ChangeLog	2017-11-14 18:02:41 UTC (rev 224820)
+++ trunk/Source/WebKit/ChangeLog	2017-11-14 18:36:27 UTC (rev 224821)
@@ -1,3 +1,25 @@
+2017-11-10  Brent Fulgham  <[email protected]>
+
+        Consolidate mach-lookup calls in WebProcess sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=179650
+        <rdar://problem/35367154>
+
+        Reviewed by Dean Jackson.
+
+        Consolidate the various calls to 'allow mach-lookup' imported during Bug 179548 into the main
+        function in the sandbox profile. Remove some entries that are not needed by WebKit.
+
+        Remove the statement to grant global permission to perform mach-lookup for any xpc
+        service name that was copied into this sandbox profile in Bug 179548. We started blocking
+        this in macOS 10.13 and want to continue to do so.
+        
+        The earlier "grant global permission" in 'system.sb' apparently allowed some xpc lookups to occur
+        before we hit the block declaration in the WebContent sandbox. Now that we are consistently blocking
+        mach lookups we need to add whitelist entries for a few more services to avoid creating new
+        sandbox violations.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2017-11-14  Tim Horton  <[email protected]>
 
         Long pressing a phone number with spaces in it results in a link sheet instead of a data detectors sheet

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (224820 => 224821)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2017-11-14 18:02:41 UTC (rev 224820)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2017-11-14 18:36:27 UTC (rev 224821)
@@ -36,9 +36,6 @@
 ;;; Allow registration of per-pid services.
 (allow mach-register (local-name-prefix ""))
 
-;;; Allow lookup of XPC services for backward-compatibility.
-(allow mach-lookup (xpc-service-name-prefix ""))
-
 ;;; Allow read access to standard system paths.
 (allow file-read*
     (require-all (file-mode #o0004)
@@ -97,29 +94,6 @@
     (ipc-posix-name "apple.shm.notification_center")
     (ipc-posix-name-prefix "apple.cfprefs."))
 
-(allow mach-lookup
-    (global-name "com.apple.appsleep")
-    (global-name "com.apple.bsd.dirhelper")
-    (global-name "com.apple.cfprefsd.agent")
-    (global-name "com.apple.cfprefsd.daemon")
-    (global-name "com.apple.diagnosticd")
-    (global-name "com.apple.dyld.closured")
-    (global-name "com.apple.espd")
-    (global-name "com.apple.logd")
-    (global-name "com.apple.logd.events")
-    (global-name "com.apple.secinitd")
-    (global-name "com.apple.system.DirectoryService.libinfo_v1")
-    (global-name "com.apple.system.logger")
-    (global-name "com.apple.system.notification_center")
-    (global-name "com.apple.system.opendirectoryd.libinfo")
-    (global-name "com.apple.system.opendirectoryd.membership")
-    (global-name "com.apple.trustd")
-    (global-name "com.apple.trustd.agent")
-    (global-name "com.apple.xpc.activity.unmanaged")
-    (global-name "com.apple.xpcd")
-    (local-name "com.apple.cfprefsd.agent"))
-
-
 ;;; Allow mostly harmless operations.
 (allow sysctl-read)
 
@@ -357,6 +331,7 @@
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
 (deny mach-lookup (xpc-service-name-prefix ""))
 (allow mach-lookup
+    (xpc-service-name "com.apple.PerformanceAnalysis.animationperfd")
     (xpc-service-name "com.apple.accessibility.mediaaccessibilityd")
     (xpc-service-name "com.apple.audio.SandboxHelper")
     (xpc-service-name "com.apple.coremedia.videodecoder")
@@ -363,7 +338,10 @@
     (xpc-service-name "com.apple.coremedia.videoencoder")
     (xpc-service-name-regex #"\.apple-extension-service$")
     (xpc-service-name "com.apple.hiservices-xpcservice")
+    (xpc-service-name "com.apple.ist.ds.appleconnect2.HelperService")
     (xpc-service-name "com.apple.print.normalizerd")
+    (xpc-service-name "com.apple.securityd.xpc")
+    (xpc-service-name "com.apple.signpost.signpost-notificationd")
 )
 #endif
 
@@ -561,14 +539,19 @@
        (global-name "com.apple.audio.SystemSoundServer-OSX")
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
        (global-name "com.apple.analyticsd")
+       (global-name "com.apple.audio.AudioComponentRegistrar")
 #endif
        (global-name "com.apple.audio.audiohald")
        (global-name "com.apple.audio.coreaudiod")
        (global-name "com.apple.awdd")
        (global-name "com.apple.cfnetwork.AuthBrokerAgent")
+       (global-name "com.apple.cfprefsd.agent")
+       (global-name "com.apple.cfprefsd.daemon")
        (global-name "com.apple.cookied")
        (global-name "com.apple.coreservices.launchservicesd")
+       (global-name "com.apple.diagnosticd")
        (global-name "com.apple.dock.server")
+       (global-name "com.apple.dyld.closured")
        (global-name "com.apple.fonts")
        (global-name "com.apple.iconservices")
        (global-name "com.apple.iconservices.store")
@@ -575,18 +558,25 @@
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
        (global-name "com.apple.mediaremoted.xpc")
 #endif
+       (global-name "com.apple.logd")
+       (global-name "com.apple.logd.events")
        (global-name "com.apple.lsd.mapdb")
+       (global-name "com.apple.mobileassetd")
        (global-name "com.apple.nesessionmanager.flow-divert-token")
        (global-name "com.apple.speech.speechsynthesisd")
        (global-name "com.apple.speech.synthesis.console")
+       (global-name "com.apple.system.DirectoryService.libinfo_v1")
+       (global-name "com.apple.system.logger")
        (global-name "com.apple.system.opendirectoryd.api")
+       (global-name "com.apple.systemstats.analysis")
        (global-name "com.apple.tccd")
        (global-name "com.apple.tccd.system")
+       (global-name "com.apple.trustd")
+       (global-name "com.apple.trustd.agent")
        (global-name "com.apple.window_proxies")
        (global-name "com.apple.windowserver.active")
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
-       (global-name "com.apple.audio.AudioComponentRegistrar")
-#endif
+       (global-name "com.apple.xpc.activity.unmanaged")
+       (global-name "com.apple.xpcd")
 )
 
 ;; Security framework
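Review bot: The backward-compatibility rule `(allow mach-lookup (xpc-service-name-prefix ""))` is removed for every OS version, but the explicit `(deny mach-lookup (xpc-service-name-prefix ""))` and the replacement allow-list — including the four newly added xpc-service-name entries — sit inside `#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300`, so on builds for earlier releases whether those XPC services still resolve now depends on the profile's default rule, which is outside the hunk. The ChangeLog describes only the 10.13 behavior; if pre-10.13 builds are meant to fall back to the profile default, a comment above the version guard such as `;;; Pre-10.13 builds carry no explicit XPC lookup rule; the profile default applies.` would record that, and if they are not, the deny line would need to move outside the guard. The global-name entries re-added in the later hunks were unconditional in the removed block as well, so they do not widen the sandbox beyond the previous revision; only `com.apple.logd` and `com.apple.logd.events` now land after the 10.12-guarded `mediaremoted.xpc` entry, breaking the list's otherwise alphabetical order.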