Title: [224830] trunk/Source/WebKit
- Revision: 224830
- Author: [email protected]
- Date: 2017-11-14 12:09:55 -0800 (Tue, 14 Nov 2017)
Log Message
Consolidate sysctl-read rules in WebProcess sandbox
https://bugs.webkit.org/show_bug.cgi?id=179674
<rdar://problem/35367154>
Reviewed by Dean Jackson.
Consolidate the various calls to 'allow sysctl-read' imported during Bug 179548 into
the main function in the sandbox profile.
Remove the statement to grant global sysctl-read permissions that was copied into this
sandbox profile in an earlier checkin. We started blocking the blanket read permissions in
macOS 10.13, and want to continue to do so.
The earlier "grant global read access" in 'system.sb' apparently allowed some sysctl reads
to occur before we hit the block declaration in the WebContent sandbox. Now that we are
consistently blocking sysctl reads from the start, we need to add whitelist entries for a
few more entries to avoid creating new sandbox violations.
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (224829 => 224830)
--- trunk/Source/WebKit/ChangeLog 2017-11-14 20:06:28 UTC (rev 224829)
+++ trunk/Source/WebKit/ChangeLog 2017-11-14 20:09:55 UTC (rev 224830)
@@ -1,3 +1,25 @@
+2017-11-14 Brent Fulgham <[email protected]>
+
+ Consolidate sysctl-read rules in WebProcess sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=179674
+ <rdar://problem/35367154>
+
+ Reviewed by Dean Jackson.
+
+ Consolidate the various calls to 'allow sysctl-read' imported during Bug 179548 into
+ the main function in the sandbox profile.
+
+ Remove the statement to grant global sysctl-read permissions that was copied into this
+ sandbox profile in an earlier checkin. We started blocking the blanket read permissions in
+ macOS 10.13, and want to continue to do so.
+
+ The earlier "grant global read access" in 'system.sb' apparently allowed some sysctl reads
+ to occur before we hit the block declaration in the WebContent sandbox. Now that we are
+ consistently blocking systcl reads from the start, we need to add whitelist entries for a
+ few more entries to avoid creating new sandbox violations.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2017-11-14 Alex Christensen <[email protected]>
Remove WebKit CFURLConnection code
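Review bot: The per-file line `* WebProcess/com.apple.WebProcess.sb.in:` that closes the new entry carries no description, and the entry body only says that "a few more entries" were whitelisted without naming them. Listing the sysctl names and patterns that were added, and which sandbox violations prompted them, would let a later reader audit the allowlist from the ChangeLog alone. The last paragraph also spells "sysctl" as "systcl".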
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (224829 => 224830)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2017-11-14 20:06:28 UTC (rev 224829)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2017-11-14 20:09:55 UTC (rev 224830)
@@ -94,10 +94,6 @@
(ipc-posix-name "apple.shm.notification_center")
(ipc-posix-name-prefix "apple.cfprefs."))
-;;; Allow mostly harmless operations.
-(allow sysctl-read)
-
-
;;; (system-graphics) - Allow access to graphics hardware.
(define (system-graphics)
;; Preferences
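Review bot: The removal of the blanket `(allow sysctl-read)` leaves nothing at this spot to say that it must not come back. Since the log message says the rule arrived by being copied in from 'system.sb', a one-line comment here stating that sysctl reads are governed only by the `(deny sysctl*)` allowlist later in the profile would help keep a future import from reintroducing it unnoticed.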
@@ -181,11 +177,26 @@
(deny sysctl*)
(allow sysctl-read
(sysctl-name
- "hw.availcpu"
+ "hw.busfrequency_max"
+ "hw.cputype"
+ "hw.l2cachesize"
+ "hw.machine"
+ "hw.memsize"
+ "hw.model"
"hw.ncpu"
- "hw.model"
+ "hw.vectorunit"
+ "kern.hostname"
+ "kern.maxfilesperproc"
"kern.memorystatus_level"
- "vm.footprint_suspend"))
+ "kern.safeboot"
+ "kern.version"
+ "vm.footprint_suspend")
+ (sysctl-name-regex #"^hw.(active|avail)cpu")
+ (sysctl-name-regex #"^hw.(logical|physical)cpu_max")
+ (sysctl-name-regex #"^hw.optional\.")
+ (sysctl-name-regex #"^kern.os(release|type|variant_status|version)")
+ (sysctl-name-regex #"^net.routetable")
+)
(deny iokit-get-properties)
(allow iokit-get-properties
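Review bot: The `sysctl-name-regex` patterns added at the end of the `(allow sysctl-read ...)` form are looser than the names they appear to target. The dot after `hw`, `kern` and `net` is unescaped, so it matches any character (only `#"^hw.optional\."` escapes a dot, and only its second one), and none of the patterns ends in `$`, so `#"^hw.(active|avail)cpu"` and `#"^kern.os(release|type|variant_status|version)"` also admit any longer name that starts with those strings. If exact names are intended, list them under `sysctl-name` as the literals above are, or write the patterns as `^hw\.(active|avail)cpu$` and so on. `#"^net.routetable"` is a prefix match as well and deserves a comment saying which reads it is meant to cover, since the other additions are hardware and kernel identification values. The closing parenthesis on a line of its own also departs from the style of the form it replaces.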
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes