Title: [231057] trunk/Source/WebKit
- Revision: 231057
- Author: [email protected]
- Date: 2018-04-26 11:20:50 -0700 (Thu, 26 Apr 2018)
Log Message
Remove access to keychain from the WebContent process
https://bugs.webkit.org/show_bug.cgi?id=184428
<rdar://problem/13150903>
Part 3.
Tighten WebContent Process' sandbox profile to all Security.framework services.
Reviewed by Brent Fulgham.
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (231056 => 231057)
--- trunk/Source/WebKit/ChangeLog 2018-04-26 18:17:55 UTC (rev 231056)
+++ trunk/Source/WebKit/ChangeLog 2018-04-26 18:20:50 UTC (rev 231057)
@@ -1,3 +1,17 @@
+2018-04-26 Jiewen Tan <[email protected]>
+
+ Remove access to keychain from the WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=184428
+ <rdar://problem/13150903>
+
+ Part 3.
+
+ Tighten WebContent Process' sandbox profile to all Security.framework services.
+
+ Reviewed by Brent Fulgham.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2018-04-26 Youenn Fablet <[email protected]>
Make cross origin redirection error messages consistent between SubresourceLoader and NetworkLoadChecker
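Review bot: The ChangeLog entry ends at `* WebProcess/com.apple.WebProcess.sb.in:` with no per-file description, so the log does not record which classes of rule were dropped. Suggest adding a line after the file name that names them: the securityd XPC service name, the com.apple.security preference domains, the Security framework mach-lookup names, and the keychain and security plist file rules. The summary "Tighten WebContent Process' sandbox profile to all Security.framework services" is also ambiguous, since "tighten ... to" can be read as granting access; wording it as removing access would match the title.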
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (231056 => 231057)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2018-04-26 18:17:55 UTC (rev 231056)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2018-04-26 18:20:50 UTC (rev 231057)
@@ -365,7 +365,6 @@
(xpc-service-name "com.apple.hiservices-xpcservice")
(xpc-service-name "com.apple.ist.ds.appleconnect2.HelperService")
(xpc-service-name "com.apple.print.normalizerd")
- (xpc-service-name "com.apple.securityd.xpc")
(xpc-service-name "com.apple.signpost.signpost-notificationd")
)
#endif
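Review bot: The removed `(xpc-service-name "com.apple.securityd.xpc")` sits in a block closed by `#endif`, and the guarding condition is outside the visible context. Please confirm that any counterpart list for the other build configuration does not still name this service, otherwise the lookup stays allowed on that configuration.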
@@ -469,9 +468,6 @@
"com.apple.driver.AppleHIDMouse"
"com.apple.lookup.shared"
"com.apple.networkConnect"
- "com.apple.security"
- "com.apple.security.common"
- "com.apple.security.revocation"
"com.apple.speech.voice.prefs"
"com.apple.systemsound"
"com.apple.universalaccess"
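Review bot: Dropping `"com.apple.security"`, `"com.apple.security.common"` and `"com.apple.security.revocation"` from this domain list is only complete together with the removal of the matching `.plist` path rules further down the same file, and nothing here ties the two edits together. A short comment near this list, or a line in the ChangeLog, stating that Security preferences are intentionally unreadable from the WebContent process would keep someone from re-adding one of these entries later to silence a sandbox violation.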
@@ -600,40 +596,11 @@
(global-name "com.apple.xpcd")
)
-;; Security framework
-(allow mach-lookup
- (global-name "com.apple.ctkd.token-client")
- (global-name "com.apple.ocspd")
- (global-name "com.apple.securityd.xpc")
- (global-name "com.apple.CoreAuthentication.agent.libxpc")
- (global-name "com.apple.SecurityServer"))
-
-;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
-;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
-(allow file-read-data file-read-metadata file-write*
- (subpath "/Library/Keychains"))
-
-;; Do permit creating per-user keychains
-(allow file-read* file-write*
- (home-subpath "/Library/Keychains"))
-
-;; Except deny access to new-style iOS Keychain folders which are UUIDs.
-(deny file-read* file-write*
- (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
- (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
-
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
(allow file-read*
(subpath "/private/var/db/mds")
- (literal "/private/var/db/DetachedSignatures")
- ; The following are needed until <rdar://problem/11134688> is resolved.
- (literal "/Library/Preferences/com.apple.security.plist")
- (literal "/Library/Preferences/com.apple.security.common.plist")
- (literal "/Library/Preferences/com.apple.security.revocation.plist")
- (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
- (home-literal "/Library/Preferences/com.apple.security.plist")
- (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
+ (literal "/private/var/db/DetachedSignatures"))
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
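Review bot: The rules for `/private/var/db/mds/system`, `/private/var/db/mds` and `/private/var/db/DetachedSignatures` are kept at the end of this hunk while the `;; Security framework` section that preceded them is deleted, and the `file-write*` grant on `/private/var/db/mds/system` still carries its FIXME. If these paths were only needed by Security.framework they should be removed in this change as well; if something else depends on them, add a comment saying what, since the surrounding context that explained them is now gone. Separately, the explicit `deny` on the UUID-named folders under `/Library/Keychains` is removed along with the allows; that is safe only if no broader rule elsewhere in the profile grants read or write access under `/Library/Keychains`, which is worth checking before landing.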