Title: [254204] trunk/Source/WebKit
- Revision
- 254204
- Author
- [email protected]
- Date
- 2020-01-08 09:13:39 -0800 (Wed, 08 Jan 2020)
Log Message
Unreviewed, rolling out r254174.
Broke 80 tests on Catalina
Reverted changeset:
"Network process sandboxes should not include 'common.sb' or
'system.sb'"
https://bugs.webkit.org/show_bug.cgi?id=205521
https://trac.webkit.org/changeset/254174
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (254203 => 254204)
--- trunk/Source/WebKit/ChangeLog 2020-01-08 17:02:37 UTC (rev 254203)
+++ trunk/Source/WebKit/ChangeLog 2020-01-08 17:13:39 UTC (rev 254204)
@@ -1,3 +1,16 @@
+2020-01-08 Truitt Savell <[email protected]>
+
+ Unreviewed, rolling out r254174.
+
+ Broke 80 tests on Catalina
+
+ Reverted changeset:
+
+ "Network process sandboxes should not include 'common.sb' or
+ 'system.sb'"
+ https://bugs.webkit.org/show_bug.cgi?id=205521
+ https://trac.webkit.org/changeset/254174
+
2020-01-08 Wenson Hsieh <[email protected]>
Add support for encoding WebCore::Font over IPC for DisplayList::DrawGlyphs
Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (254203 => 254204)
--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2020-01-08 17:02:37 UTC (rev 254203)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2020-01-08 17:13:39 UTC (rev 254204)
@@ -25,144 +25,7 @@
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
-;;;
-;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
-;;; remove unneeded sandbox extensions.
-;;;
-
-(allow mach-register (local-name-prefix ""))
-
-(allow mach-lookup (xpc-service-name-prefix ""))
-
-(allow system-automount
- (process-attribute is-platform-binary))
-
-(allow file-map-executable
- (subpath "/Library/Apple/System/Library/Frameworks")
- (subpath "/Library/Apple/System/Library/PrivateFrameworks")
- (subpath "/System/Library/Frameworks")
- (subpath "/System/Library/PrivateFrameworks")
- (subpath "/usr/lib")
- (literal "/usr/local/lib/sanitizers"))
-
-(allow file-read-metadata
- (literal "/etc")
- (literal "/tmp")
- (literal "/var")
- (literal "/private/etc/localtime"))
-
-(allow file-read-metadata (path-ancestors "/System/Volumes/Data/private"))
-
-(allow file-read* (literal "/"))
-
-(allow file-read*
- (subpath "/Library/Apple/System")
- (subpath "/Library/Filesystems/NetFSPlugins")
- (subpath "/Library/Preferences/Logging") ; Logging Rethink
- (subpath "/System")
- (subpath "/private/var/db/dyld")
- (subpath "/private/var/db/timezone")
- (subpath "/usr/lib")
- (subpath "/usr/share"))
-
-(allow file-read*
- (literal "/dev/autofs_nowait")
- (literal "/dev/random")
- (literal "/dev/urandom")
- (literal "/private/etc/master.passwd")
- (literal "/private/etc/passwd")
- (literal "/private/etc/protocols")
- (literal "/private/etc/services"))
-
-(allow file-read*
- file-write-data
- (literal "/dev/null")
- (literal "/dev/zero"))
-
-(allow file-read*
- file-write-data
- file-ioctl
- (literal "/dev/dtracehelper"))
-
-(allow file-read*
- (literal "/usr/local/lib/sanitizers"))
-
-(allow file-write-create
- (require-all (prefix "/cores/")
- (vnode-type REGULAR-FILE)))
-
-(allow file-read*
- (require-all (subpath "/AppleInternal/Library/Preferences/Logging")
- (system-attribute apple-internal)))
-
-(allow file-read* file-map-executable
- (require-all (subpath "/usr/local/lib/log")
- (system-attribute apple-internal)))
-
-(allow network-outbound
- (literal "/private/var/run/syslog"))
-
-(allow ipc-posix-shm-read*
- (ipc-posix-name "apple.shm.notification_center")
- (ipc-posix-name-prefix "apple.cfprefs."))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.analyticsd")
- (global-name "com.apple.analyticsd.messagetracer")
- (global-name "com.apple.appsleep")
- (global-name "com.apple.bsd.dirhelper")
- (global-name "com.apple.cfprefsd.agent")
- (global-name "com.apple.cfprefsd.daemon")
- (global-name "com.apple.diagnosticd")
- (global-name "com.apple.espd")
- (global-name "com.apple.logd")
- (global-name "com.apple.logd.events")
- (global-name "com.apple.secinitd")
- (global-name "com.apple.system.DirectoryService.libinfo_v1")
- (global-name "com.apple.system.logger")
- (global-name "com.apple.system.notification_center")
- (global-name "com.apple.system.opendirectoryd.libinfo")
- (global-name "com.apple.system.opendirectoryd.membership")
- (global-name "com.apple.trustd")
- (global-name "com.apple.trustd.agent")
- (global-name "com.apple.xpc.activity.unmanaged")
- (local-name "com.apple.cfprefsd.agent"))
-
-(with-filter (system-attribute apple-internal)
- (allow mach-lookup (global-name "com.apple.internal.objc_trace")))
-
-(define (system-network)
- (allow file-read*
- (literal "/Library/Preferences/com.apple.networkd.plist")
- (literal "/private/var/db/nsurlstoraged/dafsaData.bin"))
- (allow mach-lookup
- (global-name "com.apple.SystemConfiguration.PPPController")
- (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
- (global-name "com.apple.nehelper")
- (global-name "com.apple.nesessionmanager")
- (global-name "com.apple.networkd")
- (global-name "com.apple.nsurlstorage-cache")
- (global-name "com.apple.symptomsd")
- (global-name "com.apple.usymptomsd"))
- (allow network-outbound
- (control-name "com.apple.netsrc")
- (control-name "com.apple.network.statistics"))
- (allow system-socket
- (require-all (socket-domain AF_SYSTEM)
- (socket-protocol 2)) ; SYSPROTO_CONTROL
- (socket-domain AF_ROUTE))
- (allow mach-lookup
- (global-name "com.apple.AppSSO.service-xpc"))
- (allow ipc-posix-shm-read-data
- (ipc-posix-name "/com.apple.AppSSO.version")))
-
-;;;
-;;; End rules originally copied from 'system.sb'
-;;;
-#else
(import "system.sb")
-#endif
;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (254203 => 254204)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2020-01-08 17:02:37 UTC (rev 254203)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2020-01-08 17:13:39 UTC (rev 254204)
@@ -25,531 +25,8 @@
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
-;;;
-;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
-;;; remove unneeded sandbox extensions.
-;;;
+(import "common.sb")
-(import "util.sb")
-
-(define-once (allow-read-and-issue-generic-extensions . filters)
- (allow file-read*
- (apply require-any filters))
- (allow file-issue-extension
- (require-all
- ;; APP_SANDBOX_READ - default for sandbox_issue_extension() & sandbox_issue_fs_extension().
- (extension-class "com.apple.app-sandbox.read")
- (apply require-any filters))))
-
-(define-once (allow-read-write-and-issue-generic-extensions . filters)
- (allow file-read* file-write*
- (apply require-any filters))
- (allow file-read-metadata
- (apply require-any filters))
- (allow file-issue-extension
- (require-all
- (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
- (apply require-any filters))))
-
-(define-once (allow-network-common)
- ;; <rdar://problem/8645367>
- (allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))
- (allow network-outbound
- (control-name "com.apple.network.statistics")
- (control-name "com.apple.netsrc"))
-
- (allow sysctl-read
- (sysctl-name "kern.ipc.maxsockbuf")
- (sysctl-name "kern.nisdomainname")
- (sysctl-name-prefix "net.routetable.")
- (sysctl-name "net.statistics"))
-
- ;; <rdar://problem/10642881>
- (allow file-read*
- (literal "/private/var/preferences/com.apple.networkd.plist"))
-
- ;; <rdar://problem/27580907>
- (allow file-read*
- (literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist"))
-
- ;; <rdar://problem/13679154>
- (allow file-read*
- (literal "/private/var/preferences/com.apple.NetworkStatistics.plist"))
-
- ;; <rdar://problem/15711661>
- (allow mach-lookup
- (global-name "com.apple.nesessionmanager"))
-
- ;; <rdar://problem/7693463>
- (allow system-socket (socket-domain AF_ROUTE))
-
- (if gizmo?
- (with-filter
- (require-any
- (require-entitlement "com.apple.security.network.client")
- (require-entitlement "com.apple.security.network.server"))
- (allow network-outbound (literal "/private/var/run/mDNSResponder")))
- (allow network-outbound (literal "/private/var/run/mDNSResponder")))
-
- ;; <rdar://problem/10962803>
- ;; <rdar://problem/13238730>
- (allow mach-lookup
- (global-name "com.apple.SystemConfiguration.configd")
- (global-name "com.apple.SystemConfiguration.helper")
- (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
- (global-name "com.apple.SystemConfiguration.DNSConfiguration")
- (global-name "com.apple.SystemConfiguration.PPPController")
- (global-name "com.apple.SystemConfiguration.NetworkInformation"))
-
- ;; <rdar://problem/11792470>
- ;; <rdar://problem/13305819>
- (allow mach-lookup
- (global-name "com.apple.commcenter.xpc")
- (global-name "com.apple.commcenter.cupolicy.xpc"))
-
- (allow mach-lookup
- (global-name "com.apple.securityd")
- (global-name "com.apple.trustd"))
- (allow file-read*
- (literal "/private/var/preferences/com.apple.security.plist"))
-
- ;; <rdar://problem/13301795>
- (allow mach-lookup
- (global-name "com.apple.usymptomsd")
- (global-name "com.apple.symptomsd")
- (global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772>
-
- (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
- (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.plist")))
-
- (with-filter (apple-signed-executable?)
- (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist")))
-
- (allow mach-lookup
- (global-name "com.apple.AppSSO.service-xpc"))
- (allow ipc-posix-shm-read-data
- (ipc-posix-name "/com.apple.AppSSO.version"))
-
- ;; <rdar://problem/30452093>
- (multipath-tcp))
-
-(define-once (network-client . filters)
- (allow-network-common)
-
- ;; <rdar://problem/9193431>
- (allow mach-lookup
- (global-name "com.apple.networkd"))
-
- ;; <rdar://problem/20094008>
- ;; <rdar://problem/24689958>
- (with-filter (require-any
- (require-entitlement "com.apple.networkd.advisory_socket")
- (require-entitlement "com.apple.networkd.disable_opportunistic")
- (require-entitlement "com.apple.networkd.modify_settings")
- (require-entitlement "com.apple.networkd.persistent_interface")
- (require-entitlement "com.apple.networkd_privileged"))
- (allow mach-lookup
- (global-name "com.apple.networkd_privileged")))
-
- ;; <rdar://problem/20201593>
- (with-filter (require-any
- (apple-signed-executable?)
- (require-entitlement "com.apple.authkit.client")
- (require-entitlement "com.apple.authkit.client.private")
- (require-entitlement "com.apple.authkit.client.internal"))
- (allow mach-lookup
- (global-name "com.apple.ak.anisette.xpc")
- (global-name "com.apple.ak.auth.xpc")))
-
- ;; <rdar://problem/15897781>
- (allow mach-lookup
- (global-name "com.apple.nsurlsessiond"))
- (allow file-issue-extension
- (require-all
- (executable-bundle)
- (extension-class "com.apple.nsurlsessiond.readonly")))
-
- ;; <rdar://problem/20617514>
- (when gizmo?
- (allow mach-lookup
- (global-name "com.apple.nsurlsessiond.NSURLSessionProxyService")
- (global-name "com.apple.sharingd.NSURLSessionProxyService")))
-
- ;; <rdar://problem/15608009>
- (allow mach-lookup
- (global-name "com.apple.nsurlstorage-cache"))
-
- ;; <rdar://problem/10423007>
- (allow mach-lookup
- (global-name "com.apple.cfnetwork.AuthBrokerAgent")
- (global-name "com.apple.cfnetwork.cfnetworkagent"))
-
- ;; <rdar://problem/12620714>
- (deny file-write-create (with no-report)
- (home-prefix "/Library/Logs/CrashReporter/CFNetwork_"))
-
- (allow mach-lookup
- (global-name "com.apple.cookied"))
-
- ;; <rdar://problem/17910466>
- (allow mach-lookup
- (global-name "com.apple.accountsd.accountmanager"))
-
- ;; GSS-API
- (allow mach-lookup
- (global-name "com.apple.GSSCred"))
-
- ;; <rdar://problem/17853959>
- (mobile-keybag-access)
-
- (allow mach-lookup
- (global-name "com.apple.nehelper"))
-
- (allow-well-known-system-group-container-literal-read
- "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
-
- ;; <rdar://problem/33277999>
- (mobile-preferences-read "com.apple.CFNetwork")
-
- (if (null? filters)
- (allow network-outbound)
- ; else
- (allow network-outbound (apply require-any filters))))
-
-(define-once (multipath-tcp)
- (allow system-socket (socket-domain 39)))
-
-(define-once (managed-configuration-read-public)
- (allow file-read*
- (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
- (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
- (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))
- (allow mach-lookup
- (global-name "com.apple.managedconfiguration.profiled.public")))
-
-(define-once (allow-preferences-common)
- (allow file-read-metadata
- (home-literal "")
- (home-literal "/Library/Preferences")))
-
-(define-once (mobile-preferences-read . domains)
- (allow-preferences-common)
- (allow user-preference-read (apply preference-domain domains)))
-
-(define-once (mobile-keybag-access)
- (allow iokit-open (with report) (with telemetry)
- (iokit-user-client-class "AppleKeyStoreUserClient")))
-
-(define-once (debugging-support)
- ;; <rdar://problem/8379706>
- ;; <rdar://problem/12868101>
- ;; <rdar://problem/22766887>
- ;; <rdar://problem/22880365>
- (allow file-read* file-map-executable
- (subpath "/Developer"))
-
- ;; <rdar://problem/7674121>
- ;; <rdar://problem/9151290>
- (allow ipc-posix-shm
- (ipc-posix-name-regex #"^stack-logs")
- (ipc-posix-name-regex #"^OA-")
- (ipc-posix-name-regex #"^/FSM-"))
-
- (with-filter (system-attribute apple-internal)
- ;; <rdar://problem/8565035>
- ;; <rdar://problem/23857452>
- (allow file-read* file-map-executable
- (subpath "/AppleInternal")
- (subpath "/usr/local/lib")))
- (with-elevated-precedence
- (allow file-read* file-map-executable file-issue-extension
- (front-user-home-subpath "/XcodeBuiltProducts")))
-
- ;; <rdar://problem/8107758>
- (allow file-read* file-map-executable
- (subpath "/System/Library/Frameworks")
- (subpath "/System/Library/PrivateFrameworks"))
-
- ;; <rdar://problem/11455762>
- (allow mach-lookup
- (global-name "com.apple.hangtracerd"))
- ;; <rdar://problem/32544921>
- (mobile-preferences-read "com.apple.hangtracer")
-
- ;; <rdar://problem/9090627>
- (with-filter (apple-signed-executable?)
- (allow mach-lookup
- (global-name "com.apple.ReportCrash.SimulateCrash"))))
-
-(define-once (logd-diagnostic-paths)
- (require-any
- (subpath "/private/var/db/diagnostics")
- (subpath "/private/var/db/timesync")
- (subpath "/private/var/db/uuidtext")
- (subpath "/private/var/userdata/diagnostics")))
-(define-once (logd-diagnostic-client)
- (with-filter
- (require-all
- (require-any
- (require-entitlement "com.apple.private.logging.diagnostic")
- (require-entitlement "com.apple.diagnosticd.diagnostic"))
- (extension "com.apple.logd.read-only"))
- (allow file-read*
- (logd-diagnostic-paths))))
-
-(define required-etc-files
- (literal "/private/etc/fstab"
- "/private/etc/hosts"
- "/private/etc/group"
- "/private/etc/passwd"
- "/private/etc/protocols"
- "/private/etc/services"))
-
-(define-once (allow-multi-instance-xpc-services)
- ;; <rdar://problem/46716068>
- (allow mach-lookup
- (with telemetry)
- (with message "Create a radar and set it as a blocker to rdar://problem/48527566")
- (xpc-service-name "com.apple.WebKit.Networking"
- "com.apple.WebKit.WebContent")
-))
-
-(allow sysctl-read
- (sysctl-name "kern.bootsessionuuid"))
-
-(deny file-map-executable)
-(deny file-write-mount file-write-unmount)
-(allow file-read-metadata
- (vnode-type DIRECTORY))
-
-(mobile-preferences-read "com.apple.security")
-
-(with-elevated-precedence
- ;; System files.
- (allow file-read*
- (subpath "/usr/lib"
- "/usr/share"
- "/private/var/db/timezone"))
- (allow-read-and-issue-generic-extensions
- (subpath "/Library/RegionFeatures"
- "/System/Library"))
-
- (allow file-map-executable
- (subpath "/System/Library")
- (subpath "/usr/lib"))
-
- (allow file-read-metadata
- (vnode-type SYMLINK))
-
- (allow file-read*
- (subpath "/private/var/preferences/Logging"))
-
- (mobile-preferences-read "kCFPreferencesAnyApplication")
- (allow file-read*
- (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
-
- (allow file-read*
- (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
- (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
-
- (allow file-read-metadata
- (home-literal "/Library/Caches/powerlog.launchd"))
-
- (allow-read-and-issue-generic-extensions (executable-bundle))
- (allow file-map-executable (executable-bundle))
-
- (deny file-read-data file-issue-extension file-map-executable
- (require-all
- (executable-bundle)
- (regex #"/[^/]+/SC_Info/")))
-
- (with-filter (global-name-prefix "")
- (allow mach-lookup
- (extension "com.apple.security.exception.mach-lookup.global-name"))
- (allow mach-register
- (extension "com.apple.security.exception.mach-register.global-name")))
- (with-filter (local-name-prefix "")
- (allow mach-lookup
- (extension "com.apple.security.exception.mach-lookup.local-name"))
- (allow mach-register
- (extension "com.apple.security.exception.mach-register.local-name")))
- (allow-read-and-issue-generic-extensions
- (extension "com.apple.security.exception.files.absolute-path.read-only")
- (extension "com.apple.security.exception.files.home-relative-path.read-only"))
- (allow-read-write-and-issue-generic-extensions
- (extension "com.apple.security.exception.files.absolute-path.read-write")
- (extension "com.apple.security.exception.files.home-relative-path.read-write"))
- (allow iokit-open
- (extension "com.apple.security.exception.iokit-user-client-class"))
- (allow managed-preference-read
- (extension "com.apple.security.exception.managed-preference.read-only"))
- (allow user-preference-read
- (extension "com.apple.security.exception.shared-preference.read-only"))
- (allow user-preference-read user-preference-write
- (extension "com.apple.security.exception.shared-preference.read-write"))
- (allow sysctl-read
- (extension "com.apple.security.exception.sysctl.read-only"))
- (allow sysctl-read sysctl-write
- (extension "com.apple.security.exception.sysctl.read-write"))
-
- (allow file-issue-extension
- (require-all
- (extension-class "com.apple.nsurlstorage.extension-cache")
- (extension "com.apple.security.exception.files.home-relative-path.read-write")
- (require-any
- (prefix "/private/var/root/Library/Caches/")
- (front-user-home-prefix "/Library/Caches/"))))
-
- (with-filter (require-entitlement "com.apple.security.exception.process-info")
- (allow process-info-pidinfo process-info-pidfdinfo process-info-pidfileportinfo process-info-rusage process-info-codesignature)
- (allow sysctl-read
- (sysctl-name-prefix "kern.proc.")
- (sysctl-name-prefix "kern.procargs2."))))
-
-(debugging-support)
-
-(allow file-read*
- required-etc-files
- (literal "/"))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.logd")
- (global-name "com.apple.logd.events"))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.cfprefsd.daemon")
- (global-name "com.apple.cfprefsd.agent")
- (local-name "com.apple.cfprefsd.agent"))
-(allow ipc-posix-shm-read*
- (ipc-posix-name-prefix "apple.cfprefs."))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.runningboard"))
-
-(allow-multi-instance-xpc-services)
-
-(allow system-sched
- (require-entitlement "com.apple.private.kernel.override-cpumon"))
-
-(allow sysctl-read (with report) (with telemetry)
- (sysctl-name "hw.activecpu")
- (sysctl-name "hw.busfrequency")
- (sysctl-name "hw.busfrequency_compat")
- (sysctl-name "hw.byteorder")
- (sysctl-name "hw.cachelinesize")
- (sysctl-name "hw.cachelinesize_compat")
- (sysctl-name "hw.cpu64bit_capable")
- (sysctl-name "hw.cpufamily")
- (sysctl-name "hw.cpufrequency")
- (sysctl-name "hw.cpufrequency_compat")
- (sysctl-name "hw.cpufrequency_max")
- (sysctl-name "hw.cpusubtype")
- (sysctl-name "hw.cputype")
- (sysctl-name "hw.l1dcachesize")
- (sysctl-name "hw.l1dcachesize_compat")
- (sysctl-name "hw.l1icachesize")
- (sysctl-name "hw.l1icachesize_compat")
- (sysctl-name "hw.l2cachesize")
- (sysctl-name "hw.l2cachesize_compat")
- (sysctl-name "hw.l2settings")
- (sysctl-name "hw.l3cachesize")
- (sysctl-name "hw.l3cachesize_compat")
- (sysctl-name "hw.l3settings")
- (sysctl-name "hw.logicalcpu")
- (sysctl-name "hw.logicalcpu_max")
- (sysctl-name "hw.machine")
- (sysctl-name "hw.memsize")
- (sysctl-name "hw.pagesize")
- (sysctl-name "hw.pagesize_compat")
- (sysctl-name "hw.physicalcpu")
- (sysctl-name "hw.physicalcpu_max")
- (sysctl-name "hw.physmem")
- (sysctl-name "hw.tbfrequency")
- (sysctl-name "hw.tbfrequency_compat")
- (sysctl-name "hw.usermem")
- (sysctl-name "hw.vectorunit")
- (sysctl-name "kern.bootargs")
- (sysctl-name "kern.boottime")
- (sysctl-name "kern.clockrate")
- (sysctl-name "kern.development")
- (sysctl-name "kern.hostid")
- (sysctl-name "kern.hostname")
- (sysctl-name "kern.maxfilesperproc")
- (sysctl-name "kern.maxproc")
- (sysctl-name "kern.maxvnodes")
- (sysctl-name-prefix "kern.monotonicclock")
- (sysctl-name "kern.monotoniclock_offset_usecs")
- (sysctl-name "kern.ngroups")
- (sysctl-name "kern.osproductversion")
- (sysctl-name "kern.osrelease")
- (sysctl-name "kern.ostype")
- (sysctl-name "kern.osvariant_status")
- (sysctl-name "kern.osversion")
- (sysctl-name "kern.saved_ids")
- (sysctl-name "kern.secure_kernel")
- (sysctl-name "kern.usrstack")
- (sysctl-name "kern.usrstack64")
- (sysctl-name "kern.version")
- (sysctl-name "kern.waketime")
- (sysctl-name "security.mac.sandbox.sentinel")
- (sysctl-name "sysctl.name2oid")
- (sysctl-name "vm.loadavg")
- (sysctl-name-prefix "kern.argmax")
- (sysctl-name-prefix "kern.proc.pid.")
-)
-
-(with-filter (system-attribute apple-internal)
- (allow sysctl-read
- (sysctl-name "kern.dtrace.dof_mode"))
- (allow sysctl-read sysctl-write
- (sysctl-name "vm.footprint_suspend")))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.system.logger"))
-(allow file-read-metadata network-outbound (with report) (with telemetry)
- (literal "/private/var/run/syslog"))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.system.notification_center"))
-(allow ipc-posix-shm-read* (with report) (with telemetry)
- (ipc-posix-name "apple.shm.notification_center"))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.distributed_notifications@1v3"))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.diagnosticd"))
-
-(logd-diagnostic-client)
-
-(managed-configuration-read-public)
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.ctkd.token-client"))
-
-(deny system-info (with no-report)
- (info-type "net.link.addr"))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.system.libinfo.muser"))
-
-(allow mach-task-name (target self))
-
-(allow process-info-pidinfo (target self))
-(allow process-info-pidfdinfo (target self))
-(allow process-info-pidfileportinfo (target self))
-(allow process-info-setcontrol (target self))
-(allow process-info-dirtycontrol (target self))
-(allow process-info-rusage (target self))
-(allow process-info-codesignature (target self))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.analyticsd"))
-
-;;;
-;;; End rules originally copied from 'common.sb'
-;;;
-
(deny mach-lookup (xpc-service-name-prefix ""))
(deny lsopen)
@@ -582,7 +59,7 @@
(iokit-user-client-class "RootDomainUserClient"))
;; Various services required by CFNetwork and other frameworks
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup
(global-name "com.apple.PowerManagement.control"))
(network-client (remote tcp) (remote udp))
@@ -596,16 +73,16 @@
)
;; Security framework
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup
(global-name "com.apple.ocspd")
(global-name "com.apple.securityd"))
;; PassKit framework
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup
(global-name "com.apple.passd.in-app-payment")
(global-name "com.apple.passd.library"))
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup
(global-name "com.apple.FileCoordination")
(global-name "com.apple.dmd.policy")
(global-name "com.apple.siri.context.service")
@@ -612,7 +89,7 @@
(global-name "com.apple.ctcategories.service"))
(deny file-write-create
- (vnode-type SYMLINK))
+ (vnode-type SYMLINK))
;; FIXME should be removed when <rdar://problem/30498072> is fixed.
(allow network*
@@ -622,17 +99,17 @@
(remote tcp))
;; Various services required by system frameworks
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.analyticsd")
(global-name "com.apple.AppSSO.service-xpc"))
;; For reporting progress for active downloads <rdar://problem/44405661>
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup
(global-name "com.apple.ProgressReporting"))
;; <rdar://problem/47598758>
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup
(global-name "com.apple.nesessionmanager.content-filter"))
;; Various shared memory accesses required by system frameworks
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
