Title: [254209] trunk/Source/WebKit
- Revision
- 254209
- Author
- [email protected]
- Date
- 2020-01-08 11:36:34 -0800 (Wed, 08 Jan 2020)
Log Message
Network process sandboxes should not include 'common.sb' or 'system.sb'
https://bugs.webkit.org/show_bug.cgi?id=205521
<rdar://problem/58095870>
Reviewed by Per Arne Vollan.
This patch replaces the 'include' with a copy/paste of the contents of the relevant
sandbox include file. I removed definitions that were not referenced in the existing
Network sandbox, but did not otherwise edit the contents. There are duplicates and
redundancies after this patch, which I will remove as a follow-up step once we confirm
that this has no regressions.
I also updated the sandbox to generate telemetry for some mach connections that we think
are unneeded, or that should be targeted for removal.
No new tests. There should be no change in behavior.
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
Modified: trunk/Source/WebKit/ChangeLog (254208 => 254209)
--- trunk/Source/WebKit/ChangeLog 2020-01-08 19:26:04 UTC (rev 254208)
+++ trunk/Source/WebKit/ChangeLog 2020-01-08 19:36:34 UTC (rev 254209)
@@ -1,3 +1,25 @@
+2020-01-08 Brent Fulgham <[email protected]>
+
+ Network process sandboxes should not include 'common.sb' or 'system.sb'
+ https://bugs.webkit.org/show_bug.cgi?id=205521
+ <rdar://problem/58095870>
+
+ Reviewed by Per Arne Vollan.
+
+ This patch replaces the 'include' with a copy/paste of the contents of the relevant
+ sandbox include file. I removed definitions that were not referenced in the existing
+ Network sandbox, but did not otherwise edit the contents. There are duplicates and
+ redundancies after this patch, which I will remove as a follow-up step once we confirm
+ that this has no regressions.
+
+ I also updated the sandbox to generate telemetry for some mach connections that we think
+ are unneeded, or that should be targeted for removal.
+
+ No new tests. There should be no change in behavior.
+
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+
2020-01-08 David Kilzer <[email protected]>
IPC::Connection::sendMessage() should use CRASH_WITH_INFO()
Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (254208 => 254209)
--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2020-01-08 19:26:04 UTC (rev 254208)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2020-01-08 19:36:34 UTC (rev 254209)
@@ -25,7 +25,144 @@
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
+;;;
+;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
+;;; remove unneeded sandbox extensions.
+;;;
+
+(allow mach-register (local-name-prefix ""))
+
+(allow mach-lookup (xpc-service-name-prefix ""))
+
+(allow system-automount
+ (process-attribute is-platform-binary))
+
+(allow file-map-executable
+ (subpath "/Library/Apple/System/Library/Frameworks")
+ (subpath "/Library/Apple/System/Library/PrivateFrameworks")
+ (subpath "/System/Library/Frameworks")
+ (subpath "/System/Library/PrivateFrameworks")
+ (subpath "/usr/lib")
+ (literal "/usr/local/lib/sanitizers"))
+
+(allow file-read-metadata
+ (literal "/etc")
+ (literal "/tmp")
+ (literal "/var")
+ (literal "/private/etc/localtime"))
+
+(allow file-read-metadata (path-ancestors "/System/Volumes/Data/private"))
+
+(allow file-read* (literal "/"))
+
+(allow file-read*
+ (subpath "/Library/Apple/System")
+ (subpath "/Library/Filesystems/NetFSPlugins")
+ (subpath "/Library/Preferences/Logging") ; Logging Rethink
+ (subpath "/System")
+ (subpath "/private/var/db/dyld")
+ (subpath "/private/var/db/timezone")
+ (subpath "/usr/lib")
+ (subpath "/usr/share"))
+
+(allow file-read*
+ (literal "/dev/autofs_nowait")
+ (literal "/dev/random")
+ (literal "/dev/urandom")
+ (literal "/private/etc/master.passwd")
+ (literal "/private/etc/passwd")
+ (literal "/private/etc/protocols")
+ (literal "/private/etc/services"))
+
+(allow file-read*
+ file-write-data
+ (literal "/dev/null")
+ (literal "/dev/zero"))
+
+(allow file-read*
+ file-write-data
+ file-ioctl
+ (literal "/dev/dtracehelper"))
+
+(allow file-read*
+ (literal "/usr/local/lib/sanitizers"))
+
+(allow file-write-create
+ (require-all (prefix "/cores/")
+ (vnode-type REGULAR-FILE)))
+
+(allow file-read*
+ (require-all (subpath "/AppleInternal/Library/Preferences/Logging")
+ (system-attribute apple-internal)))
+
+(allow file-read* file-map-executable
+ (require-all (subpath "/usr/local/lib/log")
+ (system-attribute apple-internal)))
+
+(allow network-outbound
+ (literal "/private/var/run/syslog"))
+
+(allow ipc-posix-shm-read*
+ (ipc-posix-name "apple.shm.notification_center")
+ (ipc-posix-name-prefix "apple.cfprefs."))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.analyticsd")
+ (global-name "com.apple.analyticsd.messagetracer")
+ (global-name "com.apple.appsleep")
+ (global-name "com.apple.bsd.dirhelper")
+ (global-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.diagnosticd")
+ (global-name "com.apple.espd")
+ (global-name "com.apple.logd")
+ (global-name "com.apple.logd.events")
+ (global-name "com.apple.secinitd")
+ (global-name "com.apple.system.DirectoryService.libinfo_v1")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.opendirectoryd.libinfo")
+ (global-name "com.apple.system.opendirectoryd.membership")
+ (global-name "com.apple.trustd")
+ (global-name "com.apple.trustd.agent")
+ (global-name "com.apple.xpc.activity.unmanaged")
+ (local-name "com.apple.cfprefsd.agent"))
+
+(with-filter (system-attribute apple-internal)
+ (allow mach-lookup (global-name "com.apple.internal.objc_trace")))
+
+(define (system-network)
+ (allow file-read*
+ (literal "/Library/Preferences/com.apple.networkd.plist")
+ (literal "/private/var/db/nsurlstoraged/dafsaData.bin"))
+ (allow mach-lookup
+ (global-name "com.apple.SystemConfiguration.PPPController")
+ (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+ (global-name "com.apple.nehelper")
+ (global-name "com.apple.nesessionmanager")
+ (global-name "com.apple.networkd")
+ (global-name "com.apple.nsurlstorage-cache")
+ (global-name "com.apple.symptomsd")
+ (global-name "com.apple.usymptomsd"))
+ (allow network-outbound
+ (control-name "com.apple.netsrc")
+ (control-name "com.apple.network.statistics"))
+ (allow system-socket
+ (require-all (socket-domain AF_SYSTEM)
+ (socket-protocol 2)) ; SYSPROTO_CONTROL
+ (socket-domain AF_ROUTE))
+ (allow mach-lookup
+ (global-name "com.apple.AppSSO.service-xpc"))
+ (allow ipc-posix-shm-read-data
+ (ipc-posix-name "/com.apple.AppSSO.version")))
+
+;;;
+;;; End rules originally copied from 'system.sb'
+;;;
+#else
(import "system.sb")
+#endif
;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
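Review bot: `(allow mach-lookup (xpc-service-name-prefix ""))` at L67 is copied in verbatim and, unless a later rule outside this hunk narrows it, lets the Network process look up any XPC service name; since the stated goal is to surface removal candidates, this broadest rule of the copied set deserves the same `(with report) (with telemetry)` tag as the list at L141, or at least a `;; FIXME: removal candidate` comment so the follow-up cleanup does not lose it. The bracketing comments also disagree: L61 says the rules came from 'common.sb' while L192 and the `#else` branch at L195 say 'system.sb' — on macOS the replaced import is system.sb, so L61 should read `;;; The following rules were originally contained in 'system.sb'.` Separately, `com.apple.trustd` and `com.apple.trustd.agent` (L158-L159) sit in the "thought unneeded" telemetry list even though TLS trust evaluation in a network process presumably needs them — worth confirming, or the reports will be noise.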
@@ -38,8 +175,11 @@
"hw.availcpu"
"hw.ncpu"
"hw.model"
+ "kern.maxfilesperproc"
"kern.memorystatus_level"
- "vm.footprint_suspend"))
+ "vm.footprint_suspend")
+ (sysctl-name-regex #"^net.routetable")
+)
(deny iokit-get-properties)
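Review bot: `(sysctl-name-regex #"^net.routetable")` at L207 is looser than intended: the `.` is an unescaped regex wildcard and there is no trailing anchor, so any sysctl name starting with `net` followed by one character and `routetable…` matches. The iOS copy at L263 expresses the same grant as `(sysctl-name-prefix "net.routetable.")`; using that form here, `(sysctl-name-prefix "net.routetable.")`, is both tighter and consistent across the two profiles. The enclosing `(allow sysctl-read` form starts before this hunk, and the lone `)` on L208 departs from the file's convention of closing on the last element line.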
@@ -133,10 +273,8 @@
;; IOKit user clients
(allow iokit-open
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
- (with report) (with telemetry)
-#endif
- (iokit-user-client-class "RootDomainUserClient"))
+ (iokit-user-client-class "RootDomainUserClient") ; Used by PowerObserver
+)
;; cookied.
;; FIXME: Update for <rdar://problem/13642852>.
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (254208 => 254209)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2020-01-08 19:26:04 UTC (rev 254208)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2020-01-08 19:36:34 UTC (rev 254209)
@@ -25,8 +25,530 @@
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
-(import "common.sb")
+;;;
+;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
+;;; remove unneeded sandbox extensions.
+;;;
+(import "util.sb")
+
+(define-once (allow-read-and-issue-generic-extensions . filters)
+ (allow file-read*
+ (apply require-any filters))
+ (allow file-issue-extension
+ (require-all
+ ;; APP_SANDBOX_READ - default for sandbox_issue_extension() & sandbox_issue_fs_extension().
+ (extension-class "com.apple.app-sandbox.read")
+ (apply require-any filters))))
+
+(define-once (allow-read-write-and-issue-generic-extensions . filters)
+ (allow file-read* file-write*
+ (apply require-any filters))
+ (allow file-read-metadata
+ (apply require-any filters))
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
+ (apply require-any filters))))
+
+(define-once (allow-network-common)
+ ;; <rdar://problem/8645367>
+ (allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))
+ (allow network-outbound
+ (control-name "com.apple.network.statistics")
+ (control-name "com.apple.netsrc"))
+
+ (allow sysctl-read
+ (sysctl-name "kern.ipc.maxsockbuf")
+ (sysctl-name "kern.nisdomainname")
+ (sysctl-name-prefix "net.routetable.")
+ (sysctl-name "net.statistics"))
+
+ ;; <rdar://problem/10642881>
+ (allow file-read*
+ (literal "/private/var/preferences/com.apple.networkd.plist"))
+
+ ;; <rdar://problem/27580907>
+ (allow file-read*
+ (literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist"))
+
+ ;; <rdar://problem/13679154>
+ (allow file-read*
+ (literal "/private/var/preferences/com.apple.NetworkStatistics.plist"))
+
+ ;; <rdar://problem/15711661>
+ (allow mach-lookup
+ (global-name "com.apple.nesessionmanager"))
+
+ ;; <rdar://problem/7693463>
+ (allow system-socket (socket-domain AF_ROUTE))
+
+ (if gizmo?
+ (with-filter
+ (require-any
+ (require-entitlement "com.apple.security.network.client")
+ (require-entitlement "com.apple.security.network.server"))
+ (allow network-outbound (literal "/private/var/run/mDNSResponder")))
+ (allow network-outbound (literal "/private/var/run/mDNSResponder")))
+
+ ;; <rdar://problem/10962803>
+ ;; <rdar://problem/13238730>
+ (allow mach-lookup
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.SystemConfiguration.helper")
+ (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+ (global-name "com.apple.SystemConfiguration.DNSConfiguration")
+ (global-name "com.apple.SystemConfiguration.PPPController")
+ (global-name "com.apple.SystemConfiguration.NetworkInformation"))
+
+ ;; <rdar://problem/11792470>
+ ;; <rdar://problem/13305819>
+ (allow mach-lookup
+ (global-name "com.apple.commcenter.xpc")
+ (global-name "com.apple.commcenter.cupolicy.xpc"))
+
+ (allow mach-lookup
+ (global-name "com.apple.securityd")
+ (global-name "com.apple.trustd"))
+ (allow file-read*
+ (literal "/private/var/preferences/com.apple.security.plist"))
+
+ ;; <rdar://problem/13301795>
+ (allow mach-lookup
+ (global-name "com.apple.usymptomsd")
+ (global-name "com.apple.symptomsd")
+ (global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772>
+
+ (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
+ (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.plist")))
+
+ (with-filter (apple-signed-executable?)
+ (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist")))
+
+ (allow mach-lookup
+ (global-name "com.apple.AppSSO.service-xpc"))
+ (allow ipc-posix-shm-read-data
+ (ipc-posix-name "/com.apple.AppSSO.version"))
+
+ ;; <rdar://problem/30452093>
+ (multipath-tcp))
+
+(define-once (network-client . filters)
+ (allow-network-common)
+
+ ;; <rdar://problem/9193431>
+ (allow mach-lookup
+ (global-name "com.apple.networkd"))
+
+ ;; <rdar://problem/20094008>
+ ;; <rdar://problem/24689958>
+ (with-filter (require-any
+ (require-entitlement "com.apple.networkd.advisory_socket")
+ (require-entitlement "com.apple.networkd.disable_opportunistic")
+ (require-entitlement "com.apple.networkd.modify_settings")
+ (require-entitlement "com.apple.networkd.persistent_interface")
+ (require-entitlement "com.apple.networkd_privileged"))
+ (allow mach-lookup
+ (global-name "com.apple.networkd_privileged")))
+
+ ;; <rdar://problem/20201593>
+ (with-filter (require-any
+ (apple-signed-executable?)
+ (require-entitlement "com.apple.authkit.client")
+ (require-entitlement "com.apple.authkit.client.private")
+ (require-entitlement "com.apple.authkit.client.internal"))
+ (allow mach-lookup
+ (global-name "com.apple.ak.anisette.xpc")
+ (global-name "com.apple.ak.auth.xpc")))
+
+ ;; <rdar://problem/15897781>
+ (allow mach-lookup
+ (global-name "com.apple.nsurlsessiond"))
+ (allow file-issue-extension
+ (require-all
+ (executable-bundle)
+ (extension-class "com.apple.nsurlsessiond.readonly")))
+
+ ;; <rdar://problem/20617514>
+ (when gizmo?
+ (allow mach-lookup
+ (global-name "com.apple.nsurlsessiond.NSURLSessionProxyService")
+ (global-name "com.apple.sharingd.NSURLSessionProxyService")))
+
+ ;; <rdar://problem/15608009>
+ (allow mach-lookup
+ (global-name "com.apple.nsurlstorage-cache"))
+
+ ;; <rdar://problem/10423007>
+ (allow mach-lookup
+ (global-name "com.apple.cfnetwork.AuthBrokerAgent")
+ (global-name "com.apple.cfnetwork.cfnetworkagent"))
+
+ ;; <rdar://problem/12620714>
+ (deny file-write-create (with no-report)
+ (home-prefix "/Library/Logs/CrashReporter/CFNetwork_"))
+
+ (allow mach-lookup
+ (global-name "com.apple.cookied"))
+
+ ;; <rdar://problem/17910466>
+ (allow mach-lookup
+ (global-name "com.apple.accountsd.accountmanager"))
+
+ ;; GSS-API
+ (allow mach-lookup
+ (global-name "com.apple.GSSCred"))
+
+ ;; <rdar://problem/17853959>
+ (mobile-keybag-access)
+
+ (allow mach-lookup
+ (global-name "com.apple.nehelper"))
+
+ (allow-well-known-system-group-container-literal-read
+ "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
+
+ ;; <rdar://problem/33277999>
+ (mobile-preferences-read "com.apple.CFNetwork")
+
+ (if (null? filters)
+ (allow network-outbound)
+ ; else
+ (allow network-outbound (apply require-any filters))))
+
+(define-once (multipath-tcp)
+ (allow system-socket (socket-domain 39)))
+
+(define-once (managed-configuration-read-public)
+ (allow file-read*
+ (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+ (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
+ (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))
+ (allow mach-lookup
+ (global-name "com.apple.managedconfiguration.profiled.public")))
+
+(define-once (allow-preferences-common)
+ (allow file-read-metadata
+ (home-literal "")
+ (home-literal "/Library/Preferences")))
+
+(define-once (mobile-preferences-read . domains)
+ (allow-preferences-common)
+ (allow user-preference-read (apply preference-domain domains)))
+
+(define-once (mobile-keybag-access)
+ (allow iokit-open (with report) (with telemetry)
+ (iokit-user-client-class "AppleKeyStoreUserClient")))
+
+(define-once (debugging-support)
+ ;; <rdar://problem/8379706>
+ ;; <rdar://problem/12868101>
+ ;; <rdar://problem/22766887>
+ ;; <rdar://problem/22880365>
+ (allow file-read* file-map-executable
+ (subpath "/Developer"))
+
+ ;; <rdar://problem/7674121>
+ ;; <rdar://problem/9151290>
+ (allow ipc-posix-shm
+ (ipc-posix-name-regex #"^stack-logs")
+ (ipc-posix-name-regex #"^OA-")
+ (ipc-posix-name-regex #"^/FSM-"))
+
+ (with-filter (system-attribute apple-internal)
+ ;; <rdar://problem/8565035>
+ ;; <rdar://problem/23857452>
+ (allow file-read* file-map-executable
+ (subpath "/AppleInternal")
+ (subpath "/usr/local/lib")))
+ (with-elevated-precedence
+ (allow file-read* file-map-executable file-issue-extension
+ (front-user-home-subpath "/XcodeBuiltProducts")))
+
+ ;; <rdar://problem/8107758>
+ (allow file-read* file-map-executable
+ (subpath "/System/Library/Frameworks")
+ (subpath "/System/Library/PrivateFrameworks"))
+
+ ;; <rdar://problem/11455762>
+ (allow mach-lookup
+ (global-name "com.apple.hangtracerd"))
+ ;; <rdar://problem/32544921>
+ (mobile-preferences-read "com.apple.hangtracer")
+
+ ;; <rdar://problem/9090627>
+ (with-filter (apple-signed-executable?)
+ (allow mach-lookup
+ (global-name "com.apple.ReportCrash.SimulateCrash"))))
+
+(define-once (logd-diagnostic-paths)
+ (require-any
+ (subpath "/private/var/db/diagnostics")
+ (subpath "/private/var/db/timesync")
+ (subpath "/private/var/db/uuidtext")
+ (subpath "/private/var/userdata/diagnostics")))
+(define-once (logd-diagnostic-client)
+ (with-filter
+ (require-all
+ (require-any
+ (require-entitlement "com.apple.private.logging.diagnostic")
+ (require-entitlement "com.apple.diagnosticd.diagnostic"))
+ (extension "com.apple.logd.read-only"))
+ (allow file-read*
+ (logd-diagnostic-paths))))
+
+(define required-etc-files
+ (literal "/private/etc/fstab"
+ "/private/etc/hosts"
+ "/private/etc/group"
+ "/private/etc/passwd"
+ "/private/etc/protocols"
+ "/private/etc/services"))
+
+(define-once (allow-multi-instance-xpc-services)
+ ;; <rdar://problem/46716068>
+ (allow mach-lookup
+ (with telemetry)
+ (with message "Create a radar and set it as a blocker to rdar://problem/48527566")
+ (xpc-service-name "com.apple.WebKit.Networking"
+ "com.apple.WebKit.WebContent")
+))
+
+(allow sysctl-read
+ (sysctl-name "kern.bootsessionuuid"))
+
+(deny file-map-executable)
+(deny file-write-mount file-write-unmount)
+(allow file-read-metadata
+ (vnode-type DIRECTORY))
+
+(mobile-preferences-read "com.apple.security")
+
+(with-elevated-precedence
+ ;; System files.
+ (allow file-read*
+ (subpath "/usr/lib"
+ "/usr/share"
+ "/private/var/db/timezone"))
+ (allow-read-and-issue-generic-extensions
+ (subpath "/Library/RegionFeatures"
+ "/System/Library"))
+
+ (allow file-map-executable
+ (subpath "/System/Library")
+ (subpath "/usr/lib"))
+
+ (allow file-read-metadata
+ (vnode-type SYMLINK))
+
+ (allow file-read*
+ (subpath "/private/var/preferences/Logging"))
+
+ (mobile-preferences-read "kCFPreferencesAnyApplication")
+ (allow file-read*
+ (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
+
+ (allow file-read*
+ (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
+ (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
+
+ (allow file-read-metadata
+ (home-literal "/Library/Caches/powerlog.launchd"))
+
+ (allow-read-and-issue-generic-extensions (executable-bundle))
+ (allow file-map-executable (executable-bundle))
+
+ (deny file-read-data file-issue-extension file-map-executable
+ (require-all
+ (executable-bundle)
+ (regex #"/[^/]+/SC_Info/")))
+
+ (with-filter (global-name-prefix "")
+ (allow mach-lookup
+ (extension "com.apple.security.exception.mach-lookup.global-name"))
+ (allow mach-register
+ (extension "com.apple.security.exception.mach-register.global-name")))
+ (with-filter (local-name-prefix "")
+ (allow mach-lookup
+ (extension "com.apple.security.exception.mach-lookup.local-name"))
+ (allow mach-register
+ (extension "com.apple.security.exception.mach-register.local-name")))
+ (allow-read-and-issue-generic-extensions
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only"))
+ (allow-read-write-and-issue-generic-extensions
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write"))
+ (allow iokit-open
+ (extension "com.apple.security.exception.iokit-user-client-class"))
+ (allow managed-preference-read
+ (extension "com.apple.security.exception.managed-preference.read-only"))
+ (allow user-preference-read
+ (extension "com.apple.security.exception.shared-preference.read-only"))
+ (allow user-preference-read user-preference-write
+ (extension "com.apple.security.exception.shared-preference.read-write"))
+ (allow sysctl-read
+ (extension "com.apple.security.exception.sysctl.read-only"))
+ (allow sysctl-read sysctl-write
+ (extension "com.apple.security.exception.sysctl.read-write"))
+
+ (allow file-issue-extension
+ (require-all
+ (extension-class "com.apple.nsurlstorage.extension-cache")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (require-any
+ (prefix "/private/var/root/Library/Caches/")
+ (front-user-home-prefix "/Library/Caches/"))))
+
+ (with-filter (require-entitlement "com.apple.security.exception.process-info")
+ (allow process-info-pidinfo process-info-pidfdinfo process-info-pidfileportinfo process-info-rusage process-info-codesignature)
+ (allow sysctl-read
+ (sysctl-name-prefix "kern.proc.")
+ (sysctl-name-prefix "kern.procargs2."))))
+
+(debugging-support)
+
+(allow file-read*
+ required-etc-files
+ (literal "/"))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.logd")
+ (global-name "com.apple.logd.events"))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.cfprefsd.agent")
+ (local-name "com.apple.cfprefsd.agent"))
+(allow ipc-posix-shm-read*
+ (ipc-posix-name-prefix "apple.cfprefs."))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.runningboard"))
+
+(allow-multi-instance-xpc-services)
+
+(allow system-sched
+ (require-entitlement "com.apple.private.kernel.override-cpumon"))
+
+(allow sysctl-read (with report) (with telemetry)
+ (sysctl-name "hw.activecpu")
+ (sysctl-name "hw.busfrequency")
+ (sysctl-name "hw.busfrequency_compat")
+ (sysctl-name "hw.byteorder")
+ (sysctl-name "hw.cachelinesize")
+ (sysctl-name "hw.cachelinesize_compat")
+ (sysctl-name "hw.cpu64bit_capable")
+ (sysctl-name "hw.cpufamily")
+ (sysctl-name "hw.cpufrequency")
+ (sysctl-name "hw.cpufrequency_compat")
+ (sysctl-name "hw.cpufrequency_max")
+ (sysctl-name "hw.cpusubtype")
+ (sysctl-name "hw.cputype")
+ (sysctl-name "hw.l1dcachesize")
+ (sysctl-name "hw.l1dcachesize_compat")
+ (sysctl-name "hw.l1icachesize")
+ (sysctl-name "hw.l1icachesize_compat")
+ (sysctl-name "hw.l2cachesize")
+ (sysctl-name "hw.l2cachesize_compat")
+ (sysctl-name "hw.l2settings")
+ (sysctl-name "hw.l3cachesize")
+ (sysctl-name "hw.l3cachesize_compat")
+ (sysctl-name "hw.l3settings")
+ (sysctl-name "hw.logicalcpu")
+ (sysctl-name "hw.logicalcpu_max")
+ (sysctl-name "hw.machine")
+ (sysctl-name "hw.memsize")
+ (sysctl-name "hw.pagesize")
+ (sysctl-name "hw.pagesize_compat")
+ (sysctl-name "hw.physicalcpu")
+ (sysctl-name "hw.physicalcpu_max")
+ (sysctl-name "hw.physmem")
+ (sysctl-name "hw.tbfrequency")
+ (sysctl-name "hw.tbfrequency_compat")
+ (sysctl-name "hw.usermem")
+ (sysctl-name "hw.vectorunit")
+ (sysctl-name "kern.bootargs")
+ (sysctl-name "kern.boottime")
+ (sysctl-name "kern.clockrate")
+ (sysctl-name "kern.development")
+ (sysctl-name "kern.hostid")
+ (sysctl-name "kern.hostname")
+ (sysctl-name "kern.maxproc")
+ (sysctl-name "kern.maxvnodes")
+ (sysctl-name-prefix "kern.monotonicclock")
+ (sysctl-name "kern.monotoniclock_offset_usecs")
+ (sysctl-name "kern.ngroups")
+ (sysctl-name "kern.osproductversion")
+ (sysctl-name "kern.osrelease")
+ (sysctl-name "kern.ostype")
+ (sysctl-name "kern.osvariant_status")
+ (sysctl-name "kern.osversion")
+ (sysctl-name "kern.saved_ids")
+ (sysctl-name "kern.secure_kernel")
+ (sysctl-name "kern.usrstack")
+ (sysctl-name "kern.usrstack64")
+ (sysctl-name "kern.version")
+ (sysctl-name "kern.waketime")
+ (sysctl-name "security.mac.sandbox.sentinel")
+ (sysctl-name "sysctl.name2oid")
+ (sysctl-name "vm.loadavg")
+ (sysctl-name-prefix "kern.argmax")
+ (sysctl-name-prefix "kern.proc.pid.")
+)
+
+(with-filter (system-attribute apple-internal)
+ (allow sysctl-read
+ (sysctl-name "kern.dtrace.dof_mode"))
+ (allow sysctl-read sysctl-write
+ (sysctl-name "vm.footprint_suspend")))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.system.logger"))
+(allow file-read-metadata network-outbound (with report) (with telemetry)
+ (literal "/private/var/run/syslog"))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.system.notification_center"))
+(allow ipc-posix-shm-read* (with report) (with telemetry)
+ (ipc-posix-name "apple.shm.notification_center"))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.distributed_notifications@1v3"))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.diagnosticd"))
+
+(logd-diagnostic-client)
+
+(managed-configuration-read-public)
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.ctkd.token-client"))
+
+(deny system-info (with no-report)
+ (info-type "net.link.addr"))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.system.libinfo.muser"))
+
+(allow mach-task-name (target self))
+
+(allow process-info-pidinfo (target self))
+(allow process-info-pidfdinfo (target self))
+(allow process-info-pidfileportinfo (target self))
+(allow process-info-setcontrol (target self))
+(allow process-info-dirtycontrol (target self))
+(allow process-info-rusage (target self))
+(allow process-info-codesignature (target self))
+
+(allow mach-lookup (with report) (with telemetry)
+ (global-name "com.apple.analyticsd"))
+
+;;;
+;;; End rules originally copied from 'common.sb'
+;;;
+
(deny mach-lookup (xpc-service-name-prefix ""))
(deny lsopen)
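Review bot: `(debugging-support)` at L608 is applied unconditionally, so on every build the Network process gets `file-read* file-map-executable` under `/Developer` and the framework directories (L447-L448, L468-L470), the `stack-logs`/`OA-`/`FSM-` shared-memory regexes (L452-L455) and the `com.apple.hangtracerd` lookup (L473-L474); only the `/AppleInternal` and `/usr/local/lib` grants are gated on `(system-attribute apple-internal)`. Given the commit's approach of tagging suspected-unneeded rules, none of these carry `(with report) (with telemetry)` — consider adding the tag to the `/Developer` grant and the hangtracerd/SimulateCrash lookups, or gating the whole call, so the follow-up has data for them. Two magic numbers also lost their explanation in the copy: `(socket-domain 39)` at L419 and `(socket-protocol 2)` at L255 should carry the same kind of comment the macOS copy has at L184 (`; SYSPROTO_CONTROL`), e.g. `; presumably AF_MULTIPATH — confirm against sys/socket.h` for 39. The top-level `(deny mach-lookup (xpc-service-name-prefix ""))` at L751 is pre-existing and still follows the copied block, which is good.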
@@ -37,6 +559,7 @@
"hw.availcpu"
"hw.ncpu"
"hw.model"
+ "kern.maxfilesperproc"
"kern.memorystatus_level"
"vm.footprint_suspend"))
@@ -55,11 +578,12 @@
;; enough access to make it possible.
;; IOKit user clients
-(allow iokit-open (with report) (with telemetry)
- (iokit-user-client-class "RootDomainUserClient"))
+(allow iokit-open
+ (iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver
+)
;; Various services required by CFNetwork and other frameworks
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.PowerManagement.control"))
(network-client (remote tcp) (remote udp))
@@ -73,16 +597,16 @@
)
;; Security framework
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.ocspd")
(global-name "com.apple.securityd"))
;; PassKit framework
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.passd.in-app-payment")
(global-name "com.apple.passd.library"))
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.FileCoordination")
(global-name "com.apple.dmd.policy")
(global-name "com.apple.siri.context.service")
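Review bot: `com.apple.securityd` at L779 now carries `(with report) (with telemetry)`, but the same global name is already allowed without telemetry inside `allow-network-common` (L309-L311), which `network-client` expands at L772 before this rule. Whichever of the two rules the profile compiler lets win, the lookup stays allowed and the telemetry from this line will not cleanly show whether it can be dropped; removing the duplicate from one of the two places (and noting it with `;; securityd also allowed in allow-network-common`) would make the measurement meaningful. The `mach-lookup` form beginning at L786 continues into the next hunk.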
@@ -89,7 +613,7 @@
(global-name "com.apple.ctcategories.service"))
(deny file-write-create
- (vnode-type SYMLINK))
+ (vnode-type SYMLINK))
;; FIXME should be removed when <rdar://problem/30498072> is fixed.
(allow network*
@@ -99,17 +623,17 @@
(remote tcp))
;; Various services required by system frameworks
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.analyticsd")
(global-name "com.apple.AppSSO.service-xpc"))
;; For reporting progress for active downloads <rdar://problem/44405661>
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.ProgressReporting"))
;; <rdar://problem/47598758>
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.nesessionmanager.content-filter"))
;; Various shared memory accesses required by system frameworks