[webkit-changes] [254351] trunk

Fri, 10 Jan 2020 10:55:42 -0800

Title: [254351] trunk
Revision
254351
Author
[email protected]
Date
2020-01-10 10:54:03 -0800 (Fri, 10 Jan 2020)

Log Message

Remove 'com.apple.nehelper' from the WebContent sandbox.
https://bugs.webkit.org/show_bug.cgi?id=206025
<rdar://problem/58453508>

Reviewed by Per Arne Vollan.

Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
we should remove the blanket allow rules from the sandbox.

Tests: fast/sandbox/ios/sandbox-mach-lookup.html, fast/sandbox/mac/sandbox-mach-lookup.html

* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (254350 => 254351)


--- trunk/LayoutTests/ChangeLog	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/LayoutTests/ChangeLog	2020-01-10 18:54:03 UTC (rev 254351)
@@ -1,3 +1,19 @@
+2020-01-10  Brent Fulgham  <[email protected]>
+
+        Remove 'com.apple.nehelper' from the WebContent sandbox.
+        https://bugs.webkit.org/show_bug.cgi?id=206025
+        <rdar://problem/58453508>
+
+        Reviewed by Per Arne Vollan.
+
+        Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
+        we should remove the blanket allow rules from the sandbox.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+        * fast/sandbox/mac/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/mac/sandbox-mach-lookup.html:
+
 2020-01-10  youenn fablet  <[email protected]>
 
         [WTR] Use short heart beat timer as a TestOption

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (254350 => 254351)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2020-01-10 18:54:03 UTC (rev 254351)
@@ -6,6 +6,9 @@
 PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.apple-extension-service") is false
 PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.viewservice") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.TextInput") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nehelper") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager.content-filter") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.pluginkit.pkd") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (254350 => 254351)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2020-01-10 18:54:03 UTC (rev 254351)
@@ -9,6 +9,9 @@
     shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.apple-extension-service\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.viewservice\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.TextInput\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nehelper\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager.content-filter\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.pluginkit.pkd\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
 }

Modified: trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt (254350 => 254351)


--- trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt	2020-01-10 18:54:03 UTC (rev 254351)
@@ -4,5 +4,8 @@
 
 
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.cfprefsd.agent") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nehelper") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager.content-filter") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false

Modified: trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html (254350 => 254351)


--- trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html	2020-01-10 18:54:03 UTC (rev 254351)
@@ -7,6 +7,9 @@
 
 if (window.internals) {
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.cfprefsd.agent\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nehelper\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager.content-filter\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
 }
 </script>

Modified: trunk/Source/WebKit/ChangeLog (254350 => 254351)


--- trunk/Source/WebKit/ChangeLog	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/Source/WebKit/ChangeLog	2020-01-10 18:54:03 UTC (rev 254351)
@@ -1,3 +1,21 @@
+2020-01-10  Brent Fulgham  <[email protected]>
+
+        Remove 'com.apple.nehelper' from the WebContent sandbox.
+        https://bugs.webkit.org/show_bug.cgi?id=206025
+        <rdar://problem/58453508>
+
+        Reviewed by Per Arne Vollan.
+
+        Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
+        we should remove the blanket allow rules from the sandbox.
+
+        Tests: fast/sandbox/ios/sandbox-mach-lookup.html, fast/sandbox/mac/sandbox-mach-lookup.html
+
+        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2020-01-10  Víctor Manuel Jáquez Leal  <[email protected]>
 
         Silence compiler warning

Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (254350 => 254351)


--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2020-01-10 18:54:03 UTC (rev 254351)
@@ -690,15 +690,6 @@
 ;; CFNetwork
 (allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
 
-;; Network Extensions / VPN helper.
-(allow mach-lookup
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 || PLATFORM(MACCATALYST)
-    (global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/48442387>
-#else
-    (global-name "com.apple.nesessionmanager") ;; <rdar://problem/55570995>
-#endif
-    (global-name "com.apple.nehelper"))
-
 #if PLATFORM(MAC)
 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
 (allow mach-lookup

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (254350 => 254351)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2020-01-10 18:54:03 UTC (rev 254351)
@@ -475,13 +475,6 @@
         (home-subpath "/Library/Dictionaries"))
 )
 
-(define-once (network-extensions-support)
-    ;; Network Extensions / VPN helper.
-    (allow mach-lookup
-        (global-name "com.apple.nehelper")
-        (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
-)
-
 (deny file-map-executable)
 
 (deny file-write-mount file-write-unmount)
@@ -742,8 +735,6 @@
 ;; Permit reading assets via MobileAsset framework.
 (asset-access 'with-media-playback)
 
-(network-extensions-support)
-
 ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
 (allow-well-known-system-group-container-literal-read
     "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (254350 => 254351)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2020-01-10 18:54:03 UTC (rev 254351)
@@ -484,13 +484,6 @@
         (home-subpath "/Library/Dictionaries"))
 )
 
-(define-once (network-extensions-support)
-    ;; Network Extensions / VPN helper.
-    (allow mach-lookup (with report) (with telemetry)
-        (global-name "com.apple.nehelper")
-        (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
-)
-
 (deny file-map-executable)
 
 (deny file-write-mount file-write-unmount)
@@ -744,8 +737,6 @@
 ;; Permit reading assets via MobileAsset framework.
 (asset-access 'with-media-playback)
 
-(network-extensions-support)
-
 ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
 (allow-well-known-system-group-container-literal-read
     "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (254350 => 254351)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-01-10 18:50:35 UTC (rev 254350)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2020-01-10 18:54:03 UTC (rev 254351)
@@ -714,18 +714,6 @@
 ;; CFNetwork
 (allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
 
-;; Network Extensions / VPN helper.
-(allow mach-lookup
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
-    (with report) (with telemetry)
-#endif
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 || PLATFORM(MACCATALYST)
-    (global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/48442387>
-#else
-    (global-name "com.apple.nesessionmanager") ;; <rdar://problem/55570995>
-#endif
-    (global-name "com.apple.nehelper"))
-
 #if PLATFORM(MAC)
 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
 (allow mach-lookup

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to