Title: [256371] trunk
- Revision: 256371
- Author: pvol...@apple.com
- Date: 2020-02-11 14:22:23 -0800 (Tue, 11 Feb 2020)
Log Message
[iOS] Deny mach lookup access to the tccd service in the WebContent process
https://bugs.webkit.org/show_bug.cgi?id=207488
Reviewed by Darin Adler.
Source/WebKit:
As part of sandbox hardening, deny mach lookup access to the tccd service.
Test: fast/sandbox/ios/sandbox-mach-lookup.html
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
LayoutTests:
* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (256370 => 256371)
--- trunk/LayoutTests/ChangeLog 2020-02-11 22:13:15 UTC (rev 256370)
+++ trunk/LayoutTests/ChangeLog 2020-02-11 22:22:23 UTC (rev 256371)
@@ -1,3 +1,13 @@
+2020-02-11 Per Arne Vollan <pvol...@apple.com>
+
+ [iOS] Deny mach lookup access to the tccd service in the WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=207488
+
+ Reviewed by Darin Adler.
+
+ * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+ * fast/sandbox/ios/sandbox-mach-lookup.html:
+
2020-02-11 Jason Lawrence <lawrenc...@apple.com>
[ iOS wk2 ] http/wpt/beacon/cors/crossorigin-arraybufferview-no-preflight.html is flaky failing.
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (256370 => 256371)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2020-02-11 22:13:15 UTC (rev 256370)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt 2020-02-11 22:22:23 UTC (rev 256371)
@@ -17,4 +17,4 @@
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.powerlog.plxpclogger.xpc") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false
PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.aggregated") is false
-
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.tccd") is false
Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (256370 => 256371)
--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2020-02-11 22:13:15 UTC (rev 256370)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html 2020-02-11 22:22:23 UTC (rev 256371)
@@ -20,6 +20,7 @@
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.powerlog.plxpclogger.xpc\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.aggregated\")");
+ shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.tccd\")");
}
</script>
</head>
Modified: trunk/Source/WebKit/ChangeLog (256370 => 256371)
--- trunk/Source/WebKit/ChangeLog 2020-02-11 22:13:15 UTC (rev 256370)
+++ trunk/Source/WebKit/ChangeLog 2020-02-11 22:22:23 UTC (rev 256371)
@@ -1,3 +1,16 @@
+2020-02-11 Per Arne Vollan <pvol...@apple.com>
+
+ [iOS] Deny mach lookup access to the tccd service in the WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=207488
+
+ Reviewed by Darin Adler.
+
+ As part of sandbox hardening, deny mach lookup access to the tccd service.
+
+ Test: fast/sandbox/ios/sandbox-mach-lookup.html
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
2020-02-11 Eric Carlson <eric.carl...@apple.com>
Support in-band VTT captions when loading media in the GPU Process
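Review bot: The description line of the new entry ("As part of sandbox hardening, deny mach lookup access to the tccd service.") does not say why the WebContent process no longer needs this lookup. The rule removed in com.apple.WebKit.WebContent.sb sat in an "(allow mach-lookup (with report) (with telemetry)" block, so please add a sentence recording what justified the removal (for example, whether any lookups of com.apple.tccd were reported), so a later regression can be triaged against it.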
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (256370 => 256371)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-02-11 22:13:15 UTC (rev 256370)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2020-02-11 22:22:23 UTC (rev 256371)
@@ -605,8 +605,7 @@
(global-name "com.apple.cfprefsd.daemon"))
(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.distributed_notifications@1v3")
- (global-name "com.apple.tccd"))
+ (global-name "com.apple.distributed_notifications@1v3"))
(allow ipc-posix-shm-read*
(ipc-posix-name-prefix "apple.cfprefs."))
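Review bot: In the "(allow mach-lookup (with report) (with telemetry)" block, "com.apple.tccd" is dropped from the allow list but no explicit deny rule is added, so the denial holds only while no other allow rule in the profile matches that name. The new shouldBeFalse check in fast/sandbox/ios/sandbox-mach-lookup.html guards this. Consider a short comment next to this block that names the test, so a broader mach-lookup rule added later is checked against it.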