Title: [271815] trunk/Source/WebKit
Revision: 271815
Author: [email protected]
Date: 2021-01-25 14:09:52 -0800 (Mon, 25 Jan 2021)

Log Message

[macOS] Restrict access to dtracehelper
https://bugs.webkit.org/show_bug.cgi?id=220927
<rdar://70350947>

Reviewed by Brent Fulgham.

Only allow access to dtracehelper for internal installs.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

Diff

Modified: trunk/Source/WebKit/ChangeLog (271814 => 271815)


--- trunk/Source/WebKit/ChangeLog	2021-01-25 21:37:54 UTC (rev 271814)
+++ trunk/Source/WebKit/ChangeLog	2021-01-25 22:09:52 UTC (rev 271815)
@@ -1,3 +1,16 @@
+2021-01-25  Per Arne Vollan  <[email protected]>
+
+        [macOS] Restrict access to dtracehelper
+        https://bugs.webkit.org/show_bug.cgi?id=220927
+        <rdar://70350947>
+
+        Reviewed by Brent Fulgham.
+
+        Only allow access to dtracehelper for internal installs.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2021-01-25  Chris Dumez  <[email protected]>
 
         Update availability annotations to match the macOS 11.0 and iOS 14.0 GM SDKs
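
Review bot: The ChangeLog title is tagged "[macOS]", but the first path listed is Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb, so the entry understates the scope of the change. Suggest a title that covers both profiles (or dropping the platform tag), and a short per-file note after each "* path:" line saying that the /dev/dtracehelper rule is now wrapped in an apple-internal filter.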

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (271814 => 271815)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2021-01-25 21:37:54 UTC (rev 271814)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2021-01-25 22:09:52 UTC (rev 271815)
@@ -314,8 +314,10 @@
            (literal "/dev/null")
            (literal "/dev/zero"))
 
-    (allow file-read* file-write-data file-ioctl
-           (literal "/dev/dtracehelper"))
+    (with-filter (system-attribute apple-internal)
+        (allow file-read* file-write-data file-ioctl
+            (literal "/dev/dtracehelper"))
+    )
 
     (allow file-read*
            (literal "/dev/random")
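
Review bot: The new `(with-filter (system-attribute apple-internal)` block has no counterpart for the non-internal case, so what a customer install does when WebContent touches /dev/dtracehelper now depends on the profile's default rule, which is not visible in this hunk. Worth confirming that the resulting denial is the intended behaviour there, including whether it should be reported or silent, and adding a one-line comment above the block that says why the device is internal-only and references bug 220927. As a style point, the closing `)` on its own line differs from the neighbouring rules, which close on the last expression line, as in `(literal "/dev/zero"))`.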

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (271814 => 271815)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-01-25 21:37:54 UTC (rev 271814)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-01-25 22:09:52 UTC (rev 271815)
@@ -81,13 +81,12 @@
     (literal "/dev/null")
     (literal "/dev/zero"))
 
-(allow file-read*
-       file-write-data
-       file-ioctl
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
-    (with telemetry-backtrace)
-#endif
-    (literal "/dev/dtracehelper"))
+(with-filter (system-attribute apple-internal)
+    (allow file-read*
+           file-write-data
+           file-ioctl
+        (literal "/dev/dtracehelper"))
+)
 
 ;;; Allow creation of core dumps.
 (allow file-write-create
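
Review bot: The removed rule carried `(with telemetry-backtrace)` under `#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000`, and the replacement `allow` inside the `with-filter` drops that modifier without the log message mentioning it. If telemetry on /dev/dtracehelper access is still wanted on internal installs, keep the modifier (and its `#if` guard) inside the new `allow`; if removing it is deliberate, say so in the ChangeLog entry so the loss of that signal is on record. The dangling `)` on the last added line also differs from the style of the surrounding rules.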