Title: [271949] trunk/Source/WebKit
- Revision: 271949
- Author: [email protected]
- Date: 2021-01-27 06:17:42 -0800 (Wed, 27 Jan 2021)
Log Message
Restrict access to syslog in sandbox
https://bugs.webkit.org/show_bug.cgi?id=220983
<rdar://problem/73512626>
Reviewed by Brent Fulgham.
Only allow syslog access on internal builds on macOS and iOS.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:
Diff
Modified: trunk/Source/WebKit/ChangeLog (271948 => 271949)
--- trunk/Source/WebKit/ChangeLog 2021-01-27 14:13:56 UTC (rev 271948)
+++ trunk/Source/WebKit/ChangeLog 2021-01-27 14:17:42 UTC (rev 271949)
@@ -1,3 +1,16 @@
+2021-01-27 Per Arne <[email protected]>
+
+ Restrict access to syslog in sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=220983
+ <rdar://problem/73512626>
+
+ Reviewed by Brent Fulgham.
+
+ Only allow syslog access on internal builds on macOS and iOS.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-01-27 Antti Koivisto <[email protected]>
Implement visibility based resource load scheduling for low priority resources
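Review bot: The two per-file lines at the end of the new ChangeLog entry carry no description, and the summary "Only allow syslog access on internal builds on macOS and iOS" does not cover everything the diff does: the iOS profile also deletes the file-read-metadata rule that sat under ";; Confirm this is unused:". Suggest a short note under each file entry, including whether the report/telemetry on that rule confirmed it was unused.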
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (271948 => 271949)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-01-27 14:13:56 UTC (rev 271948)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-01-27 14:17:42 UTC (rev 271949)
@@ -649,14 +649,11 @@
(allow sysctl-read sysctl-write
(sysctl-name "vm.footprint_suspend")))
-(allow network-outbound
- (literal "/private/var/run/syslog"))
+(with-filter (system-attribute apple-internal)
+ (allow network-outbound
+ (literal "/private/var/run/syslog"))
+)
-;; Confirm this is unused:
-(allow file-read-metadata
- (with report) (with telemetry-backtrace)
- (literal "/private/var/run/syslog"))
-
(allow mach-lookup
(global-name "com.apple.system.notification_center"))
(allow ipc-posix-shm-read*
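Review bot: The file-read-metadata rule for "/private/var/run/syslog" (the block under ";; Confirm this is unused:") is removed for every build, while apple-internal builds keep network-outbound to the same path through the new with-filter block. If internal builds still need to read metadata on that socket, the rule belongs inside the with-filter; if the telemetry showed it was never hit, say so in the ChangeLog. The macOS profile keeps a comment explaining why syslog access exists (ObjC map_images); the same one-line comment above the with-filter here would help the next reader.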
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (271948 => 271949)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-01-27 14:13:56 UTC (rev 271948)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-01-27 14:17:42 UTC (rev 271949)
@@ -1240,18 +1240,21 @@
(system-graphics)
;; Networking
+#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 101500
(allow network-outbound
-#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 101500
;; Local mDNSResponder for DNS, arbitrary outbound TCP
;; Note: This is needed for some media playback features. <rdar://problem/38191574>
;; Remove this permission when <rdar://problem/38240572> is fixed.
(literal "/private/var/run/mDNSResponder")
+ (remote tcp)
+)
#endif
- ;; ObjC map_images needs to send logging data to syslog. <rdar://problem/39778918>
+
+;; ObjC map_images needs to send logging data to syslog. <rdar://problem/39778918>
+(with-filter (system-attribute apple-internal)
+ (allow network-outbound
(literal "/private/var/run/syslog")
-#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 101500
- (remote tcp)
-#endif
+ )
)
;; CFNetwork
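Review bot: The comment kept above the new with-filter block still reads "ObjC map_images needs to send logging data to syslog", but the rule now applies only when (system-attribute apple-internal) matches, so the comment no longer says what is expected on other builds. Suggest extending it to state that the connection is intentionally denied outside internal builds. Separately, with (allow network-outbound and (remote tcp) both moved inside the #if, builds with a deployment target above 101500 get no network-outbound rule from this block other than the gated syslog one; that matches the previous behaviour minus syslog, but it is worth a line in the ChangeLog since the restructuring is easy to misread.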