Diff
Modified: trunk/Source/WebKit/ChangeLog (283186 => 283187)
--- trunk/Source/WebKit/ChangeLog 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/ChangeLog 2021-09-28 19:15:02 UTC (rev 283187)
@@ -1,3 +1,26 @@
+2021-09-28 Brent Fulgham <[email protected]>
+
+ Explicitly deny 'system-privilege' in the sandbox profile as a hardening measure
+ https://bugs.webkit.org/show_bug.cgi?id=230782
+ <rdar://problem/66582813>
+
+ Reviewed by Per Arne Vollan.
+
+ Although we do not need 'system-privilege', the default sandbox state includes it as a convenience
+ for backwards-compatibility.
+
+ Update our sandboxes to tell the kernel we don't need the support, except for one case in the
+ Networking process.
+
+ * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+ * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-09-28 Sihui Liu <[email protected]>
Make StorageManager available in Worker
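Review bot: The ChangeLog entry describes only the blanket `(deny system-privilege)` and the Networking exception; it says nothing about the second rule that every hunk in this patch adds, `(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))`, whose only in-tree explanation is two radar references. Add a sentence here stating that PRIV_GLOBAL_PROC_INFO denials are deliberately unreported to silence spurious logging, so reviewers without radar access can see why a `no-report` rule belongs in a hardening change.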
Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (283186 => 283187)
--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-09-28 19:15:02 UTC (rev 283187)
@@ -24,8 +24,12 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
+(deny system-privilege)
(allow system-audit file-read-metadata (with telemetry))
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
#include "Shared/Sandbox/preferences.sb"
;;;
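Review bot: The two new system-privilege rules are split around the unrelated `(allow system-audit file-read-metadata (with telemetry))` line, and, unlike the Networking hunk, there is no blank line separating the groups. Since the `(with no-report)` rule only takes effect when it follows the blanket deny (later rules take precedence in the profile), keep the pair adjacent, e.g. move `(deny system-privilege)` directly above the `;; Silence spurious logging` comment, so the ordering dependency is visible and a future reorder cannot silently break it.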
Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (283186 => 283187)
--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-09-28 19:15:02 UTC (rev 283187)
@@ -24,8 +24,18 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
+(deny system-privilege)
+
(allow system-audit file-read-metadata)
+(allow system-privilege (with grant)
+ (require-all
+ (privilege-id PRIV_NET_PRIVILEGED_SOCKET_DELEGATE)
+ (require-entitlement "com.apple.private.network.socket-delegate")))
+
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
#include "Shared/Sandbox/preferences.sb"
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
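Review bot: The `(allow system-privilege (with grant) ...)` block is the single exception to the new deny that the ChangeLog calls out, but the profile carries no comment explaining why the Networking process needs PRIV_NET_PRIVILEGED_SOCKET_DELEGATE or what `(with grant)` adds to a plain allow. Add a `;;` comment above the rule recording the reason and noting that the allow is gated on the `com.apple.private.network.socket-delegate` entitlement, so that a later reader does not widen or drop the entitlement check without understanding it.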
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (283186 => 283187)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-09-28 19:15:02 UTC (rev 283187)
@@ -24,8 +24,12 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
+(deny system-privilege)
(allow system-audit file-read-metadata)
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
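Review bot: `(with no-report)` on the PRIV_GLOBAL_PROC_INFO deny means such denials no longer appear in sandbox violation reports, so any future GPU process code path that genuinely needs that privilege would fail silently instead of surfacing as a logged violation. The trade-off is reasonable for the noise described by the referenced radars, but extend the `;; Silence spurious logging` comment to state that the privilege is intentionally unavailable and that failures will be quiet, so the absence of a report is not mistaken for success.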
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (283186 => 283187)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2021-09-28 19:15:02 UTC (rev 283187)
@@ -24,8 +24,17 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
+(deny system-privilege)
(allow system-audit file-read-metadata)
+(allow system-privilege (with grant)
+ (require-all
+ (privilege-id PRIV_NET_PRIVILEGED_SOCKET_DELEGATE)
+ (require-entitlement "com.apple.private.network.socket-delegate")))
+
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb (283186 => 283187)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb 2021-09-28 19:15:02 UTC (rev 283187)
@@ -24,7 +24,11 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
+(deny system-privilege)
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (283186 => 283187)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-09-28 19:15:02 UTC (rev 283187)
@@ -24,8 +24,12 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
+(deny system-privilege)
(allow system-audit file-read-metadata)
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
Modified: trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in (283186 => 283187)
--- trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-09-28 19:15:02 UTC (rev 283187)
@@ -26,6 +26,9 @@
(deny nvram*)
(allow system-audit file-read-metadata)
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
#include "Shared/Sandbox/preferences.sb"
;;;
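Review bot: This hunk adds only the no-report rule for PRIV_GLOBAL_PROC_INFO and no blanket `(deny system-privilege)`, although the ChangeLog lists com.apple.WebKit.WebAuthnProcess.sb.in among the profiles that now deny the privilege and the iOS WebAuthn profile in this same patch does add the blanket deny. Since the ChangeLog states that the default sandbox state includes 'system-privilege' for backwards compatibility, the macOS WebAuthn process keeps that default after this change; add `(deny system-privilege)` here, or, if it is intentionally omitted, say so in the ChangeLog.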
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (283186 => 283187)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-09-28 19:06:44 UTC (rev 283186)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-09-28 19:15:02 UTC (rev 283187)
@@ -24,8 +24,12 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
+(deny system-privilege)
(allow system-audit file-read-metadata)
+;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+
#include "Shared/Sandbox/preferences.sb"
;;;
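Review bot: The same four lines (the blanket deny, the `;; Silence spurious logging` comment and the no-report deny) are now copied verbatim into each of the macOS `.sb.in` profiles, which already pull shared rules through `#include "Shared/Sandbox/preferences.sb"`. For the macOS profiles, consider a shared include for this block so that a future change to the PRIV_GLOBAL_PROC_INFO handling is made once; the iOS profiles state that they deliberately duplicate rules to drop unneeded extensions, so they can stay as written.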