Title: [283195] trunk/Source/WebKit
Revision: 283195
Author: [email protected]
Date: 2021-09-28 14:16:29 -0700 (Tue, 28 Sep 2021)

Log Message

Remove redundant sandbox exception rules for registering mach extensions
https://bugs.webkit.org/show_bug.cgi?id=230909
<rdar://problem/66583587>

Reviewed by Per Arne Vollan.

The Sandbox implementation offers a mechanism for apps to extend their sandbox at compile
time. WebKit does not use those extensions in its sandbox design, so we should remove those
unused rules. They are left-over from importing the global App Sandbox rules long ago, and
are not needed by WebKit.

* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Diff

Modified: trunk/Source/WebKit/ChangeLog (283194 => 283195)


--- trunk/Source/WebKit/ChangeLog	2021-09-28 21:13:01 UTC (rev 283194)
+++ trunk/Source/WebKit/ChangeLog	2021-09-28 21:16:29 UTC (rev 283195)
@@ -1,3 +1,20 @@
+2021-09-28  Brent Fulgham  <[email protected]>
+
+        Remove redundant sandbox exception rules for registering mach extensions
+        https://bugs.webkit.org/show_bug.cgi?id=230909
+        <rdar://problem/66583587>
+
+        Reviewed by Per Arne Vollan.
+
+        The Sandbox implementation offers a mechanism for apps to extend their sandbox at compile
+        time. WebKit does not use those extensions in its sandbox design, so we should remove those
+        unused rules. They are left-over from importing the global App Sandbox rules long ago, and
+        are not needed by WebKit.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+
 2021-09-28  Kate Cheney  <[email protected]>
 
         PCM: different bundleID entries will override each other
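
Review bot: The three per-file entries at the end of the new ChangeLog block are left empty, so the log does not record that the Networking profile is edited differently from the other two: there the mach-register rules sit inside with-filter blocks that keep their mach-lookup rules. A short description after each path would make that visible. The entry also states that the rules are unused without saying how that was established; since the rules removed from the GPU profile carried (with telemetry), it would be worth stating whether that telemetry was consulted.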

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (283194 => 283195)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2021-09-28 21:13:01 UTC (rev 283194)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2021-09-28 21:16:29 UTC (rev 283195)
@@ -507,12 +507,6 @@
                                     "com.apple.mediaserverd.read-write"))))
 
     ;; <rdar://problem/16079361>
-    (with-filter (global-name-prefix "")
-        (allow mach-register (with telemetry)
-               (extension "com.apple.security.exception.mach-register.global-name")))
-    (with-filter (local-name-prefix "")
-        (allow mach-register (with telemetry)
-               (extension "com.apple.security.exception.mach-register.local-name")))
     (allow-read-and-issue-generic-extensions
            (extension "com.apple.security.exception.files.absolute-path.read-only")
            (extension "com.apple.security.exception.files.home-relative-path.read-only"))
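
Review bot: The ";; <rdar://problem/16079361>" comment above the removed lines is kept and now sits directly over allow-read-and-issue-generic-extensions. If that radar tracked the mach-register exceptions, the comment should be removed with them; if it also covers the file extension rules, a few words saying so would keep the reference meaningful. The same comment is left in place in the WebContent.sb.in hunk.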

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (283194 => 283195)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2021-09-28 21:13:01 UTC (rev 283194)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2021-09-28 21:16:29 UTC (rev 283195)
@@ -361,14 +361,11 @@
 
     (with-filter (global-name-prefix "")
         (allow mach-lookup
-               (extension "com.apple.security.exception.mach-lookup.global-name"))
-        (allow mach-register
-               (extension "com.apple.security.exception.mach-register.global-name")))
+               (extension "com.apple.security.exception.mach-lookup.global-name")))
     (with-filter (local-name-prefix "")
         (allow mach-lookup
                (extension "com.apple.security.exception.mach-lookup.local-name"))
-        (allow mach-register
-               (extension "com.apple.security.exception.mach-register.local-name")))
+    )
     (allow-read-and-issue-generic-extensions
            (extension "com.apple.security.exception.files.absolute-path.read-only")
            (extension "com.apple.security.exception.files.home-relative-path.read-only"))
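
Review bot: The replacement for the local-name block leaves a lone ")" on its own line to close (with-filter (local-name-prefix "") ...), while the global-name block a few lines up closes on the mach-lookup line with ")))". The parentheses balance, but for consistency within this hunk the closing paren should be folded into the previous line, giving (extension "com.apple.security.exception.mach-lookup.local-name"))) with no separate ")" line.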

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (283194 => 283195)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-09-28 21:13:01 UTC (rev 283194)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-09-28 21:16:29 UTC (rev 283195)
@@ -629,12 +629,6 @@
                                     "com.apple.mediaserverd.read-write"))))
 
     ;; <rdar://problem/16079361>
-    (with-filter (global-name-prefix "")
-        (allow mach-register
-               (extension "com.apple.security.exception.mach-register.global-name")))
-    (with-filter (local-name-prefix "")
-        (allow mach-register
-               (extension "com.apple.security.exception.mach-register.local-name")))
     (allow-read-and-issue-generic-extensions
            (extension "com.apple.security.exception.files.absolute-path.read-only")
            (extension "com.apple.security.exception.files.home-relative-path.read-only"))
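
Review bot: After the removal, the context lines show the WebContent profile still granting allow-read-and-issue-generic-extensions for com.apple.security.exception.files.absolute-path.read-only and com.apple.security.exception.files.home-relative-path.read-only, which share the com.apple.security.exception.* naming of the rules deleted here. If the log message's reasoning (WebKit does not use these extensions in its sandbox design) applies to them as well, they are candidates for a follow-up patch; if they are still needed, a comment in the profile saying why would help the next reader.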