Title: [283925] trunk/Source/WebKit
Revision: 283925
Author: [email protected]
Date: 2021-10-11 12:41:44 -0700 (Mon, 11 Oct 2021)

Log Message

[macOS] Grant access in sandbox to 'system-privilege' for root
https://bugs.webkit.org/show_bug.cgi?id=231501
<rdar://83959448>

Reviewed by Brent Fulgham.

When running as root, WebKit processes need access to 'system-privilege'.

* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (283924 => 283925)


--- trunk/Source/WebKit/ChangeLog	2021-10-11 19:37:42 UTC (rev 283924)
+++ trunk/Source/WebKit/ChangeLog	2021-10-11 19:41:44 UTC (rev 283925)
@@ -1,3 +1,18 @@
+2021-10-11  Per Arne Vollan <[email protected]>
+
+        [macOS] Grant access in sandbox to 'system-privilege' for root
+        https://bugs.webkit.org/show_bug.cgi?id=231501
+        <rdar://83959448>
+
+        Reviewed by Brent Fulgham.
+
+        When running as root, WebKit processes need access to 'system-privilege'.
+
+        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2021-10-11  Simon Fraser  <[email protected]>
 
         Smooth-scroll animations should run in the UI process on iOS
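
Review bot: The new ChangeLog entry says only that WebKit processes "need access to 'system-privilege'" when running as root, and the four per-file lines are left empty. Please name the privilege or the failure that motivated the change, and note per file what was done, in particular that the denies are now wrapped in `(with-filter (require-not (uid 0)) ...)`, so a later reader can tell how much of the sandbox was relaxed for root and why.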

Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (283924 => 283925)


--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-10-11 19:37:42 UTC (rev 283924)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-10-11 19:41:44 UTC (rev 283925)
@@ -24,11 +24,12 @@
 (version 1)
 (deny default (with partial-symbolication))
 (deny nvram*)
-(deny system-privilege)
 (allow system-audit file-read-metadata)
 
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+(with-filter (require-not (uid 0))
+    (deny system-privilege)
+    ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+    (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
 
 #include "Shared/Sandbox/preferences.sb"
 
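
Review bot: With both denies moved inside `(with-filter (require-not (uid 0)) ...)`, a uid 0 GPU process has no system-privilege rule left in the lines shown here, so the outcome depends on whatever else in the profile matches, starting with `(deny default (with partial-symbolication))`. If the intent is a grant, as the log title says, an explicit allow for uid 0 limited to the privilege-ids root actually needs would make that visible and keep the remaining privileges denied; as written the filter lifts the deny for every privilege-id at once. A one-line comment above the filter explaining why root is exempt would also help.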

Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (283924 => 283925)


--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2021-10-11 19:37:42 UTC (rev 283924)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2021-10-11 19:41:44 UTC (rev 283925)
@@ -24,18 +24,19 @@
 (version 1)
 (deny default (with partial-symbolication))
 (deny nvram*)
-(deny system-privilege)
 
 (allow system-audit file-read-metadata)
 
+(with-filter (require-not (uid 0))
+    (deny system-privilege)
+    ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+    (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
+
 (allow system-privilege (with grant)
     (require-all
         (privilege-id PRIV_NET_PRIVILEGED_SOCKET_DELEGATE)
         (require-entitlement "com.apple.private.network.socket-delegate")))
  
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
-
 #include "Shared/Sandbox/preferences.sb"
 
 #if PLATFORM(MAC)
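
Review bot: The `(allow system-privilege (with grant) ...)` rule for PRIV_NET_PRIVILEGED_SOCKET_DELEGATE is gated on `(require-entitlement "com.apple.private.network.socket-delegate")`, but for uid 0 the blanket `(deny system-privilege)` above it no longer applies, so please state whether that entitlement check still limits anything for a root network process. The PRIV_GLOBAL_PROC_INFO no-report deny has also moved from after the allow to before it; the two rules name different privilege-ids, so this looks harmless, but please confirm the reordering is intentional.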

Modified: trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in (283924 => 283925)


--- trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in	2021-10-11 19:37:42 UTC (rev 283924)
+++ trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in	2021-10-11 19:41:44 UTC (rev 283925)
@@ -26,8 +26,10 @@
 (deny nvram*)
 (allow system-audit file-read-metadata)
 
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+(with-filter (require-not (uid 0))
+    (deny system-privilege)
+    ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+    (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
 
 #include "Shared/Sandbox/preferences.sb"
 
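
Review bot: The removed lines in this hunk are only the PRIV_GLOBAL_PROC_INFO no-report deny and its comment, yet the new block also adds a blanket `(deny system-privilege)` for non-root users, which the visible WebAuthnProcess lines did not have before. That tightens the profile for ordinary users rather than relaxing it for root, and the log message does not mention it; please confirm it is intended and record it in the ChangeLog line for this file.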

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (283924 => 283925)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-10-11 19:37:42 UTC (rev 283924)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-10-11 19:41:44 UTC (rev 283925)
@@ -24,12 +24,13 @@
 (version 1)
 (deny default (with partial-symbolication))
 (deny nvram*)
-(deny system-privilege)
 (allow system-audit file-read-metadata)
 
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
- 
+(with-filter (require-not (uid 0))
+    (deny system-privilege)
+    ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+    (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
+
 #include "Shared/Sandbox/preferences.sb"
 
 ;;;
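
Review bot: This is the fourth copy of the same `(with-filter (require-not (uid 0)) ...)` block and its rdar comment. Each of these profiles already pulls in `#include "Shared/Sandbox/preferences.sb"`, so consider moving the block into a shared include of the same kind, so that the root exemption is defined once and cannot drift between the WebProcess, GPUProcess, NetworkProcess and WebAuthnProcess profiles.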