Title: [283927] branches/safari-613.1.4-branch/Source/WebKit
- Revision: 283927
- Author: [email protected]
- Date: 2021-10-11 12:52:17 -0700 (Mon, 11 Oct 2021)
Log Message
Cherry-pick r283925. rdar://problem/84111635
[macOS] Grant access in sandbox to 'system-privilege' for root
https://bugs.webkit.org/show_bug.cgi?id=231501
<rdar://83959448>
Reviewed by Brent Fulgham.
When running as root, WebKit processes need access to 'system-privilege'.
* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283925 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-613.1.4-branch/Source/WebKit/ChangeLog (283926 => 283927)
--- branches/safari-613.1.4-branch/Source/WebKit/ChangeLog 2021-10-11 19:51:15 UTC (rev 283926)
+++ branches/safari-613.1.4-branch/Source/WebKit/ChangeLog 2021-10-11 19:52:17 UTC (rev 283927)
@@ -1,3 +1,38 @@
+2021-10-11 Alan Coon <[email protected]>
+
+ Cherry-pick r283925. rdar://problem/84111635
+
+ [macOS] Grant access in sandbox to 'system-privilege' for root
+ https://bugs.webkit.org/show_bug.cgi?id=231501
+ <rdar://83959448>
+
+ Reviewed by Brent Fulgham.
+
+ When running as root, WebKit processes need access to 'system-privilege'.
+
+ * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283925 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-10-11 Per Arne Vollan <[email protected]>
+
+ [macOS] Grant access in sandbox to 'system-privilege' for root
+ https://bugs.webkit.org/show_bug.cgi?id=231501
+ <rdar://83959448>
+
+ Reviewed by Brent Fulgham.
+
+ When running as root, WebKit processes need access to 'system-privilege'.
+
+ * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-10-06 Alan Coon <[email protected]>
Revert r283374. rdar://problem/83847918
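Review bot: The four per-file entries in the new ChangeLog block (`* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:` and the three after it) are left empty, and the one-line rationale does not say which privilege a root-run process is currently refused or what fails as a result. Since this relaxes a sandbox rule, a sentence on the failing scenario and a short per-file description would make the entry auditable later.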
Modified: branches/safari-613.1.4-branch/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (283926 => 283927)
--- branches/safari-613.1.4-branch/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-10-11 19:51:15 UTC (rev 283926)
+++ branches/safari-613.1.4-branch/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-10-11 19:52:17 UTC (rev 283927)
@@ -24,11 +24,12 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
-(deny system-privilege)
(allow system-audit file-read-metadata)
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+(with-filter (require-not (uid 0))
+ (deny system-privilege)
+ ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+ (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
#include "Shared/Sandbox/preferences.sb"
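Review bot: Wrapping `(deny system-privilege)` in `(with-filter (require-not (uid 0)) ...)` lifts the blanket deny for every privilege-id once the process runs as uid 0, while the log only says root needs access to 'system-privilege' without naming a privilege. If one specific privilege-id is what root needs, consider keeping the blanket deny and adding a narrow rule for that id instead, and put a comment above the filter stating the reason. A comment on how the operation is resolved for root would also help, since no explicit system-privilege rule applies to uid 0 here and `(deny default (with partial-symbolication))` is still in effect at the top of the profile.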
Modified: branches/safari-613.1.4-branch/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (283926 => 283927)
--- branches/safari-613.1.4-branch/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-10-11 19:51:15 UTC (rev 283926)
+++ branches/safari-613.1.4-branch/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-10-11 19:52:17 UTC (rev 283927)
@@ -24,18 +24,19 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
-(deny system-privilege)
(allow system-audit file-read-metadata)
+(with-filter (require-not (uid 0))
+ (deny system-privilege)
+ ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+ (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
+
(allow system-privilege (with grant)
(require-all
(privilege-id PRIV_NET_PRIVILEGED_SOCKET_DELEGATE)
(require-entitlement "com.apple.private.network.socket-delegate")))
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
-
#include "Shared/Sandbox/preferences.sb"
#if PLATFORM(MAC)
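Review bot: With the blanket deny now skipped for uid 0, it is unclear whether the entitlement check in the `(allow system-privilege (with grant) (require-all (privilege-id PRIV_NET_PRIVILEGED_SOCKET_DELEGATE) ...))` rule that follows the new block still gates anything for a root-run process. If root is meant to reach `PRIV_NET_PRIVILEGED_SOCKET_DELEGATE` only with `com.apple.private.network.socket-delegate`, that needs an explicit rule; if not, a comment saying the entitlement requirement is intentionally non-root only would avoid confusion. The `PRIV_GLOBAL_PROC_INFO` no-report deny also moves from after the allow rule to before it; please confirm the reorder is intentional and does not change evaluation.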
Modified: branches/safari-613.1.4-branch/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in (283926 => 283927)
--- branches/safari-613.1.4-branch/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-10-11 19:51:15 UTC (rev 283926)
+++ branches/safari-613.1.4-branch/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-10-11 19:52:17 UTC (rev 283927)
@@ -26,8 +26,10 @@
(deny nvram*)
(allow system-audit file-read-metadata)
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
+(with-filter (require-not (uid 0))
+ (deny system-privilege)
+ ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+ (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
#include "Shared/Sandbox/preferences.sb"
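Review bot: Unlike the other three profiles, this hunk removes no `(deny system-privilege)` line, only the `PRIV_GLOBAL_PROC_INFO` no-report deny, so the added `(deny system-privilege)` inside the filter looks like a new restriction on non-root WebAuthn processes rather than a relaxation for root. The log message does not mention this. Please confirm it is intended, note it in the ChangeLog, and check that the non-root WebAuthn process does not depend on any system privilege that was previously reachable.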
Modified: branches/safari-613.1.4-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (283926 => 283927)
--- branches/safari-613.1.4-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-10-11 19:51:15 UTC (rev 283926)
+++ branches/safari-613.1.4-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-10-11 19:52:17 UTC (rev 283927)
@@ -24,12 +24,13 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
-(deny system-privilege)
(allow system-audit file-read-metadata)
-;; Silence spurious logging due to rdar://20117923 and rdar://72366475
-(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
-
+(with-filter (require-not (uid 0))
+ (deny system-privilege)
+ ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
+ (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)))
+
#include "Shared/Sandbox/preferences.sb"
;;;
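Review bot: This is the fourth copy of the same four-line `(with-filter (require-not (uid 0)) ...)` block, and each of the profiles already pulls in `#include "Shared/Sandbox/preferences.sb"`. Moving the block into a shared include would keep the root exemption in one place, so a later tightening cannot miss a profile. As this profile covers the process that handles web content, the change would also benefit from a test, or at least a documented manual check, covering both the uid 0 and non-root cases; none is included in this revision.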