Title: [285562] trunk/Source/WebKit
- Revision
- 285562
- Author
- [email protected]
- Date
- 2021-11-09 20:59:09 -0800 (Tue, 09 Nov 2021)
Log Message
[iOS][GPUP] Remove read access to preferences
https://bugs.webkit.org/show_bug.cgi?id=232439
<rdar://problem/84762138>
Reviewed by Darin Adler.
Based on telemetry showing they are not used, remove read access to several preference domains from the GPU process sandbox profile on iOS.
* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
Modified: trunk/Source/WebKit/ChangeLog (285561 => 285562)
--- trunk/Source/WebKit/ChangeLog 2021-11-10 04:28:04 UTC (rev 285561)
+++ trunk/Source/WebKit/ChangeLog 2021-11-10 04:59:09 UTC (rev 285562)
@@ -1,3 +1,15 @@
+2021-11-09 Per Arne <[email protected]>
+
+ [iOS][GPUP] Remove read access to preferences
+ https://bugs.webkit.org/show_bug.cgi?id=232439
+ <rdar://problem/84762138>
+
+ Reviewed by Darin Adler.
+
+ Based on telemetry, remove access to reading some preference domains in the GPU process' sandbox on iOS.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+
2021-11-09 Per Arne Vollan <[email protected]>
[macOS] Add telemetry for system calls in WP
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (285561 => 285562)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-11-10 04:28:04 UTC (rev 285561)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-11-10 04:59:09 UTC (rev 285562)
@@ -117,8 +117,7 @@
;; <rdar://problem/11569106>
(allow file-read* (with telemetry) asset-access-filter)
(if (memq 'with-media-playback options)
- (play-media asset-access-filter))
- (mobile-preferences-read "com.apple.MobileAsset")))
+ (play-media asset-access-filter))))
(define-once (play-audio)
(allow mach-lookup (with telemetry)
@@ -169,8 +168,6 @@
"com.apple.coremedia"
"com.apple.corevideo"
"com.apple.itunesstored" ; Needed by MediaPlayer framework
- "com.apple.mobileipod" ; Ditto
- "com.apple.audio.virtualaudio" ; <rdar://problem/57170333>
)
;; AVF needs to see these network preferences:
@@ -192,8 +189,7 @@
(define-once (media-remote)
(mobile-preferences-read
- "com.apple.mediaremote"
- "com.apple.mobileipod")
+ "com.apple.mediaremote")
(allow mach-lookup (with telemetry)
(global-name "com.apple.mediaremoted.xpc"))
)
@@ -235,9 +231,7 @@
(global-name "com.apple.accessibility.mediaaccessibilityd"))
;; <rdar://problem/12250145>
- (mobile-preferences-read "com.apple.mediaaccessibility")
- (mobile-preferences-read "com.apple.mediaaccessibility.public")
-)
+ (mobile-preferences-read "com.apple.mediaaccessibility"))
(define-once (url-translation)
;; For translating http:// & https:// URLs referencing itms:// URLs.
@@ -286,9 +280,7 @@
(xpc-service-name "com.apple.MTLCompilerService"))
(mobile-preferences-read
- "com.apple.Metal" ;; <rdar://problem/25535471>
- "com.apple.opengl" ;; <rdar://problem/23321675>
- )
+ "com.apple.Metal") ;; <rdar://problem/25535471>
)
(define-once (internal-debugging-support)
@@ -318,11 +310,8 @@
;; <rdar://problem/8107758>
(allow file-read* file-map-executable
(subpath "/System/Library/Frameworks")
- (subpath "/System/Library/PrivateFrameworks"))
+ (subpath "/System/Library/PrivateFrameworks")))
- ;; <rdar://problem/32544921>
- (mobile-preferences-read "com.apple.hangtracer"))
-
(define-once (device-access)
(deny file-read* file-write*
(vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
@@ -372,13 +361,7 @@
;; Things required by UIKit
(define-once (uikit-requirements)
(mobile-preferences-read
- "com.apple.UIKit"
- "com.apple.WebUI"
- "com.apple.airplay"
- "com.apple.avkit"
- "com.apple.coreanimation"
- "com.apple.mt"
- "com.apple.preferences.sounds")
+ "com.apple.coreanimation")
(allow mach-lookup
(global-name "com.apple.CARenderServer"))
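Review bot: The `;; Things required by UIKit` header on `uikit-requirements` now introduces a single remaining domain, and a later reader cannot tell that the other six were deliberately dropped rather than forgotten; a comment on the `(mobile-preferences-read` line such as `;; Only com.apple.coreanimation is still read per telemetry; the other UIKit domains were removed in webkit.org/b/232439` would record that. Two of the removed domains, com.apple.airplay and com.apple.avkit, are media-playback related, and this profile still enables playback through `play-media` and `media-remote`; a telemetry window that did not include an AirPlay route change may not have exercised those reads, so it is worth confirming that coverage before the removal ships. The `define-once` body continues past the end of the hunk.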
@@ -412,11 +395,6 @@
(allow file-read-metadata (with telemetry)
(vnode-type DIRECTORY))
-(mobile-preferences-read "com.apple.security")
-
-(with-filter (system-attribute apple-internal)
- (mobile-preferences-read "com.apple.PrototypeTools"))
-
(with-elevated-precedence
(allow file-read* (with telemetry)
(subpath "/usr/lib"
@@ -618,8 +596,6 @@
(url-translation)
-(mobile-preferences-read "com.apple.da")
-
(speech-synthesis-and-voiceover)
;; Permit reading assets via MobileAsset framework.
@@ -633,17 +609,6 @@
(allow file-read* (with telemetry)
(home-subpath "/Library/Caches/com.apple.keyboards"))
-(mobile-preferences-read
- "com.apple.EmojiPreferences"
- ; <rdar://problem/8477596> com.apple.InputModePreferences
- "com.apple.InputModePreferences"
- ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
- "com.apple.keyboard"
- ; <rdar://problem/9384085>
- "com.apple.Preferences"
- "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
-)
-
;; Silently deny unnecessary accesses caused by MessageUI framework.
;; This can be removed once <rdar://problem/47038102> is resolved.
(deny file-read*
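Review bot: The `(allow file-read* (with telemetry) (home-subpath "/Library/Caches/com.apple.keyboards"))` rule just above the removed list is retained while every keyboard and input-mode preference domain is dropped; if the GPU process no longer reads keyboard preferences it is unlikely to need the keyboard cache either, and the same telemetry should show whether that rule can go as well. The comment on the removed com.apple.keyboard entry records that a framework probes ~/Library/Preferences/com.apple.keyboard.plist directly, so that probe may now surface as a logged denial if it still happens in this process; the profile already silences such noise with `(deny file-read* (home-prefix "/Library/Preferences/com.apple.springboard.plist") (with no-log))`, and an equivalent `(deny file-read* (home-prefix "/Library/Preferences/com.apple.keyboard.plist") (with no-log))` would keep the logs clean. Whether the probe occurs in the GPU process is not visible from this hunk.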
@@ -690,15 +655,10 @@
(home-prefix "/Library/Preferences/com.apple.springboard.plist")
(with no-log))
-;; <rdar://problem/34986314>
-(mobile-preferences-read "com.apple.indigo")
-
;;;
;;; End UIKit-apps.sb content
;;;
-(mobile-preferences-read "com.apple.AdLib.plist")
-
(deny sysctl*)
(allow sysctl-read (with telemetry)
(sysctl-name
@@ -828,11 +788,7 @@
;; Read-only preferences and data
(mobile-preferences-read
- "com.apple.LaunchServices"
- "com.apple.WebFoundation"
- "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
- "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
- "com.apple.voiceservices.logging")
+ "com.apple.avfoundation.videoperformancehud") ;; <rdar://problem/31594568>
;; Sandbox extensions
(define (apply-read-and-issue-extension op path-filter)