Title: [288887] branches/safari-614.1.1-branch/Source/WebKit
Revision
288887
Author
[email protected]
Date
2022-02-01 09:44:53 -0800 (Tue, 01 Feb 2022)

Log Message

Cherry-pick r288860. rdar://problem/88081007

    [iOS] Clean up some issues in the 'com.apple.WebKit.adattributiond.sb' sandbox
    https://bugs.webkit.org/show_bug.cgi?id=235929
    <rdar://88081007>

    Patch by Brent Fulgham <[email protected]> on 2022-01-31
    Reviewed by Alex Christensen.

    Revise a few syntax issues in the sandbox.

    * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288860 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-614.1.1-branch/Source/WebKit/ChangeLog (288886 => 288887)


--- branches/safari-614.1.1-branch/Source/WebKit/ChangeLog	2022-02-01 17:41:36 UTC (rev 288886)
+++ branches/safari-614.1.1-branch/Source/WebKit/ChangeLog	2022-02-01 17:44:53 UTC (rev 288887)
@@ -1,3 +1,34 @@
+2022-02-01  Russell Epstein  <[email protected]>
+
+        Cherry-pick r288860. rdar://problem/88081007
+
+    [iOS] Clean up some issues in the 'com.apple.WebKit.adattributiond.sb' sandbox
+    https://bugs.webkit.org/show_bug.cgi?id=235929
+    <rdar://88081007>
+    
+    Patch by Brent Fulgham <[email protected]> on 2022-01-31
+    Reviewed by Alex Christensen.
+    
+    Revise a few syntax issues in the sandbox.
+    
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb:
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288860 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-01-31  Brent Fulgham  <[email protected]>
+
+            [iOS] Clean up some issues in the 'com.apple.WebKit.adattributiond.sb' sandbox
+            https://bugs.webkit.org/show_bug.cgi?id=235929
+            <rdar://88081007>
+
+            Reviewed by Alex Christensen.
+
+            Revise a few syntax issues in the sandbox.
+
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb:
+
 2022-01-27  Russell Epstein  <[email protected]>
 
         Cherry-pick r288658. rdar://problem/87999257

Modified: branches/safari-614.1.1-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb (288886 => 288887)


--- branches/safari-614.1.1-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb	2022-02-01 17:41:36 UTC (rev 288886)
+++ branches/safari-614.1.1-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb	2022-02-01 17:44:53 UTC (rev 288887)
@@ -25,7 +25,7 @@
 (deny default (with partial-symbolication))
 (allow system-audit file-read-metadata)
 
-(import "system.sb")
+(import "util.sb")
 
 (define (allow-read-write-directory-contents path)
     (if path
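Review bot: Replacing `(import "system.sb")` with `(import "util.sb")` changes which baseline rules this profile inherits, which is more than the syntax cleanup the log message describes, and nothing in the file says the change is deliberate. Under `(deny default ...)` the daemon now gets only what util.sb and this file's own rules grant, so a comment above the import would help the next reader, for example `;; system.sb is deliberately not imported; every allowance is listed in this file.` The contents of both imported profiles are outside this hunk, so the exact difference in granted operations should be confirmed against them. The `allow-read-write-directory-contents` definition that begins here continues past the end of the hunk.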
@@ -43,18 +43,36 @@
             (allow file-read* (subpath path))
             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
 
-;; Utility functions for home directory relative path filters
-(define (home-regex home-relative-regex)
-    (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
+(define (system-network)
+    (allow file-read*
+         (literal "/Library/Preferences/com.apple.networkd.plist")
+         (literal "/private/var/db/nsurlstoraged/dafsaData.bin"))
+    (deny mach-lookup (with telemetry)
+         (global-name "com.apple.SystemConfiguration.PPPController")
+         (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+         (global-name "com.apple.networkd")
+         (global-name "com.apple.nsurlstorage-cache")
+         (global-name "com.apple.symptomsd"))
+    (allow mach-lookup
+         (global-name "com.apple.dnssd.service")
+         (global-name "com.apple.nehelper")
+         (global-name "com.apple.nesessionmanager")
+         (global-name "com.apple.usymptomsd"))
+    (allow network-outbound
+         (control-name "com.apple.netsrc"))
+    (deny system-socket (with telemetry)
+          (socket-domain AF_ROUTE))
+    (allow system-socket
+         (require-all (socket-domain AF_SYSTEM)
+                      (socket-protocol 2))) ; SYSPROTO_CONTROL
+    (allow mach-lookup
+         (global-name "com.apple.AppSSO.service-xpc"))
+    (deny ipc-posix-shm-read-data (with telemetry)
+         (ipc-posix-name "/com.apple.AppSSO.version")))
 
-(define (home-subpath home-relative-subpath)
-    (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
+(allow file-read* file-write*
+    (subpath "/var/mobile/Library/com.apple.webkit.addattributiond"))
 
-(define (home-literal home-relative-literal)
-    (literal (string-append (param "HOME_DIR") home-relative-literal)))
-
-(allow file-read* file-write* (home-subpath "/var/mobile/Library/com.apple.webkit.addattributiond/Version1"))
-
 (allow-read-write-directory-contents (param "DARWIN_USER_CACHE_DIR"))
 (allow-read-write-directory-contents (param "DARWIN_USER_TEMP_DIR"))
 
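Review bot: The new rule `(subpath "/var/mobile/Library/com.apple.webkit.addattributiond")` grants read and write on the whole directory where the removed rule named its `Version1` subdirectory, and the path itself needs checking. The directory is spelled `addattributiond` while the profile is named `adattributiond`, and it is written under `/var` although `system-network` in the same hunk uses `/private/var/db/nsurlstoraged/dafsaData.bin`. If the sandbox matches on resolved paths, or the daemon creates its directory under its own name, this rule matches nothing and `(deny default)` blocks the storage. Once the on-disk path is confirmed, and if only the versioned store is needed, the narrower form would be something like `(subpath "/private/var/mobile/Library/com.apple.webkit.addattributiond/Version1")`. Separately, `system-network` is defined here but no `(system-network)` call is visible in the hunk, so it is worth checking that the profile invokes it elsewhere.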