Title: [290996] trunk/Source/WebKit
- Revision
- 290996
- Author
- commit-qu...@webkit.org
- Date
- 2022-03-08 09:15:30 -0800 (Tue, 08 Mar 2022)
Log Message
Expand adattributiond sandbox to prevent sandbox exceptions during main functionality
https://bugs.webkit.org/show_bug.cgi?id=237580
<rdar://89855243>
Patch by Alex Christensen <achristen...@webkit.org> on 2022-03-08
Reviewed by Per Arne Vollan.
* Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (290995 => 290996)
--- trunk/Source/WebKit/ChangeLog 2022-03-08 17:03:09 UTC (rev 290995)
+++ trunk/Source/WebKit/ChangeLog 2022-03-08 17:15:30 UTC (rev 290996)
@@ -1,5 +1,15 @@
2022-03-08 Alex Christensen <achristen...@webkit.org>
+ Expand adattributiond sandbox to prevent sandbox exceptions during main functionality
+ https://bugs.webkit.org/show_bug.cgi?id=237580
+ <rdar://89855243>
+
+ Reviewed by Per Arne Vollan.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb:
+
+2022-03-08 Alex Christensen <achristen...@webkit.org>
+
WebSocket.send() should synchronously update bufferedAmount
https://bugs.webkit.org/show_bug.cgi?id=235707
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb (290995 => 290996)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb 2022-03-08 17:03:09 UTC (rev 290995)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb 2022-03-08 17:15:30 UTC (rev 290996)
@@ -45,33 +45,37 @@
(define (system-network)
(allow file-read*
- (literal "/Library/Preferences/com.apple.networkd.plist")
- (literal "/private/var/db/nsurlstoraged/dafsaData.bin"))
+ (literal "/Library/Preferences/com.apple.networkd.plist")
+ (literal "/private/var/db/nsurlstoraged/dafsaData.bin"))
(deny mach-lookup (with telemetry)
- (global-name "com.apple.SystemConfiguration.PPPController")
- (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
- (global-name "com.apple.networkd")
- (global-name "com.apple.nsurlstorage-cache")
- (global-name "com.apple.symptomsd"))
+ (global-name "com.apple.SystemConfiguration.PPPController")
+ (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+ (global-name "com.apple.networkd")
+ (global-name "com.apple.nsurlstorage-cache")
+ (global-name "com.apple.symptomsd"))
(allow mach-lookup
- (global-name "com.apple.dnssd.service")
- (global-name "com.apple.nehelper")
- (global-name "com.apple.nesessionmanager")
- (global-name "com.apple.usymptomsd"))
+ (global-name "com.apple.trustd")
+ (global-name "com.apple.trustd.agent")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.logd")
+ (global-name "com.apple.dnssd.service")
+ (global-name "com.apple.nehelper")
+ (global-name "com.apple.nesessionmanager")
+ (global-name "com.apple.usymptomsd"))
(allow network-outbound
- (control-name "com.apple.netsrc"))
+ (control-name "com.apple.netsrc"))
(deny system-socket (with telemetry)
- (socket-domain AF_ROUTE))
+ (socket-domain AF_ROUTE))
(allow system-socket
- (require-all (socket-domain AF_SYSTEM)
+ (require-all (socket-domain AF_SYSTEM)
(socket-protocol 2))) ; SYSPROTO_CONTROL
(allow mach-lookup
- (global-name "com.apple.AppSSO.service-xpc"))
+ (global-name "com.apple.AppSSO.service-xpc"))
(deny ipc-posix-shm-read-data (with telemetry)
(ipc-posix-name "/com.apple.AppSSO.version")))
(allow file-read* file-write*
- (subpath "/var/mobile/Library/com.apple.webkit.adattributiond"))
+ (subpath "/private/var/mobile/Library/com.apple.webkit.adattributiond"))
(allow file-read* file-map-executable
(subpath "/System/Library/Frameworks")
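Review bot: The four names added to the first `allow mach-lookup` rule inside `(define (system-network) …)` have no comment saying which code path needs them, and `com.apple.logd` and `com.apple.system.notification_center` are not network services, so they read oddly in a helper named system-network. Consider moving those two into their own top-level rule with a comment such as `;; Needed by os_log_create`, which is what the shm rule in the last hunk suggests they are for, and annotating the trustd pair with something like `;; Certificate trust evaluation for TLS`. The same applies to `"com.apple.containermanagerd"` in the next hunk, which joins the CFNetwork list without a stated reason. Each mach service a sandboxed daemon can reach is extra attack surface, so a recorded reason per entry lets a later audit decide whether the allowance can be dropped.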
@@ -118,6 +122,7 @@
;; Various services required by CFNetwork and other frameworks
(allow mach-lookup
(global-name
+ "com.apple.containermanagerd"
"com.apple.usymptomsd"
"com.apple.cookied"
"com.apple.distributed_notifications@Uv3"
@@ -125,17 +130,36 @@
"com.apple.lsd.mapdb"
"com.apple.lsd.modifydb"))
+;; <rdar://problem/10642881>
+(allow file-read*
+ (literal "/private/var/preferences/com.apple.networkd.plist"))
+
+(allow file-read-data
+ (literal "/System/Library/CoreServices/SystemVersion.plist")
+ (literal "/usr/lib/log")
+ (literal "/usr/local/lib/log")) ; <rdar://problem/36629495>
+
;; Security framework
(allow mach-lookup (global-name "com.apple.SecurityServer")
-(global-name "com.apple.ocspd"))
+ (global-name "com.apple.ocspd"))
(allow file-read*
+ (literal "/dev/urandom")
+ (literal "/private/etc/master.passwd")
+ (subpath "/private/var/preferences/Logging")
(subpath "/Library/Keychains")
(subpath "/private/var/db/mds")
(literal "/Library/Preferences/com.apple.security.plist")
(home-literal "/Library/Preferences/com.apple.security.plist"))
-(allow file-read* (subpath "/usr/share/zoneinfo"))
+;;; Allow reading internal profiles on development builds
+(allow file-read*
+ (require-all (file-mode #o0004)
+ (subpath "/AppleInternal/Library/Preferences/Logging")
+ (system-attribute apple-internal)))
+
+(allow file-read* (subpath "/usr/share"))
+
(allow file-read* (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))
(allow ipc-posix-shm-read-data
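Review bot: Replacing `(allow file-read* (subpath "/usr/share/zoneinfo"))` with `(subpath "/usr/share")` widens read access from the time-zone data to the whole tree, and nothing in the hunk says which file caused the sandbox violation. If only specific directories are needed, keep the zoneinfo rule and add them by name, e.g. `(allow file-read* (subpath "/usr/share/zoneinfo") (subpath "/usr/share/<needed-dir>"))`, where the second path is a placeholder for the directory actually reported. The new `(literal "/private/etc/master.passwd")` entry under "Security framework" also has no comment; a one-line note naming the caller that reads it would make the allowance reviewable. The bare `;; <rdar://problem/10642881>` above the networkd.plist rule is not resolvable outside Apple, so a short description next to it would help as well.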
@@ -142,6 +166,8 @@
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
(allow ipc-posix-shm-write-data
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
+(allow ipc-posix-shm-read*
+ (ipc-posix-name "apple.shm.notification_center")) ;; Needed by os_log_create
;; Read-only preferences and data
(allow file-read*