[webkit-changes] [171322] trunk/Source/WebKit2

[oliver]

Title: [171322] trunk/Source/WebKit2

Revision

171322

Author

oli...@apple.com

Date

2014-07-21 17:10:11 -0700 (Mon, 21 Jul 2014)

Log Message

Correct sandbox profiles to fix some excess privileges
https://bugs.webkit.org/show_bug.cgi?id=135134
<rdar://problem/17741886>
<rdar://problem/17739080>

Reviewed by Alexey Proskuryakov.

This cleans up our sandbox profiles to fix a few issues - the profiles
no longer allow us to issue file extension we have the ability to consume,
and tightens some of the other file access rules.

This means we have to addd some rules to allow us to access things
that we previously had access to due to lax file system restrictions.

Some of the features were fixable simply by using entitlements on the
process rather than custom rules.

* Configurations/WebContent-iOS.entitlements:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

Modified Paths

• trunk/Source/WebKit2/ChangeLog
• trunk/Source/WebKit2/Configurations/WebContent-iOS.entitlements
• trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb
• trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
• trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

Diff

Modified: trunk/Source/WebKit2/ChangeLog (171321 => 171322)

--- trunk/Source/WebKit2/ChangeLog	2014-07-22 00:09:19 UTC (rev 171321)
+++ trunk/Source/WebKit2/ChangeLog	2014-07-22 00:10:11 UTC (rev 171322)
@@ -1,3 +1,27 @@
+2014-07-21  Oliver Hunt  <oli...@apple.com>
+
+        Correct sandbox profiles to fix some excess privileges
+        https://bugs.webkit.org/show_bug.cgi?id=135134
+        <rdar://problem/17741886>
+        <rdar://problem/17739080>
+
+        Reviewed by Alexey Proskuryakov.
+
+        This cleans up our sandbox profiles to fix a few issues - the profiles
+        no longer allow us to issue file extension we have the ability to consume,
+        and tightens some of the other file access rules.
+
+        This means we have to addd some rules to allow us to access things
+        that we previously had access to due to lax file system restrictions.
+
+        Some of the features were fixable simply by using entitlements on the
+        process rather than custom rules.
+
+        * Configurations/WebContent-iOS.entitlements:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2014-07-21  Simon Fraser  <simon.fra...@apple.com>
 
         [iOS WK2] Turn off position:fixed behavior when the keyboard is up

Modified: trunk/Source/WebKit2/Configurations/WebContent-iOS.entitlements (171321 => 171322)

--- trunk/Source/WebKit2/Configurations/WebContent-iOS.entitlements	2014-07-22 00:09:19 UTC (rev 171321)
+++ trunk/Source/WebKit2/Configurations/WebContent-iOS.entitlements	2014-07-22 00:10:11 UTC (rev 171322)
@@ -10,6 +10,10 @@
 	<true/>
 	<key>com.apple.private.webinspector.proxy-application</key>
 	<true/>
+	<key>com.apple.locationd.authorizeapplications</key>
+	<true/>
+	<key>com.apple.locationd.effective_bundle</key>
+	<true/>
 	<key>seatbelt-profiles</key>
 	<array>
 		<string>com.apple.WebKit.WebContent</string>

Modified: trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb (171321 => 171322)

--- trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb	2014-07-22 00:09:19 UTC (rev 171321)
+++ trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb	2014-07-22 00:10:11 UTC (rev 171322)
@@ -28,20 +28,4 @@
 (import "common.sb")
 (import "removed-dev-nodes.sb")
 
-;; Sandbox extensions
-(define (apply-read-and-issue-extension op path-filter)
-    (op file-read* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
-(define (apply-write-and-issue-extension op path-filter)
-    (op file-write* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
-(define (read-only-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter))
-(define (read-write-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter)
-    (apply-write-and-issue-extension allow path-filter))
-(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
-(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
-
-(if (defined? 'vnode-type)
-    (deny file-write-create (vnode-type SYMLINK)))
+(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))

Modified: trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (171321 => 171322)

--- trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2014-07-22 00:09:19 UTC (rev 171321)
+++ trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2014-07-22 00:10:11 UTC (rev 171322)
@@ -36,8 +36,10 @@
 (allow file-read* (extension "com.apple.webkit.read"))
 
 ;; Access to client's cache folder & re-vending to CFNetwork.
-(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))
-(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))
+;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
+(allow file-issue-extension (require-all
+    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))
+    (extension-class "com.apple.nsurlstorage.extension-cache")))
 
 ;; App sandbox extensions
 (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))

Modified: trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (171321 => 171322)

--- trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2014-07-22 00:09:19 UTC (rev 171321)
+++ trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2014-07-22 00:10:11 UTC (rev 171322)
@@ -36,12 +36,15 @@
 ;; This is too generous -- <rdar://problem/17496756>
 (apple-cookie-access 'with-read-write)
 
+;; Access to media controls
 (play-media)
+(media-remote)
 
 ;; Read-only preferences and data
 (mobile-preferences-read
     "com.apple.LaunchServices"
-    "com.apple.WebFoundation")
+    "com.apple.WebFoundation"
+    "com.apple.mobileipod")
 
 ;; Sandbox extensions
 (define (apply-read-and-issue-extension op path-filter)
@@ -66,8 +69,11 @@
             (extension "com.apple.app-sandbox.read-write"))))
 
 
-(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))
-(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))
+;; Access to client's cache folder & re-vending to CFNetwork.
+;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
+(allow file-issue-extension (require-all
+    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))
+    (extension-class "com.apple.nsurlstorage.extension-cache")))
 
 ;; Access to own cache & temp folders.
 (allow file-read* (extension "com.apple.webkit.read"))

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes