[webkit-changes] [229093] trunk/Source/WebKit

[bfulgham]

Title: [229093] trunk/Source/WebKit

Revision

229093

Author

bfulg...@apple.com

Date

2018-02-28 09:17:12 -0800 (Wed, 28 Feb 2018)

Log Message

Remove network access from the WebContent process sandbox
https://bugs.webkit.org/show_bug.cgi?id=183192
<rdar://problem/35369115>

Reviewed by Alex Christensen.

Remove the 'system-network', 'allow-network-common', and 'network-client' access from the WebContent process.
That's why we have a Network Process! 

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
• trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

Diff

Modified: trunk/Source/WebKit/ChangeLog (229092 => 229093)

--- trunk/Source/WebKit/ChangeLog	2018-02-28 16:38:31 UTC (rev 229092)
+++ trunk/Source/WebKit/ChangeLog	2018-02-28 17:17:12 UTC (rev 229093)
@@ -1,3 +1,17 @@
+2018-02-28  Brent Fulgham  <bfulg...@apple.com>
+
+        Remove network access from the WebContent process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=183192
+        <rdar://problem/35369115>
+
+        Reviewed by Alex Christensen.
+
+        Remove the 'system-network', 'allow-network-common', and 'network-client' access from the WebContent process.
+        That's why we have a Network Process! 
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2018-02-27  Tim Horton  <timothy_hor...@apple.com>
 
         Ensure target triple is propagated correctly to DerivedSources.make

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (229092 => 229093)

--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2018-02-28 16:38:31 UTC (rev 229092)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2018-02-28 17:17:12 UTC (rev 229093)
@@ -229,8 +229,6 @@
 (allow-create-directory
     (home-literal "/Library/Caches/com.apple.DictionaryServices"))
 
-(allow-network-common)
-
 ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
 (allow file-read*
     ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
@@ -382,8 +380,6 @@
 ;; AWD logging
 (awd-log-directory "com.apple.WebKit.WebContent")
 
-(network-client (remote tcp) (remote udp))
-
 ;; Allow ManagedPreference access
 (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
 

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (229092 => 229093)

--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2018-02-28 16:38:31 UTC (rev 229092)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2018-02-28 17:17:12 UTC (rev 229093)
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2018 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -78,11 +78,12 @@
        file-ioctl
     (literal "/dev/dtracehelper"))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (allow network-outbound
     (literal "/private/var/run/asl_input")
     (literal "/private/var/run/syslog"))
+#endif
 
-
 ;;; Allow creation of core dumps.
 (allow file-write-create
     (require-all (prefix "/cores/")
@@ -140,27 +141,6 @@
         (iokit-property "ggcs")
         (iokit-property "bgcs")))))
 
-
-;;; (system-network) - Allow access to the network.
-(define (system-network)
-    (allow file-read*
-        (literal "/Library/Preferences/com.apple.networkd.plist"))
-    (allow mach-lookup
-        (global-name "com.apple.SystemConfiguration.PPPController")
-        (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
-        (global-name "com.apple.nehelper")
-        (global-name "com.apple.networkd")
-        (global-name "com.apple.nsurlstorage-cache")
-        (global-name "com.apple.symptomsd")
-        (global-name "com.apple.usymptomsd"))
-    (allow network-outbound
-        (control-name "com.apple.netsrc")
-        (control-name "com.apple.network.statistics"))
-    (allow system-socket
-        (require-all (socket-domain AF_SYSTEM)
-        (socket-protocol 2)) ; SYSPROTO_CONTROL
-    (socket-domain AF_ROUTE)))
-
 ;;;
 ;;; End rules originally copied from 'system.sb'
 ;;;
@@ -645,11 +625,13 @@
 (system-graphics)
 
 ;; Networking
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (system-network)
 (allow network-outbound
        ;; Local mDNSResponder for DNS, arbitrary outbound TCP
        (literal "/private/var/run/mDNSResponder")
        (remote tcp))
+#endif
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
 ;; CFNetwork
@@ -662,8 +644,10 @@
        (global-name "com.apple.GSSCred")
        (global-name "com.apple.system.logger")
        (global-name "com.apple.system.notification_center"))
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (allow network-outbound
        (remote udp))
+#endif
 (allow user-preference-read
     (preference-domain
         "com.apple.Kerberos"

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes