Title: [275789] trunk/Source/WebKit
- Revision
- 275789
- Author
- [email protected]
- Date
- 2021-04-09 18:55:26 -0700 (Fri, 09 Apr 2021)
Log Message
[iOS] Correct process-info rules to restrict to self
https://bugs.webkit.org/show_bug.cgi?id=224383
<rdar://problem/66582454>
Reviewed by Eric Carlson.
The sandbox allows 'process-info' by default, so our allow rules have no real impact.
We need to deny access first, as we do on macOS, so that the allow rules have meaning.
I reviewed the macOS sandbox, and made sure the iOS sandbox allows the same items.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (275788 => 275789)
--- trunk/Source/WebKit/ChangeLog 2021-04-10 01:00:15 UTC (rev 275788)
+++ trunk/Source/WebKit/ChangeLog 2021-04-10 01:55:26 UTC (rev 275789)
@@ -1,3 +1,18 @@
+2021-04-09 Brent Fulgham <[email protected]>
+
+ [iOS] Correct process-info rules to restrict to self
+ https://bugs.webkit.org/show_bug.cgi?id=224383
+ <rdar://problem/66582454>
+
+ Reviewed by Eric Carlson.
+
+ The sandbox allows 'process-info' by default, so our allow rules have no real impact.
+ We need to deny access first, as we do on macOS, so that the allow rules have meaning.
+
+ I reviewed the macOS sandbox, and made sure the iOS sandbox allows the same items.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
2021-04-09 Wenson Hsieh <[email protected]>
Web process crashes if image extraction is requested for an element that is pending image extraction
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (275788 => 275789)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-04-10 01:00:15 UTC (rev 275788)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-04-10 01:55:26 UTC (rev 275789)
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2020 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2021 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
@@ -764,6 +764,8 @@
(allow mach-task-name (target self))
+;;; process-info* defaults to allow; deny it and then allow operations we actually need.
+(deny process-info*)
(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
