Title: [278831] trunk/Source/WebKit
- Revision
- 278831
- Author
- bfulg...@apple.com
- Date
- 2021-06-14 10:19:38 -0700 (Mon, 14 Jun 2021)
Log Message
[iOS] Tighten the WebAuthn Sandbox
https://bugs.webkit.org/show_bug.cgi?id=226944
<rdar://problem/74721792>
Reviewed by Per Arne Vollan.
Revise the WebAuthn process sandbox to remove the many things originally copied from
the WebContent sandbox that are not needed.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (278830 => 278831)
--- trunk/Source/WebKit/ChangeLog 2021-06-14 16:14:02 UTC (rev 278830)
+++ trunk/Source/WebKit/ChangeLog 2021-06-14 17:19:38 UTC (rev 278831)
@@ -1,3 +1,16 @@
+2021-06-14 Brent Fulgham <bfulg...@apple.com>
+
+ [iOS] Tighten the WebAuthn Sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=226944
+ <rdar://problem/74721792>
+
+ Reviewed by Per Arne Vollan.
+
+ Revise the WebAuthn process sandbox to remove the many things originally copied from
+ the WebContent sandbox that are not needed.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb:
+
2021-06-14 Per Arne <pvol...@apple.com>
[iOS] Sync Accessibility preferences
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb (278830 => 278831)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb 2021-06-14 16:14:02 UTC (rev 278830)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb 2021-06-14 17:19:38 UTC (rev 278831)
@@ -1,4 +1,4 @@
-; Copyright (C) 2020 Apple Inc. All rights reserved.
+; Copyright (C) 2020-2021 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
@@ -24,7 +24,6 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
-(allow system-audit file-read-metadata)
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
@@ -33,24 +32,6 @@
(import "util.sb")
-(define-once (allow-read-and-issue-generic-extensions . filters)
- (allow file-read*
- (apply require-any filters))
- (allow file-issue-extension
- (require-all
- (extension-class "com.apple.app-sandbox.read")
- (apply require-any filters))))
-
-(define-once (allow-read-write-and-issue-generic-extensions . filters)
- (allow file-read* file-write*
- (apply require-any filters))
- (allow file-read-metadata
- (apply require-any filters))
- (allow file-issue-extension
- (require-all
- (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
- (apply require-any filters))))
-
(define-once (managed-configuration-read-public)
(allow file-read*
(well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
@@ -57,142 +38,103 @@
(front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
(front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))
-(define-once (managed-configuration-read . files)
- (if (null? files)
- (allow file-read*
- (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
- (front-user-home-subpath "/Library/ConfigurationProfiles")
- (front-user-home-subpath "/Library/UserConfigurationProfiles"))
- (for-each
- (lambda (file)
- (allow file-read*
- (well-known-system-group-container-literal
- (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
- (front-user-home-literal
- (string-append "/Library/ConfigurationProfiles/" file)
- (string-append "/Library/UserConfigurationProfiles/" file))))
- files)))
-
(define-once (allow-preferences-common)
(allow file-read-metadata
- (home-literal "")
- (home-literal "/Library/Preferences")))
+ (home-literal "")
+ (home-literal "/Library/Preferences")))
(define-once (mobile-preferences-read . domains)
(allow-preferences-common)
(allow user-preference-read (apply preference-domain domains)))
-(define-once (mobile-preferences-read-write . domains)
- (allow-preferences-common)
- (allow user-preference-read user-preference-write (apply preference-domain domains)))
+(define-once (internal-debugging-support)
+ (allow file-read* file-map-executable
+ (subpath "/Developer"))
-(define-once (framebuffer-access)
- (allow iokit-open
- (iokit-user-client-class "IOMobileFramebufferUserClient"))
- (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily"))
+ (allow ipc-posix-shm
+ (ipc-posix-name-regex #"^stack-logs")
+ (ipc-posix-name-regex #"^OA-")
+ (ipc-posix-name-regex #"^/FSM-"))
-(define-once (url-translation)
- ;; For translating http:// & https:// URLs referencing itms:// URLs.
- ;; <rdar://problem/11587338>
- (allow file-read*
- (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))
+ (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
+ (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))
-(define-once (internal-debugging-support)
+ (with-filter (system-attribute apple-internal)
+ ;; <rdar://problem/8565035>
+ ;; <rdar://problem/23857452>
(allow file-read* file-map-executable
- (subpath "/Developer"))
+ (subpath
+ "/AppleInternal"
+ "/usr/local/lib"
+ "/usr/appleinternal/lib/sanitizers"
+ )
+ )
+ )
+ (with-elevated-precedence
+ (allow file-read* file-map-executable file-issue-extension
+ (front-user-home-subpath "/XcodeBuiltProducts")
+ )
+ )
- (allow ipc-posix-shm
- (ipc-posix-name-regex #"^stack-logs")
- (ipc-posix-name-regex #"^OA-")
- (ipc-posix-name-regex #"^/FSM-"))
+ ;; <rdar://problem/8107758>
+ (allow file-read* file-map-executable
+ (subpath
+ "/System/Library/Frameworks"
+ "/System/Library/PrivateFrameworks"
+ )
+ )
- (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
- (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))
+ ;; <rdar://problem/32544921>
+ (mobile-preferences-read "com.apple.hangtracer")
+)
- (with-filter (system-attribute apple-internal)
- ;; <rdar://problem/8565035>
- ;; <rdar://problem/23857452>
- (allow file-read* file-map-executable
- (subpath "/AppleInternal")
- (subpath "/usr/local/lib")
- (subpath "/usr/appleinternal/lib/sanitizers")))
- (with-elevated-precedence
- (allow file-read* file-map-executable file-issue-extension
- (front-user-home-subpath "/XcodeBuiltProducts")))
-
- ;; <rdar://problem/8107758>
- (allow file-read* file-map-executable
- (subpath "/System/Library/Frameworks")
- (subpath "/System/Library/PrivateFrameworks"))
-
- ;; <rdar://problem/32544921>
- (mobile-preferences-read "com.apple.hangtracer"))
-
(define-once (device-access)
(deny file-read* file-write*
- (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
+ (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
(allow file-read* file-write-data
- (literal "/dev/null")
- (literal "/dev/zero"))
+ (literal
+ "/dev/null"
+ "/dev/zero"
+ )
+ )
- (allow file-read* file-write-data file-ioctl
- (literal "/dev/dtracehelper"))
+ (allow file-read*
+ (literal
+ "/dev/random"
+ "/dev/urandom"
+ )
+ )
- (allow file-read*
- (literal "/dev/random")
- (literal "/dev/urandom"))
+ (if (system-attribute apple-internal)
+ (allow file-read* file-write-data file-ioctl
+ (literal "/dev/dtracehelper"))
+ ; else
+ (deny (with no-log) file-read* file-write-data file-ioctl
+ (literal "/dev/dtracehelper"))
+ )
+
;; <rdar://problem/14215718>
(deny file-write-data (with no-report)
- (literal "/dev/random")
- (literal "/dev/urandom"))
+ (literal
+ "/dev/random"
+ "/dev/urandom"
+ )
+ )
(allow file-read* file-write-data file-ioctl
- (literal "/dev/aes_0")))
+ (literal "/dev/aes_0")
+ )
+)
(define required-etc-files
- (literal "/private/etc/fstab"
- "/private/etc/hosts"
- "/private/etc/group"
- "/private/etc/passwd"
- "/private/etc/protocols"
- "/private/etc/services"))
-
-;; Things required by UIKit
-(define-once (uikit-requirements)
- (mobile-preferences-read
- "com.apple.UIKit"
- "com.apple.WebUI"
- "com.apple.airplay"
- "com.apple.avkit"
- "com.apple.coreanimation"
- "com.apple.mt"
- "com.apple.preferences.sounds")
-
- (allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.frontboard.systemappservices") ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
+ (literal
+ "/private/etc/hosts"
+ "/private/etc/group"
+ "/private/etc/passwd"
+ "/private/etc/protocols"
+ "/private/etc/services"
)
-
- (allow mach-lookup
- (global-name "com.apple.CARenderServer"))
-
- (allow mach-lookup (with report) (with telemetry)
- (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")
- (xpc-service-name-regex #"\.viewservice$") ;; <rdar://problem/31252371>
- )
-
- ; UIKit-required IOKit nodes.
- (allow iokit-open
- (iokit-user-client-class "IOSurfaceAcceleratorClient")
- (iokit-user-client-class "IOSurfaceSendRight")
- ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
- (iokit-user-client-class "IOSurfaceRootUserClient"))
-
- ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
- ;; <rdar://problem/13796537>
- (deny file-write-create
- (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
- (with no-report))
)
(deny file-map-executable)
@@ -199,26 +141,23 @@
(deny file-write-mount file-write-unmount)
-(allow file-read-metadata
- (vnode-type DIRECTORY))
-
(mobile-preferences-read "com.apple.security")
(with-filter (system-attribute apple-internal)
- (mobile-preferences-read "com.apple.PrototypeTools"))
+ (mobile-preferences-read "com.apple.PrototypeTools")
+)
(with-elevated-precedence
(allow file-read*
- (subpath "/usr/lib"
- "/usr/share"
- "/private/var/db/timezone"))
- (allow-read-and-issue-generic-extensions
- (subpath "/Library/RegionFeatures"
- "/System/Library"))
- (allow file-issue-extension
- (require-all
- (extension-class "com.apple.mediaserverd.read")
- (subpath "/System/Library")))
+ (subpath
+ "/usr/lib"
+ "/usr/share"
+ "/private/var/db/timezone"
+ "/private/var/preferences/Logging" ;;; <rdar://problem/24144418>
+ "/System/Library"
+ )
+ )
+
(let ((hw-identifying-paths
(require-any
(literal "/System/Library/Caches/apticket.der")
@@ -227,29 +166,30 @@
(deny file-issue-extension file-read* hw-identifying-paths))
(allow file-map-executable
- (subpath "/System/Library")
- (subpath "/usr/lib"))
+ (subpath
+ "/System/Library"
+ "/usr/lib"
+ )
+ )
+
(allow file-read-metadata
- (vnode-type SYMLINK))
+ (vnode-type
+ DIRECTORY
+ SYMLINK
+ )
+ )
- ;;; <rdar://problem/24144418>
- (allow file-read*
- (subpath "/private/var/preferences/Logging"))
-
(mobile-preferences-read "kCFPreferencesAnyApplication")
+ (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
+
(allow file-read*
- (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
+ (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")
+ (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")
+ )
- (allow file-read*
- (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
- (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
-
(allow file-read-metadata
- (home-literal "/Library/Caches/powerlog.launchd"))
+ (home-literal "/Library/Caches/powerlog.launchd"))
- (allow-read-and-issue-generic-extensions (executable-bundle))
- (allow file-map-executable (executable-bundle))
-
;; <rdar://problem/13963294>
(deny file-read-data file-issue-extension file-map-executable
(require-all
@@ -256,51 +196,6 @@
(executable-bundle)
(regex #"/[^/]+/SC_Info/")))
- (unless (defined? 'restrictive-extension)
- (with-filter
- (extension
- "com.apple.app-sandbox.read"
- "com.apple.app-sandbox.read-write"
- "com.apple.quicklook.readonly"
- "com.apple.security.exception.files.absolute-path.read-only"
- "com.apple.security.exception.files.absolute-path.read-write"
- "com.apple.security.exception.files.home-relative-path.read-only"
- "com.apple.security.exception.files.home-relative-path.read-write"
- "com.apple.sharing.airdrop.readonly")
- (allow file-read* file-read-metadata)
- (allow file-issue-extension
- (extension-class "com.apple.app-sandbox.read"
- "com.apple.mediaserverd.read"
- "com.apple.quicklook.readonly"
- "com.apple.sharing.airdrop.readonly")))
- (with-filter
- (extension
- "com.apple.app-sandbox.read-write"
- "com.apple.security.exception.files.absolute-path.read-write"
- "com.apple.security.exception.files.home-relative-path.read-write")
- (allow file-write*)
- (allow file-issue-extension
- (extension-class "com.apple.app-sandbox.read-write"
- "com.apple.mediaserverd.read-write"))))
-
- ;; <rdar://problem/16079361>
- (with-filter (global-name-prefix "")
- (allow mach-register
- (extension "com.apple.security.exception.mach-register.global-name")))
- (with-filter (local-name-prefix "")
- (allow mach-register
- (extension "com.apple.security.exception.mach-register.local-name")))
- (allow-read-and-issue-generic-extensions
- (extension "com.apple.security.exception.files.absolute-path.read-only")
- (extension "com.apple.security.exception.files.home-relative-path.read-only"))
- (allow-read-write-and-issue-generic-extensions
- (extension "com.apple.security.exception.files.absolute-path.read-write")
- (extension "com.apple.security.exception.files.home-relative-path.read-write"))
- (allow managed-preference-read
- (extension "com.apple.security.exception.managed-preference.read-only"))
- (allow user-preference-read
- (extension "com.apple.security.exception.shared-preference.read-only"))
-
(allow file-issue-extension
(require-all
(extension-class "com.apple.nsurlstorage.extension-cache")
@@ -314,87 +209,64 @@
(internal-debugging-support)
)
-(allow file-read*
- required-etc-files
- (literal "/"))
+(allow file-read* required-etc-files)
(allow file-read*
- (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
+ (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
+(allow file-read-data
+ (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
+)
+
(device-access)
-(allow file-issue-extension
- (require-all
- (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
- (extension "com.apple.fileprovider.read-write")))
-
(allow mach-lookup
- (global-name "com.apple.logd")
- (global-name "com.apple.logd.events")
- (global-name "com.apple.distributed_notifications@1v3")
- (global-name "com.apple.aggregated")
- (global-name "com.apple.cfprefsd.daemon"))
+ (global-name
+ "com.apple.cfprefsd.daemon"
+ "com.apple.logd"
+ "com.apple.logd.events"
+ "com.apple.system.notification_center"
+ )
+)
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.tccd"))
+(with-filter (system-attribute apple-internal)
+ (allow mach-lookup
+ (global-name
+ "com.apple.diagnosticd"
+ "com.apple.system.logger"
+ )
+ )
+)
+(deny mach-lookup (with no-report)
+ (global-name
+ "com.apple.aggregated"
+ )
+)
+
(allow ipc-posix-shm-read*
- (ipc-posix-name-prefix "apple.cfprefs."))
+ (ipc-posix-name-prefix "apple.cfprefs."))
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.lsd.mapdb"))
-
;; <rdar://problem/12413942>
(allow file-read*
- (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
-(allow iokit-get-properties
- (iokit-property "IORegistryEntryPropertyKeys"))
+ (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
-(allow ipc-posix-sem-open
- (ipc-posix-name "containermanagerd.fb_check"))
+(allow ipc-posix-shm-read*
+ (ipc-posix-name "apple.shm.notification_center"))
-(with-filter (ipc-posix-name "purplebuddy.sentinel")
+(with-filter
+ (require-all
+ (system-attribute apple-internal)
+ (ipc-posix-name "purplebuddy.sentinel"))
(deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
- (allow ipc-posix-sem-open))
+ (allow ipc-posix-sem-open)
+)
-(allow mach-lookup (with telemetry)
- (global-name "com.apple.runningboard")) ;; Needed by process assertion code (ProcessTaskStateObserver).
-
-(allow system-sched
- (require-entitlement "com.apple.private.kernel.override-cpumon"))
-
-(deny sysctl-read (with no-report)
- (sysctl-name "sysctl.proc_native"))
-
-(with-filter (system-attribute apple-internal)
- (allow sysctl-read sysctl-write
- (sysctl-name "vm.footprint_suspend")))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.system.logger"))
-
-(allow file-read-metadata
- (literal "/private/var/run/syslog"))
-
-(allow mach-lookup
- (global-name "com.apple.system.notification_center"))
-(allow ipc-posix-shm-read*
- (ipc-posix-name "apple.shm.notification_center"))
-
-(allow mach-lookup (with report) (with telemetry)
- (global-name "com.apple.diagnosticd"))
-
(managed-configuration-read-public)
(deny system-info (with no-report)
- (info-type "net.link.addr"))
+ (info-type "net.link.addr"))
-(allow file-read*
- (subpath "/private/var/db/datadetectors/sys"))
-
-(allow-well-known-system-group-container-subpath-read
- "/systemgroup.com.apple.icloud.findmydevice.managed/Library")
-
(allow mach-task-name (target self))
(allow process-info-pidinfo (target self))
@@ -418,55 +290,20 @@
;;; remove unneeded sandbox extensions.
;;;
-(url-translation)
-
-(mobile-preferences-read "com.apple.da")
-
-;; Access the keyboards
-(allow file-read*
- (home-subpath "/Library/Caches/com.apple.keyboards"))
-
-;; Silently deny unnecessary accesses caused by MessageUI framework.
-;; This can be removed once <rdar://problem/47038102> is resolved.
-(deny file-read*
- (home-literal "/Library/Preferences/com.apple.mobilemail.plist")
- (with no-log))
-
-;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
-(allow file-read*
- (home-subpath "/Library/Fonts"))
-
(allow-preferences-common)
;; Home Button
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
- (allow iokit-get-properties
+ (allow iokit-get-properties (with telemetry)
(iokit-property "home-button-type")))
-(uikit-requirements)
-
-;; <rdar://problem/9404009>
-(mobile-preferences-read "kCFPreferencesAnyApplication")
-
-; <rdar://problem/8440231>
-(allow file-read*
- (home-literal "/Library/Caches/DateFormats.plist"))
-; Silently deny writes when CFData attempts to write to the cache directory.
(deny file-write*
- (home-literal "/Library/Caches/DateFormats.plist")
+ (home-literal
+ "/Library/Caches/DateFormats.plist" ; Silently deny writes when CFData attempts to write to the cache directory.
+ "/Library/Preferences/com.apple.springboard.plist" ;; <rdar://problem/9375027>
+ )
(with no-log))
-; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
-; which will attempt to create the plist if it doesn't exist -- from any application. Only SpringBoard is
-; allowed to write its plist; ignore all others, they don't know what they are doing.
-; See <rdar://problem/9375027> for sample backtraces.
-(deny file-write*
- (home-prefix "/Library/Preferences/com.apple.springboard.plist")
- (with no-log))
-
-;; <rdar://problem/34986314>
-(mobile-preferences-read "com.apple.indigo")
-
;;;
;;; End UIKit-apps.sb content
;;;
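Review bot: The `(with telemetry)` tag added to the `home-button-type` rule under `(iokit-registry-entry-class "IOPlatformDevice")` will not isolate that access, because later in this same file the new unfiltered `(allow iokit-get-properties (with report) (with telemetry))` already matches every property read, so this narrow rule is effectively shadowed and its telemetry will never fire on its own. Either drop it as dead, or preferably keep it and scope the blanket rule so that this IOPlatformDevice allow is the one that actually grants the home-button read; a comment such as `;; Kept narrow on purpose: the blanket iokit-get-properties allow below is a FIXME, not a contract.` would make the intent clear to whoever tightens the blanket rule.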
@@ -504,11 +341,13 @@
"kern.bootargs"
"kern.hostname"
"kern.hv_vmm_present"
+ "kern.maxfilesperproc"
"kern.memorystatus_level"
"kern.osproductversion"
"kern.osrelease"
"kern.osvariant_status"
"kern.osversion"
+ "kern.ostype"
"kern.secure_kernel"
"kern.version"
"vm.footprint_suspend")
@@ -516,173 +355,101 @@
(sysctl-name-prefix "hw.perflevel") ;; <rdar://problem/76782530>
)
-(allow iokit-get-properties
- (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
- (iokit-property "APTDevice")
- (iokit-property "AVCSupported")
- (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
- (iokit-property "BaseAddressAlignmentRequirement")
- (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
- (iokit-property "HEVCSupported")
- (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
- (iokit-property "IOClassNameOverride")
- (iokit-property "IOPlatformUUID")
- (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
- (iokit-property "Protocol Characteristics")
- (iokit-property "als-colorCfg") ;; <rdar://problem/52903475>
- (iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720>
- (iokit-property "artwork-device-subtype")
- (iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788>
- (iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720>
- (iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788>
- (iokit-property-regex #"(canvas-height|canvas-width)")
- (iokit-property "chip-id") ;; <rdar://problem/52903477>
- (iokit-property "class-code")
- (iokit-property "color-accuracy-index")
- (iokit-property "compatible") ;; <rdar://problem/47523516>
- (iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720>
- (iokit-property "device-colors") ;; <rdar://problem/51322072>
- (iokit-property "device-id")
- (iokit-property "device-perf-memory-class")
- (iokit-property "dfr")
- (iokit-property "display-corner-radius") ;; <rdar://problem/50602737>
- (iokit-property "emu")
- (iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720>
- (iokit-property "graphics-featureset-fallbacks") ;; <rdar://problem/51322072>
- (iokit-property "hdcp-hoover-protocol")
- (iokit-property "iommu-present")
- (iokit-property "oled-display") ;; <rdar://problem/51322072>
- (iokit-property "product-description") ;; <rdar://problem/49497788>
- (iokit-property "product-id")
- (iokit-property "region-info") ;; <rdar://problem/52903475>
- (iokit-property "regulatory-model-number") ;; <rdar://problem/52903475>
- (iokit-property "soc-generation") ;; <rdar://problem/52903476>
- (iokit-property "software-behavior")
- (iokit-property "vendor-id")
- (iokit-property "udid-version") ;; <rdar://problem/52903475>
- (iokit-property "ui-pip") ;; <rdar://problem/48867037>
+(with-filter (system-attribute apple-internal)
+ (allow sysctl-read sysctl-write
+ (sysctl-name
+ "vm.footprint_suspend"
+ )
+ )
)
+;; Silence noisy denials
+(deny sysctl-read (with no-report)
+ (sysctl-name
+ "sysctl.proc_native"
+ )
+)
+
;; Read-only preferences and data
-(mobile-preferences-read
- "com.apple.LaunchServices"
- "com.apple.WebFoundation"
- "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
- "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
- "com.apple.voiceservices.logging")
+(mobile-preferences-read "com.apple.LaunchServices")
-;; Sandbox extensions
-(define (apply-read-and-issue-extension op path-filter)
- (op file-read* path-filter)
- (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
-(define (apply-write-and-issue-extension op path-filter)
- (op file-write* path-filter)
- (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
-(define (read-only-and-issue-extensions path-filter)
- (apply-read-and-issue-extension allow path-filter))
-(define (read-write-and-issue-extensions path-filter)
- (apply-read-and-issue-extension allow path-filter)
- (apply-write-and-issue-extension allow path-filter))
-(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
-(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
-
;; Access to client's cache folder & re-vending to CFNetwork.
-(allow file-issue-extension (require-all
- (extension "com.apple.app-sandbox.read-write")
- (extension-class "com.apple.nsurlstorage.extension-cache")))
+(allow file-issue-extension
+ (require-all
+ (extension "com.apple.app-sandbox.read-write")
+ (extension-class "com.apple.nsurlstorage.extension-cache")))
-;; Various services required by CFNetwork and other frameworks
-(allow mach-lookup
- (global-name "com.apple.PowerManagement.control")
- (global-name "com.apple.analyticsd"))
-
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
-;; Allow loading injected bundles.
-(allow file-map-executable)
+;; FIXME: Can further restrict the following rules.
+(allow iokit-get-properties (with report) (with telemetry))
+(allow iokit-set-properties (with report) (with telemetry))
-;; Allow ManagedPreference access
-(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
+(allow file-read* file-write*
+ (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/11599825> is fixed.
-(allow file-read-data
- (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
-)
+(allow file-read*
+ (subpath "/Library/Keychains")
+ (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain"))
-(allow mach-lookup
- (require-all
- (extension "com.apple.webkit.extension.mach")
- (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService")))
+(allow file-read*
+ (subpath "/private/var/containers/Shared/SystemGroup") ;; FIXME<rdar://problem/71137389>
+ (literal "/private/var/preferences/com.apple.networkd.plist"))
-;; These services have been identified as unused during living-on.
-;; This list overrides some definitions above and in common.sb.
-;; FIXME: remove overridden rules once the final list has been
-;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840
-(deny mach-lookup
- (global-name "com.apple.webkit.camera")
-)
-
-;; Allow accesses to HID
-(allow iokit-open
- (iokit-user-client-class "IOHIDLibUserClient"))
-
-;; FIXME: Can further restrict the following rules.
-(allow iokit-get-properties)
-(allow iokit-set-properties)
-
-;; Allow accesses to LocalAuthentication and RemoteService
(allow mach-lookup
- (global-name "com.apple.CoreAuthentication.daemon")
- (global-name "com.apple.remoted"))
+ ;; Allow accesses to the Springboard view services.
+ (global-name
+ "com.apple.frontboard.systemappservices"
+ "com.apple.runningboard"
+ )
-;; Allow accesses to NFC
-(allow mach-lookup
- (global-name "com.apple.nfcd.hwmanager"))
+ ;; Allow accesses to LocalAuthentication and RemoteService
+ (global-name
+ "com.apple.CoreAuthentication.daemon"
+ "com.apple.remoted"
+ "com.apple.tccd"
+ )
-;; Allow accesses to the Springboard view services.
-(allow mach-lookup
- (global-name "com.apple.frontboard.systemappservices"))
+ ;; Allow accesses to the SEP
+ (global-name "com.apple.ctkd.token-client")
-;; Allow accesses to the Keychain service
-(allow mach-lookup
- (global-name "com.apple.securityd"))
+ ;; Allow accesses to NFC
+ (global-name "com.apple.nfcd.hwmanager")
-(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+ ;; Allow accesses to the Keychain service
+ (global-name "com.apple.securityd")
-(allow file-read*
- (subpath "/Library/Keychains")
- (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain"))
+ ;; Allow accesses to AAA and the network
+ (global-name
+ "com.apple.AppSSO.service-xpc"
+ "com.apple.nehelper"
+ "com.apple.usymptomsd"
+ "com.apple.dnssd.service"
+ "com.apple.trustd"
+ "com.apple.containermanagerd"
+ "com.apple.mobilegestalt.xpc"
+ )
-;; Allow accesses to the SEP
-(allow mach-lookup
- (global-name "com.apple.ctkd.token-client"))
+ ;; Allow accesses to the ASD
+ (global-name "com.apple.AuthenticationServicesCore.AuthenticationServicesAgent")
+)
-;; Allow accesses to AAA and the network
-(allow mach-lookup
- (global-name "com.apple.nehelper")
- (global-name "com.apple.usymptomsd")
- (global-name "com.apple.dnssd.service")
- (global-name "com.apple.trustd")
- (global-name "com.apple.containermanagerd")
- (global-name "com.apple.mobilegestalt.xpc"))
+(allow iokit-open
+ ;; Allow accesses to HID
+ (iokit-user-client-class "IOHIDLibUserClient")
-(allow file-read*
- (subpath "/private/var/containers/Shared/SystemGroup") ;; FIXME<rdar://problem/71137389>
- (literal "/private/var/preferences/com.apple.networkd.plist"))
+ ;; Allow access to the key store
+ (iokit-user-client-class "AppleKeyStoreUserClient")
+)
-(allow iokit-open
- (iokit-user-client-class "AppleKeyStoreUserClient"))
-
(allow network-outbound
(literal "/private/var/run/mDNSResponder")
(remote tcp)
- (remote udp))
+ (remote udp)
+)
-(allow sysctl-read
- (sysctl-name
- "kern.maxfilesperproc"
- "kern.ostype"))
-
-;; Allow accesses to the ASD
-(allow mach-lookup
- (global-name "com.apple.AuthenticationServicesCore.AuthenticationServicesAgent"))
+(with-filter (system-attribute apple-internal)
+ (allow network-outbound
+ (literal "/private/var/run/syslog"))
+)