Changeset 141445 in webkit

Timestamp:

Jan 31, 2013, 11:05:30 AM (13 years ago)

Author:

ap@apple.com

Message:

WebProcess sandbox profile overhaul.

Reviewed by Sam Weinig.

Moves some rules together by susbystem for easier maintenance.

Addresses <rdar://problem/9276393>, <rdar://problem/10844321>, <rdar://problem/12408537>,
<rdar://problem/12558524>.

• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• WebProcess/com.apple.WebProcess.sb.in (modified) (11 diffs)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2013-01-31  Alexey Proskuryakov  <ap@apple.com>
+
+        WebProcess sandbox profile overhaul.
+
+        Reviewed by Sam Weinig.
+
+        Moves some rules together by susbystem for easier maintenance.
+
+        Addresses <rdar://problem/9276393>, <rdar://problem/10844321>, <rdar://problem/12408537>,
+        <rdar://problem/12558524>.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2013-01-31  Simon Hausmann  <simon.hausmann@digia.com>
 

trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in

@@ -4 +4 @@
 
 (import "system.sb")
-(import "com.apple.corefoundation.sb")
-
-;; Distributed notifications, local pasteboard client
-(corefoundation)
 
 ;; Utility functions for home directory relative path filters
@@ -25 +21 @@
             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
+;; Low level networking. Defined in system.sb on newer OS versions.
+(define (system-network)
+  (allow file-read*
+         (literal "/Library/Preferences/com.apple.networkd.plist"))
+  (allow mach-lookup
+         (global-name "com.apple.SystemConfiguration.PPPController") ;; FIXME (13121943): Is this necessary?
+         (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+         (global-name "com.apple.networkd"))
+  (allow network-outbound
+         (control-name "com.apple.netsrc")
+         (control-name "com.apple.network.statistics"))
+  (allow system-socket
+         (require-all (socket-domain AF_SYSTEM)
+                      (socket-protocol 2)) ; SYSPROTO_CONTROL
+         (socket-domain AF_ROUTE)))
+#endif
+
 ;; Read-only preferences and data
 (allow file-read*
@@ -32 +46 @@
        (subpath "/Library/Frameworks")
        (subpath "/Library/Managed Preferences")
-       (subpath "/private/var/db/mds")
-       (subpath "/private/var/db/DetachedSignatures")
        (regex #"^/private/etc/(hosts|group|passwd)$")
-
-       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
-       (subpath "/Library/Keychains")
 
        ;; System and user preferences
        (literal "/Library/Preferences/.GlobalPreferences.plist")
-       (literal "/Library/Preferences/com.apple.crypto.plist")
-       (literal "/Library/Preferences/com.apple.networkd.plist")
-       (literal "/Library/Preferences/com.apple.security.plist")
-       (literal "/Library/Preferences/com.apple.security.common.plist")
-       (literal "/Library/Preferences/com.apple.security.revocation.plist")
        (regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")
        (home-literal "/Library/Preferences/.GlobalPreferences.plist")
@@ -59 +63 @@
        (home-literal "/Library/Preferences/com.apple.avfoundation.plist")
        (home-literal "/Library/Preferences/com.apple.coremedia.plist")
-       (home-literal "/Library/Preferences/com.apple.security.plist")
-       (home-literal "/Library/Preferences/com.apple.security.revocation.plist")
-       (home-literal "/Library/Preferences/com.apple.speech.recognition.AppleSpeechRecognition.prefs.plist")
-       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
        (home-regex #"/Library/Preferences/com\.apple\.driver\.(AppleBluetoothMultitouch\.mouse|AppleBluetoothMultitouch\.trackpad|AppleHIDMouse)\.plist$")
 
@@ -102 +102 @@
 (allow file*
        (home-regex #"/Library/Preferences/ByHost/com\.apple\.HIToolbox\.")
-       (home-regex #"/Library/Preferences/com\.apple\.WebProcess\.")
-
-       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
-       (home-subpath "/Library/Keychains"))
-
-;; Non-user Security mds caches
-(allow file*
-    (subpath "/private/var/db/mds/system"))
+       (home-regex #"/Library/Preferences/com\.apple\.WebProcess\."))
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
@@ -140 +133 @@
 ;; Various services required by AppKit and other frameworks
 (allow mach-lookup
-       (global-name "com.apple.CoreServices.coreservicesd")
        (global-name "com.apple.DiskArbitration.diskarbitrationd")
        (global-name "com.apple.FileCoordination")
        (global-name "com.apple.FontObjectsServer")
        (global-name "com.apple.FontServer")
-       (global-name "com.apple.SecurityServer")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.SystemConfiguration.PPPController") ;; FIXME (13121943): Is this necessary?
-       (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
        (global-name "com.apple.audio.VDCAssistant")
        (global-name "com.apple.audio.audiohald")
@@ -154 +144 @@
        (global-name "com.apple.cookied")
        (global-name "com.apple.cvmsServ")
-       (global-name "com.apple.networkd")
        (global-name "com.apple.dock.server")
-       (global-name "com.apple.ocspd")
-       (global-name "com.apple.pasteboard.1")
        (global-name "com.apple.system.opendirectoryd.api")
        (global-name "com.apple.tccd")
@@ -165 +152 @@
        (global-name "com.apple.cfnetwork.AuthBrokerAgent")
        (global-name "com.apple.PowerManagement.control")
-       (global-name "com.apple.speech.recognitionserver")
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090
        (global-name "com.apple.coreservices.launchservicesd")
 #endif
-
-       ;; FIXME: This should be removed when <rdar://problem/9276393> is fixed.
-       (global-name "com.apple.metadata.mds"))
-
-(allow system-socket (socket-domain AF_ROUTE))
-(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
+)
+
+;; Security framework
+(allow mach-lookup
+       (global-name "com.apple.ocspd")
+       (global-name "com.apple.SecurityServer"))
+(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+(allow file-read*
+       (subpath "/Library/Keychains")
+       (subpath "/private/var/db/mds")
+       (literal "/private/var/db/DetachedSignatures")
+       (literal "/Library/Preferences/com.apple.crypto.plist")
+       (literal "/Library/Preferences/com.apple.security.plist")
+       (literal "/Library/Preferences/com.apple.security.common.plist")
+       (literal "/Library/Preferences/com.apple.security.revocation.plist")
+       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+       (home-literal "/Library/Preferences/com.apple.security.plist")
+       (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
+
+;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
+(allow mach-lookup
+    (global-name-regex #"^com.apple.distributed_notifications")                                                       
+    (global-name "com.apple.CoreServices.coreservicesd"))
+(allow file-read-data
+     (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
+
+;; Networking
+(system-network)
 (allow network-outbound
-       ;; Kernel controls
-       (control-name "com.apple.network.statistics")
-       (control-name "com.apple.netsrc")
-
        ;; Local mDNSResponder for DNS, arbitrary outbound TCP
        (literal "/private/var/run/mDNSResponder")
        (remote tcp))
+
+;; Needed for NSAttributedString, <rdar://problem/10844321>.
+(allow file-read*
+       (home-literal "/Library/Preferences/pbs.plist")
+       (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist"))
+(allow mach-lookup
+       (global-name "com.apple.pbs.fetch_services"))
 
 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
@@ -203 +214 @@
         (literal "/private/etc/host"))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
+(deny file-write-create (vnode-type SYMLINK))
+#endif
+
 (deny file-read* file-write* (with no-log)
-       ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
-       (home-literal "/Library/Caches/Cache.db")
+#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
+       (home-literal "/Library/Caches/Cache.db") ;; <rdar://problem/9422957>
+#endif
 
        ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
@@ -211 +227 @@
        (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
 
+;; Deny access needed for unnecessary NSApplication initialization.
+;; FIXME: This can be removed once <rdar://problem/13011633> is fixed.
 (deny file-read* (with no-log)
-       ;; FIXME: This should not be necessary once <rdar://problem/13011633> is fixed.
+       (home-literal "/Library/Preferences/com.apple.speech.recognition.AppleSpeechRecognition.prefs.plist")
        (subpath "/Library/Components")
        (subpath "/Library/Keyboard Layouts")
@@ -224 +242 @@
 #endif
        )
-
 (deny mach-lookup (with no-log)
-       (global-name "com.apple.coreservices.appleevents"))
+       (global-name "com.apple.coreservices.appleevents")
+       (global-name "com.apple.pasteboard.1")
+       (global-name "com.apple.speech.recognitionserver"))
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090