Changeset 229093 in webkit

Timestamp:

Feb 28, 2018 9:17:12 AM (6 years ago)

Author:

Brent Fulgham

Message:

Remove network access from the WebContent process sandbox
​https://bugs.webkit.org/show_bug.cgi?id=183192
<rdar://problem/35369115>

Reviewed by Alex Christensen.

Remove the 'system-network', 'allow-network-common', and 'network-client' access from the WebContent process.
That's why we have a Network Process!

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (2 diffs)
• WebProcess/com.apple.WebProcess.sb.in (modified) (6 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-02-28  Brent Fulgham  <bfulgham@apple.com>
+
+        Remove network access from the WebContent process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=183192
+        <rdar://problem/35369115>
+
+        Reviewed by Alex Christensen.
+
+        Remove the 'system-network', 'allow-network-common', and 'network-client' access from the WebContent process.
+        That's why we have a Network Process! 
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2018-02-27  Tim Horton  <timothy_horton@apple.com>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -230 +230 @@
     (home-literal "/Library/Caches/com.apple.DictionaryServices"))
 
-(allow-network-common)
-
 ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
 (allow file-read*
@@ -383 +381 @@
 (awd-log-directory "com.apple.WebKit.WebContent")
 
-(network-client (remote tcp) (remote udp))
-
 ;; Allow ManagedPreference access
 (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -1 @@
-; Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2018 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
@@ -79 +79 @@
     (literal "/dev/dtracehelper"))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (allow network-outbound
     (literal "/private/var/run/asl_input")
     (literal "/private/var/run/syslog"))
-
+#endif
 
 ;;; Allow creation of core dumps.
@@ -140 +141 @@
         (iokit-property "ggcs")
         (iokit-property "bgcs")))))
-
-
-;;; (system-network) - Allow access to the network.
-(define (system-network)
-    (allow file-read*
-        (literal "/Library/Preferences/com.apple.networkd.plist"))
-    (allow mach-lookup
-        (global-name "com.apple.SystemConfiguration.PPPController")
-        (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
-        (global-name "com.apple.nehelper")
-        (global-name "com.apple.networkd")
-        (global-name "com.apple.nsurlstorage-cache")
-        (global-name "com.apple.symptomsd")
-        (global-name "com.apple.usymptomsd"))
-    (allow network-outbound
-        (control-name "com.apple.netsrc")
-        (control-name "com.apple.network.statistics"))
-    (allow system-socket
-        (require-all (socket-domain AF_SYSTEM)
-        (socket-protocol 2)) ; SYSPROTO_CONTROL
-    (socket-domain AF_ROUTE)))
 
 ;;;
@@ -646 +626 @@
 
 ;; Networking
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (system-network)
 (allow network-outbound
@@ -651 +632 @@
        (literal "/private/var/run/mDNSResponder")
        (remote tcp))
+#endif
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
@@ -663 +645 @@
        (global-name "com.apple.system.logger")
        (global-name "com.apple.system.notification_center"))
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (allow network-outbound
        (remote udp))
+#endif
 (allow user-preference-read
     (preference-domain