Changeset 251511 in webkit

Timestamp:

Oct 23, 2019, 5:02:25 PM (6 years ago)

Author:

Brent Fulgham

Message:

[iOS] Stop including 'common.sb'
​https://bugs.webkit.org/show_bug.cgi?id=203318

Reviewed by Per Arne Vollan.

Replace the 'import' of common.sb with the equivalent statements. This is the
first step in a task to remove uneeded sandbox rules.

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (1 diff)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-10-23  Brent Fulgham  <bfulgham@apple.com>
+
+        [iOS] Stop including 'common.sb' 
+        https://bugs.webkit.org/show_bug.cgi?id=203318
+
+        Reviewed by Per Arne Vollan.
+
+        Replace the 'import' of common.sb with the equivalent statements. This is the
+        first step in a task to remove uneeded sandbox rules.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2019-10-23  Kate Cheney  <katherine_cheney@apple.com>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -26 +26 @@
 (allow system-audit file-read-metadata)
 
-(import "common.sb")
+;;;
+;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
+;;; remove unneeded sandbox extensions.
+;;;
+
+(import "util.sb")
+(import "carrier-bundle-allowed.sb")
+
+(define-once (allow-read-and-issue-generic-extensions . filters)
+    (allow file-read*
+           (apply require-any filters))
+    (allow file-issue-extension
+        (require-all
+            (extension-class "com.apple.app-sandbox.read")
+            (apply require-any filters))))
+
+(define-once (allow-read-write-and-issue-generic-extensions . filters)
+    (allow file-read* file-write*
+           (apply require-any filters))
+    (allow file-read-metadata
+           (apply require-any filters))
+    (allow file-issue-extension
+        (require-all
+            (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
+            (apply require-any filters))))
+
+(define-once (managed-configuration-read-public)
+    (allow file-read*
+           (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+           (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
+           (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))
+
+(define-once (managed-configuration-read . files)
+    (if (null? files)
+        (allow file-read*
+               (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
+               (front-user-home-subpath "/Library/ConfigurationProfiles")
+               (front-user-home-subpath "/Library/UserConfigurationProfiles"))
+        (for-each
+            (lambda (file)
+                (allow file-read*
+                    (well-known-system-group-container-literal
+                        (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
+                    (front-user-home-literal
+                        (string-append "/Library/ConfigurationProfiles/" file)
+                        (string-append "/Library/UserConfigurationProfiles/" file))))
+            files)))
+
+(define-once (allow-preferences-common)
+    (allow file-read-metadata
+           (home-literal "")
+           (home-literal "/Library/Preferences")))
+
+(define-once (mobile-preferences-read . domains)
+    (allow-preferences-common)
+    (allow user-preference-read (apply preference-domain domains)))
+
+(define-once (mobile-preferences-read-write . domains)
+    (allow-preferences-common)
+    (allow user-preference-read user-preference-write (apply preference-domain domains)))
+
+(define-once (framebuffer-access)
+    (allow iokit-open
+           (iokit-user-client-class "IOMobileFramebufferUserClient"))
+    (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily"))
+
+(define-once (asset-access . options)
+    (let ((asset-access-filter
+            (require-all
+              (require-any
+                (home-subpath "/Library/Assets")
+                (subpath "/private/var/MobileAsset"))
+              (extension "com.apple.assets.read"))))
+        ;; <rdar://problem/10710883>
+        ;; <rdar://problem/11569106>
+        (allow file-read* asset-access-filter)
+        (if (memq 'with-media-playback options)
+            (play-media asset-access-filter))
+        (allow mach-lookup
+               (global-name "com.apple.mobileassetd" "com.apple.mobileassetd.v2"))
+        (mobile-preferences-read "com.apple.MobileAsset")))
+
+(define-once (mobile-keybag-access)
+     (allow iokit-open
+            (iokit-user-client-class "AppleKeyStoreUserClient")))
+
+(define-once (location-services)
+    (allow mach-lookup
+           (global-name "com.apple.locationd.registration"))
+    (allow-carrier-bundle) ;; <rdar://problem/21192365>
+    (mobile-preferences-read
+        "com.apple.AppSupport"
+        "com.apple.GEO"
+        "com.apple.locationd"))
+
+(define-once (play-audio)
+    (allow mach-lookup
+           (global-name "com.apple.audio.AURemoteIOServer")
+           (xpc-service-name "com.apple.audio.toolbox.reporting.service")))
+
+(define-once (play-media . filters)
+    (if (not (null? filters))
+        ;; <rdar://problem/9875794>
+        (allow file-issue-extension
+            (require-all
+                (apply require-any filters)
+                (extension-class "com.apple.mediaserverd.read"))))
+    (allow file-issue-extension
+        (require-all
+            (extension-class "com.apple.mediaserverd.read")
+            (extension "com.apple.security.exception.files.absolute-path.read-only"
+                       "com.apple.security.exception.files.absolute-path.read-write"
+                       "com.apple.security.exception.files.home-relative-path.read-only"
+                       "com.apple.security.exception.files.home-relative-path.read-write")))
+    (allow file-issue-extension
+        (require-all
+            (extension-class "com.apple.mediaserverd.read-write")
+            (extension "com.apple.security.exception.files.absolute-path.read-write"
+                       "com.apple.security.exception.files.home-relative-path.read-write")))
+    ;; CoreMedia framework.
+    (allow mach-lookup
+           (global-name "com.apple.mediaserverd")
+           (global-name "com.apple.coremedia.admin")
+           (global-name "com.apple.coremedia.asset.xpc")
+           (global-name "com.apple.coremedia.assetcacheinspector")
+           (global-name "com.apple.coremedia.assetimagegenerator.xpc")
+           (global-name "com.apple.coremedia.audiodeviceclock.xpc")
+           (global-name "com.apple.coremedia.audioprocessingtap.xpc")
+           (global-name "com.apple.coremedia.capturesession")      ; Actually for video capture
+           (global-name "com.apple.coremedia.capturesource")       ; Also for video capture (<rdar://problem/15794291>).
+           (global-name "com.apple.coremedia.cpeprotector.xpc")
+           (global-name "com.apple.coremedia.customurlloader.xpc")
+           (global-name "com.apple.coremedia.endpoint.xpc")
+           (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc")
+           (global-name "com.apple.coremedia.figcpecryptor")
+           (global-name "com.apple.coremedia.figcontentkeysession.xpc")
+           (global-name "com.apple.coremedia.formatreader.xpc")
+           (global-name "com.apple.coremedia.player.xpc")
+           (global-name "com.apple.coremedia.remaker")
+           (global-name "com.apple.coremedia.remotequeue")
+           (global-name "com.apple.coremedia.routediscoverer.xpc")
+           (global-name "com.apple.coremedia.routingcontext.xpc")
+           (global-name "com.apple.coremedia.routingsessionmanager.xpc")
+           (global-name "com.apple.coremedia.samplebufferaudiorenderer.xpc")
+           (global-name "com.apple.coremedia.samplebufferrendersynchronizer.xpc")
+           (global-name "com.apple.coremedia.sandboxserver")
+           (global-name "com.apple.coremedia.sandboxserver.xpc")
+           (global-name "com.apple.coremedia.systemcontroller.xpc")
+           (global-name "com.apple.coremedia.sts")
+           ;; <rdar://problem/13239958>
+           (global-name "com.apple.coremedia.videocompositor")
+           (global-name "com.apple.coremedia.visualcontext.xpc")
+           (global-name "com.apple.coremedia.volumecontroller.xpc")
+           (global-name "com.apple.pegasus"))
+    (mobile-preferences-read
+        "com.apple.avfoundation"
+        "com.apple.coreaudio"
+        "com.apple.coremedia"
+        "com.apple.corevideo")
+    ;; Required by the MediaPlayer framework.
+    (allow mach-lookup
+           (global-name "com.apple.airplay.apsynccontroller.xpc")
+           (global-name "com.apple.audio.AudioSession")
+           (global-name "com.apple.springboard.backgroundappservices"))
+    (mobile-preferences-read "com.apple.mobileipod")
+    ;; Needed by the MediaPlayer framework:
+    (allow mach-lookup
+           (global-name "com.apple.itunescloudd.xpc")
+           (global-name "com.apple.itunesstored.xpc"))
+    (mobile-preferences-read "com.apple.itunesstored"))
+
+(define-once (media-remote)
+    (mobile-preferences-read
+        "com.apple.mediaremote"
+        "com.apple.mobileipod")
+    (allow mach-lookup
+           (global-name "com.apple.mediaremoted.xpc")
+           (xpc-service-name "com.apple.MediaPlayer.RemotePlayerService")))
+
+(define-once (url-translation)
+    ;; For translating http:// & https:// URLs referencing itms:// URLs.
+    ;; <rdar://problem/11587338>
+    (allow file-read*
+           (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))
+
+;;;
+;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks.
+;;;
+(define-once (opengl)
+    (allow iokit-open
+           (iokit-connection "IOGPU")
+           (iokit-user-client-class
+                "AGXCommandQueue"
+                "AGXDevice"
+                "AGXDeviceUserClient"
+                "AGXSharedUserClient"
+                "IOAccelContext"
+                "IOAccelDevice"
+                "IOAccelSharedUserClient"
+                "IOAccelSubmitter2"
+                "IOAccelContext2"
+                "IOAccelDevice2"
+                "IOAccelSharedUserClient2"))
+    (allow sysctl-read
+           (sysctl-name #"kern.bootsessionuuid"))
+    (allow mach-lookup
+           (global-name "com.apple.cvmsServ")
+           (global-name "com.apple.gpumemd.source"))
+    (allow mach-lookup
+           (xpc-service-name-prefix "com.apple.AGXCompilerService"))
+
+    ;; <rdar://problem/25535471>
+    (mobile-preferences-read "com.apple.Metal")
+
+    ;; <rdar://problem/23321675>
+    (mobile-preferences-read "com.apple.opengl"))
+
+(define-once (debugging-support)
+        (allow file-read* file-map-executable
+               (subpath "/Developer"))
+
+        (allow ipc-posix-shm
+               (ipc-posix-name-regex #"^stack-logs")
+               (ipc-posix-name-regex #"^OA-")
+               (ipc-posix-name-regex #"^/FSM-"))
+
+        (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
+               (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))
+
+        (with-filter (system-attribute apple-internal)
+            ;; <rdar://problem/8565035>
+            ;; <rdar://problem/23857452>
+            (allow file-read* file-map-executable
+                   (subpath "/AppleInternal")
+                   (subpath "/usr/local/lib")))
+            (with-elevated-precedence
+                (allow file-read* file-map-executable file-issue-extension
+                   (front-user-home-subpath "/XcodeBuiltProducts")))
+
+        ;; <rdar://problem/8107758>
+        (allow file-read* file-map-executable
+               (subpath "/System/Library/Frameworks")
+               (subpath "/System/Library/PrivateFrameworks"))
+
+        ;; <rdar://problem/32544921>
+        (mobile-preferences-read "com.apple.hangtracer"))
+
+(define-once (device-access)
+    (deny file-read* file-write*
+          (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
+
+    (allow file-read* file-write-data
+           (literal "/dev/null")
+           (literal "/dev/zero"))
+
+    (allow file-read* file-write-data file-ioctl
+           (literal "/dev/dtracehelper"))
+
+    (allow file-read*
+           (literal "/dev/random")
+           (literal "/dev/urandom"))
+    ;; <rdar://problem/14215718>
+    (deny file-write-data (with no-report)
+          (literal "/dev/random")
+          (literal "/dev/urandom"))
+
+    (allow file-read* file-write-data file-ioctl
+           (literal "/dev/aes_0")))
+
+(define-once (awd-log-directory daemon-name)
+    (let*
+        ((base-directory (home-relative-path "/Library/Logs/awd")))
+        (allow-create-directory (literal base-directory))
+        (allow file-read* file-write*
+            (prefix (string-append base-directory "/awd-" daemon-name ".log")))
+        (allow mach-lookup
+               (global-name "com.apple.awdd"))))
+
+(define-once (logd-diagnostic-paths)
+    (require-any
+        (subpath "/private/var/db/diagnostics")
+        (subpath "/private/var/db/timesync")
+        (subpath "/private/var/db/uuidtext")
+        (subpath "/private/var/userdata/diagnostics")))
+(define-once (logd-diagnostic-client)
+    (with-filter
+        (require-all
+            (require-any
+                (require-entitlement "com.apple.private.logging.diagnostic")
+                (require-entitlement "com.apple.diagnosticd.diagnostic"))
+            (extension "com.apple.logd.read-only"))
+        (allow file-read*
+               (logd-diagnostic-paths))))
+
+(define required-etc-files
+  (literal "/private/etc/fstab"
+           "/private/etc/hosts"
+           "/private/etc/group"
+           "/private/etc/passwd"
+           "/private/etc/protocols"
+           "/private/etc/services"))
+
+(deny file-map-executable)
+
+(deny file-write-mount file-write-unmount)
+
+(allow file-read-metadata (with no-times)
+       (vnode-type DIRECTORY))
+(with-filter (apple-signed-executable?)
+  (allow file-read-metadata
+         (vnode-type DIRECTORY)))
+
+(with-filter (apple-signed-executable?)
+  (managed-configuration-read "CloudConfigurationDetails.plist")
+  (managed-configuration-read "CloudConfigurationSetAsideDetails.plist")
+  (mobile-preferences-read "com.apple.security"))
+
+(with-filter (system-attribute apple-internal)
+  (mobile-preferences-read "com.apple.PrototypeTools"))
+
+(with-elevated-precedence
+    (allow file-read*
+           (subpath "/usr/lib"
+                    "/usr/share"
+                    "/private/var/db/timezone"))
+    (allow-read-and-issue-generic-extensions
+        (subpath "/Library/RegionFeatures"
+                 "/System/Library"))
+    (allow file-issue-extension
+        (require-all
+            (extension-class "com.apple.mediaserverd.read")
+            (subpath "/System/Library")))
+    (let ((hw-identifying-paths
+            (require-any
+                (literal "/System/Library/Caches/apticket.der")
+                (subpath "/System/Library/Caches/com.apple.kernelcaches")
+                (subpath "/System/Library/Caches/com.apple.factorydata"))))
+        (deny file-issue-extension file-read* hw-identifying-paths))
+    
+    (allow file-map-executable
+           (subpath "/System/Library")
+           (subpath "/usr/lib"))
+    (allow file-read-metadata
+           (vnode-type SYMLINK))
+
+    ;;; <rdar://problem/24144418>
+    (allow file-read*
+           (subpath "/private/var/preferences/Logging"))
+
+    (mobile-preferences-read "kCFPreferencesAnyApplication")
+    (allow file-read*
+           (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
+
+    (allow file-read*
+           (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
+    (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
+
+    (allow file-read-metadata
+           (home-literal "/Library/Caches/powerlog.launchd"))
+
+    (allow-read-and-issue-generic-extensions (executable-bundle))
+    (allow file-map-executable (executable-bundle))
+
+    ;; <rdar://problem/13963294>
+    (deny file-read-data file-issue-extension file-map-executable
+        (require-all
+            (executable-bundle)
+            (regex #"/[^/]+/SC_Info/")))
+
+    (unless (defined? 'restrictive-extension)
+        (with-filter
+            (extension
+                "com.apple.app-sandbox.read"
+                "com.apple.app-sandbox.read-write"
+                "com.apple.quicklook.readonly"
+                "com.apple.security.exception.files.absolute-path.read-only"
+                "com.apple.security.exception.files.absolute-path.read-write"
+                "com.apple.security.exception.files.home-relative-path.read-only"
+                "com.apple.security.exception.files.home-relative-path.read-write"
+                "com.apple.sharing.airdrop.readonly")
+            (allow file-read* file-read-metadata)
+            (allow file-issue-extension
+                   (extension-class "com.apple.app-sandbox.read"
+                                    "com.apple.mediaserverd.read"
+                                    "com.apple.quicklook.readonly"
+                                    "com.apple.sharing.airdrop.readonly")))
+        (with-filter
+            (extension
+                "com.apple.app-sandbox.read-write"
+                "com.apple.security.exception.files.absolute-path.read-write"
+                "com.apple.security.exception.files.home-relative-path.read-write")
+            (allow file-write*)
+            (allow file-issue-extension
+                   (extension-class "com.apple.app-sandbox.read-write"
+                                    "com.apple.mediaserverd.read-write"))))
+
+    ;; <rdar://problem/16079361>
+    (with-filter (global-name-prefix "")
+        (allow mach-register
+               (extension "com.apple.security.exception.mach-register.global-name")))
+    (with-filter (local-name-prefix "")
+        (allow mach-register
+               (extension "com.apple.security.exception.mach-register.local-name")))
+    (allow-read-and-issue-generic-extensions
+           (extension "com.apple.security.exception.files.absolute-path.read-only")
+           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
+    (allow-read-write-and-issue-generic-extensions
+           (extension "com.apple.security.exception.files.absolute-path.read-write")
+           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
+    (allow iokit-open
+           (extension "com.apple.security.exception.iokit-user-client-class"))
+    (allow managed-preference-read
+           (extension "com.apple.security.exception.managed-preference.read-only"))
+    (allow user-preference-read
+           (extension "com.apple.security.exception.shared-preference.read-only"))
+    (allow user-preference-read user-preference-write
+           (extension "com.apple.security.exception.shared-preference.read-write"))
+
+    (allow file-issue-extension
+          (require-all
+              (extension-class "com.apple.nsurlstorage.extension-cache")
+              (extension "com.apple.security.exception.files.home-relative-path.read-write")
+              (require-any
+                  (prefix "/private/var/root/Library/Caches/")
+                  (front-user-home-prefix "/Library/Caches/"))))
+)
+
+(debugging-support)
+
+(allow file-read*
+    required-etc-files
+    (literal "/"))
+
+(allow file-read*
+       (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
+
+(device-access)
+
+(allow file-issue-extension
+    (require-all
+        (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
+        (extension "com.apple.fileprovider.read-write")))
+
+(when (defined? 'restrictive-extension)
+      (with-filter (require-not (require-entitlement "get-task-allow"))
+          (deny mach-lookup (with no-report)
+                (global-name "com.apple.logd")
+                (global-name "com.apple.logd.events"))))
+
+(allow ipc-posix-shm-read*
+       (ipc-posix-name-prefix "apple.cfprefs."))
+
+;; <rdar://problem/12413942>
+(allow file-read*
+       (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
+(allow iokit-get-properties
+       (iokit-property "IORegistryEntryPropertyKeys"))
+
+(allow ipc-posix-sem-open
+       (ipc-posix-name "containermanagerd.fb_check"))
+
+(with-filter (ipc-posix-name "purplebuddy.sentinel")
+    (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
+    (allow ipc-posix-sem-open))
+
+(allow system-sched
+       (require-entitlement "com.apple.private.kernel.override-cpumon"))
+
+(deny sysctl-read (with no-report)
+      (sysctl-name "sysctl.proc_native"))
+
+(allow file-read-metadata network-outbound
+       (literal "/private/var/run/syslog"))
+
+(if (defined? 'restrictive-extension)
+    (begin
+        (deny mach-lookup (with no-report)
+               (global-name "com.apple.system.notification_center"))
+        (deny ipc-posix-shm-read* (with no-report)
+               (ipc-posix-name "apple.shm.notification_center")))
+; else
+    (begin
+        (allow ipc-posix-shm-read*
+               (ipc-posix-name "apple.shm.notification_center"))))
+
+(logd-diagnostic-client)
+
+(managed-configuration-read-public)
+
+(deny system-info (with no-report)
+      (info-type "net.link.addr"))
+
+(allow file-read*
+       (subpath "/private/var/db/datadetectors/sys"))
+
+(allow-well-known-system-group-container-subpath-read
+       "/systemgroup.com.apple.icloud.findmydevice.managed/Library")
+
+(allow mach-task-name (target self))
+
+(allow process-info-pidinfo (target self))
+(allow process-info-pidfdinfo (target self))
+(allow process-info-pidfileportinfo (target self))
+(allow process-info-setcontrol (target self))
+(allow process-info-dirtycontrol (target self))
+(allow process-info-rusage (target self))
+(allow process-info-codesignature (target self))
+
+(with-filter (apple-signed-executable?)
+    (mobile-preferences-read "com.apple.demo-settings"))
+
+(with-filter (uid 0)
+    (allow file-read*
+           (literal "/private/etc/master.passwd")))
+
+(mobile-preferences-read "com.apple.Accessibility")
+
+;;;
+;;; End common.sb content
+;;;
 
 (deny mach-lookup (xpc-service-name-prefix ""))