Context Navigation

← Previous Changeset
Next Changeset →

Changeset 290250 in webkit

Timestamp:

Feb 21, 2022 10:10:40 AM (2 years ago)

Author:

pvollan@apple.com

Message:

[macOS] Remove resource access in sandbox for older OS versions
https://bugs.webkit.org/show_bug.cgi?id=236975

Reviewed by Brent Fulgham.

Remove access to some resources in sandbox for older OS versions. Access to these resources were initially
added in https://trac.webkit.org/changeset/290180/webkit and https://trac.webkit.org/changeset/290066/webkit,
and was only intended to land on a branch.

NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit

Files:

: 3 edited

ChangeLog (modified) (1 diff)
NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (modified) (1 diff)
WebProcess/com.apple.WebProcess.sb.in (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebKit/ChangeLog

-                      r290246
+                      r290250
+-02-21  Per Arne Vollan  <pvollan@apple.com>
+        [macOS] Remove resource access in sandbox for older OS versions
+        https://bugs.webkit.org/show_bug.cgi?id=236975
+        Reviewed by Brent Fulgham.
+        Remove access to some resources in sandbox for older OS versions. Access to these resources were initially
+        added in https://trac.webkit.org/changeset/290180/webkit and https://trac.webkit.org/changeset/290066/webkit,
+        and was only intended to land on a branch.
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
 -02-21  Simon Lewis  <simon.lewis@apple.com>

trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

-                      r289926
+                      r290250
 #if ENABLE(SET_WEBCONTENT_PROCESS_INFORMATION_IN_NETWORK_PROCESS)
 (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
-#endif
-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
-(allow mach-lookup
-    (global-name
-        "com.apple.analyticsd.messagetracer"
-        "com.apple.appsleep"
-        "com.apple.bsd.dirhelper"
-        "com.apple.espd"
-        "com.apple.secinitd"
-        "com.apple.system.DirectoryService.libinfo_v1"
-        "com.apple.system.logger"
-        "com.apple.system.opendirectoryd.membership"
-        "com.apple.xpc.activity.unmanaged"))
 #endif

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

-                      r290183
+                      r290250
 #endif
-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
-(define (syscall-unix-older-macOS)
-    (syscall-number
-        SYS___pthread_markcancel
-        SYS_abort_with_payload
-        SYS_chmod_extended
-        SYS_connect_nocancel
-        SYS_connectx
-        SYS_fgetattrlist ;; <rdar://problem/50931110>
-        SYS_fileport_makeport
-        SYS_fstat64_extended ;; <rdar://problem/61310019>
-        SYS_getpeername
-        SYS_getsockopt
-        SYS_guarded_write_np
-        SYS_lstat64_extended
-        SYS_lstat_extended
-        SYS_memorystatus_control ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
-        SYS_mkdirat
-        SYS_open_dprotected_np ;; <rdar://problem/74473824>
-        SYS_pipe
-        SYS_process_policy
-        SYS_psynch_rw_rdlock ;; <rdar://problem/49060359>
-        SYS_pwrite
-        SYS_quotactl ;; <rdar://problem/49945031>
-        SYS_recvfrom
-        SYS_recvfrom_nocancel
-        SYS_rmdir
-        SYS_select
-        SYS_select_nocancel
-        SYS_sem_post
-        SYS_sem_wait
-        SYS_sendmsg_nocancel
-        SYS_sendto_nocancel
-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
-        SYS_setattrlist ;; rdar://problem/74162777
-#endif
-        SYS_setpriority
-        SYS_setrlimit
-        SYS_setsockopt
-        SYS_shutdown
-        SYS_sigreturn
-        SYS_socketpair
-        SYS_stat64_extended ;; <rdar://problem/50473330>
-        SYS_terminate_with_payload ;; <rdar://problem/50026580>
-        SYS_thread_selfusage
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
-        SYS_ulock_wait2 ;; <rdar://problem/58743778>
-#endif
-))
-#endif
 (define (syscall-unix-common)
     (syscall-number
 …
         SYS_kdebug_trace64
         SYS_kdebug_trace_string ;; Needed for performance sampling, see <rdar://problem/48829655>.
-        SYS_kevent ;; <rdar://89072361>
         SYS_kevent_id
         SYS_kevent_qos
 …
         SYS_guarded_pwrite_np
         SYS_kdebug_typefilter
+        SYS_kevent ;; <rdar://89072361>
         SYS_mlock
         SYS_munlock
 …
     (allow syscall-unix
         (syscall-unix-common))
-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
-    (allow syscall-unix
-        (syscall-unix-older-macOS))
-#endif
     (if (equal? (param "CPU") "arm64")

Note: See TracChangeset for help on using the changeset viewer.