Changeset 208611 in webkit


Ignore:
Timestamp:
Nov 11, 2016 2:16:40 PM (7 years ago)
Author:
Brent Fulgham
Message:

Get rid of old sandbox rules for OS's we no longer support
https://bugs.webkit.org/show_bug.cgi?id=164638

Reviewed by Simon Fraser.

Clean up the various sandbox profiles to get rid of rules that applied to operating system
versions we no longer support, or were added in support of bugs that have long since been
fixed.

This should introduce no change in behavior.

  • DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
  • NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
  • PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
  • Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
  • WebProcess/com.apple.WebProcess.sb.in:
Location:
trunk/Source/WebKit2
Files:
6 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebKit2/ChangeLog

    r208609 r208611  
     12016-11-11  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Get rid of old sandbox rules for OS's we no longer support
     4        https://bugs.webkit.org/show_bug.cgi?id=164638
     5
     6        Reviewed by Simon Fraser.
     7
     8        Clean up the various sandbox profiles to get rid of rules that applied to operating system
     9        versions we no longer support, or were added in support of bugs that have long since been
     10        fixed.
     11
     12        This should introduce no change in behavior.
     13
     14        * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
     15        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
     16        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
     17        * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
     18        * WebProcess/com.apple.WebProcess.sb.in:
     19
    1202016-11-11  Brady Eidson  <beidson@apple.com>
    221

  • trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in

    r198977 r208611  
    1 ; Copyright (C) 2014 Apple Inc. All rights reserved.
     1; Copyright (C) 2014-2016 Apple Inc. All rights reserved.
    22;
    33; Redistribution and use in source and binary forms, with or without
     
    8989    (deny file-write-create (vnode-type SYMLINK)))
    9090
    91 ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
    92 (deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
    93 
    9491;; Reserve a namespace for additional protected extended attributes.
    9592(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

  • trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

    r202389 r208611  
    155155    (deny file-write-create (vnode-type SYMLINK)))
    156156
    157 ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
    158 (deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
    159 
    160157;; Reserve a namespace for additional protected extended attributes.
    161158(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

  • trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in

    r208589 r208611  
    7878(if (not (defined? 'os-version))
    7979    (define os-version (param "_OS_VERSION")))
    80 
    81 ;; OS X 10.7 (Lion) compatibility
    82 (if (not (defined? 'ipc-posix-shm*))
    83     (define ipc-posix-shm* ipc-posix-shm))
    84 (if (not (defined? 'ipc-posix-shm-read*))
    85     (define ipc-posix-shm-read* ipc-posix-shm))
    86 (if (not (defined? 'ipc-posix-shm-write-data))
    87     (define ipc-posix-shm-write-data ipc-posix-shm))
    8880
    8981;; Graphics
     
    248240    (global-name-regex #"_OpenStep$"))
    249241
    250 (if (equal? os-version "10.7")
    251     (allow mach-lookup
    252         (global-name "com.apple.system.DirectoryService.membership_v1")))
    253 
    254242;; Configuration directories
    255243(allow file-read* (subpath (param "PLUGIN_PATH")))
     
    355343    (allow device-microphone))
    356344
    357 (if (equal? os-version "10.7")
    358     (allow ipc-posix-shm)
    359     (begin
    360         (if (equal? os-version "10.8")
    361             (allow ipc-posix-shm*
    362                 (ipc-posix-name "_CS_GSHMEMLOCK")
    363                 (ipc-posix-name "_CS_DSHMEMLOCK")))
    364         (allow ipc-posix-shm*
    365             (ipc-posix-name-regex #"^AudioIO")
    366             (ipc-posix-name-regex #"^CFPBS:")
    367             (ipc-posix-name "com.apple.ColorSync.Gen.lock")
    368             (ipc-posix-name "com.apple.ColorSync.Disp.lock")
    369             (ipc-posix-name "com.apple.ColorSync.Gray2.2")
    370             (ipc-posix-name "com.apple.ColorSync.sRGB")
    371             (ipc-posix-name "com.apple.ColorSync.GenGray")
    372             (ipc-posix-name "com.apple.ColorSync.GenRGB")
    373             (ipc-posix-name-regex #"^com\.apple\.cs\.")
    374             (ipc-posix-name-regex #"^ls\."))
    375         (allow ipc-posix-shm-read*
    376             (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
    377             (ipc-posix-name "FNetwork.defaultStorageSession")
    378             (ipc-posix-name "apple.shm.notification_center"))))
    379 
    380345;; Silently block access to some resources
    381346(deny file-read* file-write* (with no-log)
     
    383348    (subpath "/Network/Applications")
    384349    (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")
    385 
    386     ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
    387     (home-library-literal "/Caches/Cache.db")
    388350
    389351    ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.

  • trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb

    r165657 r208611  
    3333    (global-name "com.apple.coreservices.launchservicesd")
    3434    (global-name-regex #"^PlaceHolderServerName-"))
    35 
    36 (if (equal? os-version "10.7")
    37     (begin
    38         (allow mach-lookup
    39             (global-name-regex #"^com\.apple\.java\.jrs\.carenderserver"))
    40         (allow file-read* file-write*
    41             (home-library-subpath "/Caches/net.java.openjdk.cmd"))))
    4235
    4336(allow file-read*

  • trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in

    r208589 r208611  
    147147
    148148;; ColorSync
    149 ;; FIXME: Remove names with underscores when possible (see <rdar://problem/13072721>).
    150149(allow ipc-posix-shm*
    151     (ipc-posix-name "_CS_GSHMEMLOCK")
    152     (ipc-posix-name "_CS_DSHMEMLOCK")
    153     (ipc-posix-name "_CSGRAYPROFILE")
    154     (ipc-posix-name "_CSRGBPROFILE")
    155     (ipc-posix-name "_CSGENGPROFILE")
    156     (ipc-posix-name "_CSGENRPROFILE")
    157150    (ipc-posix-name "com.apple.ColorSync.Gen.lock")
    158151    (ipc-posix-name "com.apple.ColorSync.Disp.lock")
     
    282275        (deny file-write-create (vnode-type SYMLINK)))
    283276
    284 ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
    285 (deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
    286 
    287277;; Reserve a namespace for additional protected extended attributes.
    288278(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
Note: See TracChangeset for help on using the changeset viewer.