Changeset 208611 in webkit
- Timestamp:
- Nov 11, 2016 2:16:40 PM (7 years ago)
- Location:
- trunk/Source/WebKit2
- Files:
-
- 6 edited
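--- a/trunk/Source/WebKit2/ChangeLog
+++ b/trunk/Source/WebKit2/ChangeLog
@@ -1,2 +1,21 @@
+2016-11-11 Brent Fulgham <bfulgham@apple.com>
+
+Get rid of old sandbox rules for OS's we no longer support
+https://bugs.webkit.org/show_bug.cgi?id=164638
+
+Reviewed by Simon Fraser.
+
+Clean up the various sandbox profiles to get rid of rules that applied to operating system
+versions we no longer support, or were added in support of bugs that have long since been
+fixed.
+
+This should introduce no change in behavior.
+
+* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+* Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
+* WebProcess/com.apple.WebProcess.sb.in:
+
 2016-11-11 Brady Eidson <beidson@apple.com>
 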
trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in
r198977 r208611 1 ; Copyright (C) 2014 Apple Inc. All rights reserved.1 ; Copyright (C) 2014-2016 Apple Inc. All rights reserved. 2 2 ; 3 3 ; Redistribution and use in source and binary forms, with or without … … 89 89 (deny file-write-create (vnode-type SYMLINK))) 90 90 91 ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.92 (deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))93 94 91 ;; Reserve a namespace for additional protected extended attributes. 95 92 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\.")) -
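Review bot: With the `(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))` rule gone, nothing in the visible part of the new profile explicitly denies writes to the quarantine attribute any more, and the ChangeLog's "no change in behavior" claim cannot be confirmed from this hunk. Whether the write is still refused depends on the profile's default action and on any broader `file-write*` allows, which are outside the lines shown; if such an allow exists, the process could now alter quarantine metadata on files it can write. The same rule is removed from com.apple.WebKit.NetworkProcess.sb.in and com.apple.WebProcess.sb.in. I would either keep the deny with a comment marking it as intentional hardening, e.g. `;; Never let this process modify quarantine metadata.`, or record in the ChangeLog which remaining rule covers it.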
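--- a/trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
+++ b/trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
@@ -155,7 +155,4 @@
 (deny file-write-create (vnode-type SYMLINK)))
 
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
 ;; Reserve a namespace for additional protected extended attributes.
 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))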
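--- a/trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
+++ b/trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
@@ -78,12 +78,4 @@
 (if (not (defined? 'os-version))
 (define os-version (param "_OS_VERSION")))
-
-;; OS X 10.7 (Lion) compatibility
-(if (not (defined? 'ipc-posix-shm*))
-(define ipc-posix-shm* ipc-posix-shm))
-(if (not (defined? 'ipc-posix-shm-read*))
-(define ipc-posix-shm-read* ipc-posix-shm))
-(if (not (defined? 'ipc-posix-shm-write-data))
-(define ipc-posix-shm-write-data ipc-posix-shm))
 
 ;; Graphics
@@ -248,8 +240,4 @@
 (global-name-regex #"_OpenStep$"))
 
-(if (equal? os-version "10.7")
-(allow mach-lookup
-(global-name "com.apple.system.DirectoryService.membership_v1")))
-
 ;; Configuration directories
 (allow file-read* (subpath (param "PLUGIN_PATH")))
@@ -355,27 +343,4 @@
 (allow device-microphone))
 
-(if (equal? os-version "10.7")
-(allow ipc-posix-shm)
-(begin
-(if (equal? os-version "10.8")
-(allow ipc-posix-shm*
-(ipc-posix-name "_CS_GSHMEMLOCK")
-(ipc-posix-name "_CS_DSHMEMLOCK")))
-(allow ipc-posix-shm*
-(ipc-posix-name-regex #"^AudioIO")
-(ipc-posix-name-regex #"^CFPBS:")
-(ipc-posix-name "com.apple.ColorSync.Gen.lock")
-(ipc-posix-name "com.apple.ColorSync.Disp.lock")
-(ipc-posix-name "com.apple.ColorSync.Gray2.2")
-(ipc-posix-name "com.apple.ColorSync.sRGB")
-(ipc-posix-name "com.apple.ColorSync.GenGray")
-(ipc-posix-name "com.apple.ColorSync.GenRGB")
-(ipc-posix-name-regex #"^com\.apple\.cs\.")
-(ipc-posix-name-regex #"^ls\."))
-(allow ipc-posix-shm-read*
-(ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
-(ipc-posix-name "FNetwork.defaultStorageSession")
-(ipc-posix-name "apple.shm.notification_center"))))
-
 ;; Silently block access to some resources
 (deny file-read* file-write* (with no-log)
@@ -383,7 +348,4 @@
 (subpath "/Network/Applications")
 (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")
-
-;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
-(home-library-literal "/Caches/Cache.db")
 
 ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.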
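--- a/trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb
+++ b/trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb
@@ -33,11 +33,4 @@
 (global-name "com.apple.coreservices.launchservicesd")
 (global-name-regex #"^PlaceHolderServerName-"))
-
-(if (equal? os-version "10.7")
-(begin
-(allow mach-lookup
-(global-name-regex #"^com\.apple\.java\.jrs\.carenderserver"))
-(allow file-read* file-write*
-(home-library-subpath "/Caches/net.java.openjdk.cmd"))))
 
 (allow file-read*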
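--- a/trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in
+++ b/trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in
@@ -147,12 +147,5 @@
 
 ;; ColorSync
-;; FIXME: Remove names with underscores when possible (see <rdar://problem/13072721>).
 (allow ipc-posix-shm*
-(ipc-posix-name "_CS_GSHMEMLOCK")
-(ipc-posix-name "_CS_DSHMEMLOCK")
-(ipc-posix-name "_CSGRAYPROFILE")
-(ipc-posix-name "_CSRGBPROFILE")
-(ipc-posix-name "_CSGENGPROFILE")
-(ipc-posix-name "_CSGENRPROFILE")
 (ipc-posix-name "com.apple.ColorSync.Gen.lock")
 (ipc-posix-name "com.apple.ColorSync.Disp.lock")
@@ -282,7 +275,4 @@
 (deny file-write-create (vnode-type SYMLINK)))
 
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
 ;; Reserve a namespace for additional protected extended attributes.
 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))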