Changeset 216941 in webkit

Timestamp:

May 16, 2017 12:09:05 PM (7 years ago)

Author:

Brent Fulgham

Message:

[WK2][macOS] Adopt a whitelist for XPC services
​https://bugs.webkit.org/show_bug.cgi?id=172151
<rdar://problem/31916325>

Reviewed by Alex Christensen.

• DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
• NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
• PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (modified) (2 diffs)
• NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (modified) (2 diffs)
• PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (modified) (2 diffs)
• WebProcess/com.apple.WebProcess.sb.in (modified) (2 diffs)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2017-05-16  Brent Fulgham  <bfulgham@apple.com>
+
+        [WK2][macOS] Adopt a whitelist for XPC services
+        https://bugs.webkit.org/show_bug.cgi?id=172151
+        <rdar://problem/31916325>
+
+        Reviewed by Alex Christensen.
+
+        * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2017-05-16  Timothy Horton  <timothy_horton@apple.com>
 

trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in

@@ -44 +44 @@
 
 (deny iokit-get-properties)
+#endif
+
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
+(deny mach-lookup (xpc-service-name-prefix ""))
 #endif
 
@@ -103 +107 @@
 (allow system-fsctl (fsctl-command (_IO "h" 47)))
 
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
 ;; Various services required by CFNetwork and other frameworks
 (allow mach-lookup
-    (global-name "com.apple.analyticsd"))
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
+    (global-name "com.apple.analyticsd")
 #endif
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+    (global-name "com.apple.lsd.mapdb")
+#endif
+)
 
 ;; Sandbox extensions

trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

@@ -46 +46 @@
 #endif
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
+(deny mach-lookup (xpc-service-name-prefix ""))
+#endif
+
 ;; Utility functions for home directory relative path filters
 (define (home-regex home-relative-regex)
@@ -150 +154 @@
     (global-name "com.apple.cfnetwork.AuthBrokerAgent")
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+    (global-name "com.apple.lsd.mapdb")
     (global-name "com.apple.nesessionmanager.flow-divert-token")
 #endif

trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in

@@ -75 +75 @@
 #endif
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
+(deny mach-lookup (xpc-service-name-prefix ""))
+#endif
+
 ;; Utility functions
 (define (home-literal home-relative-literal)
@@ -308 +312 @@
     (global-name "com.apple.coreservices.launchservicesd")
     (global-name "com.apple.fonts")
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+    (global-name "com.apple.lsd.mapdb")
+#endif
     (global-name "com.apple.ocspd")
     (global-name "com.apple.pasteboard.1")

trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in

@@ -130 +130 @@
 #endif
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
+(deny mach-lookup (xpc-service-name-prefix ""))
+(allow mach-lookup
+    (xpc-service-name "com.apple.accessibility.mediaaccessibilityd")
+    (xpc-service-name "com.apple.audio.SandboxHelper")
+    (xpc-service-name "com.apple.coremedia.videodecoder")
+    (xpc-service-name-regex #"\.apple-extension-service$")
+)
+#endif
+
 ;; Utility functions for home directory relative path filters
 (define (home-regex home-relative-regex)
@@ -341 +351 @@
 #endif
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
+       (global-name "com.apple.lsd.mapdb")
        (global-name "com.apple.nesessionmanager.flow-divert-token")
 #endif