Changeset 254351 in webkit
- Timestamp:
- Jan 10, 2020 10:54:03 AM (4 years ago)
- Location:
- trunk
- Files:
-
- 10 edited
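--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,18 @@
+2020-01-10 Brent Fulgham <bfulgham@apple.com>
+
+Remove 'com.apple.nehelper' from the WebContent sandbox.
+https://bugs.webkit.org/show_bug.cgi?id=206025
+<rdar://problem/58453508>
+
+Reviewed by Per Arne Vollan.
+
+Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
+we should remove the blanket allow rules from the sandbox.
+
+* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+* fast/sandbox/ios/sandbox-mach-lookup.html:
+* fast/sandbox/mac/sandbox-mach-lookup-expected.txt:
+* fast/sandbox/mac/sandbox-mach-lookup.html:
+
 2020-01-10 youenn fablet <youenn@apple.com>
 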
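--- a/trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt
+++ b/trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt
@@ -7,4 +7,7 @@
 PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.viewservice") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.TextInput") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nehelper") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager.content-filter") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.pluginkit.pkd") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false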
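--- a/trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html
+++ b/trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html
@@ -10,4 +10,7 @@
 shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.viewservice\")");
 shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.TextInput\")");
+shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nehelper\")");
+shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager\")");
+shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager.content-filter\")");
 shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.pluginkit.pkd\")");
 shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");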
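Review bot: The three added `shouldBeFalse` checks pin only the default-deny state of the static profile; nothing here, or in the matching additions to fast/sandbox/mac/sandbox-mach-lookup.html, covers a process that has been issued the dynamic extension the ChangeLog refers to. If that extension stopped being issued, these tests would presumably stay green while content filtering lost its route to the Network Extension services, so the granted path deserves its own test where the internals API can express it. The new lines would also read better with a comment above them, for example `// Denied by default; access is granted per process through a dynamic sandbox extension.`. The enclosing script starts and ends outside the lines shown.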
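--- a/trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt
+++ b/trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt
@@ -5,4 +5,7 @@
 
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.cfprefsd.agent") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nehelper") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager.content-filter") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false
 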
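--- a/trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html
+++ b/trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html
@@ -8,4 +8,7 @@
 if (window.internals) {
 shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.cfprefsd.agent\")");
+shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nehelper\")");
+shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager\")");
+shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager.content-filter\")");
 shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
 }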
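Review bot: The added check for `com.apple.nesessionmanager` is asserted for every macOS configuration, yet the rule removed from com.apple.WebProcess.sb.in allowed exactly that name in its `#else` branch (deployment targets below 101500 without Mac Catalyst). The ChangeLog names dynamic extensions only for `com.apple.nehelper` and `com.apple.nesessionmanager.content-filter`. If those older targets are still built, it is worth confirming that the extension path also covers `com.apple.nesessionmanager` there, because this test would pass either way. A short comment above the three new lines, such as `// Static allow rules were removed; access now comes from a dynamic sandbox extension.`, would record why the expectation is false. The surrounding script starts before and ends after the lines shown.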
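--- a/trunk/Source/WebKit/ChangeLog
+++ b/trunk/Source/WebKit/ChangeLog
@@ -1,2 +1,20 @@
+2020-01-10 Brent Fulgham <bfulgham@apple.com>
+
+Remove 'com.apple.nehelper' from the WebContent sandbox.
+https://bugs.webkit.org/show_bug.cgi?id=206025
+<rdar://problem/58453508>
+
+Reviewed by Per Arne Vollan.
+
+Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
+we should remove the blanket allow rules from the sandbox.
+
+Tests: fast/sandbox/ios/sandbox-mach-lookup.html, fast/sandbox/mac/sandbox-mach-lookup.html
+
+* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+* WebProcess/com.apple.WebProcess.sb.in:
+
 2020-01-10 Víctor Manuel Jáquez Leal <vjaquez@igalia.com>
 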
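--- a/trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
+++ b/trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
@@ -691,13 +691,4 @@
 (allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
 
-;; Network Extensions / VPN helper.
-(allow mach-lookup
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 || PLATFORM(MACCATALYST)
-(global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/48442387>
-#else
-(global-name "com.apple.nesessionmanager") ;; <rdar://problem/55570995>
-#endif
-(global-name "com.apple.nehelper"))
-
 #if PLATFORM(MAC)
 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed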
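--- a/trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb
+++ b/trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb
@@ -476,11 +476,4 @@
 )
 
-(define-once (network-extensions-support)
-;; Network Extensions / VPN helper.
-(allow mach-lookup
-(global-name "com.apple.nehelper")
-(global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
-)
-
 (deny file-map-executable)
 
@@ -742,6 +735,4 @@
 ;; Permit reading assets via MobileAsset framework.
 (asset-access 'with-media-playback)
-
-(network-extensions-support)
 
 ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache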
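--- a/trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
+++ b/trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
@@ -485,11 +485,4 @@
 )
 
-(define-once (network-extensions-support)
-;; Network Extensions / VPN helper.
-(allow mach-lookup (with report) (with telemetry)
-(global-name "com.apple.nehelper")
-(global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
-)
-
 (deny file-map-executable)
 
@@ -744,6 +737,4 @@
 ;; Permit reading assets via MobileAsset framework.
 (asset-access 'with-media-playback)
-
-(network-extensions-support)
 
 ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache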
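--- a/trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
+++ b/trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -715,14 +715,4 @@
 (allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
 
-;; Network Extensions / VPN helper.
-(allow mach-lookup
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
-(with report) (with telemetry)
-#endif
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 || PLATFORM(MACCATALYST)
-(global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/48442387>
-#else
-(global-name "com.apple.nesessionmanager") ;; <rdar://problem/55570995>
-#endif
-(global-name "com.apple.nehelper"))
-
 #if PLATFORM(MAC)
 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed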