Changeset 254351 in webkit


Ignore:
Timestamp:
Jan 10, 2020 10:54:03 AM (4 years ago)
Author:
Brent Fulgham
Message:

Remove 'com.apple.nehelper' from the WebContent sandbox.
https://bugs.webkit.org/show_bug.cgi?id=206025
<rdar://problem/58453508>

Reviewed by Per Arne Vollan.

Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
we should remove the blanket allow rules from the sandbox.

Tests: fast/sandbox/ios/sandbox-mach-lookup.html, fast/sandbox/mac/sandbox-mach-lookup.html

  • GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
  • Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
  • Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
  • WebProcess/com.apple.WebProcess.sb.in:
Location:
trunk
Files:
10 edited

Legend:

Unmodified
Added
Removed

  • trunk/LayoutTests/ChangeLog

    r254341 r254351  
     12020-01-10  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Remove 'com.apple.nehelper' from the WebContent sandbox.
     4        https://bugs.webkit.org/show_bug.cgi?id=206025
     5        <rdar://problem/58453508>
     6
     7        Reviewed by Per Arne Vollan.
     8
     9        Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
     10        we should remove the blanket allow rules from the sandbox.
     11
     12        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
     13        * fast/sandbox/ios/sandbox-mach-lookup.html:
     14        * fast/sandbox/mac/sandbox-mach-lookup-expected.txt:
     15        * fast/sandbox/mac/sandbox-mach-lookup.html:
     16
    1172020-01-10  youenn fablet  <youenn@apple.com>
    218

  • trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt

    r253778 r254351  
    77PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.viewservice") is false
    88PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.TextInput") is false
     9PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nehelper") is false
     10PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager") is false
     11PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager.content-filter") is false
    912PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.pluginkit.pkd") is false
    1013PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false

  • trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html

    r253778 r254351  
    1010    shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.viewservice\")");
    1111    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.TextInput\")");
     12    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nehelper\")");
     13    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager\")");
     14    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager.content-filter\")");
    1215    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.pluginkit.pkd\")");
    1316    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");

  • trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup-expected.txt

    r253848 r254351  
    55
    66PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.cfprefsd.agent") is false
     7PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nehelper") is false
     8PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager") is false
     9PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.nesessionmanager.content-filter") is false
    710PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.system.logger") is false
    811

  • trunk/LayoutTests/fast/sandbox/mac/sandbox-mach-lookup.html

    r253848 r254351  
    88if (window.internals) {
    99    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.cfprefsd.agent\")");
     10    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nehelper\")");
     11    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager\")");
     12    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.nesessionmanager.content-filter\")");
    1013    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.system.logger\")");
    1114}

  • trunk/Source/WebKit/ChangeLog

    r254347 r254351  
     12020-01-10  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Remove 'com.apple.nehelper' from the WebContent sandbox.
     4        https://bugs.webkit.org/show_bug.cgi?id=206025
     5        <rdar://problem/58453508>
     6
     7        Reviewed by Per Arne Vollan.
     8
     9        Now that we generate a dynamic extension for 'com.apple.nehelper' and 'com.apple.nesessionmanager.content-filter',
     10        we should remove the blanket allow rules from the sandbox.
     11
     12        Tests: fast/sandbox/ios/sandbox-mach-lookup.html, fast/sandbox/mac/sandbox-mach-lookup.html
     13
     14        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
     15        * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
     16        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
     17        * WebProcess/com.apple.WebProcess.sb.in:
     18
    1192020-01-10  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
    220

  • trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in

    r253761 r254351  
    691691(allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
    692692
    693 ;; Network Extensions / VPN helper.
    694 (allow mach-lookup
    695 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 || PLATFORM(MACCATALYST)
    696     (global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/48442387>
    697 #else
    698     (global-name "com.apple.nesessionmanager") ;; <rdar://problem/55570995>
    699 #endif
    700     (global-name "com.apple.nehelper"))
    701 
    702693#if PLATFORM(MAC)
    703694;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed

  • trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb

    r253761 r254351  
    476476)
    477477
    478 (define-once (network-extensions-support)
    479     ;; Network Extensions / VPN helper.
    480     (allow mach-lookup
    481         (global-name "com.apple.nehelper")
    482         (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
    483 )
    484 
    485478(deny file-map-executable)
    486479
     
    742735;; Permit reading assets via MobileAsset framework.
    743736(asset-access 'with-media-playback)
    744 
    745 (network-extensions-support)
    746737
    747738;; allow 3rd party applications to access nsurlstoraged's top level domain data cache

  • trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

    r254306 r254351  
    485485)
    486486
    487 (define-once (network-extensions-support)
    488     ;; Network Extensions / VPN helper.
    489     (allow mach-lookup (with report) (with telemetry)
    490         (global-name "com.apple.nehelper")
    491         (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
    492 )
    493 
    494487(deny file-map-executable)
    495488
     
    744737;; Permit reading assets via MobileAsset framework.
    745738(asset-access 'with-media-playback)
    746 
    747 (network-extensions-support)
    748739
    749740;; allow 3rd party applications to access nsurlstoraged's top level domain data cache

  • trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

    r254343 r254351  
    715715(allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
    716716
    717 ;; Network Extensions / VPN helper.
    718 (allow mach-lookup
    719 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
    720     (with report) (with telemetry)
    721 #endif
    722 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 || PLATFORM(MACCATALYST)
    723     (global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/48442387>
    724 #else
    725     (global-name "com.apple.nesessionmanager") ;; <rdar://problem/55570995>
    726 #endif
    727     (global-name "com.apple.nehelper"))
    728 
    729717#if PLATFORM(MAC)
    730718;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
Note: See TracChangeset for help on using the changeset viewer.