Changeset 259470 in webkit


Ignore:
Timestamp:
Apr 3, 2020 10:43:21 AM (4 years ago)
Author:
Brent Fulgham
Message:

Remove unneeded sandbox access to some file paths
https://bugs.webkit.org/show_bug.cgi?id=209938
<rdar://problem/59529620>

Reviewed by Per Arne Vollan.

Remove unnecessary access to some locations in /etc. These may have been needed in
the past, but the WebContent process no longer requires this access. We should
remove it.

  • Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
  • WebProcess/com.apple.WebProcess.sb.in:
Location:
trunk/Source/WebKit
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/Source/WebKit/ChangeLog

    r259469 r259470  
     12020-04-03  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Remove unneeded sandbox access to some file paths
     4        https://bugs.webkit.org/show_bug.cgi?id=209938
     5        <rdar://problem/59529620>
     6
     7        Reviewed by Per Arne Vollan.
     8
     9        Remove unnecessary access to some locations in /etc. These may have been needed in
     10        the past, but the WebContent process no longer requires this access. We should
     11        remove it.
     12
     13        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
     14        * WebProcess/com.apple.WebProcess.sb.in:
     15
    1162020-04-03  Per Arne Vollan  <pvollan@apple.com>
    217
  • trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

    r259469 r259470  
    321321           "/private/etc/hosts"
    322322           "/private/etc/group"
    323            "/private/etc/passwd"
    324323           "/private/etc/protocols"
    325324           "/private/etc/services"))
     
    515514    required-etc-files
    516515    (literal "/"))
     516
     517(deny file* (with report)
     518    (literal "/private/etc/passwd"))
    517519
    518520(allow file-read*
  • trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

    r259366 r259470  
    7373    (literal "/dev/autofs_nowait")
    7474    (literal "/dev/random")
    75     (literal "/dev/urandom")
     75    (literal "/dev/urandom"))
     76
     77(deny file-read*
     78#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
     79    (with telemetry-backtrace)
     80    (with report)
     81#endif
    7682    (literal "/private/etc/master.passwd")
    7783    (literal "/private/etc/passwd"))
Note: See TracChangeset for help on using the changeset viewer.