WebKit Bugzilla
Attachment 370767 Details for
Bug 198300
: Remove dead code from sandboxes
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-198300-20190528110808.patch (text/plain), 8.23 KB, created by
Brent Fulgham
on 2019-05-28 11:08:09 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Brent Fulgham
Created:
2019-05-28 11:08:09 PDT
Size:
8.23 KB
patch
obsolete
>Subversion Revision: 245817 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 63c5021cb455fdaff1e0b57c02b44472df4e1f3b..324b4eaf210dc439dac26ad380a1ed6e99b0cd96 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,16 @@ >+2019-05-28 Brent Fulgham <bfulgham@apple.com> >+ >+ Remove dead code from sandboxes >+ https://bugs.webkit.org/show_bug.cgi?id=198300 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ SSIA. >+ >+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: >+ * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in: >+ * WebProcess/com.apple.WebProcess.sb.in: >+ > 2019-05-28 Brent Fulgham <bfulgham@apple.com> > > Update sandbox rules for more News use cases >diff --git a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in >index 4a883d43cd0741bdfb059c54602ac2a8e996acee..88b8ed6aab63fa5a4b30d4e018f0bce961dc92be 100644 >--- a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in >+++ b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in >@@ -43,9 +43,7 @@ > > (deny iokit-get-properties) > >-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 || PLATFORM(IOSMAC) > (deny mach-lookup (xpc-service-name-prefix "")) >-#endif > > ;; Utility functions for home directory relative path filters > (define (home-regex home-relative-regex) >@@ -57,10 +55,8 @@ > (define (home-literal home-relative-literal) > (literal (string-append (param "HOME_DIR") home-relative-literal))) > >-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 || PLATFORM(IOSMAC) > ;; CFNetwork > (allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin")) >-#endif > > ;; Remove when <rdar://problem/29646094> is fixed. > (define (HEX-pattern-match-generator pattern-descriptor) >@@ -152,9 +148,7 @@ > (global-name "com.apple.FileCoordination") > (global-name "com.apple.PowerManagement.control") > (global-name "com.apple.SystemConfiguration.configd") >-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 || PLATFORM(IOSMAC) > (global-name "com.apple.analyticsd") >-#endif > (global-name "com.apple.cookied") > (global-name "com.apple.cfnetwork.AuthBrokerAgent") > (global-name "com.apple.cfnetwork.cfnetworkagent") >diff --git a/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in b/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in >index 8753d0ab5933d2581746e7e9ee25a0e6a4d2292b..d629a0f4016e690c6097afe046586e4c8b63de1f 100644 >--- a/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in >+++ b/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in >@@ -151,7 +151,6 @@ > (iokit-property "touch-size-id") > ) > >-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 > (deny mach-lookup (xpc-service-name-prefix "")) > (allow mach-lookup > (xpc-service-name "com.apple.ViewBridgeAuxiliary") >@@ -165,7 +164,6 @@ > (xpc-service-name "com.apple.hiservices-xpcservice") > (xpc-service-name "com.apple.print.normalizerd") > ) >-#endif > > #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 > ;; <rdar://problem/47268166> >@@ -342,22 +340,6 @@ > > (home-literal "/Library/Preferences/com.apple.lookup.shared.plist")) > >-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300 >-;; FIXME: This should be removed when <rdar://problem/10479685> is fixed. >-;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains: >-(allow file-read-data file-read-metadata file-write-data >- (subpath "/Library/Keychains")) >- >-;; Do permit creating per-user keychains >-(allow file-read* file-write* >- (home-library-subpath "/Keychains")) >- >-;; Except deny access to new-style iOS Keychain folders which are UUIDs. >-(deny file-read* file-write* >- (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")) >- (home-library-regex (string-append "/Keychains/" (uuid-regex-string) "(/|$)"))) >-#endif >- > ;; Security framework > (allow mach-lookup (global-name "com.apple.ocspd")) > (allow file-read* >@@ -390,9 +372,7 @@ > (global-name "com.apple.SystemConfiguration.PPPController") > (global-name "com.apple.SystemConfiguration.configd") > (global-name "com.apple.UNCUserNotification") >-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 > (global-name "com.apple.analyticsd") >-#endif > (global-name "com.apple.audio.audiohald") > (global-name "com.apple.audio.coreaudiod") > (global-name "com.apple.cfnetwork.AuthBrokerAgent") >diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >index 50016c7edf31836d3e6c26c6fa0c27473f2c1380..b329802fc2075122db59d07e8b37744dd46cebfd 100644 >--- a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >+++ b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >@@ -25,9 +25,6 @@ > (deny default (with partial-symbolication)) > (allow system-audit file-read-metadata) > >-#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED < 101300 >-(import "system.sb") >-#else > ;;; > ;;; The following rules were originally contained in 'system.sb'. We are duplicating them here so we can > ;;; remove unneeded sandbox extensions. >@@ -88,18 +85,11 @@ > file-ioctl > (literal "/dev/dtracehelper")) > >-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300 >-(allow network-outbound >- (literal "/private/var/run/asl_input") >- (literal "/private/var/run/syslog")) >-#endif >- > ;;; Allow creation of core dumps. > (allow file-write-create > (require-all (prefix "/cores/") > (vnode-type REGULAR-FILE))) > >- > ;;; Allow IPC to standard system agents. > (allow ipc-posix-shm-read* > (ipc-posix-name "apple.shm.notification_center") >@@ -155,7 +145,6 @@ > ;;; > ;;; End rules originally copied from 'system.sb' > ;;; >-#endif > > ;;; process-info* defaults to allow; deny it and then allow operations we actually need. > (deny process-info*) >@@ -399,7 +388,6 @@ > (iokit-property "IOGVAH264EncodeCapabilities") ;; <rdar://problem/49498040> > ) > >-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 > (deny mach-lookup (xpc-service-name-prefix "")) > (allow mach-lookup > (xpc-service-name "com.apple.PerformanceAnalysis.animationperfd") >@@ -411,7 +399,6 @@ > (xpc-service-name "com.apple.hiservices-xpcservice") > (xpc-service-name "com.apple.print.normalizerd") > ) >-#endif > > ;; Utility functions for home directory relative path filters > (define (home-regex home-relative-regex) >@@ -608,10 +595,8 @@ > #endif > (global-name "com.apple.PowerManagement.control") > (global-name "com.apple.SystemConfiguration.configd") >-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 > (global-name "com.apple.analyticsd") > (global-name "com.apple.audio.AudioComponentRegistrar") >-#endif > (global-name "com.apple.assertiond.processassertionconnection") > (global-name "com.apple.audio.SystemSoundServer-OSX") > (global-name "com.apple.audio.audiohald") >@@ -687,9 +672,6 @@ > (system-graphics) > > ;; Networking >-#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED < 101300 >-(system-network) >-#endif > (allow network-outbound > ;; Local mDNSResponder for DNS, arbitrary outbound TCP > ;; Note: This is needed for some media playback features. <rdar://problem/38191574> >@@ -699,10 +681,8 @@ > (literal "/private/var/run/syslog") > (remote tcp)) > >-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 > ;; CFNetwork > (allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin")) >-#endif > > ;; Network Extensions / VPN helper. > (allow mach-lookup >@@ -714,10 +694,6 @@ > (allow mach-lookup > (global-name "com.apple.system.logger") > (global-name "com.apple.system.notification_center")) >-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300 >-(allow network-outbound >- (remote udp)) >-#endif > #endif > > (if (defined? 'vnode-type) >@@ -760,11 +736,9 @@ > (global-name "com.apple.coremedia.endpointplaybacksession.xpc") > ; <rdar://problem/35509194> > (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc") >-#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300 > (global-name "com.apple.coremedia.routediscoverer.xpc") > (global-name "com.apple.coremedia.routingcontext.xpc") > (global-name "com.apple.coremedia.volumecontroller.xpc") >-#endif > ) > > ;; Data Detectors
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=370767">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 198300
: 370767