[iOS] Remove use of 'apple-signed-executable?' from Sandbox

https://bugs.webkit.org/show_bug.cgi?id=209914
<rdar://problem/45088481>

Reviewed by Per Arne Vollan.

Some of the rules imported from the system sandbox make decisions based on whether the software is
an apple-signed executable or not. This predicate is not relevant for the WebKit processes, and
should be removed (it is always apple-signed).

This patch makes the following changes:
1. Removes all uses of 'apple-signed-executable?' (since it is always true for WebKit).
2. Removed two iCloud preference reads that are not used in WebKit.
3. Switches from the deprecated 'com.apple.ReportCrash.SimulateCrash' XPC service to its
correct name 'com.apple.osanalytics.osanalyticshelper'.

Covered by existing regression tests.

* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:


Canonical link: https://commits.webkit.org/222838@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259409 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog

@@ -1,3 +1,27 @@
+2020-04-02  Brent Fulgham  <bfulgham@apple.com>
+
+        [iOS] Remove use of 'apple-signed-executable?' from Sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=209914
+        <rdar://problem/45088481>
+
+        Reviewed by Per Arne Vollan.
+
+        Some of the rules imported from the system sandbox make decisions based on whether the software is
+        an apple-signed executable or not. This predicate is not relevant for the WebKit processes, and
+        should be removed (it is always apple-signed).
+
+        This patch makes the following changes:
+        1. Removes all uses of 'apple-signed-executable?' (since it is always true for WebKit).
+        2. Removed two iCloud preference reads that are not used in WebKit.
+        3. Switches from the deprecated 'com.apple.ReportCrash.SimulateCrash' XPC service to its
+        correct name 'com.apple.osanalytics.osanalyticshelper'.
+
+        Covered by existing regression tests.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2020-04-01  Darin Adler  <darin@apple.com>
 
         Remove all uses of live ranges from TextIterator

Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb

@@ -436,16 +436,10 @@
 
 (deny file-write-mount file-write-unmount)
 
-(allow file-read-metadata (with no-times)
-       (vnode-type DIRECTORY))
-(with-filter (apple-signed-executable?)
-  (allow file-read-metadata
-         (vnode-type DIRECTORY)))
+(allow file-read-metadata
+    (vnode-type DIRECTORY))
 
-(with-filter (apple-signed-executable?)
-  (managed-configuration-read "CloudConfigurationDetails.plist")
-  (managed-configuration-read "CloudConfigurationSetAsideDetails.plist")
-  (mobile-preferences-read "com.apple.security"))
+(mobile-preferences-read "com.apple.security")
 
 (with-filter (system-attribute apple-internal)
   (mobile-preferences-read "com.apple.PrototypeTools"))
@@ -652,9 +646,6 @@
 (allow process-info-rusage (target self))
 (allow process-info-codesignature (target self))
 
-(with-filter (apple-signed-executable?)
-    (mobile-preferences-read "com.apple.demo-settings"))
-
 ;;;
 ;;; End common.sb content
 ;;;

Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb

@@ -125,8 +125,7 @@
     (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
            (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.plist")))
 
-    (with-filter (apple-signed-executable?)
-        (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist")))
+    (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist"))
 
     (allow mach-lookup
            (global-name "com.apple.AppSSO.service-xpc"))
@@ -155,14 +154,9 @@
                (global-name "com.apple.networkd_privileged")))
 
     ;; <rdar://problem/20201593>
-    (with-filter (require-any
-                   (apple-signed-executable?)
-                   (require-entitlement "com.apple.authkit.client")
-                   (require-entitlement "com.apple.authkit.client.private")
-                   (require-entitlement "com.apple.authkit.client.internal"))
-        (allow mach-lookup
-               (global-name "com.apple.ak.anisette.xpc")
-               (global-name "com.apple.ak.auth.xpc")))
+    (allow mach-lookup
+        (global-name "com.apple.ak.anisette.xpc")
+        (global-name "com.apple.ak.auth.xpc"))
 
     ;; <rdar://problem/15897781>
     (allow mach-lookup
@@ -281,9 +275,8 @@
         (mobile-preferences-read "com.apple.hangtracer")
 
         ;; <rdar://problem/9090627>
-        (with-filter (apple-signed-executable?)
-          (allow mach-lookup
-                 (global-name "com.apple.ReportCrash.SimulateCrash"))))
+        (allow mach-lookup
+             (global-name "com.apple.osanalytics.osanalyticshelper")))
 
 (define-once (logd-diagnostic-paths)
     (require-any

Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -394,16 +394,10 @@
 
 (deny file-write-mount file-write-unmount)
 
-(allow file-read-metadata (with no-times)
-       (vnode-type DIRECTORY))
-(with-filter (apple-signed-executable?)
-  (allow file-read-metadata
-         (vnode-type DIRECTORY)))
+(allow file-read-metadata
+    (vnode-type DIRECTORY))
 
-(with-filter (apple-signed-executable?)
-  (managed-configuration-read "CloudConfigurationDetails.plist")
-  (managed-configuration-read "CloudConfigurationSetAsideDetails.plist")
-  (mobile-preferences-read "com.apple.security"))
+(mobile-preferences-read "com.apple.security")
 
 (with-filter (system-attribute apple-internal)
   (mobile-preferences-read "com.apple.PrototypeTools"))
@@ -603,9 +597,6 @@
 (allow process-info-rusage (target self))
 (allow process-info-codesignature (target self))
 
-(with-filter (apple-signed-executable?)
-    (mobile-preferences-read "com.apple.demo-settings"))
-
 ;;;
 ;;; End common.sb content
 ;;;