Get rid of old sandbox rules for OS's we no longer support
https://bugs.webkit.org/show_bug.cgi?id=164638

Reviewed by Simon Fraser.

Clean up the various sandbox profiles to get rid of rules that applied to operating system
versions we no longer support, or were added in support of bugs that have long since been
fixed.

This should introduce no change in behavior.

* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
* WebProcess/com.apple.WebProcess.sb.in:


Canonical link: https://commits.webkit.org/182334@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@208611 268f45cc-cd09-0410-ab3c-d52691b4dbfc
brentfulgham committed Nov 11, 2016
1 parent bc128ef commit 3da5dbcd3ace75e4efeef2c8b7e8a1e2613c3a4d
@@ -1,3 +1,22 @@
2016-11-11 Brent Fulgham <bfulgham@apple.com>

Get rid of old sandbox rules for OS's we no longer support
https://bugs.webkit.org/show_bug.cgi?id=164638

Reviewed by Simon Fraser.

Clean up the various sandbox profiles to get rid of rules that applied to operating system
versions we no longer support, or were added in support of bugs that have long since been
fixed.

This should introduce no change in behavior.

* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
* WebProcess/com.apple.WebProcess.sb.in:

2016-11-11 Brady Eidson <beidson@apple.com>

IndexedDB 2.0: "close pending flag" and firing blocked events all need fixing.
@@ -1,4 +1,4 @@
; Copyright (C) 2014 Apple Inc. All rights reserved.
; Copyright (C) 2014-2016 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
@@ -88,8 +88,5 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))

;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))

;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
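Review bot: The explicit `(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))` guard appears to be dropped here, going by the header counts (8 old lines, 5 new), and nothing visible shows what now stops the process from writing that attribute on files it may otherwise write. Its FIXME tied removal to <rdar://problem/16329087> being fixed, but the ChangeLog entry only says "bugs that have long since been fixed"; it should name that radar and the minimum OS version on which the rule became unnecessary. The same rule is dropped in the hunks at -154,9 and -281,9. The rest of each profile lies outside these hunks, so whether a broader `file-write*` allow would now cover this attribute cannot be judged from here; a profile test that attempts the xattr write would settle it.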
@@ -154,9 +154,6 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))

;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))

;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

@@ -78,14 +78,6 @@
(if (not (defined? 'os-version))
(define os-version (param "_OS_VERSION")))

;; OS X 10.7 (Lion) compatibility
(if (not (defined? 'ipc-posix-shm*))
(define ipc-posix-shm* ipc-posix-shm))
(if (not (defined? 'ipc-posix-shm-read*))
(define ipc-posix-shm-read* ipc-posix-shm))
(if (not (defined? 'ipc-posix-shm-write-data))
(define ipc-posix-shm-write-data ipc-posix-shm))

;; Graphics
(if (defined? 'system-graphics)
(system-graphics)
@@ -247,10 +239,6 @@
(local-name "com.apple.tsm.portname")
(global-name-regex #"_OpenStep$"))

(if (equal? os-version "10.7")
(allow mach-lookup
(global-name "com.apple.system.DirectoryService.membership_v1")))

;; Configuration directories
(allow file-read* (subpath (param "PLUGIN_PATH")))
(allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
@@ -354,38 +342,12 @@
(define (webkit-microphone)
(allow device-microphone))

(if (equal? os-version "10.7")
(allow ipc-posix-shm)
(begin
(if (equal? os-version "10.8")
(allow ipc-posix-shm*
(ipc-posix-name "_CS_GSHMEMLOCK")
(ipc-posix-name "_CS_DSHMEMLOCK")))
(allow ipc-posix-shm*
(ipc-posix-name-regex #"^AudioIO")
(ipc-posix-name-regex #"^CFPBS:")
(ipc-posix-name "com.apple.ColorSync.Gen.lock")
(ipc-posix-name "com.apple.ColorSync.Disp.lock")
(ipc-posix-name "com.apple.ColorSync.Gray2.2")
(ipc-posix-name "com.apple.ColorSync.sRGB")
(ipc-posix-name "com.apple.ColorSync.GenGray")
(ipc-posix-name "com.apple.ColorSync.GenRGB")
(ipc-posix-name-regex #"^com\.apple\.cs\.")
(ipc-posix-name-regex #"^ls\."))
(allow ipc-posix-shm-read*
(ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
(ipc-posix-name "FNetwork.defaultStorageSession")
(ipc-posix-name "apple.shm.notification_center"))))

;; Silently block access to some resources
(deny file-read* file-write* (with no-log)
(subpath "/Network/Library")
(subpath "/Network/Applications")
(home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")

;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
(home-library-literal "/Caches/Cache.db")

;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
(home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
(home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))
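Review bot: Going by the header counts (38 old lines, 12 new), the whole `(if (equal? os-version "10.7") …)` form is deleted, including its `begin` branch, which as displayed (indentation is lost on this page) granted the `ipc-posix-shm*` and `ipc-posix-shm-read*` names on every OS other than 10.7. Only the inner `(if (equal? os-version "10.8") …)` was specific to an unsupported version. If that reading is right, plugins on supported systems lose the AudioIO, CFPBS, ColorSync and notification-center shared-memory grants, which does not match "This should introduce no change in behavior" unless those names are allowed elsewhere in the profile. Either keep the `(allow ipc-posix-shm* …)` and `(allow ipc-posix-shm-read* …)` forms at top level, or record the tightening in the ChangeLog so that a later plugin regression can be traced to this commit.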
@@ -33,13 +33,6 @@
(global-name "com.apple.coreservices.launchservicesd")
(global-name-regex #"^PlaceHolderServerName-"))

(if (equal? os-version "10.7")
(begin
(allow mach-lookup
(global-name-regex #"^com\.apple\.java\.jrs\.carenderserver"))
(allow file-read* file-write*
(home-library-subpath "/Caches/net.java.openjdk.cmd"))))

(allow file-read*
(literal "/dev/fd")
(literal "/usr/bin")
@@ -146,14 +146,7 @@
(ipc-posix-name-regex #"^WebKit Test-"))

;; ColorSync
;; FIXME: Remove names with underscores when possible (see <rdar://problem/13072721>).
(allow ipc-posix-shm*
(ipc-posix-name "_CS_GSHMEMLOCK")
(ipc-posix-name "_CS_DSHMEMLOCK")
(ipc-posix-name "_CSGRAYPROFILE")
(ipc-posix-name "_CSRGBPROFILE")
(ipc-posix-name "_CSGENGPROFILE")
(ipc-posix-name "_CSGENRPROFILE")
(ipc-posix-name "com.apple.ColorSync.Gen.lock")
(ipc-posix-name "com.apple.ColorSync.Disp.lock")
(ipc-posix-name "com.apple.ColorSync.Gray2.2")
@@ -281,9 +274,6 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))

;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))

;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
