Get rid of old sandbox rules for OS's we no longer support

https://bugs.webkit.org/show_bug.cgi?id=164638

Reviewed by Simon Fraser.

Clean up the various sandbox profiles to get rid of rules that applied to operating system
versions we no longer support, or were added in support of bugs that have long since been
fixed.

This should introduce no change in behavior.

* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
* WebProcess/com.apple.WebProcess.sb.in:


Canonical link: https://commits.webkit.org/182334@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@208611 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog

@@ -1,3 +1,22 @@
+2016-11-11  Brent Fulgham  <bfulgham@apple.com>
+
+        Get rid of old sandbox rules for OS's we no longer support
+        https://bugs.webkit.org/show_bug.cgi?id=164638
+
+        Reviewed by Simon Fraser.
+
+        Clean up the various sandbox profiles to get rid of rules that applied to operating system
+        versions we no longer support, or were added in support of bugs that have long since been
+        fixed.
+
+        This should introduce no change in behavior.
+
+        * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+        * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2016-11-11  Brady Eidson  <beidson@apple.com>
 
         IndexedDB 2.0: "close pending flag" and firing blocked events all need fixing.

Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in

@@ -1,4 +1,4 @@
-; Copyright (C) 2014 Apple Inc. All rights reserved.
+; Copyright (C) 2014-2016 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -88,8 +88,5 @@
 (if (defined? 'vnode-type)
     (deny file-write-create (vnode-type SYMLINK)))
 
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
 ;; Reserve a namespace for additional protected extended attributes.
 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

@@ -154,9 +154,6 @@
 (if (defined? 'vnode-type)
     (deny file-write-create (vnode-type SYMLINK)))
 
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
 ;; Reserve a namespace for additional protected extended attributes.
 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
 

Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in

@@ -78,14 +78,6 @@
 (if (not (defined? 'os-version))
     (define os-version (param "_OS_VERSION")))
 
-;; OS X 10.7 (Lion) compatibility
-(if (not (defined? 'ipc-posix-shm*))
-    (define ipc-posix-shm* ipc-posix-shm))
-(if (not (defined? 'ipc-posix-shm-read*))
-    (define ipc-posix-shm-read* ipc-posix-shm))
-(if (not (defined? 'ipc-posix-shm-write-data))
-    (define ipc-posix-shm-write-data ipc-posix-shm))
-
 ;; Graphics
 (if (defined? 'system-graphics)
     (system-graphics)
@@ -247,10 +239,6 @@
     (local-name "com.apple.tsm.portname")
     (global-name-regex #"_OpenStep$"))
 
-(if (equal? os-version "10.7")
-    (allow mach-lookup
-        (global-name "com.apple.system.DirectoryService.membership_v1")))
-
 ;; Configuration directories
 (allow file-read* (subpath (param "PLUGIN_PATH")))
 (allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
@@ -354,38 +342,12 @@
 (define (webkit-microphone)
     (allow device-microphone))
 
-(if (equal? os-version "10.7")
-    (allow ipc-posix-shm)
-    (begin
-        (if (equal? os-version "10.8")
-            (allow ipc-posix-shm*
-                (ipc-posix-name "_CS_GSHMEMLOCK")
-                (ipc-posix-name "_CS_DSHMEMLOCK")))
-        (allow ipc-posix-shm*
-            (ipc-posix-name-regex #"^AudioIO")
-            (ipc-posix-name-regex #"^CFPBS:")
-            (ipc-posix-name "com.apple.ColorSync.Gen.lock")
-            (ipc-posix-name "com.apple.ColorSync.Disp.lock")
-            (ipc-posix-name "com.apple.ColorSync.Gray2.2")
-            (ipc-posix-name "com.apple.ColorSync.sRGB")
-            (ipc-posix-name "com.apple.ColorSync.GenGray")
-            (ipc-posix-name "com.apple.ColorSync.GenRGB")
-            (ipc-posix-name-regex #"^com\.apple\.cs\.")
-            (ipc-posix-name-regex #"^ls\."))
-        (allow ipc-posix-shm-read*
-            (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
-            (ipc-posix-name "FNetwork.defaultStorageSession")
-            (ipc-posix-name "apple.shm.notification_center"))))
-
 ;; Silently block access to some resources
 (deny file-read* file-write* (with no-log)
     (subpath "/Network/Library")
     (subpath "/Network/Applications")
     (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")
 
-    ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
-    (home-library-literal "/Caches/Cache.db")
-
     ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
     (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
     (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))

Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb

@@ -33,13 +33,6 @@
     (global-name "com.apple.coreservices.launchservicesd")
     (global-name-regex #"^PlaceHolderServerName-"))
 
-(if (equal? os-version "10.7")
-    (begin
-        (allow mach-lookup
-            (global-name-regex #"^com\.apple\.java\.jrs\.carenderserver"))
-        (allow file-read* file-write*
-            (home-library-subpath "/Caches/net.java.openjdk.cmd"))))
-
 (allow file-read*
     (literal "/dev/fd")
     (literal "/usr/bin")

Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in

@@ -146,14 +146,7 @@
     (ipc-posix-name-regex #"^WebKit Test-"))
 
 ;; ColorSync
-;; FIXME: Remove names with underscores when possible (see <rdar://problem/13072721>).
 (allow ipc-posix-shm*
-    (ipc-posix-name "_CS_GSHMEMLOCK")
-    (ipc-posix-name "_CS_DSHMEMLOCK")
-    (ipc-posix-name "_CSGRAYPROFILE")
-    (ipc-posix-name "_CSRGBPROFILE")
-    (ipc-posix-name "_CSGENGPROFILE")
-    (ipc-posix-name "_CSGENRPROFILE")
     (ipc-posix-name "com.apple.ColorSync.Gen.lock")
     (ipc-posix-name "com.apple.ColorSync.Disp.lock")
     (ipc-posix-name "com.apple.ColorSync.Gray2.2")
@@ -281,9 +274,6 @@
 (if (defined? 'vnode-type)
         (deny file-write-create (vnode-type SYMLINK)))
 
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
 ;; Reserve a namespace for additional protected extended attributes.
 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))