[iOS] Remove overridden rules in sandbox
authorpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Mar 2019 17:49:21 +0000 (17:49 +0000)
committerpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Mar 2019 17:49:21 +0000 (17:49 +0000)
https://bugs.webkit.org/show_bug.cgi?id=193840
<rdar://problem/47558526>

Reviewed by Brent Fulgham.

On iOS, some rules are overridden by other rules in the same sandbox file. The overridden
rules should be removed.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243149 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index 956423e..6e999ec 100644 (file)
@@ -1,3 +1,16 @@
+2019-03-19  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Remove overridden rules in sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=193840
+        <rdar://problem/47558526>
+
+        Reviewed by Brent Fulgham.
+
+        On iOS, there are some rules overridden in the same sandbox file. The overridden rules
+        should be removed.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2019-03-19  Timothy Hatcher  <timothy@apple.com>
 
         Make WebKit/NSAttributedString.h a public header.
index c84e59f..9f25fd7 100644 (file)
 ;;; remove unneeded sandbox extensions.
 ;;;
 
-;;; <rdar://problem/29959382> Allow UIKit apps access to com.apple.TextInput.preferences mach service
-(allow mach-lookup
-    (global-name "com.apple.TextInput.preferences"))
-
-(allow mach-lookup
-    (xpc-service-name "com.apple.siri.context.service"))
-
 (allow mach-lookup
     (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
     (global-name-regex #"^com\.apple\.uikit\.viewservice\..+"))
 
 (url-translation)
 
-;; For <rdar://problem/20812377> All applications need to be able to access the com.apple.UIKit.KeyboardManagement running in backboardd
-;; renamed in <rdar://problem/20909914> Rename com.apple.UIKit.KeyboardManagement
-(allow mach-lookup
-    (global-name "com.apple.UIKit.KeyboardManagement")
-    (global-name "com.apple.UIKit.KeyboardManagement.hosted"))
-
 ;; TextInput framework
 (allow mach-lookup
-    (global-name "com.apple.TextInput")
-    (global-name "com.apple.TextInput.emoji")
-    (global-name "com.apple.TextInput.image-cache-server")
-    (global-name "com.apple.TextInput.lexicon-server")
-    (global-name "com.apple.TextInput.rdt")
-    (global-name "com.apple.TextInput.shortcuts"))
-(mobile-preferences-read "com.apple.da")
-
-;; Various Accessibility services.
-(allow mach-lookup
-    (xpc-service-name "com.apple.accessibility.AccessibilityUIServer")) ; Needed for Zoom focus updates
+    (global-name "com.apple.TextInput"))
 
-;; ZoomTouch
-;; <rdar://problem/11823957>
-(allow mach-lookup
-    (global-name "com.apple.accessibility.AXBackBoardServer"))
+(mobile-preferences-read "com.apple.da")
 
 ;; Speak Selection & VoiceOver
 ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
@@ -93,9 +67,7 @@
     "com.apple.voiceservices") ; Ditto
 
 (allow mach-lookup
-    (global-name "com.apple.audio.AudioComponentPrefs")
-    (global-name "com.apple.audio.AudioComponentRegistrar")
-    (global-name "com.apple.audio.AudioQueueServer"))
+    (global-name "com.apple.audio.AudioComponentRegistrar"))
 
 (allow mach-register
     (local-name "com.apple.iphone.axserver")) ; Needed for Application Accessibility
     (home-subpath "/Library/VoiceServices/Assets")
     (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
 
-;; HearingAidSupport
-(allow mach-lookup
-    (xpc-service-name "com.apple.accessibility.heard"))
-
 ;; MediaAccessibility (captions)
 ;; <rdar://problem/12801477>
 (mobile-preferences-read "com.apple.mediaaccessibility")
 ;; Network Extensions / VPN helper.
 (allow mach-lookup
     (global-name "com.apple.nehelper")
-    (global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/48442387>
-    (global-name "com.apple.nesessionmanager"))
+    (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
 
 ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
 (allow-well-known-system-group-container-literal-read
 (allow file-read*
     (home-subpath "/Library/Caches/com.apple.keyboards"))
 
-;; NSExtension helper for supplying information not provided by PlugInKit
-(allow mach-lookup
-    (xpc-service-name "com.apple.uifoundation-bundle-helper"))
-
 ;; <rdar://problem/19525887>
 (allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))
 ;; <rdar://problem/31252371>
 (allow file-read*
     (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
 (allow mach-lookup
-    (xpc-service-name "com.apple.lsdiconservice") ;; Remove this line after <rdar://problem/47151295> is fixed.
     (xpc-service-name "com.apple.iconservices")
     (global-name "com.apple.iconservices"))
 
 ;; Common mach services needed by UIKit.
 (allow mach-lookup
     (global-name "com.apple.CARenderServer")
-    (global-name "com.apple.KeyboardServices.TextReplacementService")
-    (global-name "com.apple.assertiond.applicationstateconnection")
-    (global-name "com.apple.assertiond.expiration")
-    (global-name "com.apple.assertiond.processinfoservice")
-    (global-name "com.apple.audio.SystemSoundServer-iOS")
-    (global-name "com.apple.backboard.TouchDeliveryPolicyServer")
-    (global-name "com.apple.backboard.animation-fence-arbiter")
-    (global-name "com.apple.backboard.display.services")
-    (global-name "com.apple.backboard.hid.focus")
-    (global-name "com.apple.backboard.hid.services")
     (global-name "com.apple.iohideventsystem")
-    (global-name "com.apple.frontboard.workspace")
     (global-name "com.apple.frontboard.systemappservices"))
 
 ;; <rdar://problem/47268166>
     (home-prefix "/Library/Preferences/com.apple.springboard.plist")
     (with no-log))
 
-;; <rdar://problem/34092690>
-(allow mach-lookup
-    (xpc-service-name "com.apple.avkit.SharedPreferences"))
-
 ;; <rdar://problem/34986314>
 (mobile-preferences-read "com.apple.indigo")
 
-;; <rdar://problem/35417382>, <rdar://problem/35518557>
-(allow mach-lookup
-    (global-name "com.apple.corespotlightservice"))
-
-;; <rdar://problem/35446577>
-(allow mach-lookup
-    (global-name "com.apple.coremedia.endpointplaybacksession.xpc"))
-
-;; <rdar://problem/35509194>
-(allow mach-lookup
-    (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc"))
-
 ;;;
 ;;; End UIKit-apps.sb content
 ;;;
 ;; Various services required by CFNetwork and other frameworks
 (allow mach-lookup
     (global-name "com.apple.PowerManagement.control")
-    (global-name "com.apple.accountsd.accountmanager")
-    (global-name "com.apple.analyticsd")
-    (global-name "com.apple.coremedia.audiodeviceclock"))
+    (global-name "com.apple.analyticsd"))
 
 (deny file-write-create (vnode-type SYMLINK))
 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
 
 ;; Support incoming video connections
 (allow mach-lookup
-    (global-name "com.apple.audio.audiohald")
     (global-name "com.apple.coremedia.compressionsession")
     (global-name "com.apple.coremedia.decompressionsession")
     (global-name "com.apple.coremedia.videoqueue"))
     (global-name "com.apple.FileCoordination")
     (global-name "com.apple.FileProvider")
     (global-name "com.apple.Honeybee.event-notify")
-    (global-name "com.apple.KeyboardServices.TextReplacementService")
     (global-name "com.apple.MediaPlayer.RemotePlayerService")
     (global-name "com.apple.ReportCrash.SimulateCrash")
-    (global-name "com.apple.TextInput.emoji")
-    (global-name "com.apple.TextInput.image-cache-server")
-    (global-name "com.apple.TextInput.lexicon-server")
-    (global-name "com.apple.TextInput.preferences")
-    (global-name "com.apple.TextInput.rdt")
-    (global-name "com.apple.TextInput.shortcuts")
-    (global-name "com.apple.UIKit.KeyboardManagement")
-    (global-name "com.apple.UIKit.KeyboardManagement.hosted")
-    (global-name "com.apple.accessibility.AXBackBoardServer")
-    (global-name "com.apple.accessibility.AccessibilityUIServer")
-    (global-name "com.apple.accessibility.heard")
     (global-name "com.apple.accountsd.accountmanager")
-    (global-name "com.apple.app-sandbox.mach")
     (global-name "com.apple.appsupport.cplogd")
-    (global-name "com.apple.assertiond.applicationstateconnection")
-    (global-name "com.apple.assertiond.expiration")
     (global-name "com.apple.assertiond.processassertionconnection")
-    (global-name "com.apple.assertiond.processinfoservice")
-    (global-name "com.apple.audio.AudioComponentPrefs")
-    (global-name "com.apple.audio.AudioQueueServer")
-    (global-name "com.apple.audio.SystemSoundServer-iOS")
-    (global-name "com.apple.audio.audiohald")
     (global-name "com.apple.audio.reporting.xpc")
-    (global-name "com.apple.avkit.SharedPreferences")
-    (global-name "com.apple.backboard.TouchDeliveryPolicyServer")
-    (global-name "com.apple.backboard.animation-fence-arbiter")
-    (global-name "com.apple.backboard.display.services")
-    (global-name "com.apple.backboard.hid.focus")
     (global-name "com.apple.bird")
     (global-name "com.apple.bird.token")
     (global-name "com.apple.cfprefsd.agent")
     (global-name "com.apple.coremedia.assetcacheinspector")
     (global-name "com.apple.coremedia.audiodeviceclock")
     (global-name "com.apple.coremedia.audioprocessingtap.xpc")
-    (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
     (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc")
     (global-name "com.apple.coremedia.sandboxserver")
     (global-name "com.apple.coremedia.videocompositor")
     (global-name "com.apple.coremedia.visualcontext.xpc")
     (global-name "com.apple.coreservices.lsuseractivitymanager.xpc")
-    (global-name "com.apple.corespotlightservice")
     (global-name "com.apple.ctkd.token-client")
     (global-name "com.apple.cvmsServ")
     (global-name "com.apple.duetknowledged.activity")
     (global-name "com.apple.dyld.closured")
-    (global-name "com.apple.frontboard.workspace")
     (global-name "com.apple.gpumemd.source")
     (global-name "com.apple.hangtracerd")
     (global-name "com.apple.itunescloudd.xpc")
     (global-name "com.apple.pluginkit.plugin-service")
     (global-name "com.apple.quicklook.ThumbnailsAgent")
     (global-name "com.apple.revisiond")
-    (global-name "com.apple.siri.context.service")
     (global-name "com.apple.springboard.backgroundappservices")
     (global-name "com.apple.system.libinfo.muser")
-    (global-name "com.apple.uifoundation-bundle-helper")
     (global-name "com.apple.webkit.camera")
 )
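Review bot: Several of the removed allows use a different filter from the entry dropped from the final list, so they may not have been overridden at all: `com.apple.siri.context.service`, `com.apple.accessibility.AccessibilityUIServer`, `com.apple.accessibility.heard`, `com.apple.uifoundation-bundle-helper` and `com.apple.avkit.SharedPreferences` were allowed with `xpc-service-name`, while the final list names them with `global-name`. The head of that final list is outside the visible hunk, so this assumes it is the overriding deny; if it is, those removals tighten the WebContent sandbox rather than being no-ops, and should be confirmed against sandbox violation logs with the features named in the removed comments (Zoom focus updates, HearingAidSupport) in use. The list also keeps `com.apple.accountsd.accountmanager`, `com.apple.coremedia.audiodeviceclock` and `com.apple.coremedia.endpointremotecontrolsession.xpc` although their allows in this file are removed, whereas `com.apple.coremedia.endpointplaybacksession.xpc` is dropped from both places. A one-line comment on the kept entries, for example `;; Kept: still overrides the allow in <PROFILE-NAME placeholder>`, would tell the next editor why they stay.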