Correct sandbox profiles to fix some excess privileges
authoroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jul 2014 00:10:11 +0000 (00:10 +0000)
committeroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jul 2014 00:10:11 +0000 (00:10 +0000)
https://bugs.webkit.org/show_bug.cgi?id=135134
<rdar://problem/17741886>
<rdar://problem/17739080>

Reviewed by Alexey Proskuryakov.

This cleans up our sandbox profiles to fix a few issues: the profiles
no longer allow us to issue file extensions that we also have the ability to consume,
and some of the other file access rules are tightened.

This means we have to add some rules to allow us to access things
that we previously had access to only because of the lax file system restrictions.

Some of the features were fixable simply by using entitlements on the
process rather than custom rules.

* Configurations/WebContent-iOS.entitlements:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@171322 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/Configurations/WebContent-iOS.entitlements
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index 592438b..136d066 100644 (file)
@@ -1,3 +1,27 @@
+2014-07-21  Oliver Hunt  <oliver@apple.com>
+
+        Correct sandbox profiles to fix some excess privileges
+        https://bugs.webkit.org/show_bug.cgi?id=135134
+        <rdar://problem/17741886>
+        <rdar://problem/17739080>
+
+        Reviewed by Alexey Proskuryakov.
+
+        This cleans up our sandbox profiles to fix a few issues - the profiles
+        no longer allow us to issue file extension we have the ability to consume,
+        and tightens some of the other file access rules.
+
+        This means we have to addd some rules to allow us to access things
+        that we previously had access to due to lax file system restrictions.
+
+        Some of the features were fixable simply by using entitlements on the
+        process rather than custom rules.
+
+        * Configurations/WebContent-iOS.entitlements:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2014-07-21  Simon Fraser  <simon.fraser@apple.com>
 
         [iOS WK2] Turn off position:fixed behavior when the keyboard is up
index 515c1f7..9c47c9e 100644 (file)
        <true/>
        <key>com.apple.private.webinspector.proxy-application</key>
        <true/>
+       <key>com.apple.locationd.authorizeapplications</key>
+       <true/>
+       <key>com.apple.locationd.effective_bundle</key>
+       <true/>
        <key>seatbelt-profiles</key>
        <array>
                <string>com.apple.WebKit.WebContent</string>
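Review bot: The two locationd entitlements added at the top of this section hand the WebContent process, the one that executes untrusted web content, a private location capability with no comment saying which feature needs it or why an entitlement was preferred over a sandbox rule; the description only says some features were "fixable" this way. The semantics of `com.apple.locationd.authorizeapplications` and `com.apple.locationd.effective_bundle` are not visible here, but the first name suggests the holder can authorize location access on behalf of other bundles, which would be a broad grant for a renderer if so. I would add an XML comment above the pair, e.g. `<!-- Geolocation: WebContent needs to talk to locationd on behalf of the embedding app; see the radars in the commit message -->`, and confirm in review whether the narrower of the two entitlements is sufficient on its own.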
index 7cfdd66..deef19c 100644 (file)
 (import "common.sb")
 (import "removed-dev-nodes.sb")
 
-;; Sandbox extensions
-(define (apply-read-and-issue-extension op path-filter)
-    (op file-read* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
-(define (apply-write-and-issue-extension op path-filter)
-    (op file-write* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
-(define (read-only-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter))
-(define (read-write-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter)
-    (apply-write-and-issue-extension allow path-filter))
-(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
-(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
-
-(if (defined? 'vnode-type)
-    (deny file-write-create (vnode-type SYMLINK)))
+(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
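Review bot: The removed block takes the `(deny file-write-create (vnode-type SYMLINK))` rule out together with the extension-issuing helpers, but that deny has nothing to do with issuing extensions, so unless common.sb now carries it the Databases process gains the ability to create symlinks inside its writable paths, a widening in a commit meant to remove excess privileges. The replacement rule also consumes only `com.apple.app-sandbox.read-write`, whereas the old profile additionally consumed `com.apple.app-sandbox.read`, so a read-only extension vended to this process would now be refused; fine if the UI process never issues one, but it deserves a comment. I would keep the deny after the new allow, `(if (defined? 'vnode-type) (deny file-write-create (vnode-type SYMLINK)))`, and add `;; Read-only app-sandbox extensions are intentionally not consumed here` if that is the intent.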
index ef5a7a4..2a0fdfd 100644 (file)
 (allow file-read* (extension "com.apple.webkit.read"))
 
 ;; Access to client's cache folder & re-vending to CFNetwork.
-(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))
-(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))
+;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
+(allow file-issue-extension (require-all
+    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))
+    (extension-class "com.apple.nsurlstorage.extension-cache")))
 
 ;; App sandbox extensions
 (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
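Review bot: The new `file-issue-extension` rule lets the Networking process vend `com.apple.nsurlstorage.extension-cache` extensions for any path covered by the `com.apple.webkit.read-write` or `com.apple.app-sandbox.read-write` extensions it holds, which is everything the client granted read-write, not just the "client's cache folder" the comment above it names. If that breadth is intentional the comment should say so; otherwise the path filter should be narrowed to the cache extension the client actually hands over. The FIXME also misspells the project name and should read `;; FIXME: Remove the WebKit-specific extension classes <rdar://problem/17755931>`. With the old `(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))` gone, cache access now depends on the read-write extensions consumed on the following line, which is consistent but worth a one-line comment so the dependency is not lost in a later cleanup.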
index 9834d8f..7162c21 100644 (file)
 ;; This is too generous -- <rdar://problem/17496756>
 (apple-cookie-access 'with-read-write)
 
+;; Access to media controls
 (play-media)
+(media-remote)
 
 ;; Read-only preferences and data
 (mobile-preferences-read
     "com.apple.LaunchServices"
-    "com.apple.WebFoundation")
+    "com.apple.WebFoundation"
+    "com.apple.mobileipod")
 
 ;; Sandbox extensions
 (define (apply-read-and-issue-extension op path-filter)
             (extension "com.apple.app-sandbox.read-write"))))
 
 
-(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))
-(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))
+;; Access to client's cache folder & re-vending to CFNetwork.
+;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
+(allow file-issue-extension (require-all
+    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))
+    (extension-class "com.apple.nsurlstorage.extension-cache")))
 
 ;; Access to own cache & temp folders.
 (allow file-read* (extension "com.apple.webkit.read"))
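Review bot: The second hunk copies the Networking rule verbatim into the WebContent profile, so the process that runs untrusted script can now issue `com.apple.nsurlstorage.extension-cache` extensions for every path under its `com.apple.webkit.read-write` or `com.apple.app-sandbox.read-write` extensions, while the comment above it claims only "client's cache folder" access; either the comment should state the real scope or the filter should be narrowed. The copied comment also carries the same `webkti` typo, and "re-vending to CFNetwork" reads as Networking-specific, so I would reword it as `;; Issue cache-class extensions for paths under our read-write extensions (CFNetwork caches used in this process).` In the first hunk, `(media-remote)` and the `com.apple.mobileipod` preference read sit under "Access to media controls" with no note of which WebContent feature requires them; a short why-comment there would keep the grant auditable. The `define` at the start of the second hunk belongs to the extension-helper block whose body lies outside what is shown here.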