<rdar://problem/13334446> [Mac] Tweak sandbox profiles.
authorap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Apr 2013 22:21:24 +0000 (22:21 +0000)
committerap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Apr 2013 22:21:24 +0000 (22:21 +0000)
        Reviewed by Anders Carlsson.

        Unbreak Lion, which doesn't provide detailed control over IPC.

        * WebProcess/com.apple.WebProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@148917 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in

index 9d5d19c..074254f 100644 (file)
@@ -1,3 +1,13 @@
+2013-04-22  Alexey Proskuryakov  <ap@apple.com>
+
+        <rdar://problem/13334446> [Mac] Tweak sandbox profiles.
+
+        Reviewed by Anders Carlsson.
+
+        Unbreak Lion, which doesn't provide detailed control over IPC.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2013-04-22  Martin Robinson  <mrobinson@igalia.com>
 
         [GTK] Enable introspection always for developer builds
index d811864..80fd0eb 100644 (file)
@@ -1,6 +1,9 @@
 (version 1)
 (deny default (with partial-symbolication))
 (allow system-audit file-read-metadata)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
+(allow ipc-posix-shm)
+#endif
 
 (import "system.sb")
 
        (iokit-user-client-class "IOAudioControlUserClient")
        (iokit-user-client-class "IOAudioEngineUserClient"))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
+
 ;; cookied.
 ;; FIXME: Update for <rdar://problem/13642852>.
 (allow ipc-posix-shm-read-data
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
     (ipc-posix-name-regex #"^AudioIO"))
 
+#endif
+
 ;; Various services required by AppKit and other frameworks
 (allow mach-lookup
        (global-name "com.apple.DiskArbitration.diskarbitrationd")
        (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
        (home-literal "/Library/Preferences/com.apple.security.plist")
        (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
        (ipc-posix-name "com.apple.AppleDatabaseChanged"))
+#endif
 
 ;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
 (allow mach-lookup
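Review bot: The Lion-only rule added near the top of com.apple.WebProcess.sb.in, `(allow ipc-posix-shm)`, carries no name filter, so a 10.7 build lets the WebProcess use any POSIX shared-memory object, while 10.8 builds stay limited to the named rules (`^AudioIO`, `com.apple.AppleDatabaseChanged`, and the cookied block). The commit message suggests this is forced by Lion's coarser sandbox, but the profile itself should say so, for example with `;; Lion has no per-operation shm rules, so all POSIX shm is allowed here; 10.8+ uses the named rules below.` above the rule. If Lion's profile language accepts an `ipc-posix-name` filter on `ipc-posix-shm` (not visible from this page), scoping the rule to the same names would keep the 10.7 sandbox closer to the 10.8 one. The guards `== 1070` and `>= 1080` are not complements, so a build with a deployment target below 1070 would get no shared-memory rule at all; confirm no such build uses this profile. The `#if` before `;; cookied.` and its `#endif` after the AudioIO rule enclose lines this page does not show, so it is worth checking that only shared-memory rules sit between them.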