Relax keychain access to permit users to permanently allow client certificates
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Aug 2017 01:05:22 +0000 (01:05 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Aug 2017 01:05:22 +0000 (01:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175857
<rdar://problem/32293867>

Reviewed by Alex Christensen.

* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221061 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

index a7ee7cb..10c7d75 100644 (file)
@@ -1,3 +1,14 @@
+2017-08-22  Brent Fulgham  <bfulgham@apple.com>
+
+        Relax keychain access to permit users to permanently allow client certificates
+        https://bugs.webkit.org/show_bug.cgi?id=175857
+        <rdar://problem/32293867>
+
+        Reviewed by Alex Christensen.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2017-08-22  Chris Dumez  <cdumez@apple.com>
 
         Introduce a new CompletionHandler type and use it for NetworkDataTaskClient's completion handlers to help catch bugs
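Review bot: The new ChangeLog entry lists NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in and WebProcess/com.apple.WebProcess.sb.in with nothing after the colon, so the record of a sandbox relaxation does not say which operation was added or why. Please add a line under each file naming the added operation (file-write-create on the keychain paths), and a sentence in the entry body on why permanently allowing a client certificate requires file creation there.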
index 41f6eee..c99d634 100644 (file)
 
 ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
 ;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
-(allow file-read-data file-read-metadata file-write-data
+(allow file-read-data file-read-metadata file-write-create file-write-data
     (subpath "/Library/Keychains")
     (home-subpath "/Library/Keychains"))
 
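Review bot: The comment directly above the changed rule still reads "Restrict AppSandboxed processes from creating /Library/Keychains", but the rule now grants file-write-create on both (subpath "/Library/Keychains") and (home-subpath "/Library/Keychains"), so the comment and the rule no longer say the same thing. Update the comment to state what the network process may now create and why. Also consider whether a narrower filter than the whole subpath would cover the client-certificate case, since this block sits under a FIXME that says it should be removed later and a broad grant is harder to retire.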
index ac20691..0ad2708 100644 (file)
 
 ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
 ;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
-(allow file-read-data file-read-metadata file-write-data
+(allow file-read-data file-read-metadata file-write-create file-write-data
     (subpath "/Library/Keychains"))
 
 ;; Do permit creating per-user keychains
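Review bot: Nothing in the commit message explains why the WebProcess profile needs file-write-create on (subpath "/Library/Keychains"); the title is about client certificates, and the same operation is added to the NetworkProcess profile in this commit. Unlike that profile, this rule has no home-subpath clause, so the new create right applies only to the system-wide directory, and the comment that follows ("Do permit creating per-user keychains") indicates per-user creation is handled by a separate rule. Please confirm the WebProcess change is required and, if so, say why in a comment next to the rule; otherwise drop it from this profile.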