Extend Networking Process sandbox for some system frameworks
authorjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 00:36:06 +0000 (00:36 +0000)
committerjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 00:36:06 +0000 (00:36 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196036
<rdar://problem/47594150>

Reviewed by Brent Fulgham.

* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243267 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb

index 886b050..83ed059 100644 (file)
@@ -1,3 +1,14 @@
+2019-03-20  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Extend Networking Process sandbox for some system frameworks
+        https://bugs.webkit.org/show_bug.cgi?id=196036
+        <rdar://problem/47594150>
+
+        Reviewed by Brent Fulgham.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+
 2019-03-20  Alex Christensen  <achristensen@webkit.org>
 
         Reduce use of LegacySync IPC message type
index 640ed40..20e9906 100644 (file)
 (allow ipc-posix-shm-read-data
     (ipc-posix-name "FNetwork.defaultStorageSession")
     (ipc-posix-name-regex #"\.PrivateBrowsing-")
-    (ipc-posix-name-regex #"^WebKit Test-"))
+    (ipc-posix-name-regex #"^WebKit Test-")
+    (ipc-posix-name "/com.apple.AppSSO.version")
+)
 
 ;; Various services required by CFNetwork and other frameworks
 (allow mach-lookup
     (global-name "com.apple.lsd.mapdb")
     (global-name "com.apple.nesessionmanager.flow-divert-token")
     (global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/47598758>
+    (global-name "com.apple.AppSSO.service-xpc")
 )
 
 ;; Security framework
index ae0d175..da60b1b 100644 (file)
@@ -95,7 +95,8 @@
 ;; Various services required by system frameworks
 (allow mach-lookup
     (global-name "com.apple.lsd.mapdb")
-    (global-name "com.apple.analyticsd"))
+    (global-name "com.apple.analyticsd")
+    (global-name "com.apple.AppSSO.service-xpc"))
 
 ;; For reporting progress for active downloads <rdar://problem/44405661>
 (allow mach-lookup
  ;; <rdar://problem/47598758>
 (allow mach-lookup
     (global-name "com.apple.nesessionmanager.content-filter"))
+
+;; Various shared memory accesses required by system frameworks
+(allow ipc-posix-shm-read-data
+    (ipc-posix-name "/com.apple.AppSSO.version"))