Remove use of container relative restrictions in the network process sandbox
author oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Jul 2014 23:17:12 +0000 (23:17 +0000)
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Jul 2014 23:17:12 +0000 (23:17 +0000)
https://bugs.webkit.org/show_bug.cgi?id=134816

Reviewed by Anders Carlsson.

As I'm tidying up the various sandboxes, that means we
need to reduce some file restrictions in the network process.

* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@170979 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb

index 020ead3..375ddb6 100644 (file)
@@ -1,3 +1,15 @@
+2014-07-10  Oliver Hunt  <oliver@apple.com>
+
+        Remove use of container relative restrictions in the network process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=134816
+
+        Reviewed by Anders Carlsson.
+
+        As i'm tidying up the various sandboxes and that's meaning we
+        need to reduce some file restrictions in the network process.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+
 2014-07-10  Pratik Solanki  <psolanki@apple.com>
 
         Unreviewed iOS build fix after r170974. Define id if building a non ObjC file.
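Review bot: the description in the new ChangeLog entry ("need to reduce some file restrictions in the network process") does not say which restriction is dropped or why dropping it is acceptable. Since this entry is the record of a sandbox loosening, it should state that the `container-subpath` conditions are removed from the extension-gated file rules in com.apple.WebKit.Networking.sb, so that file access is bounded only by the sandbox extensions the process holds.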
index 83144cb..2e8a89f 100644 (file)
 (apple-cookie-access 'with-read-write)
 
 ;; Sandbox extensions
-(allow file-read* (container-subpath "Library/")
-       (extension "com.apple.webkit.read"))
+(allow file-read* (extension "com.apple.webkit.read"))
 
 ;; Access to client's cache folder & re-vending to CFNetwork.
-(allow file-read* file-write* (require-all (container-subpath "Library/")
-       (extension "com.apple.nsurlstorage.extension-cache")))
-(allow file-issue-extension  (require-all ((container-subpath "Library/")
-       (extension-class "com.apple.nsurlstorage.extension-cache")))
+(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))
+(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))
 
 ;; App sandbox extensions
-(allow file-read* file-write* (require-all (container-subpath "Library/")
-       (extension "com.apple.app-sandbox.read-write")))
+(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
 
 ;; Access to own cache & temp folders.
-(allow file-read* file-write* (require-all (container-subpath "")
-       (extension "com.apple.webkit.read-write")))
+(allow file-read* file-write* (extension "com.apple.webkit.read-write"))
 
 ;; IOKit user clients
 (allow iokit-open
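Review bot: under ";; Access to client's cache folder & re-vending to CFNetwork." the new `(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))` has no path condition left, so the rule itself no longer limits re-vended extensions to the container's `Library/`. The same holds for the `file-read*` and `file-read* file-write*` rules in this hunk, which now depend only on holding the named extension. If that is intended, add a profile comment saying the path bound now rests with whoever issues those extensions, and reword ";; Access to own cache & temp folders.", which no longer describes a rule restricted to the process's own container. If it is not intended for the issue rule, keep a path condition on that one line.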