Close access to "lsopen" for non-UI process
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 May 2018 02:23:57 +0000 (02:23 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 May 2018 02:23:57 +0000 (02:23 +0000)
https://bugs.webkit.org/show_bug.cgi?id=185890
<rdar://problem/39686511>

Reviewed by Alexey Proskuryakov.

Close down access to 'lsopen' in the iOS sandboxes. These operations are
performed by the UIProcess on behalf of these helper processes.

* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Storage.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232097 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Storage.sb
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index 3698602..4f80874 100644 (file)
@@ -1,3 +1,18 @@
+2018-05-22  Brent Fulgham  <bfulgham@apple.com>
+
+        Close access to "lsopen" for non-UI process
+        https://bugs.webkit.org/show_bug.cgi?id=185890
+        <rdar://problem/39686511>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Close down access to 'lsopen' in the iOS sandboxes. These operations are
+        performed by the UIProcess on behalf of these helper processes.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Storage.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2018-05-22  Dean Jackson  <dino@apple.com>
 
         Optimized path zoom animation needs a valid UIImage and CGRect
index ebe4953..e89d757 100644 (file)
@@ -29,6 +29,8 @@
 
 (import "common.sb")
 
+(deny lsopen)
+
 (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
 
 (deny sysctl*)
index 9d91f54..dd71e16 100644 (file)
@@ -29,6 +29,8 @@
 
 (import "common.sb")
 
+(deny lsopen)
+
 ;;;
 ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
 ;;; remove unneeded sandbox extensions.