Remove network access from the WebContent process sandbox
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Feb 2018 17:17:12 +0000 (17:17 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Feb 2018 17:17:12 +0000 (17:17 +0000)
https://bugs.webkit.org/show_bug.cgi?id=183192
<rdar://problem/35369115>

Reviewed by Alex Christensen.

Remove the 'system-network', 'allow-network-common', and 'network-client' access from the WebContent process.
That's why we have a Network Process!

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229093 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

index 80db2c6..494e13e 100644 (file)
@@ -1,3 +1,17 @@
+2018-02-28  Brent Fulgham  <bfulgham@apple.com>
+
+        Remove network access from the WebContent process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=183192
+        <rdar://problem/35369115>
+
+        Reviewed by Alex Christensen.
+
+        Remove the 'system-network', 'allow-network-common', and 'network-client' access from the WebContent process.
+        That's why we have a Network Process! 
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2018-02-27  Tim Horton  <timothy_horton@apple.com>
 
         Ensure target triple is propagated correctly to DerivedSources.make
index 7c80fa7..9f9d2e0 100644 (file)
 (allow-create-directory
     (home-literal "/Library/Caches/com.apple.DictionaryServices"))
 
-(allow-network-common)
-
 ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
 (allow file-read*
     ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
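Review bot: With `(allow-network-common)` removed here and `(network-client (remote tcp) (remote udp))` removed in the next hunk, nothing in these hunks records that the iOS WebContent profile is now meant to have no outbound network rule at all, so the first sandbox denial investigated from this process invites someone to re-add one. A comment at the removal site, e.g. `;; No direct network access: all networking is performed by the Network Process.`, would make the intent visible in the profile itself and not only in the ChangeLog. Unlike the macOS profile in this same commit, the iOS removal is not version-gated; that looks deliberate but is not called out in the ChangeLog entry.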
 ;; AWD logging
 (awd-log-directory "com.apple.WebKit.WebContent")
 
-(network-client (remote tcp) (remote udp))
-
 ;; Allow ManagedPreference access
 (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
 
index 240f527..2712ab5 100644 (file)
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2018 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
        file-ioctl
     (literal "/dev/dtracehelper"))
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (allow network-outbound
     (literal "/private/var/run/asl_input")
     (literal "/private/var/run/syslog"))
-
+#endif
 
 ;;; Allow creation of core dumps.
 (allow file-write-create
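Review bot: The new `#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300` guard around the asl_input/syslog `network-outbound` rule, and the matching guards added in the later hunks around `(system-network)`/mDNSResponder/`(remote tcp)` and around `(remote udp)`, carry no comment explaining why 10.13 is the cutoff, while the commit title and ChangeLog describe the access as removed outright rather than removed for 10.13 and later. A one-line comment above the first guard, e.g. `;; Pre-10.13 only: on 10.13 and later all networking is done by the Network Process.`, would make the version split self-explanatory at each site. For this hunk in particular it is worth confirming that nothing in the 10.13+ WebContent process still logs through the ASL/syslog sockets, since those connects are now denied rather than allowed.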
         (iokit-property "ggcs")
         (iokit-property "bgcs")))))
 
-
-;;; (system-network) - Allow access to the network.
-(define (system-network)
-    (allow file-read*
-        (literal "/Library/Preferences/com.apple.networkd.plist"))
-    (allow mach-lookup
-        (global-name "com.apple.SystemConfiguration.PPPController")
-        (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
-        (global-name "com.apple.nehelper")
-        (global-name "com.apple.networkd")
-        (global-name "com.apple.nsurlstorage-cache")
-        (global-name "com.apple.symptomsd")
-        (global-name "com.apple.usymptomsd"))
-    (allow network-outbound
-        (control-name "com.apple.netsrc")
-        (control-name "com.apple.network.statistics"))
-    (allow system-socket
-        (require-all (socket-domain AF_SYSTEM)
-        (socket-protocol 2)) ; SYSPROTO_CONTROL
-    (socket-domain AF_ROUTE)))
-
 ;;;
 ;;; End rules originally copied from 'system.sb'
 ;;;
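Review bot: The `(define (system-network) ...)` removed in this hunk is still invoked as `(system-network)` inside the new `#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300` block in the next hunk, so a pre-10.13 build of this profile references a function the file no longer defines. That is only safe if an imported profile supplies the same definition; the comment at the end of this hunk says these rules were copied from 'system.sb', so that may well be the case, but the import is not visible in this diff and should be confirmed before landing. If the imported definition is relied on, a note at the call site, e.g. `;; system-network is provided by the imported system.sb`, would save the next reader the same check; otherwise the call should go with the definition, or the `define` should be kept under the same `#if`.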
 (system-graphics)
 
 ;; Networking
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (system-network)
 (allow network-outbound
        ;; Local mDNSResponder for DNS, arbitrary outbound TCP
        (literal "/private/var/run/mDNSResponder")
        (remote tcp))
+#endif
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
 ;; CFNetwork
        (global-name "com.apple.GSSCred")
        (global-name "com.apple.system.logger")
        (global-name "com.apple.system.notification_center"))
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101300
 (allow network-outbound
        (remote udp))
+#endif
 (allow user-preference-read
     (preference-domain
         "com.apple.Kerberos"