Rollout macOS sandbox change in r232276
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Jun 2018 22:28:19 +0000 (22:28 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Jun 2018 22:28:19 +0000 (22:28 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186904
<rdar://problem/41350969>

Patch by Jiewen Tan <jiewen_tan@apple.com> on 2018-06-26
Reviewed by Brent Fulgham.

* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233226 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

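--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,13 @@
+2018-06-26  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Rollout macOS sandbox change in r232276
+        https://bugs.webkit.org/show_bug.cgi?id=186904
+        <rdar://problem/41350969>
+
+        Reviewed by Brent Fulgham.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+
 2018-06-26  Aditya Keerthi  <akeerthi@apple.com>
 
         Tap highlight displayed when tapping a field that is already focussed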
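--- a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
+++ b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
 
 ;; Security framework
 (allow mach-lookup
-#if !HAVE(SEC_KEY_PROXY)
        (global-name "com.apple.ctkd.token-client")
        (global-name "com.apple.securityd.xpc") 
        (global-name "com.apple.CoreAuthentication.agent.libxpc")
-#endif
        (global-name "com.apple.ocspd")
        (global-name "com.apple.SecurityServer"))
 
-#if !HAVE(SEC_KEY_PROXY)
 ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
 ;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
 (allow file-read-data file-read-metadata file-write*
 (deny file-read* file-write*
     (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
     (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
-#endif
 
 (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
 
 
 (allow file-read*
        (subpath "/private/var/db/mds")
-       (literal "/private/var/db/DetachedSignatures"))
+       (literal "/private/var/db/DetachedSignatures")
+
+       ; The following are needed until the causes of <rdar://problem/41487786> are resolved.
+       (literal "/Library/Preferences/com.apple.security.plist")
+       (literal "/Library/Preferences/com.apple.security.common.plist")
+       (literal "/Library/Preferences/com.apple.security.revocation.plist")
+       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+       (home-literal "/Library/Preferences/com.apple.security.plist")
+       (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
 
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
        (ipc-posix-name "com.apple.AppleDatabaseChanged"))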
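Review bot: Removing both `#if !HAVE(SEC_KEY_PROXY)` guards leaves nothing in the profile saying that the access they restore is temporary: on builds that define SEC_KEY_PROXY the Network process again gets mach-lookup to `com.apple.ctkd.token-client`, `com.apple.securityd.xpc` and `com.apple.CoreAuthentication.agent.libxpc`, and the `/Library/Keychains` read/write rule (its path filters fall outside the visible lines). Only the six new read-only literals carry a tracking comment, so if this rollout is meant to be undone, a marker at each former guard would keep the narrowing from being lost, for example `;; FIXME: Restore the #if !HAVE(SEC_KEY_PROXY) guard once the cause of the rollout (https://bugs.webkit.org/show_bug.cgi?id=186904) is fixed.` The new comment also starts with a single `;` where the surrounding comments use `;;`. The home-literal entries have no `com.apple.security.common.plist` counterpart to the system-wide one; if that is intentional the comment could say so.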