Correct sandbox profiles to fix some excess privileges
authoroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jul 2014 00:10:11 +0000 (00:10 +0000)
committeroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jul 2014 00:10:11 +0000 (00:10 +0000)
https://bugs.webkit.org/show_bug.cgi?id=135134
<rdar://problem/17741886>
<rdar://problem/17739080>

Reviewed by Alexey Proskuryakov.

This cleans up our sandbox profiles to fix a few issues - the profiles
no longer allow us to issue file extensions that we only have the ability to consume,
and tighten some of the other file access rules.

This means we have to add some rules to allow us to access things
that we previously had access to due to lax file system restrictions.

Some of the features were fixable simply by using entitlements on the
process rather than custom rules.

* Configurations/WebContent-iOS.entitlements:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@171322 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/Configurations/WebContent-iOS.entitlements
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index 592438b255846cb0f9eca5fb637ab58864b941bc..136d06685c2d9d6362677d494ba2a06bbc7c0d15 100644 (file)
@@ -1,3 +1,27 @@
+2014-07-21  Oliver Hunt  <oliver@apple.com>
+
+        Correct sandbox profiles to fix some excess privileges
+        https://bugs.webkit.org/show_bug.cgi?id=135134
+        <rdar://problem/17741886>
+        <rdar://problem/17739080>
+
+        Reviewed by Alexey Proskuryakov.
+
+        This cleans up our sandbox profiles to fix a few issues - the profiles
+        no longer allow us to issue file extension we have the ability to consume,
+        and tightens some of the other file access rules.
+
+        This means we have to addd some rules to allow us to access things
+        that we previously had access to due to lax file system restrictions.
+
+        Some of the features were fixable simply by using entitlements on the
+        process rather than custom rules.
+
+        * Configurations/WebContent-iOS.entitlements:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2014-07-21  Simon Fraser  <simon.fraser@apple.com>
 
         [iOS WK2] Turn off position:fixed behavior when the keyboard is up
index 515c1f7aea99bcbe9adbf6c79ce01e5f9f188c5d..9c47c9e839b7b6f66b348945636dad75d5491eb8 100644 (file)
        <true/>
        <key>com.apple.private.webinspector.proxy-application</key>
        <true/>
+       <key>com.apple.locationd.authorizeapplications</key>
+       <true/>
+       <key>com.apple.locationd.effective_bundle</key>
+       <true/>
        <key>seatbelt-profiles</key>
        <array>
                <string>com.apple.WebKit.WebContent</string>
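Review bot: The two new locationd entitlements widen what the WebContent process — the one hosting untrusted web content — may do with location services, and neither the plist nor the commit text says which feature needs them or which sandbox rule they stand in for; the ChangeLog only says some features were fixable with entitlements instead of custom rules. The names suggest the Geolocation API, but that is inferred from the key names alone. I'd add a short XML comment above the two keys naming the consuming feature and the rule it replaces, e.g. `<!-- Location authorization for the web process; replaces the former custom sandbox rules, bug 135134 -->`, so the grant stays auditable when the profile is next tightened.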
index 7cfdd66a6992028f4ce12f6f43888d47d0682886..deef19cebc4f2c4c8abdf4cc6e79c2ccef741737 100644 (file)
 (import "common.sb")
 (import "removed-dev-nodes.sb")
 
-;; Sandbox extensions
-(define (apply-read-and-issue-extension op path-filter)
-    (op file-read* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
-(define (apply-write-and-issue-extension op path-filter)
-    (op file-write* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
-(define (read-only-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter))
-(define (read-write-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter)
-    (apply-write-and-issue-extension allow path-filter))
-(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
-(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
-
-(if (defined? 'vnode-type)
-    (deny file-write-create (vnode-type SYMLINK)))
+(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
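Review bot: The rewrite drops `(deny file-write-create (vnode-type SYMLINK))` together with the issue-extension helpers, so on every path covered by a read-write extension the Databases process may now create symlinks, which the old profile explicitly forbade even where writes were allowed — that runs against the tightening this commit is about. Unless common.sb already carries the same deny (not visible here), I'd keep the guard after the new allow: `(if (defined? 'vnode-type) (deny file-write-create (vnode-type SYMLINK)))`. The new profile also only honors `com.apple.app-sandbox.read-write` extensions; read-only `com.apple.app-sandbox.read` extensions the old rules accepted will now be refused, which is worth confirming is intended for this process.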
index ef5a7a44044210026db35cc76e513cd3b52e2877..2a0fdfd5b7714eff88beb264648c9b7496de60c1 100644 (file)
 (allow file-read* (extension "com.apple.webkit.read"))
 
 ;; Access to client's cache folder & re-vending to CFNetwork.
-(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))
-(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))
+;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
+(allow file-issue-extension (require-all
+    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))
+    (extension-class "com.apple.nsurlstorage.extension-cache")))
 
 ;; App sandbox extensions
 (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
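Review bot: The FIXME on the new rule misspells the project name (`webkti`), and since it is the only pointer to the tracking radar for removing these classes it should read `;; FIXME: Remove the WebKit-specific extension classes <rdar://problem/17755931>`. The rule itself now only lets the process re-vend cache paths it already holds a read-write extension for, which is the tightening the commit describes. Note that the direct `file-read* file-write*` on `com.apple.nsurlstorage.extension-cache` extensions is gone too, so anything in this process that still consumes an extension of that class (rather than a read-write one) will lose access; worth a sentence in the ChangeLog confirming that path is no longer used.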
index 9834d8ff4ba7bf81afa99eaa7383ac3ab935a405..7162c21be603a6d401e94325c637558a81ae2960 100644 (file)
 ;; This is too generous -- <rdar://problem/17496756>
 (apple-cookie-access 'with-read-write)
 
+;; Access to media controls
 (play-media)
+(media-remote)
 
 ;; Read-only preferences and data
 (mobile-preferences-read
     "com.apple.LaunchServices"
-    "com.apple.WebFoundation")
+    "com.apple.WebFoundation"
+    "com.apple.mobileipod")
 
 ;; Sandbox extensions
 (define (apply-read-and-issue-extension op path-filter)
             (extension "com.apple.app-sandbox.read-write"))))
 
 
-(allow file-read* file-write* (extension "com.apple.nsurlstorage.extension-cache"))
-(allow file-issue-extension (extension-class "com.apple.nsurlstorage.extension-cache"))
+;; Access to client's cache folder & re-vending to CFNetwork.
+;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
+(allow file-issue-extension (require-all
+    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))
+    (extension-class "com.apple.nsurlstorage.extension-cache")))
 
 ;; Access to own cache & temp folders.
 (allow file-read* (extension "com.apple.webkit.read"))
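Review bot: The first hunk adds `(media-remote)` and read access to the `com.apple.mobileipod` preference domain to a profile this commit is otherwise tightening, and only `;; Access to media controls` explains the former; nothing says which feature reads the mobileipod preferences (the name suggests media playback, but that is inferred). Since the ChangeLog frames the new rules as compensating for access previously granted by lax file-system rules, each new allow should name its consumer so it is not later taken for a leftover, e.g. `;; Read by <feature> for media playback — part of the bug 135134 cleanup` on the new preference line, filled in with the actual feature. The second hunk repeats the `webkti` typo from the Networking profile and should be corrected in the same way.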