[iOS] Don't import 'UIKit-apps.sb' to the WebContent process sandbox
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Dec 2017 21:25:51 +0000 (21:25 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Dec 2017 21:25:51 +0000 (21:25 +0000)
https://bugs.webkit.org/show_bug.cgi?id=180610
<rdar://problem/18899506>

Reviewed by Dean Jackson.

Stop including 'UIKit-apps.sb', and just include the portions of that sandbox that we
actually use in WebContent Process. This is the first step in some further sandbox
tightening.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225754 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index bbb3ed7..e3b1619 100644 (file)
@@ -1,3 +1,17 @@
+2017-12-11  Brent Fulgham  <bfulgham@apple.com>
+
+        [iOS] Don't import 'UIKit-apps.sb' to the WebContent process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=180610
+        <rdar://problem/18899506>
+
+        Reviewed by Dean Jackson.
+
+        Stop including 'system.sb', and just include the portions of that sandbox that we
+        actually use in WebContent Process. This is the first step in some further sandbox
+        tightening.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2017-12-11  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [WTF] Add Converter traits to StringHasher instead of function pointer
index 42f475e..93ef8bb 100644 (file)
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2015 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2017 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
 
 (deny mach-lookup (xpc-service-name-prefix ""))
 
-(import "UIKit-apps.sb")
+(import "common.sb")
+
+;;;
+;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
+;;; remove unneeded sandbox extensions.
+;;;
+
+;;;
+;;; Declare that the process hosts UI provided by another process.
+;;; (This could potentially be any application; see <rdar://problem/11034833> and
+;;;  <rdar://problem/11330224> for details)
+;;;
+(define-once (remote-view-client)
+    (allow mach-lookup
+        (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
+        (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")))
+
+;;;
+;;; Declare that the process serves UI that can be remotely-hosted by another process.
+;;;
+(define-once (remote-view-service)
+    ;; RemoteViewServices need to lookup their own accessility service in order to send
+    ;; the mach port to the hosting app.
+    (allow mach-lookup
+        (local-name "com.apple.iphone.axserver"))
+    ;; RemoteViewServices need to lookup the bundle identifier of the application hosting
+    ;; their views (see <rdar://problem/11780984>).
+    (allow mach-lookup
+        (global-name "com.apple.springboard.backgroundappservices")))
+
+(define (uikit-app . rest)
+    ;;; <rdar://problem/29959382> Allow UIKit apps access to com.apple.TextInput.preferences mach service
+    (allow mach-lookup
+        (global-name "com.apple.TextInput.preferences"))
+
+    (allow mach-lookup
+        (xpc-service-name "com.apple.siri.context.service"))
+
+    ;; Any UI could be remote-hosted.
+    (remote-view-client)
+
+    ;; Any app could use ubiquity.
+    (ubiquity-client)
+
+    ;; Any app can play audio & movies.
+    (play-audio)
+    (play-media)
+
+    ;; Any app can use ProgressKit
+    (progresskit-client)
+
+    (url-translation)
+
+    ;; For <rdar://problem/20812377> All applications need to be able to access the com.apple.UIKit.KeyboardManagement running in backboardd
+    ;; renamed in <rdar://problem/20909914> Rename com.apple.UIKit.KeyboardManagement
+    (allow mach-lookup
+        (global-name "com.apple.UIKit.KeyboardManagement")
+        (global-name "com.apple.UIKit.KeyboardManagement.hosted"))
+
+    ;; For <rdar://problem/23469318> Allow UIKit-based apps to access com.apple.remote-text-editing mach service
+    ;; and <rdar://problem/23579008> REM: Allow UIKit-based apps to access com.apple.remote-input-limiting mach service
+    (when tv?
+        (allow mach-lookup
+            (global-name "com.apple.remote-input-limiting")
+            (global-name "com.apple.remote-text-editing")
+            (global-name "com.apple.remote-text-editing-legacy")
+            (global-name "com.apple.sharing.remote-text-editing")))
+
+    ;; For ApplicationScripting
+    ;; <rdar://problem/12778546> ASProcessScriptEvent fails to obtain port for event return
+    (allow mach-lookup
+        (global-name "ScripterServer"))
+
+    ;; TextInput framework
+    (allow mach-lookup
+        (global-name "com.apple.TextInput")
+        (global-name "com.apple.TextInput.emoji")
+        (global-name "com.apple.TextInput.image-cache-server")
+        (global-name "com.apple.TextInput.lexicon-server")
+        (global-name "com.apple.TextInput.rdt")
+        (global-name "com.apple.TextInput.shortcuts"))
+    (mobile-preferences-read "com.apple.da")
+
+    ;; Various Accessibility services.
+    (allow mach-lookup
+        (xpc-service-name "com.apple.accessibility.AccessibilityUIServer"))
+
+    ;; Guided Access support (<rdar://problem/11683460>).
+    (allow mach-lookup
+        (global-name "com.apple.accessibility.gax.backboard"))
+    (allow mach-register
+        (local-name "com.apple.accessibility.gax.client"))
+
+    ;; AssistiveTouch
+    ;; <rdar://problem/11800071> sandbox error for remote message services when AssistiveTouch is running
+    (allow mach-lookup
+        (global-name "UIASTNotificationCenter"))
+
+    ;; ZoomTouch
+    ;; <rdar://problem/11823957>
+    (allow mach-lookup
+        (global-name "com.apple.accessibility.AXBackBoardServer"))
+
+    ;; Speak Selection & VoiceOver
+    ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
+    ;; and <rdar://problem/13071747>
+    (mobile-preferences-read
+        "com.apple.SpeakSelection"
+        "com.apple.VoiceOverTouch"
+        "com.apple.voiceservices")
+    (allow mach-lookup
+        (global-name "com.apple.audio.AudioComponentPrefs")
+        (global-name "com.apple.audio.AudioComponentRegistrar")
+        (global-name "com.apple.audio.AudioQueueServer")
+        (global-name "com.apple.voiceservices.keepalive")
+        (global-name "com.apple.voiceservices.tts"))
+    (allow mach-register
+        (local-name "com.apple.iphone.axserver"))
+    ;; <rdar://problem/14555119> Access to high quality speech voices
+    (allow file-read*
+        (home-subpath "/Library/VoiceServices/Assets")
+        (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
+
+    ;; HearingAidSupport
+    (allow mach-lookup
+        (xpc-service-name "com.apple.accessibility.heard"))
+
+    ;; MediaAccessibility (captions)
+    ;; <rdar://problem/12801477>
+    (mobile-preferences-read "com.apple.mediaaccessibility")
+        (allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))
+
+    ;; MobileAssistantFramework's AFContextManager
+    ;; <rdar://problem/13742083> & <rdar://problem/13717391> & <rdar://problem/13811297>
+    (allow mach-register mach-lookup
+        (local-name-regex #"^com\.apple\.assistant\.contextprovider\."))
+
+    ;; Permit reading assets via MobileAsset framework.
+    (asset-access 'with-media-playback)
+
+    ;; Permit access to on-demand resources.
+    (allow mach-lookup
+        (global-name "com.apple.ondemandd.client"))
+    (with-filter
+        (require-all
+            (require-any
+                (home-subpath "/Library/OnDemandResources/AssetPacks")
+                (well-known-system-group-container-subpath "/systemgroup.com.apple.ondemandresources/Library/AssetPacks"))
+            (extension "com.apple.odr-assets"))
+        (allow file-read*)
+        (allow file-issue-extension
+            (extension-class "com.apple.app-sandbox.read" "com.apple.mediaserverd.read")))
+
+    ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
+    (allow-well-known-system-group-container-literal-read
+        "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
+
+    ;; allow replayd to extend read access to its data
+    (allow file-read*
+        (require-all
+            (extension "com.apple.replayd.read-only")
+            (home-subpath "/Library/ReplayKit")))
+
+    ;; AirPlay
+    (allow mach-lookup
+        (global-name "com.apple.airplaydiagnostics.server"))
+
+    ;; Access the keyboards
+    (allow file-read*
+        (home-subpath "/Library/Caches/com.apple.keyboards"))
+
+    ;; NSExtension helper for supplying information not provided by PlugInKit
+    (allow mach-lookup
+        (xpc-service-name "com.apple.uifoundation-bundle-helper"))
+
+    ;; <rdar://problem/19525887>
+    (allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))
+    ;; <rdar://problem/31252371>
+    (allow mach-lookup (xpc-service-name-regex #"\.viewservice$"))
+
+    ;; DataDetectors -> CallKit so user can place calls by tapping on phone numbers.
+    (allow mach-lookup
+        (global-name "com.apple.callkit.callcontrollerhost"))
+
+    ;; DataDetectors; update CoreRecents with recently-detected addresses, etc.
+    (allow mach-lookup
+        (xpc-service-name "com.apple.datadetectors.AddToRecentsService"))
+
+    ;; Accessoryd
+    (allow mach-lookup
+        (global-name "com.apple.accessories.externalaccessory-server"))
+
+    ;; Power logging
+    (allow mach-lookup
+        (global-name "com.apple.powerlog.plxpclogger.xpc"))
+
+    ;; <rdar://problem/19460486>
+    (nano-preferences-read ".GlobalPreferences")
+
+    (mobile-preferences-read
+        ; To determine whether the dictation opt-in alert should be suppressed.
+        "com.apple.assistant.backedup"
+        ; Keyboard Dictation reads the list of supported languages from com.apple.assistant.support.plist.
+        ; And Dictation checks whether Assistant is enabled by reading the same plist.
+        ; <rdar://problem/9883999> com.apple.assistant.support preference domain needs to be unsandboxed
+        "com.apple.assistant.support"
+        "com.apple.EmojiPreferences"
+        ; For CarPlay screen aspect ratio (rdar://problem/20062770).
+        "com.apple.iapd"
+        ; <rdar://problem/8477596> com.apple.InputModePreferences
+        "com.apple.InputModePreferences"
+        ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
+        "com.apple.keyboard"
+        ; <rdar://problem/25130834> Spotlight suggestions in Lookup preference should be readable by any process
+        "com.apple.lookup.shared"
+        ; <rdar://problem/9384085>
+        "com.apple.Preferences")
+
+    ;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
+    (allow file-read*
+        (home-subpath "/Library/Fonts"))
+
+    ;; <rdar://problem/23803332>, <rdar://problem/9457549>, <rdar://problem/13237899>
+    (allow mach-lookup
+        (global-name "com.apple.assistant.analytics")
+        (global-name "com.apple.assistant.dictation")
+        (global-name "com.apple.dictationd.recognition"))
+
+    ;; For copy-and-paste.
+    (allow mach-lookup
+        (global-name "com.apple.UIKit.pasteboardd")
+        (global-name "com.apple.pasteboard.pasted"))
+
+    ;; <rdar://problem/9749387>
+    (allow file-read*
+        (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist"))
+
+    ;; For Social.framework
+    ;; <rdar://problem/13239172>
+    (allow file-read*
+        (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist")
+        (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist")
+        (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist")
+        (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist"))
+
+    ;; <rdar://problem/7344719&26323449> LaunchServices app icons
+    (allow file-read*
+        (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
+    (allow mach-lookup
+        (xpc-service-name "com.apple.lsdiconservice"))
+
+    ;; <rdar://problem/14184130> SpringBoard needs read/write to statusbar cache folder - all apps need read
+    (allow file-read*
+        (home-subpath "/Library/Caches/com.apple.UIStatusBar"))
+
+    ;; <rdar://problem/22346174> Allow read-only access from the container profile to ~/Library/TVWallpaper
+    (when tv?
+        (allow file-read*
+        (home-subpath "/Library/TVWallpaper")))
+
+    ;; Common mach services needed by UIKit.
+    (allow mach-lookup
+        (global-name "com.apple.CARenderServer")
+        (global-name "com.apple.KeyboardServices.TextReplacementService")
+        (global-name "com.apple.UIKit.statusbarserver")
+        (global-name "com.apple.uikit.GestureServer")
+        (global-name "com.apple.assertiond.applicationstateconnection")
+        (global-name "com.apple.assertiond.expiration")
+        (global-name "com.apple.assertiond.processinfoservice")
+        (global-name "com.apple.audio.hapticd")
+        (global-name "com.apple.audio.SystemSoundServer-iOS")
+        (global-name "com.apple.backboard.TouchDeliveryPolicyServer")
+        (global-name "com.apple.backboard.animation-fence-arbiter")
+        (global-name "com.apple.backboard.display.services")
+        (global-name "com.apple.backboard.hid.focus")
+        (global-name "com.apple.backboard.hid.services")
+        (global-name "com.apple.iohideventsystem")
+        (global-name "com.apple.iphone.axserver-systemwide")
+        (global-name "com.apple.frontboard.workspace")
+        (global-name "com.apple.frontboard.systemappservices")
+        (global-name "com.apple.progressd"))
+
+    (pasteboard-client)
+    (springboard-services)
+
+    (when gizmo?
+        (mobile-preferences-read "com.apple.nano")
+        (allow mach-lookup
+            (global-name "com.apple.appaudiod")
+            (global-name "com.apple.Carousel.ButtonTapAssertion")
+            (global-name "com.apple.Carousel.CSLSBackgroundTaskRequestService")
+            (global-name "com.apple.Carousel.CSLSDockStatusService")
+            (global-name "com.apple.Carousel.activatingUIAssertion")
+            (global-name "com.apple.Carousel.alertSuppression")
+            (global-name "com.apple.Carousel.appOnWake")
+            (global-name "com.apple.Carousel.suspendSystemGestureAssertion")
+            (global-name "com.apple.carousel.backlightxpc")
+            (global-name "com.apple.carousel.brightnesscalculator")
+            (global-name "com.apple.carousel.connectionstatusservice")
+            (global-name "com.apple.Carousel.contextuallock")
+            (global-name "com.apple.carousel.fetchschedulingservice")
+            (global-name "com.apple.carousel.snapshotservice")
+            (global-name "com.apple.carousel.uiscalingservice")
+            (global-name "com.apple.carousel.unblankingsynchronization")
+            (global-name "com.apple.pepperuicore.statusbaritemserver")))
+
+    ;; AirDrop from the activity sheet.
+    ;; <rdar://problem/12715391>, <rdar://problem/12847034>, <rdar://problem/16400661>
+    (allow mach-lookup
+        (global-name "com.apple.sharingd")
+        (global-name "com.apple.sharingd.nsxpc")
+        (with report)
+        (with message "This rule is being removed in rdar://15713112 -- please report this violation to Sandbox_profiles | all"))
+    (allow-preferences-common)
+    (allow user-preference-read
+        (preference-domain "com.apple.Sharing")
+        (with report)
+        (with message "This rule is being removed in rdar://15713112 -- please report this violation to Sandbox_profiles | all"))
+
+    ;; <rdar://problem/30874167> Create a new CacheDelete mach service to allow for public API for purgeable space requests
+    (allow mach-lookup
+        (global-name "com.apple.cache_delete.public"))
+
+    ;; MIDI
+    (allow ipc-posix-shm-read* ipc-posix-shm-write-data
+        (ipc-posix-name-regex #"^Apple MIDI (in|out) [0-9]+$"))
+
+    ;; CoreMotion
+    (mobile-preferences-read "com.apple.CoreMotion")
+
+    ;; CoreMotion’s deviceMotion API
+    (with-filter
+        (require-any
+            (iokit-registry-entry-class "AppleOscarNub")
+            (iokit-registry-entry-class "AppleSPUHIDInterface"))
+        (allow iokit-get-properties
+            (iokit-property "gyro-interrupt-calibration")))
+    (with-filter (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
+    (allow iokit-open)
+    (allow iokit-get-properties iokit-set-properties
+        (iokit-property "interval"
+                        "mode"
+                        "QueueSize"
+                        "useMag"))
+    (allow iokit-get-properties
+    (iokit-property "client")))
+
+    ;; Common preferences read by UIKit.
+    (mobile-preferences-read "com.apple.Accessibility"
+        "com.apple.UIKit"
+        "com.apple.WebUI"
+        "com.apple.airplay"
+        "com.apple.avkit"
+        "com.apple.coreanimation"
+        "com.apple.mt"
+        "com.apple.preferences.sounds"
+        "com.apple.telephonyutilities.dialassist")
+
+    ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
+    ;; <rdar://problem/13796537>
+    (deny file-write-create
+        (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
+        (with no-report))
+
+    ;; <rdar://problem/10809394>
+    (deny file-write-create
+        (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
+        (with no-report))
+
+    ;; <rdar://problem/9404009>
+    (mobile-preferences-read "kCFPreferencesAnyApplication")
+
+    ;; <rdar://problem/10266866>
+    (marco-logging-client)
+
+    ;; <rdar://problem/12250145>
+    (mobile-preferences-read "com.apple.mediaaccessibility")
+
+    ; Dictionary Services used by UITextFields.
+    ; <rdar://problem/9386926>
+    (allow-create-directory
+        (home-literal "/Library/Caches/com.apple.DictionaryServices"))
+
+    ; <rdar://problem/11204655>
+    (mobile-preferences-read "com.apple.MapKit.internal")
+
+    ;; Required to detect whether Airplane mode is enabled.
+    (allow file-read*
+        (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist"))
+
+    (when (memq 'with-printing rest)
+        (allow file-read-metadata network-outbound
+            (literal "/private/var/run/printd"))
+        (allow mach-lookup
+            (xpc-service-name "com.apple.PrintKit.PrinterTool")))
+
+    ; <rdar://problem/9007191> , <rdar://problem/9244785>
+    (when (memq 'with-gamekit-data rest)
+        (allow file-read*
+            (home-regex "/Library/GameKit/Data/[^/]+\.gcdata$"))
+        (allow file-read-metadata
+            (home-literal "/Library/GameKit/Data")))
+
+    ; rfc3484 -- from common.sb
+    (unless (memq 'without-network rest)
+        (allow-network-common))
+
+    ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
+    (allow file-read*
+        ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
+        (subpath "/Library/Dictionaries")
+        (home-subpath "/Library/Dictionaries"))
+
+    ; <rdar://problem/8440231>
+    (allow file-read*
+        (home-literal "/Library/Caches/DateFormats.plist"))
+    ; Silently deny writes when CFData attempts to write to the cache directory.
+    (deny file-write*
+        (home-literal "/Library/Caches/DateFormats.plist")
+        (with no-log))
+
+    ; UIKit-required IOKit nodes.
+    (allow iokit-open
+        (iokit-user-client-class "AppleJPEGDriverUserClient")
+        (iokit-user-client-class "IOSurfaceAcceleratorClient")
+        (iokit-user-client-class "IOSurfaceSendRight")
+        ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
+        (iokit-user-client-class "IOSurfaceRootUserClient"))
+
+    ;; <rdar://problem/12675621>
+    (allow iokit-open
+        (iokit-user-client-class "IOHIDLibUserClient"))
+
+    (framebuffer-access)
+
+    ;; <rdar://problem/7822790>
+    (mobile-keybag-access)
+
+    ; <rdar://problem/7595408> , <rdar://problem/7643881>
+    (if (memq 'with-opengl rest)
+        (opengl))
+
+    (if (memq 'with-geoservices rest)
+        (geoservices))
+
+    (if (memq 'with-location-services rest)
+        (location-services))
+
+    ; <rdar://problem/8181749> Allow access to iTunes database files in container.sb
+    (if (memq 'with-itunes-db rest)
+        (itunes-db-read))
+
+    (if (memq 'with-push-notifications rest)
+        (push-notifications))
+
+    (if (memq 'with-in-app-purchases rest)
+        (in-app-purchases))
+
+    ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
+    ; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
+    ; allowed to write its plist; ignore all others, they don't know what they are doing.
+    ; See <rdar://problem/9375027> for sample backtraces.
+    (deny file-write*
+        (home-prefix "/Library/Preferences/com.apple.springboard.plist")
+        (with no-log))
+
+    ;; For <rdar://problem/29428318> Allow DragUI mach service lookups for all UIKit apps
+    (allow mach-lookup
+        (global-name "com.apple.DragUI.druid.destination")
+        (global-name "com.apple.DragUI.druid.source"))
+
+    ;; <rdar://problem/30544378> Allow global lookup of com.apple.contactsd
+    (allow mach-lookup
+        (global-name "com.apple.contactsd"))
+
+    ;; <rdar://problem/31571441> need AX Drag-and-drop mach services added to default sandbox profile
+    (allow mach-lookup
+        (global-name "com.apple.VoiceOverTouch.drag.xpc")
+        (global-name "com.apple.assistivetouchd.drag.xpc"))
+
+    ;; <rdar://problem/34092690>
+    (allow mach-lookup
+        (xpc-service-name "com.apple.avkit.SharedPreferences"))
+
+    ;; <rdar://problem/34437589>
+    (allow mach-lookup
+        (global-name "com.apple.ap.adtrackingd.attribution"))
+
+    ;; <rdar://problem/34986314> Sandbox Profiles changes for indigo pref
+    (mobile-preferences-read "com.apple.indigo")
+
+    ;; <rdar://problem/35417382>, <rdar://problem/35518557>
+    (allow mach-lookup
+        (global-name "com.apple.corespotlightservice"))
+
+    ;; <rdar://problem/35446577>
+    (allow mach-lookup
+        (global-name "com.apple.coremedia.endpointplaybacksession.xpc"))
+
+    ;; For the (define... nesting.
+    )
+
+;;;
+;;; End UIKit-apps.sb content
+;;;
 
 (uikit-app 'with-opengl 'with-location-services)
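Review bot: The `uikit-app` definition is copied into this profile verbatim, so at the `(uikit-app 'with-opengl 'with-location-services)` call site the WebContent process still receives every grant an arbitrary UIKit application gets, including several that a process rendering untrusted web content should have to justify individually: `(allow-network-common)` (enabled because `'without-network` is not passed), `(location-services)` (enabled because `'with-location-services` is passed), `(mobile-keybag-access)`, `(framebuffer-access)`, `iokit-open` on `IOHIDLibUserClient`, and the three `mach-register` rules. Now that these rules live in this file, each such grant should carry a marker like `;; FIXME(sandbox): needed by WebContent? confirm or remove in follow-up tightening` so the "further sandbox tightening" the ChangeLog promises has an explicit checklist instead of a 500-line opaque block; the `rest`-gated options are the cheapest to drop first, at the call site. Separately, the indentation of `(allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))` and of the `IOHIDEventServiceFastPathUserClient` `with-filter` body does not reflect the actual nesting and should be fixed so a reader can see which `allow` forms the filter actually scopes.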