[iOS] Deny mach lookup to 'com.apple.webinspector' in the WebContent process.
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Mar 2020 20:33:36 +0000 (20:33 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Mar 2020 20:33:36 +0000 (20:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=207170
<rdar://problem/59134038>

Reviewed by Per Arne Vollan.

We now dynamically add access to the 'com.apple.webinspector' service, so we should remove the blanket
allow rule from the sandbox.

* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@259072 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index cd09f2b..b8d2c76 100644 (file)
@@ -1,3 +1,18 @@
+2020-03-26  Brent Fulgham  <bfulgham@apple.com>
+
+        [iOS] Deny mach lookup to 'com.apple.webinspector' in the WebContent process.
+        https://bugs.webkit.org/show_bug.cgi?id=207170
+        <rdar://problem/59134038>
+
+        Reviewed by Per Arne Vollan.
+
+        We now dynamically add access to the 'com.apple.webinspector' service, so we should remove the blanket
+        allow rule from the sandbox.
+
+        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2020-03-26  Daniel Bates  <dabates@apple.com>
 
         REGRESSION (r258989): ASSERTION FAILED: !isMissingPostLayoutData in WebKit::EditorState::PostLayoutData
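Review bot: the three per-file lines at the end of the new entry carry no description, and the entry does not say where the dynamic access to 'com.apple.webinspector' is granted. Please annotate each file line with what was removed and name the revision or bug that added the dynamic grant, so someone auditing the sandbox can confirm the service is still reachable when inspection is actually enabled.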
index 4aaf556..560c4f4 100644 (file)
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
     (ipc-posix-name-regex #"^AudioIO"))
 
-;; Remote Web Inspector
-(allow mach-lookup
-       (global-name "com.apple.webinspector"))
-
 (allow mach-lookup
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
     (with report) (with telemetry)
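Review bot: this file is under GPUProcess/mac/ and the surrounding context is gated on __MAC_OS_X_VERSION_MIN_REQUIRED, yet the change is tagged [iOS] and titled for the WebContent process. Please either retitle the change to cover the macOS GPU process or confirm in the ChangeLog that removing the "com.apple.webinspector" lookup here is intended.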
index 49a7845..fd5ab52 100644 (file)
 
 (media-accessibility-support)
 
-;; Remote Web Inspector
-(allow mach-lookup
-       (global-name "com.apple.webinspector"))
-
 ;; Various services required by CFNetwork and other frameworks
 (allow mach-lookup
     (global-name "com.apple.PowerManagement.control")
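Review bot: the rationale in the commit message ("We now dynamically add access") is stated only in general terms, and the title names the WebContent process, so it is not clear from this hunk whether the iOS GPU process receives the same dynamic grant or never needs "com.apple.webinspector" at all. Please state which of the two applies, since the removed rule was the only visible allow for that service in this profile region.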
index dd401db..c07ab36 100644 (file)
 
 (media-accessibility-support)
 
-;; Remote Web Inspector
-(allow mach-lookup (with report) (with telemetry)
-       (global-name "com.apple.webinspector"))
-
 (deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.PowerManagement.control"))
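Review bot: the title says "Deny mach lookup", but this hunk only removes the allow rule and adds no explicit deny for "com.apple.webinspector", which also drops the (with report) (with telemetry) visibility the old rule had. Consider adding an explicit rule in the style of the neighbouring one, e.g. (deny mach-lookup (with telemetry-backtrace) (global-name "com.apple.webinspector")), so that a lookup attempted without the dynamic grant is recorded rather than failing silently.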