[iOS] Deny mach lookup access to icon services
author pvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 23 Mar 2020 15:35:42 +0000 (15:35 +0000)
committer pvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 23 Mar 2020 15:35:42 +0000 (15:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=209340

Reviewed by Brent Fulgham.

Source/WebKit:

Tested by fast/sandbox/ios/sandbox-mach-lookup.html

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

LayoutTests:

* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@258845 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt
LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html
Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

index e83ceb4..f7d2589 100644 (file)
@@ -1,3 +1,13 @@
+2020-03-23  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to icon services
+        https://bugs.webkit.org/show_bug.cgi?id=209340
+
+        Reviewed by Brent Fulgham.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+
 2020-03-23  Jacob Uphoff  <jacob_uphoff@apple.com>
 
         Unreviewed, reverting r258803.
index df44fd4..b616564 100644 (file)
@@ -24,3 +24,4 @@ PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebConte
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.PowerManagement.control") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd") is false
 PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.mobileassetd.v2") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.iconservices") is false
index a8873e7..da9a910 100644 (file)
@@ -27,6 +27,7 @@ if (window.internals) {
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.PowerManagement.control\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.mobileassetd.v2\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.iconservices\")");
 }
 </script>
 </head>
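Review bot: The added shouldBeFalse line covers only the global name "com.apple.iconservices", but the sandbox rule flipped in this commit lists two filters, (xpc-service-name "com.apple.iconservices") and (global-name "com.apple.iconservices"). If the test internals offer an equivalent check for XPC service names, add an assertion for that path as well, so a later edit that re-allows only the xpc-service-name filter does not pass this test unnoticed.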
index 3ddf0c8..67464ad 100644 (file)
@@ -1,3 +1,14 @@
+2020-03-23  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Deny mach lookup access to icon services
+        https://bugs.webkit.org/show_bug.cgi?id=209340
+
+        Reviewed by Brent Fulgham.
+
+        Tested by fast/sandbox/ios/sandbox-mach-lookup.html
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2020-03-23  Jacob Uphoff  <jacob_uphoff@apple.com>
 
         Unreviewed, reverting r258803.
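Review bot: The per-file line "* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:" is left empty after the colon, and the entry has no description paragraph. State there that mach-lookup to com.apple.iconservices changed from allow to deny, and how it was established that the WebContent process no longer needs the lookup, so the rationale for a sandbox change is recoverable from the ChangeLog without opening the bug.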
index 35c28aa..ccf7292 100644 (file)
 ;; <rdar://problem/7344719&26323449> LaunchServices app icons
 (allow file-read*
     (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
-(allow mach-lookup (with telemetry-backtrace)
+(deny mach-lookup (with telemetry-backtrace)
     (xpc-service-name "com.apple.iconservices")
     (global-name "com.apple.iconservices"))
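Review bot: The file-read* rule for "/systemgroup.com.apple.lsd.iconscache" just above the changed line stays allowed, and the shared comment ";; <rdar://problem/7344719&26323449> LaunchServices app icons" now heads one allow and one deny. If WebContent no longer talks to com.apple.iconservices, confirm whether read access to the icons cache container is still required, or note that it will be handled separately. A one-line comment on the deny rule saying why it is kept as an explicit deny with telemetry-backtrace, rather than deleted, would also help the next reader of the profile.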