2011-04-10 Maciej Stachowiak <mjs@apple.com>
authormjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Apr 2011 05:49:27 +0000 (05:49 +0000)
committermjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Apr 2011 05:49:27 +0000 (05:49 +0000)
        Reviewed by Dan Bernstein.

        REGRESSION: WebProcess spews sandboxing violations for outbound network traffic
        https://bugs.webkit.org/show_bug.cgi?id=58215
        <rdar://problem/9251695>

        * WebProcess/com.apple.WebProcess.sb: Restore some previously removed rules.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@83425 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/com.apple.WebProcess.sb

index 9fc53d2..4205ce6 100644 (file)
@@ -1,3 +1,13 @@
+2011-04-10  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        REGRESSION: WebProcess spews sandboxing violations for outbound network traffic
+        https://bugs.webkit.org/show_bug.cgi?id=58215
+        <rdar://problem/9251695>
+        
+        * WebProcess/com.apple.WebProcess.sb: Restore some previously removed rules.
+
 2011-04-10  Kimmo Kinnunen  <kimmo.t.kinnunen@nokia.com>
 
         Reviewed by Eric Seidel.
index dbcbee6..c93fff4 100644 (file)
    (global-name-regex #"^com\.apple\.qtkitserver\.")
 )
 
+;; FIXME: <rdar://problem/9263428> These rules are required to avoid
+;; sandbox violation spam, but some narrower rule should be
+;; sufficient.
+(allow network-outbound)
+(deny network-outbound (regex ""))
+(deny network-outbound (local ip))
+
 (allow network-outbound
    ;; Local mDNSResponder for DNS, arbitrary outbound TCP
    (literal "/private/var/run/mDNSResponder")
    (remote tcp)
 )
 
+(allow system-socket)
+(allow network-outbound (control-name "com.apple.network.statistics"))
+
 ;; FIXME: Once <rdar://problem/8900275> has been fixed, these rules can be removed.
 (allow mach-lookup (global-name "com.apple.pubsub.ipc"))
 (allow network-outbound (regex #"^/private/tmp/launch-[^/]+/Render"))