2011-04-07 Maciej Stachowiak <mjs@apple.com>
authormjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Apr 2011 07:39:24 +0000 (07:39 +0000)
committermjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Apr 2011 07:39:24 +0000 (07:39 +0000)
        Reviewed by Dan Bernstein.

        Remove some no longer needed WebProcess sandbox allowances
        https://bugs.webkit.org/show_bug.cgi?id=58015
        <rdar://problem/9232592>

        * WebProcess/com.apple.WebProcess.sb: Remove no-longer needed extra network
        and launching privileges, since the bugs that required them are fixed.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@83148 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/com.apple.WebProcess.sb

index a72e66fe53205ffe74aa7d88157ed46f46925234..3609d3ff59bd58a37394aa9a0620ca65cf6cbd15 100644 (file)
@@ -1,3 +1,14 @@
+2011-04-07  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Remove some no longer needed WebProcess sandbox allowances
+        https://bugs.webkit.org/show_bug.cgi?id=58015
+        <rdar://problem/9232592>
+
+        * WebProcess/com.apple.WebProcess.sb: Remove no-longer needed extra network
+        and launching privileges, since the bugs that required them are fixed.
+
 2011-04-06  Chang Shu  <cshu@webkit.org>
 
         Reviewed by Darin Adler.
index fcbabaf3b391b77466bbff7c90489e745aaaeda5..fb7869bffe5f8a329c057735ec34d02a22cd40fb 100644 (file)
    (global-name-regex #"^com\.apple\.qtkitserver\.")
 )
 
-;; FIXME: These rules are required until <rdar://problem/8448410> is addressed. See <rdar://problem/8349882> for discussion.
-(allow network-outbound)
-(deny network-outbound (regex ""))
-(deny network-outbound (local ip))
 (allow network-outbound
    ;; Local mDNSResponder for DNS, arbitrary outbound TCP
    (literal "/private/var/run/mDNSResponder")
 
 (allow network-outbound (remote ip))
 
-;; These rules are required while QTKitServer is being launched directly via posix_spawn (<rdar://problem/6912494>).
-(allow process-fork)
-(allow process-exec (literal "/System/Library/Frameworks/QTKit.framework/Versions/A/Resources/QTKitServer") (with no-sandbox))
-
 ;; FIXME: Once <rdar://problem/8900275> has been fixed, these rules can be removed.
 (allow mach-lookup (global-name "com.apple.pubsub.ipc"))
 (allow network-outbound (regex #"^/private/tmp/launch-[^/]+/Render"))