WebKit Bugzilla
Attachment 338775 Details for Bug 184428: Remove access to keychain from the WebContent process
Part 3 WIP
bug-184428-20180425130943.patch (text/plain), 3.75 KB, created by Jiewen Tan on 2018-04-25 13:09:43 PDT
Description: Part 3 WIP
Filename: bug-184428-20180425130943.patch
MIME Type: text/plain
Creator: Jiewen Tan
Created: 2018-04-25 13:09:43 PDT
Size: 3.75 KB
Attachment is a patch, marked obsolete.
>Subversion Revision: 230919 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 220ef6490a31b176e60b84d5a689f82b46b558ea..b30c75789fa795c9e991fc076dc2cbd0d02d2c6f 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,17 @@ >+2018-04-25 Jiewen Tan <jiewen_tan@apple.com> >+ >+ Remove access to keychain from the WebContent process >+ https://bugs.webkit.org/show_bug.cgi?id=184428 >+ <rdar://problem/13150903> >+ >+ Part 3. >+ >+ Tighten WebContent Process' sandbox profile to all Security.framework services. >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * WebProcess/com.apple.WebProcess.sb.in: >+ > 2018-04-23 Chris Dumez <cdumez@apple.com> > > WebProcessProxy frequently re-takes a process assertion for the network process even though is already has one >diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >index c875bdde1c0b4a82934b92a1dab08c6e62107ee5..4ae432f284968d9f9c578e1d26f791d1b0b11fc4 100644 >--- a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >+++ b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in >@@ -365,7 +365,6 @@ > (xpc-service-name "com.apple.hiservices-xpcservice") > (xpc-service-name "com.apple.ist.ds.appleconnect2.HelperService") > (xpc-service-name "com.apple.print.normalizerd") >- (xpc-service-name "com.apple.securityd.xpc") > (xpc-service-name "com.apple.signpost.signpost-notificationd") > ) > #endif >@@ -469,9 +468,6 @@ > "com.apple.driver.AppleHIDMouse" > "com.apple.lookup.shared" > "com.apple.networkConnect" >- "com.apple.security" >- "com.apple.security.common" >- "com.apple.security.revocation" > "com.apple.speech.voice.prefs" > "com.apple.systemsound" > "com.apple.universalaccess" 
>@@ -600,40 +596,11 @@ > (global-name "com.apple.xpcd") > ) > >-;; Security framework >-(allow mach-lookup >- (global-name "com.apple.ctkd.token-client") >- (global-name "com.apple.ocspd") >- (global-name "com.apple.securityd.xpc") >- (global-name "com.apple.CoreAuthentication.agent.libxpc") >- (global-name "com.apple.SecurityServer")) >- >-;; FIXME: This should be removed when <rdar://problem/10479685> is fixed. >-;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains: >-(allow file-read-data file-read-metadata file-write* >- (subpath "/Library/Keychains")) >- >-;; Do permit creating per-user keychains >-(allow file-read* file-write* >- (home-subpath "/Library/Keychains")) >- >-;; Except deny access to new-style iOS Keychain folders which are UUIDs. >-(deny file-read* file-write* >- (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")) >- (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))) >- > (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed. > > (allow file-read* > (subpath "/private/var/db/mds") > (literal "/private/var/db/DetachedSignatures") >- ; The following are needed until <rdar://problem/11134688> is resolved. >- (literal "/Library/Preferences/com.apple.security.plist") >- (literal "/Library/Preferences/com.apple.security.common.plist") >- (literal "/Library/Preferences/com.apple.security.revocation.plist") >- (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain") >- (home-literal "/Library/Preferences/com.apple.security.plist") >- (home-literal "/Library/Preferences/com.apple.security.revocation.plist")) > > (allow ipc-posix-shm-read* ipc-posix-shm-write-data > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
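Review bot: In the ChangeLog hunk the summary line "Tighten WebContent Process' sandbox profile to all Security.framework services" does not say what is done to those services; the profile hunks remove the mach-lookup, XPC service, preference and keychain file allowances outright, so "Remove access to all Security.framework services from the WebContent process sandbox profile" would describe the change accurately. "Reviewed by NOBODY (OOPS!)" is fine for a WIP attachment but has to be filled in before landing.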
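Review bot: In the @@ -365 hunk, dropping (xpc-service-name "com.apple.securityd.xpc") only covers the xpc-service-name form; the same service is also allowed as (global-name "com.apple.securityd.xpc") in the ";; Security framework" mach-lookup block that the @@ -600 hunk deletes, so the two removals must land together, and a grep of the resulting profile for "securityd" should come back empty.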
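Review bot: In the @@ -469 hunk the three names dropped ("com.apple.security", "com.apple.security.common", "com.apple.security.revocation") correspond to the com.apple.security*.plist literals removed from the file-read* allowance in the @@ -600 hunk; both routes to the same settings need to go together, which this patch does, so no change requested here beyond keeping the two hunks in the same commit.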
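Review bot: The deletion at the end of the @@ -600 hunk leaves the profile unbalanced: the removed line `(home-literal "/Library/Preferences/com.apple.security.revocation.plist"))` carried the closing paren of the enclosing `(allow file-read*` form, and the surviving `(literal "/private/var/db/DetachedSignatures")` line does not close it, so the profile will no longer parse. Move the paren onto the surviving line, i.e. `(literal "/private/var/db/DetachedSignatures"))`. Separately, with every Security.framework mach service now removed, the retained `/private/var/db/mds` read and `/private/var/db/mds/system` read/write allowances (the Security framework's MDS database, still tagged with the <rdar://problem/9538414> FIXME) should be re-examined, either here or in a follow-up part.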
Flags: ews-watchlist: commit-queue-