Bug 135134

Summary: Correct sandbox profiles to fix some excess privileges
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: New BugsAssignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal CC: darin
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch ap: review+, ap: commit-queue-

Description Oliver Hunt 2014-07-21 16:41:56 PDT 
Correct sandbox profiles to fix some excess privileges
Comment 1 Oliver Hunt 2014-07-21 16:50:06 PDT 
Created attachment 235253 [details]
Patch
Comment 2 Alexey Proskuryakov 2014-07-21 17:05:58 PDT 
Comment on attachment 235253 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=235253&action=review

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:32
> +(allow file-read* file-write* (require-any (
> +    extension "com.apple.app-sandbox.read-write") (extension "com.apple.app-sandbox.read-write")))

This is nonsense - com.apple.app-sandbox.read-write is repeated twice. Please fix.

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:40
> +    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))

I think that com.apple.webkit.read-write is here by some misunderstanding. Please remove, or at the very least, please add a FIXME about removing it.

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:74
> +    (require-any (extension "com.apple.webkit.read-write") (extension "com.apple.app-sandbox.read-write"))

Ditto.
Comment 3 Oliver Hunt 2014-07-21 17:11:05 PDT 
Committed r171322: <http://trac.webkit.org/changeset/171322>
Comment 4 Darin Adler 2014-07-21 17:17:57 PDT 
(In reply to comment #3)
> Committed r171322: <http://trac.webkit.org/changeset/171322>

This contained the string “webkti” in a couple places.