Bug 156668

Summary: [Mac] Web Content service with a restricted entitlement may load arbitrary dylibs
Product: WebKit
Reporter: mitz
Component: WebKit2
Assignee: mitz
Status: RESOLVED FIXED
Severity: Normal
CC: sam, thorton
Priority: P2
Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 173424    
Attachments:
Description | Flags
Enable library validation when needed | andersca: review+
Enable library validation when needed | none
Enable library validation for El Capitan too | sam: review+

Description mitz 2016-04-16 14:30:39 PDT
<rdar://problem/25429784>

When the changes for bug 155414 are in effect, the Web Content service is signed with a restricted entitlement but isn’t guarded against loading arbitrary dylibs.
Comment 1 mitz 2016-04-16 14:34:51 PDT
Created attachment 276563 [details]
Enable library validation when needed
Comment 2 mitz 2016-04-16 14:37:08 PDT
Fixed in <http://trac.webkit.org/r199628>.
Comment 3 mitz 2016-06-13 20:27:51 PDT
This was reverted in <http://trac.webkit.org/r200172>.
Comment 4 mitz 2016-06-13 20:31:23 PDT
Using <rdar://problem/26714558> to reenable in macOS Sierra and later.
Comment 5 mitz 2016-06-13 20:34:52 PDT
Created attachment 281230 [details]
Enable library validation when needed
Comment 6 mitz 2016-06-13 21:01:35 PDT
Committed <http://trac.webkit.org/r202024>.
Comment 7 mitz 2016-08-20 12:51:10 PDT
Can do this for El Capitan as well now.
Comment 8 mitz 2016-08-20 12:53:06 PDT
Created attachment 286544 [details]
Enable library validation for El Capitan too
Comment 9 mitz 2016-08-20 15:02:09 PDT
Committed <https://trac.webkit.org/r204682>.