| Summary: | Investigate if mach lookup access to *.apple-extension-service, *.viewservice, and com.apple.uikit.viewservice.* can be denied | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Per Arne Vollan <pvollan> |
| Component: | WebKit Misc. | Assignee: | Per Arne Vollan <pvollan> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | ap, bfulgham, commit-queue, ggaren, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Description
Per Arne Vollan
2019-10-30 14:03:23 PDT
Created attachment 382348
Patch

Created attachment 382351
Patch

Comment on attachment 382351
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=382351&action=review

I am worried about this change. Please make sure to test on a device with this sandbox, using MobileMail and MobileSafari, and attempting to share URLs.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:434
> (xpc-service-name-regex #"\.apple-extension-service$") ;; <rdar://problem/19525887>

I can't see this radar, but this could be related to sharing services. We should make sure to test with share sheet before checking this change in.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:435
> (xpc-service-name-regex #"\.viewservice$") ;; <rdar://problem/31252371>

I'm worried about this denial: According to <rdar://problem/31252371>, this was triggered in MobileSafari. Unless you have run MobileSafari with this change, I wouldn't want to land this.

(In reply to Brent Fulgham from comment #4)
> Comment on attachment 382351
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=382351&action=review
>
> I am worried about this change. Please make sure to test on a device with
> this sandbox, using MobileMail and MobileSafari, and attempting to share
> URLs.
>
> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:434
> > (xpc-service-name-regex #"\.apple-extension-service$") ;; <rdar://problem/19525887>
>
> I can't see this radar, but this could be related to sharing services. We
> should make sure to test with share sheet before checking this change in.
>
> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:435
> > (xpc-service-name-regex #"\.viewservice$") ;; <rdar://problem/31252371>
>
> I'm worried about this denial: According to <rdar://problem/31252371>, this
> was triggered in MobileSafari. Unless you have run MobileSafari with this
> change, I wouldn't want to land this.

I will perform tests with MobileMail and MobileSafari, sharing URLs and testing with share sheet.

Thanks for reviewing!

Comment on attachment 382351
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=382351&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:432
> + (deny mach-lookup (with send-signal SIGKILL)

Sending SIGKILL is potentially super disruptive to a lot of people if we miss something in testing. At the very least, there should be a bug that tracks removing SIGKILL before shipping, but really, we need a better mechanism to learn about sandbox violations.

Created attachment 382599
Patch

Comment on attachment 382599
Patch

OK. I don't know what "with telemetry" does, but it sounds appropriate :)

(In reply to Alexey Proskuryakov from comment #8)
> Comment on attachment 382599
> Patch
>
> OK. I don't know what "with telemetry" does, but it sounds appropriate :)

Thanks for reviewing :)

Comment on attachment 382599
Patch

Clearing flags on attachment: 382599

Committed r251935: <https://trac.webkit.org/changeset/251935>

All reviewed patches have been landed. Closing bug.