Bug 205134

Summary:

[iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process

Product:

WebKit

Reporter:

Per Arne Vollan <pvollan>

Component:

WebKit Misc.

Assignee:

Per Arne Vollan <pvollan>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, bfulgham, cdumez, cmarcelo, commit-queue, dbates, ews-watchlist, ggaren

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	bfulgham: review+, commit-queue: commit-queue-
Patch	commit-queue: commit-queue-
Patch	pvollan: commit-queue-
Patch	none

Per Arne Vollan

Reported 2019-12-11 14:03:37 PST

As part of sandbox hardening in the WebContent process on iOS, mach lookup access to "*.apple-extension-service” should be removed.

Attachments
Patch (6.32 KB, patch) 2019-12-11 14:11 PST, Per Arne Vollan	no flags	Details Formatted Diff Diff
Patch (7.43 KB, patch) 2019-12-11 14:27 PST, Per Arne Vollan	no flags	Details Formatted Diff Diff
Patch (8.47 KB, patch) 2019-12-11 16:27 PST, Per Arne Vollan	no flags	Details Formatted Diff Diff
Patch (8.50 KB, patch) 2019-12-12 11:28 PST, Per Arne Vollan	bfulgham: review+ commit-queue: commit-queue-	Details Formatted Diff Diff
Patch (8.46 KB, patch) 2019-12-12 13:08 PST, Per Arne Vollan	commit-queue: commit-queue-	Details Formatted Diff Diff
Patch (7.18 KB, patch) 2019-12-13 10:16 PST, Per Arne Vollan	pvollan: commit-queue-	Details Formatted Diff Diff
Patch (8.43 KB, patch) 2019-12-13 10:20 PST, Per Arne Vollan	no flags	Details Formatted Diff Diff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.

Per Arne Vollan

Comment 1 2019-12-11 14:04:04 PST

rdar://problem/56984257

Per Arne Vollan

Comment 2 2019-12-11 14:11:46 PST

Created attachment 385437 [details] Patch

Per Arne Vollan

Comment 3 2019-12-11 14:27:59 PST

Created attachment 385439 [details] Patch

Brent Fulgham

Comment 4 2019-12-11 16:07:23 PST

Comment on attachment 385439 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385439&action=review > LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html:10 > +} Is it expected that Mac-wk1 and Mac-wk2 would run this iOS test sub-directory? I guess we should add it to be skipped?

Per Arne Vollan

Comment 5 2019-12-11 16:15:25 PST

(In reply to Brent Fulgham from comment #4) > Comment on attachment 385439 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=385439&action=review > > > LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html:10 > > +} > > Is it expected that Mac-wk1 and Mac-wk2 would run this iOS test > sub-directory? > > I guess we should add it to be skipped? Ah, that is a good point :) I will update the patch, thanks for reviewing!

Per Arne Vollan

Comment 6 2019-12-11 16:27:49 PST

Created attachment 385454 [details] Patch

Per Arne Vollan

Comment 7 2019-12-12 11:28:56 PST

Created attachment 385516 [details] Patch

Brent Fulgham

Comment 8 2019-12-12 11:57:10 PST

Comment on attachment 385516 [details] Patch r=me

Per Arne Vollan

Comment 9 2019-12-12 12:06:02 PST

(In reply to Brent Fulgham from comment #8) > Comment on attachment 385516 [details] > Patch > > r=me Thanks for reviewing :)

WebKit Commit Bot

Comment 10 2019-12-12 13:05:05 PST

Comment on attachment 385516 [details] Patch Rejecting attachment 385516 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'validate-changelog', '--check-oops', '--non-interactive', 385516, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/ChangeLog contains OOPS!. Full output: https://webkit-queues.webkit.org/results/13290657

Per Arne Vollan

Comment 11 2019-12-12 13:08:15 PST

Created attachment 385536 [details] Patch

WebKit Commit Bot

Comment 12 2019-12-13 07:22:39 PST

Comment on attachment 385536 [details] Patch Rejecting attachment 385536 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 385536, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in Source/WTF/ChangeLog contains OOPS!. Full output: https://webkit-queues.webkit.org/results/13290990

Per Arne Vollan

Comment 13 2019-12-13 10:16:05 PST

Created attachment 385614 [details] Patch

Per Arne Vollan

Comment 14 2019-12-13 10:20:52 PST

Created attachment 385615 [details] Patch

WebKit Commit Bot

Comment 15 2019-12-13 11:07:58 PST

Comment on attachment 385615 [details] Patch Clearing flags on attachment: 385615 Committed r253488: <https://trac.webkit.org/changeset/253488>

Note You need to log in before you can comment on or make changes to this bug.