Bug 225370

Summary: [Cocoa] Remove access to the unused 'nvram' system command
Product: WebKit
Reporter: Brent Fulgham <bfulgham>
Component: WebKit Misc.
Assignee: Brent Fulgham <bfulgham>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, pvollan, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Patch (Flags: none)

Description Brent Fulgham 2021-05-04 16:05:17 PDT
Deny access to 'nvram' in the WebKit sandboxes. No API surface interacts with this low-level feature, and other system sandboxes already deny it. It should not have been possible to reach nvram, but there's no reason to allow the sandbox to access it.

<rdar://problem/66583129>
Comment 1 Brent Fulgham 2021-05-04 16:07:49 PDT
Created attachment 427709 [details]
Patch
Comment 2 Brent Fulgham 2021-05-04 16:35:13 PDT
Confirmed proper function on iOS device and macOS. Waiting for EWS to show any other impact on downlevel platforms.
Comment 3 Per Arne Vollan 2021-05-05 10:02:15 PDT
Comment on attachment 427709 [details]
Patch

R=me.
Comment 4 EWS 2021-05-05 11:43:32 PDT
Committed r277032 (237345@main): <https://commits.webkit.org/237345@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427709 [details].
Comment 5 Radar WebKit Bug Importer 2021-05-05 11:44:16 PDT
<rdar://problem/77567746>