| Summary: | Explicitly deny 'system-privilege' in the sandbox profile as a hardening measure | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Brent Fulgham <bfulgham> |
| Component: | WebKit Misc. | Assignee: | Brent Fulgham <bfulgham> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, pvollan |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Description
Brent Fulgham
2021-09-24 19:24:53 PDT
Created attachment 439229 [details]
Patch
Created attachment 439231 [details]
Patch
Comment on attachment 439231 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=439231&action=review

> Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

The telemetry-backtrace might need a guard here.

> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

Ditto.

> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

Ditto.

Created attachment 439367 [details]
Patch
Comment on attachment 439367 [details]
Patch
Great! R=me.
Tools/Scripts/svn-apply failed to apply attachment 439367 [details] to trunk.
Please resolve the conflicts and upload a new patch.
Created attachment 439498 [details]
Patch for landing
Committed r283187 (242235@main): <https://commits.webkit.org/242235@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 439498 [details].