Bug 230782

Summary:

Explicitly deny 'system-privilege' in the sandbox profile as a hardening measure

Product:

WebKit

Reporter:

Brent Fulgham <bfulgham>

Component:

WebKit Misc.

Assignee:

Brent Fulgham <bfulgham>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, pvollan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch for landing	none

Brent Fulgham

Reported 2021-09-24 19:24:53 PDT

Although we do not need 'system-privilege', the default sandbox state includes it as a backwards-compatibility affordance. Update our sandboxes to tell the kernel we don't need the support, except for the one case in the Networking process.

Attachments
Patch (8.71 KB, patch) 2021-09-24 19:31 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch (8.24 KB, patch) 2021-09-24 20:10 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch (8.05 KB, patch) 2021-09-27 10:27 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch for landing (8.05 KB, patch) 2021-09-28 11:29 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2021-09-24 19:25:20 PDT

<rdar://problem/66582813>

Brent Fulgham

Comment 2 2021-09-24 19:31:35 PDT

Created attachment 439229 [details] Patch

Brent Fulgham

Comment 3 2021-09-24 20:10:43 PDT

Created attachment 439231 [details] Patch

Per Arne Vollan

Comment 4 2021-09-27 07:21:44 PDT

Comment on attachment 439231 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=439231&action=review > Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:27 > +(deny system-privilege (with telemetry-backtrace)) The telemetry-backtrace might need a guard here. > Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:27 > +(deny system-privilege (with telemetry-backtrace)) Ditto. > Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:27 > +(deny system-privilege (with telemetry-backtrace)) Ditto.

Brent Fulgham

Comment 5 2021-09-27 10:27:50 PDT

Created attachment 439367 [details] Patch

Per Arne Vollan

Comment 6 2021-09-27 10:34:43 PDT

Comment on attachment 439367 [details] Patch Great! R=me.

EWS

Comment 7 2021-09-28 11:09:33 PDT

Tools/Scripts/svn-apply failed to apply attachment 439367 [details] to trunk. Please resolve the conflicts and upload a new patch.

Brent Fulgham

Comment 8 2021-09-28 11:29:45 PDT

Created attachment 439498 [details] Patch for landing

EWS

Comment 9 2021-09-28 12:15:09 PDT

Committed r283187 (242235@main): <https://commits.webkit.org/242235@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 439498 [details].

Note You need to log in before you can comment on or make changes to this bug.