Bug 233129

Summary: [iOS] Block access to unused resources in the Networking process' sandbox
Product: WebKit Reporter: Per Arne Vollan <pvollan>
Component: WebKit Misc.Assignee: Per Arne Vollan <pvollan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, gavin.p, mazander, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
bfulgham: review+
Patch
none
Patch none

Per Arne Vollan
Reported 2021-11-15 07:48:29 PST
Based on telemetry, block access to unused resources in the Networking process' sandbox on iOS.
Attachments
Patch (11.34 KB, patch)
2021-11-15 07:53 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (18.03 KB, patch)
2021-11-15 09:10 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (22.69 KB, patch)
2021-11-15 11:23 PST, Per Arne Vollan 		bfulgham: review+
DetailsFormatted DiffDiff
Patch (22.85 KB, patch)
2021-11-18 07:28 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (1.44 KB, patch)
2021-11-18 11:53 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-11-15 07:51:32 PST
<rdar://problem/85411927>
Per Arne Vollan
Comment 2 2021-11-15 07:53:26 PST
Created attachment 444254 [details] Patch
Per Arne Vollan
Comment 3 2021-11-15 09:10:19 PST
Created attachment 444263 [details] Patch
Per Arne Vollan
Comment 4 2021-11-15 11:23:51 PST
Created attachment 444280 [details] Patch
Brent Fulgham
Comment 5 2021-11-17 13:05:29 PST
Comment on attachment 444280 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=444280&action=review r=me > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:128 > + (global-name "com.apple.symptomsd")) Might be tidier to include this in the deny/with-telemetry on line 121. > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:175 > (global-name "com.apple.nsurlsessiond")) It's shocking to me that this isn't needed! > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:338 > (subpath "/private/var/preferences/Logging")) Could this be combined with the set on line 325 above (along with /private/var/db/timezone?)
Per Arne Vollan
Comment 6 2021-11-18 07:28:23 PST
Created attachment 444672 [details] Patch
Per Arne Vollan
Comment 7 2021-11-18 07:33:16 PST
(In reply to Brent Fulgham from comment #5) > Comment on attachment 444280 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=444280&action=review > > r=me > > > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:128 > > + (global-name "com.apple.symptomsd")) > > Might be tidier to include this in the deny/with-telemetry on line 121. > Fixed. > > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:175 > > (global-name "com.apple.nsurlsessiond")) > > It's shocking to me that this isn't needed! > Yes, I agree, this is surprising. Telemetry and local testing suggests that the mach service is unused and can be denied. We still have telemetry enabled in the sandbox. > > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:338 > > (subpath "/private/var/preferences/Logging")) > > Could this be combined with the set on line 325 above (along with > /private/var/db/timezone?) Done. Thanks for reviewing!
EWS
Comment 8 2021-11-18 07:56:44 PST
Committed r286004 (244401@main): <https://commits.webkit.org/244401@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 444672 [details].
Per Arne Vollan
Comment 9 2021-11-18 11:53:24 PST
Reopening to attach new patch.
Per Arne Vollan
Comment 10 2021-11-18 11:53:25 PST
Created attachment 444711 [details] Patch
EWS
Comment 11 2021-11-18 12:55:03 PST
Committed r286022 (244411@main): <https://commits.webkit.org/244411@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 444711 [details].
Note You need to log in before you can comment on or make changes to this bug.