Summary: | [iOS] Block access to unused resources in the Networking process' sandbox | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Per Arne Vollan <pvollan> | ||||||||||||
Component: | WebKit Misc. | Assignee: | Per Arne Vollan <pvollan> | ||||||||||||
Status: | RESOLVED FIXED | ||||||||||||||
Severity: | Normal | CC: | bfulgham, gavin.p, mazander, webkit-bug-importer | ||||||||||||
Priority: | P2 | Keywords: | InRadar | ||||||||||||
Version: | WebKit Nightly Build | ||||||||||||||
Hardware: | Unspecified | ||||||||||||||
OS: | Unspecified | ||||||||||||||
Attachments: |
|
Description
Per Arne Vollan
2021-11-15 07:48:29 PST
Created attachment 444254 [details]
Patch
Created attachment 444263 [details]
Patch
Created attachment 444280 [details]
Patch
Comment on attachment 444280 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=444280&action=review r=me > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:128 > + (global-name "com.apple.symptomsd")) Might be tidier to include this in the deny/with-telemetry on line 121. > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:175 > (global-name "com.apple.nsurlsessiond")) It's shocking to me that this isn't needed! > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:338 > (subpath "/private/var/preferences/Logging")) Could this be combined with the set on line 325 above (along with /private/var/db/timezone?) Created attachment 444672 [details]
Patch
(In reply to Brent Fulgham from comment #5) > Comment on attachment 444280 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=444280&action=review > > r=me > > > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:128 > > + (global-name "com.apple.symptomsd")) > > Might be tidier to include this in the deny/with-telemetry on line 121. > Fixed. > > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:175 > > (global-name "com.apple.nsurlsessiond")) > > It's shocking to me that this isn't needed! > Yes, I agree, this is surprising. Telemetry and local testing suggests that the mach service is unused and can be denied. We still have telemetry enabled in the sandbox. > > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:338 > > (subpath "/private/var/preferences/Logging")) > > Could this be combined with the set on line 325 above (along with > /private/var/db/timezone?) Done. Thanks for reviewing! Committed r286004 (244401@main): <https://commits.webkit.org/244401@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 444672 [details]. Reopening to attach new patch. Created attachment 444711 [details]
Patch
Committed r286022 (244411@main): <https://commits.webkit.org/244411@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 444711 [details]. |