The existing Sandbox rules for the various WebKit processes are overly permissive. We should tighten them down to just the handful of operations we really need: file-read-data, file-read-metadata, and file-write-data. We should also deny access to newer keychains (with UUID-based names), since those are not meant to be used by user processes.
<rdar://problem/16863857>
Created attachment 297036: Patch
Comment on attachment 297036: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=297036&action=review

> Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:41
> +;;; UUID of the form: XXXXXXXX-XXXX-XXXX--XXXX-XXXXXXXXXXXX

All of this profile text is going to get embedded in the binary. Should it?

> Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:78
> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8

Ditto.

> Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:48
> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8

Ditto.
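Review bot: the UUID pattern in the NetworkProcess comment line (`+;;; UUID of the form: XXXXXXXX-XXXX-XXXX--XXXX-XXXXXXXXXXXX`) has a doubled hyphen between the third and fourth groups, which does not match the 8X-4X-4X-4X-12X form stated in the other two profiles; if the comment is kept anywhere, make it `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` so nobody derives the deny regex from the wrong shape.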
Comment on attachment 297036: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=297036&action=review

>> Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:41
>> +;;; UUID of the form: XXXXXXXX-XXXX-XXXX--XXXX-XXXXXXXXXXXX
>
> All of this profile text is going to get embedded in the binary. Should it?

That's okay -- I'll pull it out.

>> Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:78
>> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8
>
> Ditto.

Ditto.

>> Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:48
>> +;;; That's 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8
>
> Ditto.

Ditto.
Committed r209779: <http://trac.webkit.org/changeset/209779>
This change broke the Keygen element (e.g., http/tests/misc/submit-post-keygen.html). WebProcess needs the file-write-create permission for the Keychains directory.
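An SBPL fragment, added here as an illustration and not taken from r209779 or r209806, showing how the rules from the bug description (allow only file-read-data, file-read-metadata and file-write-data; deny UUID-named keychains) and the file-write-create fix from this comment fit together. The home-subpath/home-regex helpers follow the form WebKit's profiles use, but the exact paths and the regex are assumptions.

```scheme
;; Added example (not WebKit's own profile): keychain rules in the .sb.in style.
;; Assumed: HOME_DIR is supplied as a profile parameter by the launcher, as in
;; WebKit's profiles; the paths and regex below are assumptions, not the patch.
(version 1)
(deny default)

;; Helpers modelled on WebKit's: build paths relative to the sandboxed user's home.
(define (home-subpath home-relative-subpath)
    (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
(define (home-regex home-relative-regex)
    (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))

;; Tightened keychain access: only read data, read metadata and write data,
;; instead of the broad file-read* / file-write* the old rules granted.
(allow file-read-data file-read-metadata file-write-data
    (home-subpath "/Library/Keychains"))

;; The <keygen> element creates a new file in the Keychains directory, so the
;; WebProcess additionally needs file-write-create there (the r209806 fix).
(allow file-write-create
    (home-subpath "/Library/Keychains"))

;; Newer keychains use UUID-based names (8-4-4-4-12 hex digits) and are not for
;; user processes. SBPL applies the last matching rule, so this deny comes after
;; the allows above and overrides them for those paths only.
(deny file-read* file-write*
    (home-regex "/Library/Keychains/[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}(/|$)"))
```

Denials show up as "deny file-read-data" lines from the sandbox in the system log, which is the quickest way to confirm the profile blocks the UUID-named keychains without breaking the legacy login keychain.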
Committed r209806: <http://trac.webkit.org/changeset/209806>
Please note, three changes are needed to integrate this sandbox change:
Committed r209779: <http://trac.webkit.org/changeset/209779>
Committed r209806: <http://trac.webkit.org/changeset/209806>
Committed r209814: <http://trac.webkit.org/changeset/209814>