Make the WebProcess sandbox profile more like the NetworkProcess by getting rid of the global "file*" rules, switching to more finely-focused versions. Similar changes should be made in the Databases and Plugin sandboxes.
<rdar://problem/14024823>
Created attachment 297046 [details] Patch
(In reply to comment #0)
> Make the WebProcess sandbox profile more like the NetworkProcess by getting
> rid of the global "file*" rules, switching to more finely-focused versions.
>
> Similar changes should be made in the Databases and Plugin sandboxes.

Why not make them all at once?
Comment on attachment 297046 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=297046&action=review

> Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:262
> +(allow file-read* file-write* (subpath (param "NSURL_CACHE_DIR")))

I think that CFNetwork may need to issue sandbox extensions for cache content.

> Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:173
> + (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath (param "DARWIN_USER_TEMP_DIR"))))))

Did you test uploading packages? I'm not entirely sure if read extensions are all we use.
This seems worth trying, but I wouldn't be surprised if this broke something.
(In reply to comment #4)
> Comment on attachment 297046 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=297046&action=review
>
> > Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:262
> > +(allow file-read* file-write* (subpath (param "NSURL_CACHE_DIR")))
>
> I think that CFNetwork may need to issue sandbox extensions for cache
> content.

OK. I'll adjust the rules for that.

> > Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in:173
> > + (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath (param "DARWIN_USER_TEMP_DIR"))))))
>
> Did you test uploading packages? I'm not entirely sure if read extensions
> are all we use.

I did find that I needed to use "com.apple.app-sandbox.read-write" during my local testing (after uploading this patch). I'll use the read-write extension-class when landing this change.
> I did find that I needed to use "com.apple.app-sandbox.read-write" during my local testing (after uploading this patch).

Do we need com.apple.app-sandbox.read too?
Created attachment 297099 [details] Patch
Created attachment 297103 [details] Patch
Comment on attachment 297103 [details]
Patch

Rebaselined patch.
We should probably wait to land this until next week.
Created attachment 297150 [details] Patch
Updated patch to support "read" and "read-write" extensions.
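An added illustration of the shape of the change discussed in comments #4 and #5 and in the "read"/"read-write" update above; this is not WebKit's actual profile text or the patch itself. The parameter names and extension classes are the ones quoted in the review; the framework path is an assumed example.

```scheme
;; Added illustration, not WebKit's profile. Shows the broad rule the bug
;; asks to remove next to its finely-focused replacement.
(version 1)
(deny default)

;; Weak form (assumed pre-patch shape, shown commented out): a global
;; "file*" rule. "file*" matches every file-class operation, not just reads
;; and writes, so a compromised renderer keeps full access to the subtree.
;; (allow file* (subpath (param "DARWIN_USER_TEMP_DIR")))

;; Hardened form, following the NetworkProcess pattern: name each operation
;; and scope it to a single directory parameter. The cache directory gets
;; reads and writes only.
(allow file-read* file-write*
    (subpath (param "NSURL_CACHE_DIR")))

;; Paths that only need to be read get file-read* alone
;; (illustrative path, assumed for this example).
(allow file-read*
    (subpath "/System/Library/Frameworks"))

;; Sandbox extensions: CFNetwork (cache content) and upload handling pass file
;; access to other processes by issuing extensions. Limit both the extension
;; class and the subtree it may cover. Review testing found read-only
;; extensions insufficient for uploads, so both classes are permitted.
(allow file-issue-extension
    (require-all
        (require-any
            (extension-class "com.apple.app-sandbox.read")
            (extension-class "com.apple.app-sandbox.read-write"))
        (subpath (param "DARWIN_USER_TEMP_DIR"))))

(allow file-issue-extension
    (require-all
        (require-any
            (extension-class "com.apple.app-sandbox.read")
            (extension-class "com.apple.app-sandbox.read-write"))
        (subpath (param "NSURL_CACHE_DIR"))))
```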
Comment on attachment 297150 [details]
Patch

Scary, but worth trying.
We can land this now! cq+.
Comment on attachment 297150 [details]
Patch

Clearing flags on attachment: 297150

Committed r210076: <http://trac.webkit.org/changeset/210076>
All reviewed patches have been landed. Closing bug.