Lock down the sandbox further by denying access to XPC services by default, and only permitting connections to the ones we need to access.
<rdar://problem/30669445>
Created attachment 310526 [details] Patch
Created attachment 310528 [details] Patch
Comment on attachment 310528 [details]
Patch

How did we come up with the list of needed services? Might there be services used on unlikely paths that need whitelisting?
(In reply to Geoffrey Garen from comment #4)
> Comment on attachment 310528 [details]
> Patch
>
> How did we come up with the list of needed services? Might there be services
> used on unlikely paths that need whitelisting?

These are based on discussion with the Sandboxing team and the global sandboxes they set up for 3rd-party applications. I did local testing with a handful of iOS units of varying screen size and features, but it was not exhaustive. I'd like to get this in a build so that we could get larger QC on it in case we need to add anything else.
Comment on attachment 310528 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=310528&action=review

> Source/WebKit2/ChangeLog:13
> +
> + * Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:
> + * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
> + * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

This could be more fleshed out.

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb:48
> +;; Various services required by system frameworks
> +(allow mach-lookup
> + (global-name "com.apple.analyticsd")
> + (global-name "com.apple.lsd.mapdb"))

Are these related to the XPC deny change?

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:70
>
> +(deny iokit-get-properties)
> +(allow iokit-get-properties
> + (iokit-property-prefix "AGXParameterBufferMaxSize")
> + (iokit-property-regex #"^AppleJPEG") ; AppleJPEGDriver, EmbeddedCoreMedia
> + (iokit-property "AppleTV")
> + (iokit-property "BaseAddressAlignmentRequirement")
> + (iokit-property "CFBundleIdentifier")
> + (iokit-property "DisplayPipePlaneBaseAlignment")
> + (iokit-property "DisplayPipeStrideRequirements")
> + (iokit-property "ForceSupported")
> + (iokit-property-regex "^IOGL(|ES)(|Metal)BundleName")
> + (iokit-property-regex #"^InternalStatistics(|Accm)")
> + (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
> + (iokit-property-regex #"^PerformanceStatistics(|Accum)")
> + (iokit-property "Protocol Characteristics")
> + (iokit-property "Size")
> + (iokit-property "compass-calibration")
> + (iokit-property "display-rotation")
> + (iokit-property "display-scale"")
> + (iokit-property "graphic-options")
> + (iokit-property "gyro-interrupt-calibration")
> + (iokit-property "hdcp-hoover-protocol")
> + (iokit-property-regex #"^parser-(options|type)")
> + (iokit-property "product-id")
> + (iokit-property "software-behavior")

These don't seem like XPC services.
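Review bot: the two global-name entries added to com.apple.WebKit.Databases.sb (com.apple.analyticsd and com.apple.lsd.mapdb) widen that process's mach-lookup allow list under a generic ";; Various services required by system frameworks" comment and have nothing to do with the XPC deny-by-default change this bug is about; split them into their own patch and say in the ChangeLog (whose entry for this file is currently empty) why the Databases process needs each one, so the reason survives the next audit of the profile.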
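Review bot: three things in the iokit-get-properties block of com.apple.WebKit.WebContent.sb need checking before it lands, on top of it not being an XPC change. `(iokit-property "display-scale"")` has what looks like a stray closing quote; confirm the profile still compiles. `(iokit-property-regex "^IOGL(|ES)(|Metal)BundleName")` is the only regex filter in the list written as a plain string rather than a `#"..."` literal, so make it consistent with its neighbours. `#"^InternalStatistics(|Accm)"` and `#"^PerformanceStatistics(|Accum)"` spell the optional suffix differently; confirm which spelling the property actually uses, since a misspelt allow entry silently denies the real key.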
> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:77
> + (xpc-service-name-regex #"\.viewservice$")

What is this? It seems scarier than the other two.

> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:125
> + (global-name "com.apple.analyticsd")
> (global-name "com.apple.accountsd.accountmanager")
> - (global-name "com.apple.coremedia.audiodeviceclock"))
> + (global-name "com.apple.coremedia.audiodeviceclock")
> + (global-name "com.apple.lsd.mapdb")

How do these relate to the XPC whitelist change?
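Review bot: `(xpc-service-name-regex #"\.viewservice$")` is anchored only at the end, so it lets the WebContent process look up every XPC service whose name ends in .viewservice, present or future, rather than the specific view services it is known to need; either enumerate those with xpc-service-name, or anchor the pattern with the expected prefix as well, and put a comment above the rule naming the services it is meant to cover so the question "what is this?" is answered in the profile itself.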
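Review bot: the com.apple.analyticsd and com.apple.lsd.mapdb global-names added at WebContent.sb:125 make two more services reachable from the WebContent process that the XPC deny-by-default change does not require, and the reviewer's question of whether a compromised WebContent process should be able to reach them (lsd.mapdb is described below as a cache used by core services) is still open; keep them out of this patch and land each with its own justification once that question is answered.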
Comment on attachment 310528 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=310528&action=review

>> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:70
>> + (iokit-property "software-behavior")
>
> These don't seem like XPC services.

Yeah, I'll split these out into a separate patch. I was trying to get the iOS and macOS sandboxes in sync.

>> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:77
>> + (xpc-service-name-regex #"\.viewservice$")
>
> What is this? It seems scarier than the other two.

Right now we don't block any of these things. The Sandboxing team gave me a list of things they are whitelisting in the global application sandboxes, which included these three items. The others were for things without any plausible relevance to the WebContent process, so I didn't include them.

These seemed like they might be used under some code paths, so I whitelisted them to avoid the chance of breaking something.

>> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:125
>> + (global-name "com.apple.lsd.mapdb")
>
> How do these relate to the XPC whitelist change?

'analyticsd' is needed in newer OSes to support some logging features. We should be whitelisting this, but I can do it as a separate patch.

'lsd.mapdb' should have been whitelisted a few releases ago, but was overlooked since no one was keeping an eye on things. Blocking it means we are making core services do extra work on iOS (it prevents access to a cache).
(In reply to Brent Fulgham from comment #7)
> Comment on attachment 310528 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=310528&action=review
>
> >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:70
> >> + (iokit-property "software-behavior")
> >
> > These don't seem like XPC services.
>
> Yeah, I'll split these out into a separate patch. I was trying to get the
> iOS and macOS sandboxes in sync.

Cool.

> >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:77
> >> + (xpc-service-name-regex #"\.viewservice$")
> >
> > What is this? It seems scarier than the other two.
>
> Right now we don't block any of these things. The Sandboxing team gave me a
> list of things they are whitelisting in the global application sandboxes,
> which included these three items. The others were for things without any
> plausible relevance to WebContent process, so I didn't include them.
>
> These seemed like the might be used under some code paths, so I whitelisted
> them to avoid the chance of breaking something.

Yeah, but what is #"\.viewservice$"?

> >> Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:125
> >> + (global-name "com.apple.lsd.mapdb")
> >
> > How do these relate to the XPC whitelist change?
>
> 'analyticsd' is needed in newer OS's to support some logging features. We
> should be whitelisting this, but I can do it as a separate patch.

Is it something we want a compromised WebProcess to have access to?

> 'lsd.mapdb' should have been whitelisted a few releases ago, but was
> overlooked since no one was keeping an eye on things. Blocking it means we
> are making core services do extra work on iOS (prevents access to a cache)

Is this cache something we want a compromised WebProcess to have access to? Does it contain all the installed applications, for instance?
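The two review threads above (the deny-by-default whitelist Brent describes, and Geoff's question about what `#"\.viewservice$"` admits) are the kind of thing a small audit of the profile can answer mechanically. The following is an added example written for this discussion; it is not WebKit code and not part of the patch. It parses just enough of the Scheme-like SBPL syntax to list what the mach-lookup rules allow, checks that XPC services are denied by default before anything is re-allowed, and flags a regex anchored only at the end (such as `\.viewservice$`) and a regex argument written as a plain string instead of a `#"..."` literal. The sample profile embedded in it is constructed: the `com.example.*` names are placeholders, and the only entries taken from the page are the two global-names and the `.viewservice` pattern quoted in the review.

```python
"""Audit the mach-lookup rules of an SBPL (Apple .sb) sandbox profile.

Illustrative code added to this discussion, not WebKit code. It parses just
enough of the Scheme-like SBPL syntax to find (allow|deny mach-lookup ...)
forms and flags allow rules a reviewer would question."""
import re
from collections import namedtuple

TOKEN_RE = re.compile(r'''
    (?P<ws>\s+)
  | (?P<comment>;[^\n]*)
  | (?P<open>\()
  | (?P<close>\))
  | (?P<regex>\#"(?:[^"\\]|\\.)*")
  | (?P<string>"(?:[^"\\]|\\.)*")
  | (?P<symbol>[^\s()";]+)
''', re.VERBOSE)

class Symbol(str): "A bare identifier such as allow, deny or mach-lookup."
class RegexLiteral(str): 'Body of a #"..." regex literal, distinct from a plain string.'

def parse(text):
    """Parse SBPL text into nested lists of Symbol / str / RegexLiteral."""
    stack, pos = [[]], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos, kind, tok = m.end(), m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind == "open":
            stack.append([])
        elif kind == "close":
            if len(stack) == 1:
                raise ValueError(f"unbalanced ')' at offset {m.start()}")
            form = stack.pop()
            stack[-1].append(form)
        elif kind == "regex":
            stack[-1].append(RegexLiteral(tok[2:-1]))
        elif kind == "string":
            stack[-1].append(tok[1:-1])
        else:
            stack[-1].append(Symbol(tok))
    if len(stack) != 1:
        raise ValueError("unbalanced '(': profile ends inside a form")
    return stack[0]

# action: "allow"/"deny"; kind: filter name; regex_literal: argument was written as #"..."
Rule = namedtuple("Rule", "action kind value regex_literal")

def mach_lookup_rules(text):
    """Flatten every filter of every top-level (allow|deny mach-lookup ...) form."""
    rules = []
    for form in parse(text):
        if not (isinstance(form, list) and len(form) >= 2 and isinstance(form[0], Symbol)):
            continue
        if form[0] not in ("allow", "deny") or form[1] != "mach-lookup":
            continue
        for filt in form[2:]:
            if isinstance(filt, list) and len(filt) == 2 and isinstance(filt[0], Symbol):
                rules.append(Rule(str(form[0]), str(filt[0]), str(filt[1]),
                                  isinstance(filt[1], RegexLiteral)))
    return rules

def denies_xpc_by_default(rules):
    """True when a deny rule uses an empty xpc-service-name-prefix, covering every XPC service."""
    return any(r.action == "deny" and r.kind == "xpc-service-name-prefix" and r.value == ""
               for r in rules)

def allowed_names(rules):
    """Exact service names the process may look up, sorted."""
    return sorted(r.value for r in rules
                  if r.action == "allow" and r.kind in ("global-name", "xpc-service-name"))

def findings(rules):
    """Warnings a reviewer of the profile would want, in rule order."""
    out = []
    if not denies_xpc_by_default(rules):
        out.append('no (deny mach-lookup (xpc-service-name-prefix "")): XPC services are not denied by default')
    for r in rules:
        if r.action != "allow" or not r.kind.endswith("-regex"):
            continue
        if not r.regex_literal:
            out.append(f'{r.kind} {r.value!r}: plain string where the other regex filters use a #"..." literal')
        if not r.value.startswith("^"):
            out.append(f"{r.kind} {r.value!r}: not anchored at the start, so any name ending this way matches")
    return out

# Constructed sample in the shape of the WebKit iOS profiles. The two global-names and
# the .viewservice regex are the ones quoted in this review; the rest are placeholders.
SAMPLE_PROFILE = r''';; Deny every XPC service first, then re-allow only what the process needs.
(deny mach-lookup (xpc-service-name-prefix ""))
(allow mach-lookup
    (xpc-service-name "com.example.helper")             ; exact name
    (xpc-service-name-regex #"\.viewservice$"))         ; suffix-only match
(allow mach-lookup
    (global-name "com.apple.analyticsd")
    (global-name-regex "^com\.example\.cache")          ; plain string, no #
    (global-name "com.apple.lsd.mapdb"))
(deny iokit-get-properties)
'''
```

On the sample, `findings(mach_lookup_rules(SAMPLE_PROFILE))` returns two warnings, one for the suffix-only `\.viewservice$` regex and one for the plain-string `global-name-regex`; remove the `(deny mach-lookup (xpc-service-name-prefix ""))` line and a third warning says XPC services are no longer denied by default. The anchoring check is deliberately crude (start-of-pattern `^` only); its point is to make a reviewer look at every regex allow rule rather than to prove one safe.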
Created attachment 310945 [details] Patch
Comment on attachment 310945 [details]
Patch

Still curious about those questions, but this looks good. Ice cold, no XPC!
Committed r217277: <http://trac.webkit.org/changeset/217277>