RESOLVED FIXED 199119
Adjust sandboxes based on seed feedback 
https://bugs.webkit.org/show_bug.cgi?id=199119
Summary Adjust sandboxes based on seed feedback
Brent Fulgham
Reported 2019-06-21 15:09:03 PDT
Adjust our process sandboxes based on seed user feedback as follows: (1) Silence spurious warnings about two XPC services we purposefully block: (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.DiskArbitration.diskarbitrationd") (2) Unblock an IOKit property needed for video playback feature detection: (iokit-property "compatible") (3) Allow file-read* access to "/Library/Fonts" in the network process to allow proper font serialization: (subpath "/Library/Fonts") (4) Allow access to the sysctl for "kern.osproductversion", which is needed by LaunchServices to detect some filesystem features. "kern.osproductversion"
Attachments
Patch (4.42 KB, patch)
2019-06-21 15:12 PDT, Brent Fulgham 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2019-06-21 15:09:43 PDT
<rdar://problem/50164879>
Brent Fulgham
Comment 2 2019-06-21 15:12:07 PDT
Created attachment 372656 [details] Patch
Brent Fulgham
Comment 3 2019-06-21 15:52:58 PDT
Committed r246702: <https://trac.webkit.org/changeset/246702>
Radar WebKit Bug Importer
Comment 4 2019-06-21 15:53:16 PDT
<rdar://problem/52006224>
mitz
Comment 5 2019-06-21 16:06:13 PDT
(In reply to Brent Fulgham from comment #0) > Adjust our process sandboxes based on seed user feedback as follows: > > (3) Allow file-read* access to "/Library/Fonts" in the network process to > allow proper font serialization: > (subpath "/Library/Fonts") What messages does the network process send or receive that include serialized font objects?
Brent Fulgham
Comment 6 2019-06-21 16:14:55 PDT
(In reply to mitz from comment #5) > (In reply to Brent Fulgham from comment #0) > > Adjust our process sandboxes based on seed user feedback as follows: > > > > (3) Allow file-read* access to "/Library/Fonts" in the network process to > > allow proper font serialization: > > (subpath "/Library/Fonts") > > What messages does the network process send or receive that include > serialized font objects? In this case, it was DidReceiveAuthenticationChallenge which wasn't actually serializing a font. However, the encoding code we use in all of our processes recognizes the possibility that it might be decoding (or encoding) a Font and instantiates a PlatformFont object that triggers access to the file I granted access to. That encoding is probably present for UIProcess <--> WebContent process communications, but it lives in NetworkProcess, too.
mitz
Comment 7 2019-06-21 16:38:53 PDT
(In reply to Brent Fulgham from comment #6) > (In reply to mitz from comment #5) > > (In reply to Brent Fulgham from comment #0) > > > Adjust our process sandboxes based on seed user feedback as follows: > > > > > > (3) Allow file-read* access to "/Library/Fonts" in the network process to > > > allow proper font serialization: > > > (subpath "/Library/Fonts") > > > > What messages does the network process send or receive that include > > serialized font objects? > > In this case, it was DidReceiveAuthenticationChallenge which wasn't actually > serializing a font. However, the encoding code we use in all of our > processes recognizes the possibility that it might be decoding (or encoding) > a Font and instantiates a PlatformFont object that triggers access to the > file I granted access to. > > That encoding is probably present for UIProcess <--> WebContent process > communications, but it lives in NetworkProcess, too. So presumably this is happening when UIFont is initialized as a side effect of [object isKindOfClass:[PlatformFont class]] in typeFromObject(). This is a case where it’s better to use NSClassFromString() and avoid all costs (time, memory, and sandbox holes) of initializing the class. You could add something like static NSString const * PlatformFontClassName = @"NSColor"; and static NSString const * PlatformFontClassName = @"UIColor"; and so on alongside the declarations the top of the file and use those string constants for the class membership tests like I described.
Note You need to log in before you can comment on or make changes to this bug.