RESOLVED FIXED 205077
[iOS] Deny mach lookup access to content filter service in the WebContent sandbox
https://bugs.webkit.org/show_bug.cgi?id=205077
Per Arne Vollan
Reported 2019-12-10 12:24:37 PST
The WebContent process' sandbox should deny mach lookup to the content filter service. Instead an extension from the UI process should be consumed when needed.
Attachments
Patch (16.18 KB, patch)
2019-12-10 13:40 PST, Per Arne Vollan
bfulgham: review+
Patch (11.44 KB, patch)
2019-12-10 15:57 PST, Per Arne Vollan
no flags
Patch (14.31 KB, patch)
2019-12-11 11:12 PST, Per Arne Vollan
no flags
Patch (1.03 KB, patch)
2019-12-13 14:33 PST, Per Arne Vollan
no flags
Patch (1.03 KB, patch)
2019-12-13 15:25 PST, Per Arne Vollan
no flags
Radar WebKit Bug Importer
Comment 1 2019-12-10 12:25:13 PST
Per Arne Vollan
Comment 2 2019-12-10 13:40:10 PST
Brent Fulgham
Comment 3 2019-12-10 14:35:38 PST
Comment on attachment 385302
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=385302&action=review
Looks good! r=me
> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:969
> + (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService" "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI")))
Is there an equivalent process we use on macOS that we could treat the same way?
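Review bot: at com.apple.WebKit.WebContent.sb:969 the added line packs four service names into a single `(global-name ...)` filter, so the diff does not show which name this change introduces, and any later edit to one service rewrites the whole line. Put each global-name string on its own line. Since the bug's stated goal is to deny lookup of the content filter service and rely on an extension from the UI process, a short comment beside "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI" saying so would help the next reader of the profile.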
Per Arne Vollan
Comment 4 2019-12-10 15:57:05 PST
Per Arne Vollan
Comment 5 2019-12-10 17:29:31 PST
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 385302
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=385302&action=review
>
> Looks good! r=me
>
> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:969
> > + (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService" "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI")))
>
> Is there an equivalent process we use on macOS that we could treat the same
> way?
That’s a good point. I will try to find the equivalent service on macOS, so we can do the same there.
Thanks for reviewing!
Per Arne Vollan
Comment 6 2019-12-11 11:12:43 PST
Per Arne Vollan
Comment 7 2019-12-11 11:15:35 PST
(In reply to Per Arne Vollan from comment #6)
> Created attachment 385413
> Patch
I uploaded another patch with a potential fix for the API test failure. Brent, are you OK with landing this, or would you like to do another review?
Brent Fulgham
Comment 8 2019-12-12 10:21:32 PST
Comment on attachment 385413
Patch
r=me
Per Arne Vollan
Comment 9 2019-12-12 10:37:21 PST
(In reply to Brent Fulgham from comment #8)
> Comment on attachment 385413
> Patch
>
> r=me
Thanks for reviewing!
WebKit Commit Bot
Comment 10 2019-12-12 11:09:21 PST
Comment on attachment 385413
Patch
Clearing flags on attachment: 385413
Committed r253440: <https://trac.webkit.org/changeset/253440>
Per Arne Vollan
Comment 11 2019-12-13 14:33:05 PST
Per Arne Vollan
Comment 12 2019-12-13 15:25:01 PST
Reopening to attach new patch.
Per Arne Vollan
Comment 13 2019-12-13 15:25:02 PST
Brent Fulgham
Comment 14 2019-12-18 12:56:48 PST
(In reply to Per Arne Vollan from comment #13)
> Created attachment 385647
> Patch
Do you need to land this other patch, too? It's not marked for review.
Per Arne Vollan
Comment 15 2019-12-18 13:02:34 PST
(In reply to Brent Fulgham from comment #14)
> (In reply to Per Arne Vollan from comment #13)
> > Created attachment 385647
> > Patch
>
> Do you need to land this other patch, too? It's not marked for review.
This was landed manually as a tvOS build fix.