Bug 205134 - [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Per Arne Vollan
Keywords: InRadar
Reported: 2019-12-11 14:03 PST by Per Arne Vollan
Modified: 2019-12-17 10:10 PST

Attachments
Patch (6.32 KB, patch)
2019-12-11 14:11 PST, Per Arne Vollan
no flags
Patch (7.43 KB, patch)
2019-12-11 14:27 PST, Per Arne Vollan
no flags
Patch (8.47 KB, patch)
2019-12-11 16:27 PST, Per Arne Vollan
no flags
Patch (8.50 KB, patch)
2019-12-12 11:28 PST, Per Arne Vollan
bfulgham: review+
commit-queue: commit-queue-
Patch (8.46 KB, patch)
2019-12-12 13:08 PST, Per Arne Vollan
commit-queue: commit-queue-
Patch (7.18 KB, patch)
2019-12-13 10:16 PST, Per Arne Vollan
pvollan: commit-queue-
Patch (8.43 KB, patch)
2019-12-13 10:20 PST, Per Arne Vollan
no flags

Description Per Arne Vollan 2019-12-11 14:03:37 PST
As part of sandbox hardening in the WebContent process on iOS, mach lookup access to "*.apple-extension-service" should be removed.
Comment 1 Per Arne Vollan 2019-12-11 14:04:04 PST
rdar://problem/56984257
Comment 2 Per Arne Vollan 2019-12-11 14:11:46 PST
Created attachment 385437
Patch
Comment 3 Per Arne Vollan 2019-12-11 14:27:59 PST
Created attachment 385439
Patch
Comment 4 Brent Fulgham 2019-12-11 16:07:23 PST
Comment on attachment 385439
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=385439&action=review

> LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html:10
> +}

Is it expected that Mac-wk1 and Mac-wk2 would run this iOS test sub-directory?

I guess we should add it to be skipped?
Comment 5 Per Arne Vollan 2019-12-11 16:15:25 PST
(In reply to Brent Fulgham from comment #4)
> Comment on attachment 385439
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=385439&action=review
> 
> > LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html:10
> > +}
> 
> Is it expected that Mac-wk1 and Mac-wk2 would run this iOS test
> sub-directory?
> 
> I guess we should add it to be skipped?

Ah, that is a good point :)

I will update the patch, thanks for reviewing!
Comment 6 Per Arne Vollan 2019-12-11 16:27:49 PST
Created attachment 385454
Patch
Comment 7 Per Arne Vollan 2019-12-12 11:28:56 PST
Created attachment 385516
Patch
Comment 8 Brent Fulgham 2019-12-12 11:57:10 PST
Comment on attachment 385516
Patch

r=me
Comment 9 Per Arne Vollan 2019-12-12 12:06:02 PST
(In reply to Brent Fulgham from comment #8)
> Comment on attachment 385516
> Patch
> 
> r=me

Thanks for reviewing :)
Comment 10 WebKit Commit Bot 2019-12-12 13:05:05 PST
Comment on attachment 385516
Patch

Rejecting attachment 385516 from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'validate-changelog', '--check-oops', '--non-interactive', 385516, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: https://webkit-queues.webkit.org/results/13290657
Comment 11 Per Arne Vollan 2019-12-12 13:08:15 PST
Created attachment 385536
Patch
Comment 12 WebKit Commit Bot 2019-12-13 07:22:39 PST
Comment on attachment 385536
Patch

Rejecting attachment 385536 from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 385536, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in Source/WTF/ChangeLog contains OOPS!.

Full output: https://webkit-queues.webkit.org/results/13290990
Comment 13 Per Arne Vollan 2019-12-13 10:16:05 PST
Created attachment 385614
Patch
Comment 14 Per Arne Vollan 2019-12-13 10:20:52 PST
Created attachment 385615
Patch
Comment 15 WebKit Commit Bot 2019-12-13 11:07:58 PST
Comment on attachment 385615
Patch

Clearing flags on attachment: 385615

Committed r253488: <https://trac.webkit.org/changeset/253488>