RESOLVED FIXED 205134
[iOS] Deny mach lookup access to "*.apple-extension-service" in the WebContent process 
https://bugs.webkit.org/show_bug.cgi?id=205134
Summary [iOS] Deny mach lookup access to "*.apple-extension-service" in the WebConten...
Per Arne Vollan
Reported 2019-12-11 14:03:37 PST
As part of sandbox hardening in the WebContent process on iOS, mach lookup access to "*.apple-extension-service” should be removed.
Attachments
Patch (6.32 KB, patch)
2019-12-11 14:11 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (7.43 KB, patch)
2019-12-11 14:27 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (8.47 KB, patch)
2019-12-11 16:27 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (8.50 KB, patch)
2019-12-12 11:28 PST, Per Arne Vollan 		bfulgham: review+
commit-queue: commit-queue-
DetailsFormatted DiffDiff
Patch (8.46 KB, patch)
2019-12-12 13:08 PST, Per Arne Vollan 		commit-queue: commit-queue-
DetailsFormatted DiffDiff
Patch (7.18 KB, patch)
2019-12-13 10:16 PST, Per Arne Vollan 		pvollan: commit-queue-
DetailsFormatted DiffDiff
Patch (8.43 KB, patch)
2019-12-13 10:20 PST, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Per Arne Vollan
Comment 1 2019-12-11 14:04:04 PST
rdar://problem/56984257
Per Arne Vollan
Comment 2 2019-12-11 14:11:46 PST
Created attachment 385437 [details] Patch
Per Arne Vollan
Comment 3 2019-12-11 14:27:59 PST
Created attachment 385439 [details] Patch
Brent Fulgham
Comment 4 2019-12-11 16:07:23 PST
Comment on attachment 385439 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385439&action=review > LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html:10 > +} Is it expected that Mac-wk1 and Mac-wk2 would run this iOS test sub-directory? I guess we should add it to be skipped?
Per Arne Vollan
Comment 5 2019-12-11 16:15:25 PST
(In reply to Brent Fulgham from comment #4) > Comment on attachment 385439 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=385439&action=review > > > LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html:10 > > +} > > Is it expected that Mac-wk1 and Mac-wk2 would run this iOS test > sub-directory? > > I guess we should add it to be skipped? Ah, that is a good point :) I will update the patch, thanks for reviewing!
Per Arne Vollan
Comment 6 2019-12-11 16:27:49 PST
Created attachment 385454 [details] Patch
Per Arne Vollan
Comment 7 2019-12-12 11:28:56 PST
Created attachment 385516 [details] Patch
Brent Fulgham
Comment 8 2019-12-12 11:57:10 PST
Comment on attachment 385516 [details] Patch r=me
Per Arne Vollan
Comment 9 2019-12-12 12:06:02 PST
(In reply to Brent Fulgham from comment #8) > Comment on attachment 385516 [details] > Patch > > r=me Thanks for reviewing :)
WebKit Commit Bot
Comment 10 2019-12-12 13:05:05 PST
Comment on attachment 385516 [details] Patch Rejecting attachment 385516 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'validate-changelog', '--check-oops', '--non-interactive', 385516, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/ChangeLog contains OOPS!. Full output: https://webkit-queues.webkit.org/results/13290657
Per Arne Vollan
Comment 11 2019-12-12 13:08:15 PST
Created attachment 385536 [details] Patch
WebKit Commit Bot
Comment 12 2019-12-13 07:22:39 PST
Comment on attachment 385536 [details] Patch Rejecting attachment 385536 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 385536, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in Source/WTF/ChangeLog contains OOPS!. Full output: https://webkit-queues.webkit.org/results/13290990
Per Arne Vollan
Comment 13 2019-12-13 10:16:05 PST
Created attachment 385614 [details] Patch
Per Arne Vollan
Comment 14 2019-12-13 10:20:52 PST
Created attachment 385615 [details] Patch
WebKit Commit Bot
Comment 15 2019-12-13 11:07:58 PST
Comment on attachment 385615 [details] Patch Clearing flags on attachment: 385615 Committed r253488: <https://trac.webkit.org/changeset/253488>
Note You need to log in before you can comment on or make changes to this bug.