Bug 207487 - [iOS] Deny mach lookup access to view service in the WebContent process
Summary: [iOS] Deny mach lookup access to view service in the WebContent process
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Per Arne Vollan
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-02-10 11:13 PST by Per Arne Vollan
Modified: 2020-02-12 10:41 PST (History)
5 users (show)

See Also:

Attachments
Patch (3.95 KB, patch)
2020-02-10 11:17 PST, Per Arne Vollan 		darin: review+
commit-queue: commit-queue-
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Per Arne Vollan 2020-02-10 11:13:34 PST 
As part of sandbox hardening, mach lookup access to com.apple.uikit.viewservice should be denied.
Comment 1 Per Arne Vollan 2020-02-10 11:13:54 PST 
rdar://problem/56995704
Comment 2 Per Arne Vollan 2020-02-10 11:17:45 PST 
Created attachment 390271 [details]
Patch
Comment 3 Per Arne Vollan 2020-02-12 07:12:09 PST 
Comment on attachment 390271 [details]
Patch

Thanks for reviewing!
Comment 4 Per Arne Vollan 2020-02-12 07:12:40 PST 
I believe the api-ios test failure is unrelated to this patch.
Comment 5 WebKit Commit Bot 2020-02-12 07:33:24 PST 
Comment on attachment 390271 [details]
Patch

Rejecting attachment 390271 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'apply-attachment', '--no-update', '--non-interactive', 390271, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Logging in as commit-queue@webkit.org...
Fetching: https://bugs.webkit.org/attachment.cgi?id=390271&action=edit
Fetching: https://bugs.webkit.org/show_bug.cgi?id=207487&ctype=xml&excludefield=attachmentdata
Processing 1 patch from 1 bug.
Processing patch 390271 from bug 207487.
Fetching: https://bugs.webkit.org/attachment.cgi?id=390271
Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force', '--reviewer', u'Darin Adler']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

Parsed 5 diffs from patch file(s).
patching file Source/WebKit/ChangeLog
Hunk #1 succeeded at 1 with fuzz 3.
patching file Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
Hunk #1 succeeded at 422 (offset 1 line).
patching file LayoutTests/ChangeLog
Hunk #1 succeeded at 1 with fuzz 3.
patching file LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt
Hunk #1 FAILED at 17.
1 out of 1 hunk FAILED -- saving rejects to file LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt.rej
patching file LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html
Hunk #1 FAILED at 20.
1 out of 1 hunk FAILED -- saving rejects to file LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html.rej

Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force', '--reviewer', u'Darin Adler']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

Full output: https://webkit-queues.webkit.org/results/13321362
Comment 6 Brent Fulgham 2020-02-12 08:56:01 PST 
Looks like this didn't apply cleanly on the api-ios bot. Can you clean up and land manually?
Comment 7 Per Arne Vollan 2020-02-12 10:29:36 PST 
(In reply to Brent Fulgham from comment #6)
> Looks like this didn't apply cleanly on the api-ios bot. Can you clean up
> and land manually?

Will do!
Comment 8 Per Arne Vollan 2020-02-12 10:41:08 PST 
Committed r256450: <https://trac.webkit.org/changeset/256450/webkit>