Bug 225370 - [Cocoa] Remove access to the unused 'nvram' system command
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Brent Fulgham
Keywords: InRadar
Reported: 2021-05-04 16:05 PDT by Brent Fulgham
Modified: 2021-05-05 11:44 PDT



Attachments
Patch (5.51 KB, patch)
2021-05-04 16:07 PDT, Brent Fulgham

Description Brent Fulgham 2021-05-04 16:05:17 PDT
Deny access to 'nvram' in the WebKit sandboxes. No API surface interacts with this low-level feature, and other system sandboxes already deny it. It should not have been possible to reach nvram, but there's no reason to allow the sandbox to access it.

<rdar://problem/66583129>
Comment 1 Brent Fulgham 2021-05-04 16:07:49 PDT
Created attachment 427709
Patch
Comment 2 Brent Fulgham 2021-05-04 16:35:13 PDT
Confirmed proper function on iOS device and macOS. Waiting for EWS to show any other impact on downlevel platforms.
Comment 3 Per Arne Vollan 2021-05-05 10:02:15 PDT
Comment on attachment 427709
Patch

R=me.
Comment 4 EWS 2021-05-05 11:43:32 PDT
Committed r277032 (237345@main): <https://commits.webkit.org/237345@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427709.
Comment 5 Radar WebKit Bug Importer 2021-05-05 11:44:16 PDT
<rdar://problem/77567746>