WebKit Bugzilla
Bug 230782 (RESOLVED FIXED): Explicitly deny 'system-privilege' in the sandbox profile as a hardening measure
https://bugs.webkit.org/show_bug.cgi?id=230782

Reported by Brent Fulgham, 2021-09-24 19:24:53 PDT:
Although we do not need 'system-privilege', the default sandbox state includes it as a backwards-compatibility affordance. Update our sandboxes to tell the kernel we don't need the support, except for the one case in the Networking process.
Attachments:
  Patch (8.71 KB, patch), 2021-09-24 19:31 PDT, Brent Fulgham, no flags
  Patch (8.24 KB, patch), 2021-09-24 20:10 PDT, Brent Fulgham, no flags
  Patch (8.05 KB, patch), 2021-09-27 10:27 PDT, Brent Fulgham, no flags
  Patch for landing (8.05 KB, patch), 2021-09-28 11:29 PDT, Brent Fulgham, no flags
Comment 1, Brent Fulgham, 2021-09-24 19:25:20 PDT
<rdar://problem/66582813>
Comment 2, Brent Fulgham, 2021-09-24 19:31:35 PDT
Created attachment 439229 [details]: Patch
Comment 3, Brent Fulgham, 2021-09-24 20:10:43 PDT
Created attachment 439231 [details]: Patch
Comment 4, Per Arne Vollan, 2021-09-27 07:21:44 PDT
Comment on attachment 439231 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=439231&action=review

> Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

The telemetry-backtrace might need a guard here.

> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

Ditto.

> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

Ditto.
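As an added example (not WebKit code), a small audit script that parses SBPL-style sandbox profiles and reports which ones lack the explicit `(deny system-privilege ...)` rule this patch adds, the point being that `(deny default)` alone does not cover it because the kernel default still includes the privilege. The profile text is constructed, and the `.sb.in` preprocessing step is ignored.

```python
import re

# Constructed sample profiles, not WebKit's real .sb.in files. The first mirrors
# the rule quoted in review; the second relies on the kernel default alone.
HARDENED = """
(deny default)
(deny system-privilege (with telemetry-backtrace))  ; explicit opt-out
(allow file-read* (literal "/usr/lib/libSystem.B.dylib"))
"""
UNHARDENED = """
(deny default)
(allow file-read* (literal "/usr/lib/libSystem.B.dylib"))
"""

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse_sbpl(text):
    """Parse SBPL (Scheme-like s-expressions) into nested lists; ';' starts a comment."""
    code = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    stack = [[]]
    for tok in TOKEN.findall(code):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]

def system_privilege_rule(forms):
    """(action, modifiers) of the top-level rule naming system-privilege, else None."""
    for f in forms:
        if isinstance(f, list) and len(f) >= 2 and f[0] in ("allow", "deny") \
                and f[1] == "system-privilege":
            mods = [m[1] for m in f[2:] if isinstance(m, list) and len(m) == 2 and m[0] == "with"]
            return f[0], mods
    return None

def audit(profiles):
    """Flag every profile that does not explicitly deny system-privilege."""
    findings = {}
    for name, text in profiles.items():
        rule = system_privilege_rule(parse_sbpl(text))
        findings[name] = "denied" if rule and rule[0] == "deny" else "NOT denied (kernel default applies)"
    return findings
```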
Comment 5, Brent Fulgham, 2021-09-27 10:27:50 PDT
Created attachment 439367 [details]: Patch
Comment 6, Per Arne Vollan, 2021-09-27 10:34:43 PDT
Comment on attachment 439367 [details]: Patch
Great! R=me.
Comment 7, EWS, 2021-09-28 11:09:33 PDT
Tools/Scripts/svn-apply failed to apply attachment 439367 [details] to trunk. Please resolve the conflicts and upload a new patch.
Comment 8, Brent Fulgham, 2021-09-28 11:29:45 PDT
Created attachment 439498 [details]: Patch for landing
Comment 9, EWS, 2021-09-28 12:15:09 PDT
Committed r283187 (242235@main): <https://commits.webkit.org/242235@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 439498 [details].