230782 – Explicitly deny 'system-privilege' in the sandbox profile as a hardening measure

Bug 230782 - Explicitly deny 'system-privilege' in the sandbox profile as a hardening measure

Summary: Explicitly deny 'system-privilege' in the sandbox profile as a hardening measure

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Brent Fulgham

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-09-24 19:24 PDT by Brent Fulgham
Modified:	2021-09-28 12:15 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Patch (8.71 KB, patch) 2021-09-24 19:31 PDT, Brent Fulgham	no flags	Details \| Formatted Diff \| Diff
Patch (8.24 KB, patch) 2021-09-24 20:10 PDT, Brent Fulgham	no flags	Details \| Formatted Diff \| Diff
Patch (8.05 KB, patch) 2021-09-27 10:27 PDT, Brent Fulgham	no flags	Details \| Formatted Diff \| Diff
Patch for landing (8.05 KB, patch) 2021-09-28 11:29 PDT, Brent Fulgham	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brent Fulgham 2021-09-24 19:24:53 PDT

Although we do not need 'system-privilege', the default sandbox state includes it as a backwards-compatibility affordance.

Update our sandboxes to tell the kernel we don't need the support, except for the one case in the Networking process.

Comment 1 Brent Fulgham 2021-09-24 19:25:20 PDT

<rdar://problem/66582813>

Comment 2 Brent Fulgham 2021-09-24 19:31:35 PDT

Created attachment 439229 [details]
Patch

Comment 3 Brent Fulgham 2021-09-24 20:10:43 PDT

Created attachment 439231 [details]
Patch

Comment 4 Per Arne Vollan 2021-09-27 07:21:44 PDT

Comment on attachment 439231 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=439231&action=review

> Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

The telemetry-backtrace might need a guard here.

> Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

Ditto.

> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:27
> +(deny system-privilege (with telemetry-backtrace))

Ditto.

Comment 5 Brent Fulgham 2021-09-27 10:27:50 PDT

Created attachment 439367 [details]
Patch

Comment 6 Per Arne Vollan 2021-09-27 10:34:43 PDT

Comment on attachment 439367 [details]
Patch

Great! R=me.

Comment 7 EWS 2021-09-28 11:09:33 PDT

Tools/Scripts/svn-apply failed to apply attachment 439367 [details] to trunk.
Please resolve the conflicts and upload a new patch.

Comment 8 Brent Fulgham 2021-09-28 11:29:45 PDT

Created attachment 439498 [details]
Patch for landing

Comment 9 EWS 2021-09-28 12:15:09 PDT

Committed r283187 (242235@main): <https://commits.webkit.org/242235@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439498 [details].