Bug 233129 - [iOS] Block access to unused resources in the Networking process' sandbox
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Per Arne Vollan
Keywords: InRadar
Reported: 2021-11-15 07:48 PST by Per Arne Vollan
Modified: 2021-11-18 12:55 PST

Attachments
Patch (11.34 KB, patch)
2021-11-15 07:53 PST, Per Arne Vollan
no flags
Patch (18.03 KB, patch)
2021-11-15 09:10 PST, Per Arne Vollan
no flags
Patch (22.69 KB, patch)
2021-11-15 11:23 PST, Per Arne Vollan
bfulgham: review+
Patch (22.85 KB, patch)
2021-11-18 07:28 PST, Per Arne Vollan
no flags
Patch (1.44 KB, patch)
2021-11-18 11:53 PST, Per Arne Vollan
no flags

Description Per Arne Vollan 2021-11-15 07:48:29 PST
Based on telemetry, block access to unused resources in the Networking process' sandbox on iOS.
Comment 1 Radar WebKit Bug Importer 2021-11-15 07:51:32 PST
<rdar://problem/85411927>
Comment 2 Per Arne Vollan 2021-11-15 07:53:26 PST
Created attachment 444254
Patch
Comment 3 Per Arne Vollan 2021-11-15 09:10:19 PST
Created attachment 444263
Patch
Comment 4 Per Arne Vollan 2021-11-15 11:23:51 PST
Created attachment 444280
Patch
Comment 5 Brent Fulgham 2021-11-17 13:05:29 PST
Comment on attachment 444280
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=444280&action=review

r=me

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:128
> +           (global-name "com.apple.symptomsd"))

Might be tidier to include this in the deny/with-telemetry on line 121.

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:175
>             (global-name "com.apple.nsurlsessiond"))

It's shocking to me that this isn't needed!

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:338
>          (subpath "/private/var/preferences/Logging"))

Could this be combined with the set on line 325 above (along with /private/var/db/timezone?)
Comment 6 Per Arne Vollan 2021-11-18 07:28:23 PST
Created attachment 444672
Patch
Comment 7 Per Arne Vollan 2021-11-18 07:33:16 PST
(In reply to Brent Fulgham from comment #5)
> Comment on attachment 444280
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=444280&action=review
> 
> r=me
> 
> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:128
> > +           (global-name "com.apple.symptomsd"))
> 
> Might be tidier to include this in the deny/with-telemetry on line 121.
> 

Fixed.

> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:175
> >             (global-name "com.apple.nsurlsessiond"))
> 
> It's shocking to me that this isn't needed!
> 

Yes, I agree, this is surprising. Telemetry and local testing suggest that the mach service is unused and can be denied. We still have telemetry enabled in the sandbox.

> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:338
> >          (subpath "/private/var/preferences/Logging"))
> 
> Could this be combined with the set on line 325 above (along with
> /private/var/db/timezone?)

Done.

Thanks for reviewing!
Comment 8 EWS 2021-11-18 07:56:44 PST
Committed r286004 (244401@main): <https://commits.webkit.org/244401@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444672.
Comment 9 Per Arne Vollan 2021-11-18 11:53:24 PST
Reopening to attach new patch.
Comment 10 Per Arne Vollan 2021-11-18 11:53:25 PST
Created attachment 444711
Patch
Comment 11 EWS 2021-11-18 12:55:03 PST
Committed r286022 (244411@main): <https://commits.webkit.org/244411@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444711.