Title: [285723] trunk/Source/WebKit
Revision
285723
Author
pvol...@apple.com
Date
2021-11-12 08:38:59 -0800 (Fri, 12 Nov 2021)

Log Message

[macOS][GPUP] Remove sandbox write access to files
https://bugs.webkit.org/show_bug.cgi?id=232247
<rdar://problem/84620023>

Reviewed by Brent Fulgham.

Based on telemetry, remove sandbox write access to files in the GPU process on macOS.

* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:

Diff

Modified: trunk/Source/WebKit/ChangeLog (285722 => 285723)


--- trunk/Source/WebKit/ChangeLog	2021-11-12 16:32:32 UTC (rev 285722)
+++ trunk/Source/WebKit/ChangeLog	2021-11-12 16:38:59 UTC (rev 285723)
@@ -1,5 +1,17 @@
 2021-11-12  Per Arne Vollan <pvol...@apple.com>
 
+        [macOS][GPUP] Remove sandbox write access to files
+        https://bugs.webkit.org/show_bug.cgi?id=232247
+        <rdar://problem/84620023>
+
+        Reviewed by Brent Fulgham.
+
+        Based on telemetry, remove sandbox write access to files in the GPU process on macOS.
+
+        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+
+2021-11-12  Per Arne Vollan <pvol...@apple.com>
+
         [iOS][GPU] Remove access to IOKit classes
         https://bugs.webkit.org/show_bug.cgi?id=232344
         <rdar://problem/84684751>
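Review bot: The per-file line `* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:` that closes the new entry has no description. The sandbox hunk in this revision removes three separate rules (writes to `/dev/null` and `/dev/zero`, `file-write-create` under `/cores/`, and the telemetry-tagged `/dev/dtracehelper` rule) while keeping `file-write-data` and `file-ioctl` on `/dev/dtracehelper`. Please list the removed rules and the retained one under the file line, because the summary "Remove sandbox write access to files" reads as if no file write access remains.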

Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (285722 => 285723)


--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-11-12 16:32:32 UTC (rev 285722)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-11-12 16:38:59 UTC (rev 285723)
@@ -74,21 +74,9 @@
     (literal "/dev/random")
     (literal "/private/etc/passwd"))
 
-(allow file-write-data (with telemetry)
-    (literal "/dev/null")
-    (literal "/dev/zero"))
-
-(allow file-read*
+(allow file-read* file-write-data file-ioctl
     (literal "/dev/dtracehelper"))
-(allow file-write-data
-       file-ioctl (with telemetry)
-    (literal "/dev/dtracehelper"))
 
-;;; Allow creation of core dumps.
-(allow file-write-create (with telemetry)
-    (require-all (prefix "/cores/")
-        (vnode-type REGULAR-FILE)))
-
 ;;; Allow IPC to standard system agents.
 (allow ipc-posix-shm-read* (with telemetry)
 #if !ENABLE(CFPREFS_DIRECT_MODE)
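Review bot: The merged rule `(allow file-read* file-write-data file-ioctl` for `/dev/dtracehelper` keeps write and ioctl access and drops the `(with telemetry)` modifier that the removed rule carried, so use of that path is no longer reported by this rule. If the telemetry showed the access is needed, a short comment above the rule saying so would explain why it survives a change titled as removing write access; if it did not, the rule could be reduced to `file-read*`. Separately, deleting the `/cores/` `file-write-create` rule removes the only rule in this hunk that the profile comment described as allowing core dumps, so please confirm that losing GPU process core dumps is intended and mention it in the ChangeLog.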