Title: [253766] trunk
Revision: 253766
Author: bfulg...@apple.com
Date: 2019-12-19 10:33:11 -0800 (Thu, 19 Dec 2019)

Log Message

Deny mach lookup access to "com.apple.pluginkit.pkd" in the WebContent process
https://bugs.webkit.org/show_bug.cgi?id=205421
<rdar://problem/56995585>

Reviewed by Per Arne Vollan.

Source/WebKit:

Telemetry and thorough testing have confirmed that we do not need access to this
mach service, and so should remove it.

Tested by fast/sandbox/ios/sandbox-mach-lookup.html.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

LayoutTests:

* fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
* fast/sandbox/ios/sandbox-mach-lookup.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (253765 => 253766)


--- trunk/LayoutTests/ChangeLog	2019-12-19 18:31:03 UTC (rev 253765)
+++ trunk/LayoutTests/ChangeLog	2019-12-19 18:33:11 UTC (rev 253766)
@@ -1,3 +1,14 @@
+2019-12-19  Brent Fulgham  <bfulg...@apple.com>
+
+        Deny mach lookup access to "com.apple.pluginkit.pkd" in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=205421
+        <rdar://problem/56995585>
+
+        Reviewed by Per Arne Vollan.
+
+        * fast/sandbox/ios/sandbox-mach-lookup-expected.txt:
+        * fast/sandbox/ios/sandbox-mach-lookup.html:
+
 2019-12-19  Chris Dumez  <cdu...@apple.com>
 
         Unreviewed, address imported/w3c/web-platform-tests/css/css-properties-values-api/url-resolution.html flakiness

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt (253765 => 253766)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2019-12-19 18:31:03 UTC (rev 253765)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup-expected.txt	2019-12-19 18:33:11 UTC (rev 253766)
@@ -5,4 +5,5 @@
 
 PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.apple-extension-service") is false
 PASS internals.hasSandboxMachLookupAccessToXPCServiceName("com.apple.WebKit.WebContent", "com.apple.viewservice") is false
+PASS internals.hasSandboxMachLookupAccessToGlobalName("com.apple.WebKit.WebContent", "com.apple.pluginkit.pkd") is false
 

Modified: trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html (253765 => 253766)


--- trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2019-12-19 18:31:03 UTC (rev 253765)
+++ trunk/LayoutTests/fast/sandbox/ios/sandbox-mach-lookup.html	2019-12-19 18:33:11 UTC (rev 253766)
@@ -8,6 +8,7 @@
 if (window.internals) {
     shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.apple-extension-service\")");
     shouldBeFalse("internals.hasSandboxMachLookupAccessToXPCServiceName(\"com.apple.WebKit.WebContent\", \"com.apple.viewservice\")");
+    shouldBeFalse("internals.hasSandboxMachLookupAccessToGlobalName(\"com.apple.WebKit.WebContent\", \"com.apple.pluginkit.pkd\")");
 }
 </script>
 </head>
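
Review bot: every assertion in this block, including the added "com.apple.pluginkit.pkd" line, is a shouldBeFalse, so the test would still pass if the internals helper returned false for every name it is given. Consider adding one positive control inside the same `if (window.internals)` block, for example a shouldBeTrue on a global name the profile still allows (the .sb hunk keeps "com.apple.tccd" in the allow list), so that a false result is known to come from the sandbox rule and not from the helper.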

Modified: trunk/Source/WebKit/ChangeLog (253765 => 253766)


--- trunk/Source/WebKit/ChangeLog	2019-12-19 18:31:03 UTC (rev 253765)
+++ trunk/Source/WebKit/ChangeLog	2019-12-19 18:33:11 UTC (rev 253766)
@@ -1,5 +1,20 @@
 2019-12-19  Brent Fulgham  <bfulg...@apple.com>
 
+        Deny mach lookup access to "com.apple.pluginkit.pkd" in the WebContent process
+        https://bugs.webkit.org/show_bug.cgi?id=205421
+        <rdar://problem/56995585>
+
+        Reviewed by Per Arne Vollan.
+
+        Telemetry and thorough testing has confirmed that we do not need access to this
+        mach service, and so should remove it.
+
+        Tested by fast/sandbox/ios/sandbox-mach-lookup.html.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
+2019-12-19  Brent Fulgham  <bfulg...@apple.com>
+
         Remove syscall filtering from GPU Process sandbox 
         https://bugs.webkit.org/show_bug.cgi?id=205456
         <rdar://problem/58080834>
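
Review bot: the rationale on the "Telemetry and thorough testing" lines does not say what the telemetry showed, and the `* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:` entry has nothing after the colon. Suggest naming the rule that was dropped (the global-name entry for "com.apple.pluginkit.pkd" in the reported mach-lookup allow list) and stating the observation the decision rests on, so a later reader auditing the profile can tell why the removal was considered safe.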

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (253765 => 253766)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2019-12-19 18:31:03 UTC (rev 253765)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2019-12-19 18:33:11 UTC (rev 253766)
@@ -629,7 +629,6 @@
 (allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.aggregated")
     (global-name "com.apple.distributed_notifications@1v3")
-    (global-name "com.apple.pluginkit.pkd")
     (global-name "com.apple.tccd"))
 
 (allow ipc-posix-shm-read*
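
Review bot: the commit title says "Deny", but the `-` line only takes "com.apple.pluginkit.pkd" out of the `(allow mach-lookup (with report) (with telemetry)` list, so the denial depends on a default rule that is not visible in this hunk. Please confirm that a lookup of this name now falls through to a deny that is still logged: the report and telemetry modifiers belonged to the allow rule the name has left, and a code path the telemetry did not cover would otherwise fail without leaving a trace. The three names that remain in the list stay allowed with reporting, which looks intended.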
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes