Title: [271809] trunk/Source/WebKit
Revision: 271809
Author: pvol...@apple.com
Date: 2021-01-25 13:24:23 -0800 (Mon, 25 Jan 2021)

Log Message

[macOS] Restrict access to mds data
https://bugs.webkit.org/show_bug.cgi?id=220920
<rdar://70355552>

Reviewed by Brent Fulgham.

Only root should have write access.

* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

Diff

Modified: trunk/Source/WebKit/ChangeLog (271808 => 271809)


--- trunk/Source/WebKit/ChangeLog	2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/ChangeLog	2021-01-25 21:24:23 UTC (rev 271809)
@@ -1,5 +1,20 @@
 2021-01-25  Per Arne  <pvol...@apple.com>
 
+        [macOS] Restrict access to mds data
+        https://bugs.webkit.org/show_bug.cgi?id=220920
+        <rdar://70355552>
+
+        Reviewed by Brent Fulgham.
+
+        Only root show have write access.
+
+        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
+2021-01-25  Per Arne  <pvol...@apple.com>
+
         [Cocoa] Adjust logic for creating sandbox extensions based on GPUP flags
         https://bugs.webkit.org/show_bug.cgi?id=220917
 
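Review bot: The added ChangeLog description line reads "Only root show have write access."; "show" should be "should". The four per-file entries under it are also left empty, so the entry never records that the unfiltered file-write* rule on /private/var/db/mds/system was replaced by one wrapped in (with-filter (uid 0)). One sentence in the description, or a short note per file, would make the entry self-explanatory.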

Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (271808 => 271809)


--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2021-01-25 21:24:23 UTC (rev 271809)
@@ -703,7 +703,11 @@
     (global-name "com.apple.SecurityServer")
     (global-name "com.apple.ocspd"))
 
-(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+    (allow file-write*
+        (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
 
 (allow file-read*
        (subpath "/private/var/db/mds")
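Review bot: The standalone read rule added on (subpath "/private/var/db/mds/system") looks redundant, because the context lines right after the hunk open a file-read* rule on (subpath "/private/var/db/mds"), which is a parent of that path. If that following rule is unconditional, consider dropping the added file-read* line and keeping only the uid-0-filtered write rule, which would also remove one of the two copies of the FIXME comment.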

Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (271808 => 271809)


--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in	2021-01-25 21:24:23 UTC (rev 271809)
@@ -332,7 +332,11 @@
     (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
     (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
 
-(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+    (allow file-write*
+        (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
 
 (allow user-preference-read
     (preference-domain
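Review bot: The uid-0 write rule added here carries no (with report) or (with telemetry-backtrace) modifiers, while the equivalent rule in the WebProcess profile in this same revision does. Without them there is no signal on whether the Network process ever writes to this path as root, which is the data needed to act on the FIXME and delete the rule. Consider adding the same modifiers here, or stating in the ChangeLog why they are not wanted.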

Modified: trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in (271808 => 271809)


--- trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in	2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in	2021-01-25 21:24:23 UTC (rev 271809)
@@ -357,7 +357,11 @@
     (global-name "com.apple.SecurityServer")
     (global-name "com.apple.ocspd"))
 
-(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+    (allow file-write*
+        (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
 
 (allow file-read*
        (subpath "/private/var/db/mds")
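Review bot: The FIXME comment is now attached to both the read rule and the nested write rule, and neither copy says what <rdar://problem/9538414> has to change before the rules can be removed. Suggest a single comment above the pair that states the removal condition, and a note on whether the WebAuthn process is ever expected to run with uid 0; if it is not, the filtered write rule can simply be deleted here.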

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (271808 => 271809)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-01-25 21:24:23 UTC (rev 271809)
@@ -1174,9 +1174,11 @@
 
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
 (allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
-(allow file-write*
-    (with report) (with telemetry-backtrace)
-    (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+    (allow file-write*
+        (with report) (with telemetry-backtrace)
+        (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
 #else
 (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
 #endif
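Review bot: The #else branch in the trailing context still grants unfiltered file-read* file-write* on (subpath "/private/var/db/mds/system"), so for builds where __MAC_OS_X_VERSION_MIN_REQUIRED is below 110000 the WebContent process keeps write access for every uid. The other three profiles in this revision apply (with-filter (uid 0)) with no version guard, so either apply the same filter in the #else branch or add a comment explaining why the older deployment targets have to stay unrestricted.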