Title: [271809] trunk/Source/WebKit
- Revision
- 271809
- Author
- pvol...@apple.com
- Date
- 2021-01-25 13:24:23 -0800 (Mon, 25 Jan 2021)
Log Message
[macOS] Restrict access to mds data
https://bugs.webkit.org/show_bug.cgi?id=220920
<rdar://70355552>
Reviewed by Brent Fulgham.
Only root should have write access.
* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (271808 => 271809)
--- trunk/Source/WebKit/ChangeLog 2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/ChangeLog 2021-01-25 21:24:23 UTC (rev 271809)
@@ -1,5 +1,20 @@
2021-01-25 Per Arne <pvol...@apple.com>
+ [macOS] Restrict access to mds data
+ https://bugs.webkit.org/show_bug.cgi?id=220920
+ <rdar://70355552>
+
+ Reviewed by Brent Fulgham.
+
+ Only root show have write access.
+
+ * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+2021-01-25 Per Arne <pvol...@apple.com>
+
[Cocoa] Adjust logic for creating sandbox extensions based on GPUP flags
https://bugs.webkit.org/show_bug.cgi?id=220917
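Review bot: the added ChangeLog line "Only root show have write access." has a typo and should read "Only root should have write access."; as written it does not state the intent of the (uid 0) filter introduced in the four sandbox profiles.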
Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (271808 => 271809)
--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-01-25 21:24:23 UTC (rev 271809)
@@ -703,7 +703,11 @@
(global-name "com.apple.SecurityServer")
(global-name "com.apple.ocspd"))
-(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+ (allow file-write*
+ (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
(allow file-read*
(subpath "/private/var/db/mds")
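Review bot: the FIXME about <rdar://problem/9538414> is now duplicated on the read rule and again on the new write rule in this hunk; one comment above the pair is enough, since both rules are expected to be removed together. Note also that file-read* on /private/var/db/mds/system stays allowed for every uid and only file-write* is gated by (uid 0), which is consistent with the stated intent but worth spelling out in the ChangeLog entry.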
Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (271808 => 271809)
--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2021-01-25 21:24:23 UTC (rev 271809)
@@ -332,7 +332,11 @@
(regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
(home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
-(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+ (allow file-write*
+ (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
(allow user-preference-read
(preference-domain
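Review bot: the new root-only write rule here omits the (with report) (with telemetry-backtrace) modifiers that the WebProcess profile attaches to the same file-write* rule in this patch; adding them to this profile (and to the GPU and WebAuthn ones) would produce the same telemetry on whether writes to /private/var/db/mds/system still happen, which is the evidence needed to drop this FIXME rule eventually.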
Modified: trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in (271808 => 271809)
--- trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in 2021-01-25 21:24:23 UTC (rev 271809)
@@ -357,7 +357,11 @@
(global-name "com.apple.SecurityServer")
(global-name "com.apple.ocspd"))
-(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+ (allow file-write*
+ (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
(allow file-read*
(subpath "/private/var/db/mds")
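Review bot: style point on the closing of the with-filter form: the bare `+)` on its own line does not match the surrounding profile, where multi-line rules close on their last line (for example `(global-name "com.apple.ocspd"))` two lines above). Folding the closing paren onto the subpath line, with the FIXME comment after it, keeps the profile consistent and avoids a stray line that is easy to misread as unbalanced.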
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (271808 => 271809)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-01-25 20:52:12 UTC (rev 271808)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-01-25 21:24:23 UTC (rev 271809)
@@ -1174,9 +1174,11 @@
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
-(allow file-write*
- (with report) (with telemetry-backtrace)
- (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(with-filter (uid 0)
+ (allow file-write*
+ (with report) (with telemetry-backtrace)
+ (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+)
#else
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
#endif
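Review bot: the (uid 0) restriction is applied only inside the `#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000` branch; the `#else` branch still carries `(allow file-read* file-write* (subpath "/private/var/db/mds/system"))` unconditionally, so builds targeting older macOS keep unrestricted write access to the mds system directory for every uid. If that is deliberate the ChangeLog should say so; otherwise the `#else` write should be wrapped in the same (with-filter (uid 0) ...) form used in the other branch.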
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes