Title: [224878] trunk/Source/WebKit
Revision
224878
Author
bfulg...@apple.com
Date
2017-11-15 08:59:52 -0800 (Wed, 15 Nov 2017)

Log Message

Remove access to "com.apple.pbs.fetch_services" from WebContent sandbox
https://bugs.webkit.org/show_bug.cgi?id=179689
<rdar://problem/35369172>

Reviewed by Per Arne Vollan.

WebKit's WebContent process should not have any need to interact with the fetch_services
API exposed to the system. These interactions (if needed) should be happening in the UIProcess,
so we should prevent the untrusted Web Content Process from being able to connect.

* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (224877 => 224878)


--- trunk/Source/WebKit/ChangeLog	2017-11-15 16:56:55 UTC (rev 224877)
+++ trunk/Source/WebKit/ChangeLog	2017-11-15 16:59:52 UTC (rev 224878)
@@ -1,3 +1,17 @@
+2017-11-14  Brent Fulgham  <bfulg...@apple.com>
+
+        Remove access to "com.apple.pbs.fetch_services" from WebContent sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=179689
+        <rdar://problem/35369172>
+
+        Reviewed by Per Arne Vollan.
+
+        WebKit's WebContent process should not have any need to interact with the fetch_services
+        API exposed to the system. These interactions (if needed) should be happening in the UIProcess,
+        so we should prevent the untrusted Web Content Process from being able to connect.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2017-11-15  Michael Catanzaro  <mcatanz...@igalia.com>
 
         Remove GTK web inspector images
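Review bot: The per-file line "* WebProcess/com.apple.WebProcess.sb.in:" in the new entry carries no description, so the ChangeLog does not record what changed in the profile. Please state there that the mach-lookup allow rule for the global name "com.apple.pbs.fetch_services" was removed. The entry is also dated 2017-11-14 but sits above a 2017-11-15 entry and was committed on 2017-11-15; consider updating the date to match. The rationale says the WebContent process "should not have any need" for the service, and a short line on how that was verified (for example, which tests or browsing scenarios were run with the rule gone) would help anyone who later investigates a regression.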

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (224877 => 224878)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2017-11-15 16:56:55 UTC (rev 224877)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2017-11-15 16:59:52 UTC (rev 224878)
@@ -653,9 +653,6 @@
        (literal "/private/var/run/mDNSResponder")
        (remote tcp))
 
-(allow mach-lookup
-       (global-name "com.apple.pbs.fetch_services"))
-
 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
 ;; CFNetwork
 (allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
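Review bot: The deleted rule at old lines 656-657 sits above the "#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300" guard, so the removal applies to every macOS version this profile is built for, not only 10.13 and later. Please confirm that nothing in the WebContent process still looks up "com.apple.pbs.fetch_services" on the older targets, and note in the commit message how that was checked (for example, by watching for sandbox violation reports naming this service while running the layout tests). The log says any needed interactions "should be happening in the UIProcess", but this diff changes only the WebContent profile. If a caller does exist in the WebContent process, it will now fail at lookup time, so either point to where the UIProcess already handles this or state that no caller was found.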
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
