Title: [291433] trunk/Source/WebKit
Revision
291433
Author
commit-qu...@webkit.org
Date
2022-03-17 13:14:28 -0700 (Thu, 17 Mar 2022)

Log Message

Removed telemetry from Networking.sb
https://bugs.webkit.org/show_bug.cgi?id=238026

Patch by Adam Mazander <mazan...@apple.com> on 2022-03-17
Reviewed by Per Arne Vollan.

* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (291432 => 291433)


--- trunk/Source/WebKit/ChangeLog	2022-03-17 20:12:49 UTC (rev 291432)
+++ trunk/Source/WebKit/ChangeLog	2022-03-17 20:14:28 UTC (rev 291433)
@@ -1,3 +1,12 @@
+2022-03-17  Adam Mazander  <mazan...@apple.com>
+
+        Removed telemetry from Networking.sb
+        https://bugs.webkit.org/show_bug.cgi?id=238026
+
+        Reviewed by Per Arne Vollan.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+
 2022-03-17  Antoine Quint  <grao...@webkit.org>
 
         [model] loading spinner doesn't show on iOS

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (291432 => 291433)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2022-03-17 20:12:49 UTC (rev 291432)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2022-03-17 20:14:28 UTC (rev 291433)
@@ -43,7 +43,7 @@
 (import "util.sb")
 
 (define-once (allow-read-and-issue-generic-extensions . filters)
-    (allow file-read* (with telemetry)
+    (allow file-read*
            (apply require-any filters))
     (allow file-issue-extension
         (require-all
@@ -52,7 +52,7 @@
             (apply require-any filters))))
 
 (define-once (allow-read-write-and-issue-generic-extensions . filters)
-    (allow file-read* file-write* (with telemetry)
+    (allow file-read* file-write* 
            (apply require-any filters))
     (allow file-read-metadata
            (apply require-any filters))
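Review bot: The new `(allow file-read* file-write* ` line keeps the space that preceded the removed modifier, so it ends in trailing whitespace. The same leftover recurs in most later hunks, including doubled spaces in `(allow file-read*  (literal ...` and `(allow file-map-executable  (executable-bundle))`, and stray gaps in `(deny sysctl* )` and `(allow mach-message-send (with report) ))))`. Stripping them, e.g. `(deny sysctl*)` and `(allow mach-message-send (with report)))))`, keeps future diffs of this profile limited to real policy changes, which makes sandbox audits easier. The body of this definition continues outside the hunk.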
@@ -79,15 +79,15 @@
            (literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist"))
 
     ;; <rdar://problem/13679154>
-    (deny file-read* (with telemetry)
+    (deny file-read* 
            (literal "/private/var/preferences/com.apple.NetworkStatistics.plist"))
 
     ;; <rdar://problem/15711661>
-    (allow mach-lookup (with telemetry)
+    (allow mach-lookup 
            (global-name "com.apple.nesessionmanager"))
 
     ;; <rdar://problem/7693463>
-    (deny system-socket (with telemetry) (socket-domain AF_ROUTE))
+    (deny system-socket (socket-domain AF_ROUTE))
 
     (if gizmo?
         (with-filter
@@ -100,7 +100,7 @@
             (allow network-outbound (literal "/private/var/run/mDNSResponder"))
             (allow mach-lookup (global-name "com.apple.dnssd.service")))) ;; <rdar://problem/55562091>
 
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.SystemConfiguration.helper")
            (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
            (global-name "com.apple.SystemConfiguration.DNSConfiguration")
@@ -107,33 +107,33 @@
            (global-name "com.apple.SystemConfiguration.PPPController"))
     ;; <rdar://problem/10962803>
     ;; <rdar://problem/13238730>
-    (allow mach-lookup (with telemetry)
+    (allow mach-lookup 
            (global-name "com.apple.SystemConfiguration.configd")
            (global-name "com.apple.SystemConfiguration.NetworkInformation"))
 
     ;; <rdar://problem/11792470>
     ;; <rdar://problem/13305819>
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.commcenter.xpc")
            (global-name "com.apple.commcenter.cupolicy.xpc"))
 
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.securityd")
            (global-name "com.apple.symptomsd"))
     (allow mach-lookup
            (global-name "com.apple.trustd"))
-    (deny file-read* (with telemetry)
+    (deny file-read* 
            (literal "/private/var/preferences/com.apple.security.plist"))
 
     ;; <rdar://problem/13301795>
-    (allow mach-lookup (with telemetry)
+    (allow mach-lookup 
            (global-name "com.apple.usymptomsd")
            (global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772>
 
     (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
-           (allow file-read* (with telemetry) (literal "/private/var/preferences/com.apple.networkextension.plist")))
+           (allow file-read*  (literal "/private/var/preferences/com.apple.networkextension.plist")))
 
-    (allow file-read* (with telemetry)
+    (allow file-read* 
         (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist")
         (prefix "/private/var/db/com.apple.networkextension.")
     )
@@ -140,7 +140,7 @@
 
     (allow mach-lookup
            (global-name "com.apple.AppSSO.service-xpc"))
-    (deny ipc-posix-shm-read-data (with telemetry)
+    (deny ipc-posix-shm-read-data 
            (ipc-posix-name "/com.apple.AppSSO.version"))
 
     ;; <rdar://problem/30452093>
@@ -150,7 +150,7 @@
     (allow-network-common)
 
     ;; <rdar://problem/9193431>
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.networkd"))
 
     ;; <rdar://problem/20094008>
@@ -161,16 +161,16 @@
                    (require-entitlement "com.apple.networkd.modify_settings")
                    (require-entitlement "com.apple.networkd.persistent_interface")
                    (require-entitlement "com.apple.networkd_privileged"))
-        (deny mach-lookup (with telemetry)
+        (deny mach-lookup 
                (global-name "com.apple.networkd_privileged")))
 
     ;; <rdar://problem/20201593>
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
         (global-name "com.apple.ak.anisette.xpc")
         (global-name "com.apple.ak.auth.xpc"))
 
     ;; <rdar://problem/15897781>
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.nsurlsessiond"))
     (allow file-issue-extension
         (require-all
@@ -184,7 +184,7 @@
             (global-name "com.apple.sharingd.NSURLSessionProxyService")))
 
     ;; <rdar://problem/15608009>
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.nsurlstorage-cache"))
 
     ;; <rdar://86781432>
@@ -191,7 +191,7 @@
     (allow mach-lookup
            (global-name "com.apple.cfnetwork.AuthBrokerAgent"))
     ;; <rdar://problem/10423007>
-    (allow mach-lookup (with telemetry)
+    (allow mach-lookup 
            (global-name "com.apple.cfnetwork.cfnetworkagent"))
 
     ;; <rdar://problem/12620714>
@@ -198,7 +198,7 @@
     (deny file-write-create (with no-report)
           (home-prefix "/Library/Logs/CrashReporter/CFNetwork_"))
 
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.cookied"))
 
     ;; <rdar://problem/17910466>
@@ -226,12 +226,12 @@
     (mobile-preferences-read "com.apple.CFNetwork")
 
     (if (null? filters)
-        (allow network-outbound (with telemetry))
+        (allow network-outbound)
     ; else
-        (allow network-outbound (with telemetry) (apply require-any filters))))
+        (allow network-outbound (apply require-any filters))))
 
 (define-once (multipath-tcp)
-    (allow system-socket (with telemetry) (socket-domain 39)))
+    (allow system-socket (socket-domain 39)))
 
 (define-once (managed-configuration-read-public)
     (allow file-read*
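Review bot: The rewritten rule in `multipath-tcp` still identifies the socket domain by the bare number `39`, while the `AF_ROUTE` rule elsewhere in this profile uses a symbolic name. Since the line is being touched anyway, a short comment would let a reader audit what is being allowed without looking up the constant, e.g. `;; 39 is presumably AF_MULTIPATH; confirm against sys/socket.h`. No rule change is needed for this.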
@@ -238,11 +238,11 @@
            (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
            (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
            (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))
-    (deny mach-lookup (with telemetry)
+    (deny mach-lookup 
            (global-name "com.apple.managedconfiguration.profiled.public")))
 
 (define-once (allow-preferences-common)
-    (allow file-read-metadata (with telemetry)
+    (allow file-read-metadata 
            (home-literal "")
            (home-literal "/Library/Preferences")))
 
@@ -251,7 +251,7 @@
     (for-each (lambda (domain)
         (begin
             (allow user-preference-read (preference-domain domain))
-            (allow file-read* (with telemetry)
+            (allow file-read* 
                 (home-literal (string-append "/Library/Preferences/" domain ".plist")))))
         domains))
 
@@ -310,7 +310,6 @@
 (define-once (allow-multi-instance-xpc-services)
     ;; <rdar://problem/46716068>
     (deny mach-lookup
-           (with telemetry)
            (with message "Create a radar and set it as a blocker to rdar://problem/48527566")
            (xpc-service-name "com.apple.WebKit.Networking"
                              "com.apple.WebKit.WebContent")
@@ -318,7 +317,7 @@
 
 (deny file-map-executable)
 (deny file-write-mount file-write-unmount)
-(allow file-read-metadata (with telemetry)
+(allow file-read-metadata 
     (vnode-type DIRECTORY))
 
 (with-elevated-precedence
@@ -337,7 +336,7 @@
         (subpath "/System/Library")
         (subpath "/usr/lib"))
 
-    (allow file-read-metadata (with telemetry)
+    (allow file-read-metadata 
         (vnode-type SYMLINK))
 
     (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
@@ -349,11 +348,11 @@
            (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
     (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
 
-    (deny file-read-metadata (with telemetry)
+    (deny file-read-metadata 
         (home-literal "/Library/Caches/powerlog.launchd"))
 
     (allow-read-and-issue-generic-extensions (executable-bundle))
-    (allow file-map-executable (with telemetry) (executable-bundle))
+    (allow file-map-executable  (executable-bundle))
 
     (deny file-read-data file-issue-extension file-map-executable
         (require-all
@@ -361,10 +360,10 @@
             (regex #"/[^/]+/SC_Info/")))
 
     (with-filter (global-name-prefix "")
-        (deny mach-lookup (with telemetry)
+        (deny mach-lookup 
                (extension "com.apple.security.exception.mach-lookup.global-name")))
     (with-filter (local-name-prefix "")
-        (deny mach-lookup (with telemetry)
+        (deny mach-lookup 
                (extension "com.apple.security.exception.mach-lookup.local-name"))
     )
     (allow managed-preference-read
@@ -386,7 +385,7 @@
 
     (with-filter (require-entitlement "com.apple.security.exception.process-info")
         (allow process-info-pidinfo process-info-pidfdinfo process-info-pidfileportinfo process-info-rusage process-info-codesignature)
-        (allow sysctl-read (with telemetry)
+        (allow sysctl-read 
                (sysctl-name-prefix "kern.proc.")
                (sysctl-name-prefix "kern.procargs2."))))
 
@@ -397,7 +396,7 @@
 (allow file-read*
     required-etc-files)
 
-(allow file-read* (with telemetry) (with message "Allowing read access to root")
+(allow file-read* (with message "Allowing read access to root")
     (literal "/"))
 
 (allow mach-lookup
@@ -404,7 +403,7 @@
     (global-name "com.apple.logd")
     (global-name "com.apple.logd.events"))
 
-(allow mach-lookup (with telemetry)
+(allow mach-lookup 
     (global-name "com.apple.runningboard")) ;; Needed by process assertion code (ProcessTaskStateObserver).
 
 (allow-multi-instance-xpc-services)
@@ -419,7 +418,7 @@
            (sysctl-name "vm.footprint_suspend")))
 
 ;; Needed by WebKit LOG macros and ASL logging.
-(deny file-read-metadata (with telemetry)
+(deny file-read-metadata 
        (literal "/private/var/run/syslog"))
 
 ;; ObjC map_images needs to send logging data to syslog. <rdar://problem/39778918>
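Review bot: The comment `;; Needed by WebKit LOG macros and ASL logging.` now sits above a plain `deny` of `/private/var/run/syslog`, so it says the opposite of what the rule enforces. The telemetry modifier was presumably there to confirm the denial was harmless; with it gone the deny reads as permanent and the comment should say so, e.g. `;; Formerly needed by WebKit LOG macros and ASL logging; now denied.` The same mismatch appears in the IOKit hunk, where `;; Needed by PowerObserver` annotates `(deny iokit-open ...)`.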
@@ -434,12 +433,12 @@
 (allow ipc-posix-shm-read*
     (ipc-posix-name "apple.shm.notification_center")) ;; Needed by os_log_create
 
-(deny mach-lookup (with telemetry)
+(deny mach-lookup 
     (global-name "com.apple.distributed_notifications@1v3"))
 
 (managed-configuration-read-public)
 
-(deny mach-lookup (with telemetry)
+(deny mach-lookup 
     (global-name "com.apple.ctkd.token-client"))
 
 (deny system-info (with no-report)
@@ -450,7 +449,7 @@
 
 (allow mach-task-name (target self))
 
-(deny process-info* (with telemetry))
+(deny process-info*)
 (allow process-info-pidinfo)
 (allow process-info-pidfdinfo (target self))
 (allow process-info-pidfileportinfo (target self))
@@ -463,11 +462,11 @@
 ;;; End rules originally copied from 'common.sb'
 ;;;
 
-(deny mach-lookup (with telemetry) (xpc-service-name-prefix ""))
+(deny mach-lookup (xpc-service-name-prefix ""))
 
 (deny lsopen)
 
-(deny sysctl* (with telemetry))
+(deny sysctl* )
 (allow sysctl-read
     (sysctl-name
         "hw.activecpu"
@@ -496,8 +495,8 @@
     (extension-class "com.apple.nsurlstorage.extension-cache")))
 
 ;; App sandbox extensions
-(allow file-read* file-write* (with telemetry) (extension "com.apple.app-sandbox.read-write"))
-(allow file-read* (with telemetry) (extension "com.apple.app-sandbox.read"))
+(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
+(allow file-read* (extension "com.apple.app-sandbox.read"))
 
 ;; FIXME: <rdar://problem/17909681> SSO expects to be able to walk the parent
 ;; bundle to find Info plists, so we jump through a few hoops here to provide
@@ -504,12 +503,12 @@
 ;; enough access to make it possible.
 
 ;; IOKit user clients
-(deny iokit-open (with telemetry)
+(deny iokit-open 
        (iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver
 )
 
 ;; Various services required by CFNetwork and other frameworks
-(deny mach-lookup (with telemetry)
+(deny mach-lookup 
        (global-name "com.apple.PowerManagement.control"))
 
 (network-client (remote tcp) (remote udp))
@@ -523,7 +522,7 @@
 )
 
 ;; Security framework
-(deny mach-lookup (with telemetry)
+(deny mach-lookup
     (global-name "com.apple.ocspd")
     (global-name "com.apple.securityd"))
 
@@ -532,11 +531,11 @@
     (global-name "com.apple.passd.in-app-payment")
     (global-name "com.apple.passd.library"))
 
-(deny mach-lookup (with telemetry)
+(deny mach-lookup 
     (global-name "com.apple.FileCoordination")
     (global-name "com.apple.dmd.policy"))
 
-(allow mach-lookup (with telemetry)
+(allow mach-lookup 
     (global-name "com.apple.siri.context.service")
     (global-name "com.apple.ctcategories.service"))
 
@@ -544,7 +543,7 @@
       (vnode-type SYMLINK))
 
 ;; FIXME should be removed when <rdar://problem/30498072> is fixed.
-(allow network* (with telemetry)
+(allow network* 
     (local udp)
     (remote udp)
     (local tcp)
@@ -555,7 +554,7 @@
       (remote tcp "localhost:62078"))
 
 ;; Various services required by system frameworks
-(allow mach-lookup (with telemetry)
+(allow mach-lookup 
     (global-name "com.apple.lsd.mapdb"))
 
 (with-filter (system-attribute apple-internal)
@@ -569,11 +568,11 @@
     (global-name "com.apple.ProgressReporting"))
 
  ;; <rdar://problem/47598758>
-(allow mach-lookup (with telemetry)
+(allow mach-lookup 
     (global-name "com.apple.nesessionmanager.content-filter"))
 
 ;; Access to ContainerManager
-(allow mach-lookup (with telemetry)
+(allow mach-lookup 
     (global-name "com.apple.containermanagerd"))
 (allow ipc-posix-sem-open
     (ipc-posix-name "containermanagerd.fb_check"))
@@ -582,7 +581,7 @@
     (literal "/dev/urandom"))
 
 (if (system-attribute apple-internal)
-    (allow file-read* file-write-data file-ioctl (with telemetry)
+    (allow file-read* file-write-data file-ioctl 
         (literal "/dev/dtracehelper"))
 ; else
     (deny (with no-log) file-read* file-write-data file-ioctl
@@ -592,7 +591,7 @@
 (allow mach-lookup (with telemetry) (global-name "com.apple.webkit.adattributiond.service"))
 
 ;; Access to MobileGestalt
-(deny mach-lookup (with telemetry)
+(deny mach-lookup 
     (global-name "com.apple.mobilegestalt.xpc"))
 (allow file-read*
     (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
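Review bot: The context line `(allow mach-lookup (with telemetry) (global-name "com.apple.webkit.adattributiond.service"))` at the top of this hunk still carries the modifier, although the log message says telemetry was removed from the profile. If that rule is meant to stay instrumented, a comment such as `;; Telemetry kept intentionally: <reason>` would document the exception. Otherwise it should be changed to `(allow mach-lookup (global-name "com.apple.webkit.adattributiond.service"))` in this commit.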
@@ -604,7 +603,7 @@
     (global-name "com.apple.tccd"))
 
 (when (defined? 'syscall-unix)
-    (allow syscall-unix (with telemetry))
+    (allow syscall-unix)
     (allow syscall-unix (syscall-number
         SYS___channel_get_info
         SYS___channel_open
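Review bot: The blanket `(allow syscall-unix)` is now left with no reporting modifier, whereas the matching `(allow syscall-mach (with report))` and `(allow mach-message-send (with report) )` rules later in the file keep theirs. With the modifier gone, nothing visible in this hunk separates the blanket allow from the enumerated `syscall-number` list that follows, so syscalls outside the list would presumably be allowed without any record. Either give the rule the same treatment as the Mach one, `(allow syscall-unix (with report))`, or add a comment explaining why the unrestricted allow stays and what the list is for. The `when` block continues outside the hunk.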
@@ -748,7 +747,7 @@
     (allow syscall-unix (syscall-number SYS__map_with_linking_np)))
 
 (when (defined? 'syscall-mach)
-    (allow syscall-mach (with report) (with telemetry))
+    (allow syscall-mach (with report))
     (allow syscall-mach
         (machtrap-number
             MSC__kernelrpc_mach_port_allocate_trap
@@ -788,4 +787,4 @@
 (when (defined? 'mach-kernel-endpoint)
     (allow mach-kernel-endpoint
         (apply-message-filter
-            (allow mach-message-send (with report) (with telemetry)))))
+            (allow mach-message-send (with report) ))))