Skip to content

GitLab

T
tangled
Commit 00942501 authored by Anders Hartvoll Ruud's avatar Anders Hartvoll Ruud Committed by Commit Bot
Browse files
Options

Revert "macOS V2 Sandbox: Leverage additional enforcement options." 

This reverts commit 2a121e9f.

Reason for revert: Suspected culprit of 957483.

Original change's description:
> macOS V2 Sandbox: Leverage additional enforcement options.
> 
> This enforces additional restrictions, such as iokit-get-properties and
> process-info, that the default policy allows.
> 
> Bug: 799149
> Change-Id: If2b53df37c78fad2dee7aefb2e7b17d189c6618a
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1586200
> Reviewed-by: Robert Sesek <rsesek@chromium.org>
> Commit-Queue: Greg Kerr <kerrnel@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#654630}

TBR=kerrnel@chromium.org,rsesek@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 799149,957483
Change-Id: I091862c2dff370ed7e0ee39b52b46cb4d2a47c16
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1585896Reviewed-by: default avatarAnders Hartvoll Ruud <andruud@chromium.org>
Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
Cr-Commit-Position: refs/heads/master@{#654802}
parent 73ee0b88
Hide whitespace changes
Inline Side-by-side
Showing with 0 additions and 22 deletions
services/service_manager/sandbox/mac/common.sb
View file @ 00942501
...@@ -182,7 +182,6 @@ ...@@ -182,7 +182,6 @@
(sysctl-name "hw.cachelinesize_compat") (sysctl-name "hw.cachelinesize_compat")
(sysctl-name "hw.cpufrequency_compat") (sysctl-name "hw.cpufrequency_compat")
(sysctl-name "hw.cputype") (sysctl-name "hw.cputype")
(sysctl-name "hw.logicalcpu_max")
(sysctl-name "hw.machine") (sysctl-name "hw.machine")
(sysctl-name "hw.ncpu") (sysctl-name "hw.ncpu")
(sysctl-name "hw.pagesize_compat") (sysctl-name "hw.pagesize_compat")
...@@ -193,7 +192,6 @@ ...@@ -193,7 +192,6 @@
(sysctl-name "kern.maxfilesperproc") (sysctl-name "kern.maxfilesperproc")
(sysctl-name "kern.osrelease") (sysctl-name "kern.osrelease")
(sysctl-name "kern.ostype") (sysctl-name "kern.ostype")
(sysctl-name "kern.osvariant_status")
(sysctl-name "kern.osversion") (sysctl-name "kern.osversion")
(sysctl-name "kern.usrstack64") (sysctl-name "kern.usrstack64")
(sysctl-name "kern.version") (sysctl-name "kern.version")
......
services/service_manager/sandbox/mac/renderer.sb
View file @ 00942501
...@@ -4,17 +4,9 @@ ...@@ -4,17 +4,9 @@
; --- The contents of common.sb implicitly included here. --- ; --- The contents of common.sb implicitly included here. ---
; Put the denials first.
; crbug.com/799149: These operations are allowed by default.
(deny iokit-get-properties process-info* nvram*)
; Allow cf prefs to work. ; Allow cf prefs to work.
(allow user-preference-read) (allow user-preference-read)
; process-info
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))
; File reads. ; File reads.
; Reads from the home directory. ; Reads from the home directory.
(allow file-read-data (allow file-read-data
...@@ -75,15 +67,3 @@ ...@@ -75,15 +67,3 @@
(global-name "com.apple.lsd.mapdb") (global-name "com.apple.lsd.mapdb")
(global-name "com.apple.system.notification_center") ; https://crbug.com/792217 (global-name "com.apple.system.notification_center") ; https://crbug.com/792217
) )
; IOKit properties.
(allow iokit-get-properties
(iokit-property "CaseSensitive")
(iokit-property "Ejectable")
(iokit-property "Encrypted")
(iokit-property "IOClassNameOverride")
(iokit-property "IOMediaIcon")
(iokit-property "Protocol Characteristics")
(iokit-property "Removable")
(iokit-property "image-encrypted")
)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment