Title: [285722] trunk/Source/WebKit
- Revision
- 285722
- Author
- pvol...@apple.com
- Date
- 2021-11-12 08:32:32 -0800 (Fri, 12 Nov 2021)
Log Message
[iOS][GPU] Remove access to IOKit classes
https://bugs.webkit.org/show_bug.cgi?id=232344
<rdar://problem/84684751>
Reviewed by Darin Adler.
Based on telemetry, remove access to unused IOKit classes in the GPU process' sandbox on iOS.
* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
Modified: trunk/Source/WebKit/ChangeLog (285721 => 285722)
--- trunk/Source/WebKit/ChangeLog 2021-11-12 16:31:07 UTC (rev 285721)
+++ trunk/Source/WebKit/ChangeLog 2021-11-12 16:32:32 UTC (rev 285722)
@@ -1,3 +1,15 @@
+2021-11-12 Per Arne Vollan <pvol...@apple.com>
+
+ [iOS][GPU] Remove access to IOKit classes
+ https://bugs.webkit.org/show_bug.cgi?id=232344
+ <rdar://problem/84684751>
+
+ Reviewed by Darin Adler.
+
+ Based on telemetry, remove access to unused IOKit classes in the GPU process' sandbox on iOS.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+
2021-11-12 Per Arne <pvol...@apple.com>
[macOS][GPUP] Add syscalls to sandbox
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (285721 => 285722)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-11-12 16:31:07 UTC (rev 285721)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-11-12 16:32:32 UTC (rev 285722)
@@ -65,21 +65,6 @@
(home-literal (string-append "/Library/Preferences/" domain ".plist")))))
domains))
-(define-once (framebuffer-access)
- (allow iokit-open (with telemetry)
- (iokit-user-client-class "IOMobileFramebufferUserClient")
- (when (defined? 'iokit-external-method)
- (apply-message-filter
- (deny (with telemetry)
- iokit-async-external-method
- iokit-external-trap)
- (allow
- iokit-external-method)
- )
- )
- )
- (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily"))
-
(define-once (asset-access . options)
(let ((asset-access-filter
(require-all
@@ -207,21 +192,6 @@
;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks.
;;;
(define-once (opengl)
- ;; Items not seen in testing
- (deny iokit-open (with telemetry)
- (iokit-connection "IOGPU")
- (iokit-user-client-class
- "AGXCommandQueue"
- "AGXDevice"
- "AGXSharedUserClient"
- "IOAccelContext"
- "IOAccelDevice"
- "IOAccelSharedUserClient"
- "IOAccelSubmitter2"
- "IOAccelContext2"
- "IOAccelDevice2"
- "IOAccelSharedUserClient2"))
-
(allow iokit-open (with telemetry)
(iokit-connection "IOGPU")
(iokit-user-client-class
@@ -305,7 +275,6 @@
; UIKit-required IOKit nodes.
(allow iokit-open (with telemetry)
(iokit-user-client-class "IOSurfaceAcceleratorClient")
- (iokit-user-client-class "IOSurfaceSendRight")
;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
(iokit-user-client-class "IOSurfaceRootUserClient"))
@@ -535,8 +504,6 @@
(home-literal "/Library/Caches/DateFormats.plist")
(with no-log))
-(framebuffer-access)
-
; <rdar://problem/7595408> , <rdar://problem/7643881>
(opengl)
@@ -689,24 +656,6 @@
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-prefix "com.apple.security.private."))
-(allow iokit-open (with telemetry)
- (require-all
- (extension "com.apple.webkit.extension.iokit")
- (iokit-user-client-class
- "AGXCommandQueue"
- "AGXDevice"
- "AGXSharedUserClient"
- "IOAccelContext"
- "IOAccelDevice"
- "IOAccelSharedUserClient"
- "IOAccelSubmitter2"
- "IOAccelContext2"
- "IOAccelDevice2"
- "IOAccelSharedUserClient2"
- )
- )
-)
-
(deny mach-lookup (with no-log)
(xpc-service-name "com.apple.audio.toolbox.reporting.service")
)