Title: [274451] branches/safari-611.1.21.2-branch/Source/WebKit
- Revision
- 274451
- Author
- alanc...@apple.com
- Date
- 2021-03-15 16:41:55 -0700 (Mon, 15 Mar 2021)
Log Message
Cherry-pick r274295. rdar://problem/75450678
[macOS] Add additional telemetry to WebContent sandbox
https://bugs.webkit.org/show_bug.cgi?id=223080
Reviewed by Brent Fulgham.
Add additional telemetry to WebContent sandbox on macOS.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274295 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-611.1.21.2-branch/Source/WebKit/ChangeLog (274450 => 274451)
--- branches/safari-611.1.21.2-branch/Source/WebKit/ChangeLog 2021-03-15 23:30:10 UTC (rev 274450)
+++ branches/safari-611.1.21.2-branch/Source/WebKit/ChangeLog 2021-03-15 23:41:55 UTC (rev 274451)
@@ -1,3 +1,31 @@
+2021-03-15 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r274295. rdar://problem/75450678
+
+ [macOS] Add additional telemetry to WebContent sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=223080
+
+ Reviewed by Brent Fulgham.
+
+ Add additional telemetry to WebContent sandbox on macOS.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274295 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-03-11 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS] Add additional telemetry to WebContent sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=223080
+
+ Reviewed by Brent Fulgham.
+
+ Add additional telemetry to WebContent sandbox on macOS.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-03-10 Alan Coon <alanc...@apple.com>
Cherry-pick r274231. rdar://problem/75291920
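Review bot: the per-file bullets for both sandbox profiles are left empty, and the two files change in different ways: the macOS profile (com.apple.WebProcess.sb.in) gains `(with telemetry)` allows for file-ioctl, socket-ioctl, system-fcntl, the process-codesigning* checks and socket-option get/set, while the iOS profile (com.apple.WebKit.WebContent.sb) only gains a plain `(fcntl-command F_GETFL)` allow with no telemetry. Spell that out under each bullet so the security-relevant effect of the cherry-pick can be reviewed from the log alone; as written, "Add additional telemetry" does not describe the iOS change at all.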
Modified: branches/safari-611.1.21.2-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (274450 => 274451)
--- branches/safari-611.1.21.2-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-03-15 23:30:10 UTC (rev 274450)
+++ branches/safari-611.1.21.2-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-03-15 23:41:55 UTC (rev 274451)
@@ -1299,7 +1299,7 @@
(fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
(fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
(fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
-
+ (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
(fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
(fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
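Review bot: the added line is an outright allow of F_GETFL in the iOS WebContent profile, not telemetry, so the commit title and ChangeLog undersell what this hunk does. The exposure is small, since F_GETFL only reads a descriptor's status flags (F_SETFL, which modifies them, is already permitted two lines below), and the cited backtrace (LibJPEGReadPlugin::copyImageBlockSetStandard) explains the need, but a permission expansion should be described as one in the log entry.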
Modified: branches/safari-611.1.21.2-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (274450 => 274451)
--- branches/safari-611.1.21.2-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-03-15 23:30:10 UTC (rev 274450)
+++ branches/safari-611.1.21.2-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-03-15 23:41:55 UTC (rev 274451)
@@ -1416,6 +1416,61 @@
)
)
+(when (defined? 'file-ioctl)
+ (allow file-ioctl (with telemetry))
+)
+
+(when (defined? 'socket-ioctl)
+ (allow socket-ioctl (with telemetry))
+)
+
+(when (defined? 'system-fcntl)
+ (allow system-fcntl (with telemetry))
+ (allow system-fcntl
+ (fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
+ (fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
+ (fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
+ (fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
+ (fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
+ (fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
+ (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+ (fcntl-command F_RDADVISE) ;; CoreNLP::ReadOnlyFile <- +[DDScannerService scanString:range:configuration:] <- WebCore::DictionaryLookup::rangeAtHitTestResult(WebCore::HitTestResult const&)
+ (fcntl-command F_NOCACHE) ;; Security::UnixPlusPlus::FileDesc::fcnt <- MTRegisterPluginFormatReaderBundleDirectory <- invocation function for block in WebCore::registerFormatReaderIfNecessary()
+
+ (fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
+ (fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
+
+ (allow system-fcntl
+ (fcntl-command F_GETPROTECTIONCLASS))
+)
+
+(when (defined? 'process-codesigning*)
+ ;; csops/csops_audittoken
+ (allow process-codesigning-status-set (with telemetry))
+ (allow process-codesigning-text-offset-get (with telemetry))
+ (allow process-codesigning-cdhash-get (with telemetry))
+ (allow process-codesigning-blob-get (with telemetry))
+ (allow process-codesigning-teamid-get (with telemetry))
+ (allow process-codesigning-identity-get (with telemetry)) ;; codeSigningIdentifierForCurrentProcess
+ (allow process-codesigning-entitlements-blob-get) ;; WK reading entitlments via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
+ (allow process-codesigning-status-get) ;; _xpc_get_entitlements
+ (deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
+)
+
+(when (defined? 'socket-option-get)
+ ;; getsockopt
+ (allow socket-option-get (with telemetry))
+ (allow socket-option-get
+ (require-all
+ (socket-option-level SOL_SOCKET)
+ (socket-option-name SO_ERROR))) ;; libwebrtc; physical_socket_server.cc, ProcessEvents. Called with fd=-1, so it fails. Not technically needed, but the code needs changing
+)
+
+(when (defined? 'socket-option-set)
+ ;; setsockopt
+ (allow socket-option-set (with telemetry))
+)
+
(when (defined? 'syscall-unix)
(deny syscall-unix (with send-signal SIGKILL))
(allow syscall-unix
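Review bot: the `socket-option-get` rule for `SOL_SOCKET`/`SO_ERROR` should either be dropped or carry a bug reference, because its own comment says the libwebrtc call in physical_socket_server.cc is made with fd=-1, fails, and is "not technically needed"; an allow kept only to keep a broken call site out of the telemetry will otherwise outlive the code fix it is waiting on. Two smaller points in the same hunk: the blank line between the `F_NOCACHE` and `F_SETFL` entries in the `system-fcntl` list is stray, and the pattern of a broad `(allow ... (with telemetry))` followed by specific silent allows relies on the later, more specific rule taking precedence so that only unlisted commands are reported; a one-line comment at the top of the block stating that intent would help the next person who reorders these rules.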
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes