Title: [274452] branches/safari-611.1.21.2-branch/Source/WebKit
- Revision
- 274452
- Author
- alanc...@apple.com
- Date
- 2021-03-15 16:41:59 -0700 (Mon, 15 Mar 2021)
Log Message
Cherry-pick r274439. rdar://problem/75450678
Enforce subcommand filtering
https://bugs.webkit.org/show_bug.cgi?id=223192
<rdar://75434409>
Reviewed by Brent Fulgham.
Enforce subcommand filtering in the WebContent process' sandbox.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274439 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-611.1.21.2-branch/Source/WebKit/ChangeLog (274451 => 274452)
--- branches/safari-611.1.21.2-branch/Source/WebKit/ChangeLog 2021-03-15 23:41:55 UTC (rev 274451)
+++ branches/safari-611.1.21.2-branch/Source/WebKit/ChangeLog 2021-03-15 23:41:59 UTC (rev 274452)
@@ -1,5 +1,37 @@
2021-03-15 Alan Coon <alanc...@apple.com>
+ Cherry-pick r274439. rdar://problem/75450678
+
+ Enforce subcommand filtering
+ https://bugs.webkit.org/show_bug.cgi?id=223192
+ <rdar://75434409>
+
+ Reviewed by Brent Fulgham.
+
+ Enforce subcommand filtering in the WebContent process' sandbox.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274439 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-03-15 Per Arne Vollan <pvol...@apple.com>
+
+ Enforce subcommand filtering
+ https://bugs.webkit.org/show_bug.cgi?id=223192
+ <rdar://75434409>
+
+ Reviewed by Brent Fulgham.
+
+ Enforce subcommand filtering in the WebContent process' sandbox.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+2021-03-15 Alan Coon <alanc...@apple.com>
+
Cherry-pick r274295. rdar://problem/75450678
[macOS] Add additional telemetry to WebContent sandbox
Modified: branches/safari-611.1.21.2-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (274451 => 274452)
--- branches/safari-611.1.21.2-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-03-15 23:41:55 UTC (rev 274451)
+++ branches/safari-611.1.21.2-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-03-15 23:41:59 UTC (rev 274452)
@@ -1279,7 +1279,7 @@
)
(when (defined? 'file-ioctl)
- (allow file-ioctl (with telemetry))
+ (deny file-ioctl (with telemetry))
;; restrict to the two ioctl's /dev/aes_0 needs
(allow file-ioctl (with telemetry)
(ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
@@ -1287,12 +1287,22 @@
)
(when (defined? 'socket-ioctl)
- (allow socket-ioctl (with telemetry))
+ (deny socket-ioctl (with telemetry))
)
(when (defined? 'system-fcntl)
- (allow system-fcntl (with telemetry))
+ (deny system-fcntl (with telemetry))
(allow system-fcntl
+ (fcntl-command F_BARRIERFSYNC)
+ (fcntl-command F_GETCONFINED)
+ (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+ (fcntl-command F_GETLK)
+ (fcntl-command F_GETSIGSINFO)
+ (fcntl-command F_NOCACHE)
+ (fcntl-command F_OFD_GETLK)
+ (fcntl-command F_OFD_SETLKWTIMEOUT)
+ (fcntl-command F_RDADVISE)
+ (fcntl-command F_SETCONFINED)
(fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
(fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
(fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
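Review bot: Nine of the fcntl commands added to the `system-fcntl` allow list (F_BARRIERFSYNC, F_GETCONFINED, F_GETLK, F_GETSIGSINFO, F_NOCACHE, F_OFD_GETLK, F_OFD_SETLKWTIMEOUT, F_RDADVISE, F_SETCONFINED) carry no caller comment, unlike the existing entries and the moved F_GETFL line. With the default now `deny`, each entry is a deliberate exception, and without a note an auditor cannot tell which callers were observed and which were added as a precaution. Each line should get a trailing comment in the existing style, e.g. `(fcntl-command F_SETCONFINED) ;; <caller observed in telemetry>`. The same uncommented additions appear in the `com.apple.WebProcess.sb.in` hunk at `@@ -1417,16 +1417,27 @@`. The allow list continues past the end of this hunk.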
@@ -1299,10 +1309,12 @@
(fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
(fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
(fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
- (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
(fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
(fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
+ (allow system-fcntl (with telemetry-backtrace)
+ (fcntl-command F_OFD_SETLK))
+
(allow system-fcntl
(fcntl-command F_GETPROTECTIONCLASS))
)
@@ -1309,14 +1321,15 @@
(when (defined? 'process-codesigning*)
;; csops/csops_audittoken
- (allow process-codesigning-status-set (with telemetry))
- (allow process-codesigning-text-offset-get (with telemetry))
- (allow process-codesigning-cdhash-get (with telemetry))
- (allow process-codesigning-blob-get (with telemetry))
- (allow process-codesigning-teamid-get (with telemetry))
- (allow process-codesigning-identity-get (with telemetry)) ;; codeSigningIdentifierForCurrentProcess
+ (deny process-codesigning-status-set (with telemetry))
+ (deny process-codesigning-text-offset-get (with telemetry))
+ (deny process-codesigning-cdhash-get (with telemetry))
+ (deny process-codesigning-blob-get (with telemetry))
+ (deny process-codesigning-teamid-get (with telemetry))
+ (allow process-codesigning-identity-get (target self)) ;; codeSigningIdentifierForCurrentProcess
(allow process-codesigning-entitlements-blob-get) ;; WK reading entitlments via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
(allow process-codesigning-status-get) ;; _xpc_get_entitlements
+ (allow process-codesigning-status-set (target self))
(deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
)
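Review bot: `process-codesigning-status-set` is now covered by two rules several lines apart: the `(deny process-codesigning-status-set (with telemetry))` at the top of the block and `(allow process-codesigning-status-set (target self))` near the bottom. The outcome for the self target appears to rely on the later allow taking precedence. Moving the allow directly under the deny would make that intent readable, with a caller comment like the one on the identity-get line, e.g. `(allow process-codesigning-status-set (target self)) ;; <caller that sets its own status>`. The narrowed `process-codesigning-identity-get (target self)` line also drops `(with telemetry)`, which is worth stating in the comment if it is intentional.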
@@ -1326,7 +1339,7 @@
(when (defined? 'socket-option-get)
;; getsockopt
- (allow socket-option-get (with telemetry))
+ (deny socket-option-get (with telemetry))
(allow socket-option-get
(socket-option-level SOL_SOCKET)
(socket-option-name SO_ERROR)) ;; libwebrtc; physical_socket_server.cc, ProcessEvents. Called with fd=-1, so it fails. Not technically needed, but the code needs changing
@@ -1334,7 +1347,7 @@
(when (defined? 'socket-option-set)
;; setsockopt
- (allow socket-option-set (with telemetry))
+ (deny socket-option-set (with telemetry))
)
(when (defined? 'mach-bootstrap)
Modified: branches/safari-611.1.21.2-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (274451 => 274452)
--- branches/safari-611.1.21.2-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-03-15 23:41:55 UTC (rev 274451)
+++ branches/safari-611.1.21.2-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-03-15 23:41:59 UTC (rev 274452)
@@ -1417,16 +1417,27 @@
)
(when (defined? 'file-ioctl)
- (allow file-ioctl (with telemetry))
+ (deny file-ioctl (with telemetry))
+ (allow file-ioctl (literal "/dev/dtracehelper"))
)
(when (defined? 'socket-ioctl)
- (allow socket-ioctl (with telemetry))
+ (deny socket-ioctl (with telemetry))
)
(when (defined? 'system-fcntl)
- (allow system-fcntl (with telemetry))
+ (deny system-fcntl (with telemetry))
(allow system-fcntl
+ (fcntl-command F_BARRIERFSYNC)
+ (fcntl-command F_GETCONFINED)
+ (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+ (fcntl-command F_GETLK)
+ (fcntl-command F_GETSIGSINFO)
+ (fcntl-command F_NOCACHE)
+ (fcntl-command F_OFD_GETLK)
+ (fcntl-command F_OFD_SETLKWTIMEOUT)
+ (fcntl-command F_RDADVISE)
+ (fcntl-command F_SETCONFINED)
(fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
(fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
(fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
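Review bot: `(allow file-ioctl (literal "/dev/dtracehelper"))` filters on the path only, so every ioctl request on that device is allowed, and without `(with telemetry)` its use is not reported. The iOS profile in this same commit narrows its file-ioctl exception with `ioctl-command` filters. If the macOS sandbox supports that filter here, the rule should list only the requests actually issued. Either way it should get a comment naming the caller that needs the device, e.g. `;; <caller> registers with dtracehelper at load`, once the caller is confirmed.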
@@ -1433,13 +1444,14 @@
(fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
(fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
(fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
- (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
(fcntl-command F_RDADVISE) ;; CoreNLP::ReadOnlyFile <- +[DDScannerService scanString:range:configuration:] <- WebCore::DictionaryLookup::rangeAtHitTestResult(WebCore::HitTestResult const&)
(fcntl-command F_NOCACHE) ;; Security::UnixPlusPlus::FileDesc::fcnt <- MTRegisterPluginFormatReaderBundleDirectory <- invocation function for block in WebCore::registerFormatReaderIfNecessary()
-
(fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
(fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
+ (allow system-fcntl (with telemetry-backtrace)
+ (fcntl-command F_OFD_SETLK))
+
(allow system-fcntl
(fcntl-command F_GETPROTECTIONCLASS))
)
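Review bot: F_RDADVISE and F_NOCACHE now appear twice in this `system-fcntl` allow list: the context lines in this hunk keep the entries with their caller comments, and the preceding hunk adds uncommented copies of both. The duplicates do not change the policy, but they make the list harder to audit, so the two added lines in the preceding hunk should be dropped. The new `(allow system-fcntl (with telemetry-backtrace) (fcntl-command F_OFD_SETLK))` rule would also benefit from a comment saying why it is reported differently from the rest, e.g. `;; caller not yet identified; backtrace telemetry kept to find it`, if that is the intent.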
@@ -1446,20 +1458,20 @@
(when (defined? 'process-codesigning*)
;; csops/csops_audittoken
- (allow process-codesigning-status-set (with telemetry))
- (allow process-codesigning-text-offset-get (with telemetry))
- (allow process-codesigning-cdhash-get (with telemetry))
- (allow process-codesigning-blob-get (with telemetry))
- (allow process-codesigning-teamid-get (with telemetry))
+ (deny process-codesigning-text-offset-get (with telemetry))
+ (deny process-codesigning-cdhash-get (with telemetry))
+ (deny process-codesigning-blob-get (with telemetry))
+ (deny process-codesigning-teamid-get (with telemetry))
(allow process-codesigning-identity-get (with telemetry)) ;; codeSigningIdentifierForCurrentProcess
(allow process-codesigning-entitlements-blob-get) ;; WK reading entitlments via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
(allow process-codesigning-status-get) ;; _xpc_get_entitlements
+ (allow process-codesigning-status-set (target self))
(deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
)
(when (defined? 'socket-option-get)
;; getsockopt
- (allow socket-option-get (with telemetry))
+ (deny socket-option-get (with telemetry))
(allow socket-option-get
(require-all
(socket-option-level SOL_SOCKET)
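Review bot: The macOS codesigning block diverges from the iOS profile changed in this same commit in two places. `process-codesigning-identity-get` keeps `(with telemetry)` and no target filter here, while iOS narrows it to `(target self)`. The old `status-set` allow is also removed without a replacement deny, so a non-self status-set falls through to whatever the profile default is, without the telemetry the sibling denies emit. If the difference is not intentional, use `(allow process-codesigning-identity-get (target self))` and add `(deny process-codesigning-status-set (with telemetry))` ahead of the new `(target self)` allow. The socket-option-get rule at the end of this hunk continues outside it.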
@@ -1468,7 +1480,7 @@
(when (defined? 'socket-option-set)
;; setsockopt
- (allow socket-option-set (with telemetry))
+ (deny socket-option-set (with telemetry))
)
(when (defined? 'syscall-unix)