Title: [253761] trunk/Source/WebKit
Revision
253761
Author
bfulg...@apple.com
Date
2019-12-19 09:59:25 -0800 (Thu, 19 Dec 2019)

Log Message

Remove syscall filtering from GPU Process sandbox
https://bugs.webkit.org/show_bug.cgi?id=205456
<rdar://problem/58080834>

Reviewed by Tim Horton.

We don't have a fully built-out GPU Process yet. Let's not lock down the syscall filter set until
we know which syscalls are actually needed by the process. The current set is just copied over from the
WebContent process, and is not likely to be the correct set.

* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (253760 => 253761)


--- trunk/Source/WebKit/ChangeLog	2019-12-19 17:55:36 UTC (rev 253760)
+++ trunk/Source/WebKit/ChangeLog	2019-12-19 17:59:25 UTC (rev 253761)
@@ -1,3 +1,18 @@
+2019-12-19  Brent Fulgham  <bfulg...@apple.com>
+
+        Remove syscall filtering from GPU Process sandbox 
+        https://bugs.webkit.org/show_bug.cgi?id=205456
+        <rdar://problem/58080834>
+
+        Reviewed by Tim Horton.
+
+        We don't have a fully built-out GPU Process yet. Let's not lock down the syscall filter set until
+        we know which are actually needed by the process. The current set is just copied over from the
+        WebContent process, and are not likely to be the correct set.
+
+        * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb:
+
 2019-12-19  Chris Dumez  <cdu...@apple.com>
 
         imported/w3c/web-platform-tests/service-workers/service-worker/skip-waiting-installed.https.html is flaky

Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (253760 => 253761)


--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2019-12-19 17:55:36 UTC (rev 253760)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2019-12-19 17:59:25 UTC (rev 253761)
@@ -836,161 +836,3 @@
         (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
     (allow device-camera))
 #endif // PLATFORM(MAC)
-
-(when (defined? 'syscall-unix)
-    (deny syscall-unix (with send-signal SIGKILL))
-    (allow syscall-unix
-        (syscall-number SYS_abort_with_payload)
-        (syscall-number SYS_exit)
-        (syscall-number SYS_read)
-        (syscall-number SYS_write)
-        (syscall-number SYS_open)
-        (syscall-number SYS_close)
-        (syscall-number SYS_unlink)
-        (syscall-number SYS_chmod)
-        (syscall-number SYS_chmod_extended)
-        (syscall-number SYS_getuid)
-        (syscall-number SYS_geteuid)
-        (syscall-number SYS_recvfrom)
-        (syscall-number SYS_getpeername)
-        (syscall-number SYS_access)
-        (syscall-number SYS_dup)
-        (syscall-number SYS_pipe)
-        (syscall-number SYS_getegid)
-        (syscall-number SYS_getgid)
-        (syscall-number SYS_sigprocmask)
-        (syscall-number SYS_sigaltstack)
-        (syscall-number SYS_ioctl)
-        (syscall-number SYS_readlink)
-        (syscall-number SYS_umask)
-        (syscall-number SYS_msync)
-        (syscall-number SYS_munmap)
-        (syscall-number SYS_mprotect)
-        (syscall-number SYS_madvise)
-        (syscall-number SYS_fcntl)
-        (syscall-number SYS_select)
-        (syscall-number SYS_fsync)
-        (syscall-number SYS_setpriority)
-        (syscall-number SYS_socket)
-        (syscall-number SYS_connect)
-        (syscall-number SYS_setsockopt)
-        (syscall-number SYS_gettimeofday)
-        (syscall-number SYS_getrusage)
-        (syscall-number SYS_getsockopt)
-        (syscall-number SYS_writev)
-        (syscall-number SYS_fchmod)
-        (syscall-number SYS_rename)
-        (syscall-number SYS_flock)
-        (syscall-number SYS_sendto)
-        (syscall-number SYS_shutdown)
-        (syscall-number SYS_socketpair)
-        (syscall-number SYS_mkdir)
-        (syscall-number SYS_rmdir)
-        (syscall-number SYS_pread)
-        (syscall-number SYS_pwrite)
-        (syscall-number SYS_csops)
-        (syscall-number SYS_csops_audittoken)
-        (syscall-number SYS_kdebug_trace64)
-        (syscall-number SYS_kdebug_trace)
-        (syscall-number SYS_sigaction)
-        (syscall-number SYS_sigreturn)
-        (syscall-number SYS_pathconf)
-        (syscall-number SYS_getrlimit)
-        (syscall-number SYS_setrlimit)
-        (syscall-number SYS_mmap)
-        (syscall-number SYS_lseek)
-        (syscall-number SYS_ftruncate)
-        (syscall-number SYS_sysctl)
-        (syscall-number SYS_mlock)
-        (syscall-number SYS_munlock)
-        (syscall-number SYS_getattrlist)
-        (syscall-number SYS_getxattr)
-        (syscall-number SYS_fgetxattr)
-        (syscall-number SYS_listxattr)
-        (syscall-number SYS_shm_open)
-        (syscall-number SYS_sem_wait)
-        (syscall-number SYS_sem_post)
-        (syscall-number SYS_sysctlbyname)
-        (syscall-number SYS_psynch_mutexwait)
-        (syscall-number SYS_psynch_mutexdrop)
-        (syscall-number SYS_psynch_cvbroad)
-        (syscall-number SYS_psynch_cvsignal)
-        (syscall-number SYS_psynch_cvwait)
-        (syscall-number SYS_psynch_rw_wrlock)
-        (syscall-number SYS_psynch_rw_unlock)
-        (syscall-number SYS_psynch_cvclrprepost)
-        (syscall-number SYS_process_policy)
-        (syscall-number SYS_issetugid)
-        (syscall-number SYS___pthread_kill)
-        (syscall-number SYS___pthread_markcancel)
-        (syscall-number SYS___pthread_sigmask)
-        (syscall-number SYS___disable_threadsignal)
-        (syscall-number SYS___semwait_signal)
-        (syscall-number SYS___semwait_signal_nocancel)
-        (syscall-number SYS_proc_info)
-        (syscall-number SYS_stat64)
-        (syscall-number SYS_fstat64)
-        (syscall-number SYS_lstat64)
-        (syscall-number SYS_getdirentries64)
-        (syscall-number SYS_statfs64)
-        (syscall-number SYS_fstatfs64)
-        (syscall-number SYS_getfsstat64)
-        (syscall-number SYS_getaudit_addr)
-        (syscall-number SYS_bsdthread_create)
-        (syscall-number SYS_bsdthread_terminate)
-        (syscall-number SYS_workq_kernreturn)
-        (syscall-number SYS_thread_selfid)
-        (syscall-number SYS_kevent)
-        (syscall-number SYS_kevent_qos)
-        (syscall-number SYS_kevent_id)
-        (syscall-number SYS___mac_syscall)
-        (syscall-number SYS_read_nocancel)
-        (syscall-number SYS_write_nocancel)
-        (syscall-number SYS_open_nocancel)
-        (syscall-number SYS_close_nocancel)
-        (syscall-number SYS_sendmsg_nocancel)
-        (syscall-number SYS_recvfrom_nocancel)
-        (syscall-number SYS_fcntl_nocancel)
-        (syscall-number SYS_select_nocancel)
-        (syscall-number SYS_connect_nocancel)
-        (syscall-number SYS_sendto_nocancel)
-        (syscall-number SYS_fsgetpath)
-        (syscall-number SYS_fileport_makeport)
-        (syscall-number SYS_guarded_open_np)
-        (syscall-number SYS_guarded_close_np)
-        (syscall-number SYS_guarded_write_np)
-        (syscall-number SYS_change_fdguard_np)
-        (syscall-number SYS_proc_rlimit_control)
-        (syscall-number SYS_connectx)
-        (syscall-number SYS_getattrlistbulk)
-        (syscall-number SYS_openat)
-        (syscall-number SYS_openat_nocancel)
-        (syscall-number SYS_fstatat64)
-        (syscall-number SYS_mkdirat)
-        (syscall-number SYS_bsdthread_ctl)
-        (syscall-number SYS_csrctl)
-        (syscall-number SYS_guarded_pwrite_np)
-        (syscall-number SYS_getentropy)
-        (syscall-number SYS_necp_open)
-        (syscall-number SYS_necp_client_action)
-        (syscall-number SYS_ulock_wait)
-        (syscall-number SYS_ulock_wake)
-        (syscall-number SYS_work_interval_ctl)
-        (syscall-number SYS_kdebug_typefilter)
-        (syscall-number SYS_gettid) ;; Needed for base system, see <rdar://problem/48651255>
-        (syscall-number SYS_memorystatus_control) ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
-        (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/49060359>
-        (syscall-number SYS_terminate_with_payload) ;; <rdar://problem/50026580>
-        (syscall-number SYS_quotactl) ;; <rdar://problem/49945031>
-        (syscall-number SYS_stat64_extended) ;; <rdar://problem/50473330>
-        (syscall-number SYS_lstat_extended)
-        (syscall-number SYS_lstat64_extended)
-        (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50931110>
-        (syscall-number SYS_kqueue) ;; <rdar://problem/49609201>
-        (syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499>
-        (syscall-number SYS_faccessat) ;; <rdar://problem/56690456>
-        (syscall-number SYS_fsetxattr) ;; <rdar://problem/56332491>
-    )
-)
-

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (253760 => 253761)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2019-12-19 17:55:36 UTC (rev 253760)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb	2019-12-19 17:59:25 UTC (rev 253761)
@@ -977,169 +977,3 @@
 (deny mach-lookup
     (global-name "com.apple.webkit.camera")
 )
-
-(when (defined? 'syscall-unix)
-    (deny syscall-unix (with send-signal SIGKILL))
-    (allow syscall-unix
-        (syscall-number SYS_exit)
-        (syscall-number SYS_read)
-        (syscall-number SYS_write)
-        (syscall-number SYS_open)
-        (syscall-number SYS_close)
-        (syscall-number SYS_unlink)
-        (syscall-number SYS_chmod)
-        (syscall-number SYS_getuid)
-        (syscall-number SYS_geteuid)
-        (syscall-number SYS_recvfrom)
-        (syscall-number SYS_getpeername)
-        (syscall-number SYS_access)
-        (syscall-number SYS_dup)
-        (syscall-number SYS_pipe)
-        (syscall-number SYS_getegid)
-        (syscall-number SYS_getgid)
-        (syscall-number SYS_sigprocmask)
-        (syscall-number SYS_sigaltstack)
-        (syscall-number SYS_ioctl)
-        (syscall-number SYS_readlink)
-        (syscall-number SYS_umask)
-        (syscall-number SYS_msync)
-        (syscall-number SYS_munmap)
-        (syscall-number SYS_mprotect)
-        (syscall-number SYS_madvise)
-        (syscall-number SYS_fcntl)
-        (syscall-number SYS_select)
-        (syscall-number SYS_fsync)
-        (syscall-number SYS_setpriority)
-        (syscall-number SYS_socket)
-        (syscall-number SYS_connect)
-        (syscall-number SYS_setsockopt)
-        (syscall-number SYS_gettimeofday)
-        (syscall-number SYS_getrusage)
-        (syscall-number SYS_getsockopt)
-        (syscall-number SYS_writev)
-        (syscall-number SYS_fchmod)
-        (syscall-number SYS_rename)
-        (syscall-number SYS_flock)
-        (syscall-number SYS_sendto)
-        (syscall-number SYS_shutdown)
-        (syscall-number SYS_socketpair)
-        (syscall-number SYS_mkdir)
-        (syscall-number SYS_rmdir)
-        (syscall-number SYS_pread)
-        (syscall-number SYS_pwrite)
-        (syscall-number SYS_csops)
-        (syscall-number SYS_csops_audittoken)
-        (syscall-number SYS_kdebug_trace64)
-        (syscall-number SYS_kdebug_trace)
-        (syscall-number SYS_sigreturn)
-        (syscall-number SYS_pathconf)
-        (syscall-number SYS_getrlimit)
-        (syscall-number SYS_setrlimit)
-        (syscall-number SYS_mmap)
-        (syscall-number SYS_lseek)
-        (syscall-number SYS_ftruncate)
-        (syscall-number SYS_sysctl)
-        (syscall-number SYS_mlock)
-        (syscall-number SYS_munlock)
-        (syscall-number SYS_getattrlist)
-        (syscall-number SYS_getxattr)
-        (syscall-number SYS_fgetxattr)
-        (syscall-number SYS_listxattr)
-        (syscall-number SYS_shm_open)
-        (syscall-number SYS_sem_wait)
-        (syscall-number SYS_sem_post)
-        (syscall-number SYS_sysctlbyname)
-        (syscall-number SYS_psynch_mutexwait)
-        (syscall-number SYS_psynch_mutexdrop)
-        (syscall-number SYS_psynch_cvbroad)
-        (syscall-number SYS_psynch_cvsignal)
-        (syscall-number SYS_psynch_cvwait)
-        (syscall-number SYS_psynch_rw_wrlock)
-        (syscall-number SYS_psynch_rw_unlock)
-        (syscall-number SYS_psynch_cvclrprepost)
-        (syscall-number SYS_process_policy)
-        (syscall-number SYS_issetugid)
-        (syscall-number SYS___pthread_kill)
-        (syscall-number SYS___pthread_markcancel)
-        (syscall-number SYS___pthread_sigmask)
-        (syscall-number SYS___disable_threadsignal)
-        (syscall-number SYS___semwait_signal)
-        (syscall-number SYS_proc_info)
-        (syscall-number SYS_stat64)
-        (syscall-number SYS_fstat64)
-        (syscall-number SYS_lstat64)
-        (syscall-number SYS_getdirentries64)
-        (syscall-number SYS_statfs64)
-        (syscall-number SYS_fstatfs64)
-        (syscall-number SYS_getfsstat64)
-        (syscall-number SYS_getaudit_addr)
-        (syscall-number SYS_bsdthread_create)
-        (syscall-number SYS_bsdthread_terminate)
-        (syscall-number SYS_workq_kernreturn)
-        (syscall-number SYS_thread_selfid)
-        (syscall-number SYS_kevent_qos)
-        (syscall-number SYS_kevent_id)
-        (syscall-number SYS___mac_syscall)
-        (syscall-number SYS_read_nocancel)
-        (syscall-number SYS_write_nocancel)
-        (syscall-number SYS_open_nocancel)
-        (syscall-number SYS_close_nocancel)
-        (syscall-number SYS_sendmsg_nocancel)
-        (syscall-number SYS_recvfrom_nocancel)
-        (syscall-number SYS_fcntl_nocancel)
-        (syscall-number SYS_select_nocancel)
-        (syscall-number SYS_connect_nocancel)
-        (syscall-number SYS_sendto_nocancel)
-        (syscall-number SYS_fsgetpath)
-        (syscall-number SYS_fileport_makeport)
-        (syscall-number SYS_guarded_open_np)
-        (syscall-number SYS_guarded_close_np)
-        (syscall-number SYS_change_fdguard_np)
-        (syscall-number SYS_proc_rlimit_control)
-        (syscall-number SYS_connectx)
-        (syscall-number SYS_getattrlistbulk)
-        (syscall-number SYS_openat)
-        (syscall-number SYS_openat_nocancel)
-        (syscall-number SYS_fstatat64)
-        (syscall-number SYS_mkdirat)
-        (syscall-number SYS_bsdthread_ctl)
-        (syscall-number SYS_csrctl)
-        (syscall-number SYS_guarded_pwrite_np)
-        (syscall-number SYS_getentropy)
-        (syscall-number SYS_necp_open)
-        (syscall-number SYS_necp_client_action)
-        (syscall-number SYS_ulock_wait)
-        (syscall-number SYS_ulock_wake)
-        (syscall-number SYS_kdebug_typefilter)
-        (syscall-number SYS_shared_region_check_np)
-        (syscall-number SYS_getpid)
-        (syscall-number SYS_bsdthread_register)
-        (syscall-number SYS_sigaction)
-        (syscall-number SYS_gettid)
-        (syscall-number SYS_workq_open)
-        (syscall-number SYS_chdir)
-        (syscall-number SYS_memorystatus_control)
-        (syscall-number SYS_sem_open)
-        (syscall-number SYS_sem_close)
-        (syscall-number SYS_fsetattrlist)
-        (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
-        (syscall-number SYS_mremap_encrypted)
-        (syscall-number SYS_dup2)
-        (syscall-number SYS_fileport_makefd)
-        (syscall-number SYS_os_fault_with_payload)
-        (syscall-number SYS_persona)
-        (syscall-number SYS_work_interval_ctl)
-        (syscall-number SYS_open_dprotected_np)
-        (syscall-number SYS_pread_nocancel)
-        (syscall-number SYS___semwait_signal_nocancel)
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
-        (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
-        (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
-        (syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271>
-        (syscall-number SYS_kqueue) ;; <rdar://problem/49609201>
-        (syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499>
-        (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/51134351>
-        (syscall-number SYS_faccessat) ;; <rdar://problem/56998930>
-        (syscall-number SYS_chmod_extended) ;; <rdar://problem/58046272>
-    )
-)