Title: [274439] trunk/Source/WebKit
Revision
274439
Author
pvol...@apple.com
Date
2021-03-15 14:22:51 -0700 (Mon, 15 Mar 2021)

Log Message

Enforce subcommand filtering
https://bugs.webkit.org/show_bug.cgi?id=223192
<rdar://75434409>

Reviewed by Brent Fulgham.

Enforce subcommand filtering in the WebContent process' sandbox.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (274438 => 274439)


--- trunk/Source/WebKit/ChangeLog	2021-03-15 20:49:55 UTC (rev 274438)
+++ trunk/Source/WebKit/ChangeLog	2021-03-15 21:22:51 UTC (rev 274439)
@@ -1,3 +1,16 @@
+2021-03-15  Per Arne Vollan  <pvol...@apple.com>
+
+        Enforce subcommand filtering
+        https://bugs.webkit.org/show_bug.cgi?id=223192
+        <rdar://75434409>
+
+        Reviewed by Brent Fulgham.
+
+        Enforce subcommand filtering in the WebContent process' sandbox.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2021-03-15  Jer Noble  <jer.no...@apple.com>
 
         [Cocoa] Adopt AudioComponentApplyServerRegistrations()

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (274438 => 274439)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2021-03-15 20:49:55 UTC (rev 274438)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2021-03-15 21:22:51 UTC (rev 274439)
@@ -1317,7 +1317,7 @@
 )
 
 (when (defined? 'file-ioctl)
-    (allow file-ioctl (with telemetry))
+    (deny file-ioctl (with telemetry))
     ;; restrict to the two ioctl's /dev/aes_0 needs
     (allow file-ioctl (with telemetry)
        (ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
@@ -1325,12 +1325,22 @@
 )
 
 (when (defined? 'socket-ioctl)
-    (allow socket-ioctl (with telemetry))
+    (deny socket-ioctl (with telemetry))
 )
 
 (when (defined? 'system-fcntl)
-    (allow system-fcntl (with telemetry))
+    (deny system-fcntl (with telemetry))
     (allow system-fcntl
+        (fcntl-command F_BARRIERFSYNC)
+        (fcntl-command F_GETCONFINED)
+        (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+        (fcntl-command F_GETLK)
+        (fcntl-command F_GETSIGSINFO)
+        (fcntl-command F_NOCACHE)
+        (fcntl-command F_OFD_GETLK)
+        (fcntl-command F_OFD_SETLKWTIMEOUT)
+        (fcntl-command F_RDADVISE)
+        (fcntl-command F_SETCONFINED)
         (fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
         (fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
         (fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
@@ -1337,10 +1347,12 @@
         (fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
         (fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
         (fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
-        (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
         (fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
         (fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
 
+    (allow system-fcntl (with telemetry-backtrace)
+        (fcntl-command F_OFD_SETLK))
+
     (allow system-fcntl
         (fcntl-command F_GETPROTECTIONCLASS))
 )
@@ -1347,14 +1359,15 @@
 
 (when (defined? 'process-codesigning*)
     ;; csops/csops_audittoken
-    (allow process-codesigning-status-set (with telemetry))
-    (allow process-codesigning-text-offset-get (with telemetry))
-    (allow process-codesigning-cdhash-get (with telemetry))
-    (allow process-codesigning-blob-get (with telemetry))
-    (allow process-codesigning-teamid-get (with telemetry))
-    (allow process-codesigning-identity-get (with telemetry)) ;; codeSigningIdentifierForCurrentProcess
+    (deny process-codesigning-status-set (with telemetry))
+    (deny process-codesigning-text-offset-get (with telemetry))
+    (deny process-codesigning-cdhash-get (with telemetry))
+    (deny process-codesigning-blob-get (with telemetry))
+    (deny process-codesigning-teamid-get (with telemetry))
+    (allow process-codesigning-identity-get (target self)) ;; codeSigningIdentifierForCurrentProcess
     (allow process-codesigning-entitlements-blob-get) ;; WK reading entitlments via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
     (allow process-codesigning-status-get) ;; _xpc_get_entitlements
+    (allow process-codesigning-status-set (target self))
     (deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
 )
 
@@ -1364,7 +1377,7 @@
 
 (when (defined? 'socket-option-get)
     ;; getsockopt
-    (allow socket-option-get (with telemetry))
+    (deny socket-option-get (with telemetry))
     (allow socket-option-get
         (require-all
             (socket-option-level SOL_SOCKET)
@@ -1373,7 +1386,7 @@
 
 (when (defined? 'socket-option-set)
     ;; setsockopt
-    (allow socket-option-set (with telemetry))
+    (deny socket-option-set (with telemetry))
 )
 
 (when (defined? 'mach-bootstrap)
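Review bot: The ten fcntl commands newly added at the head of the system-fcntl allow list (F_BARRIERFSYNC through F_SETCONFINED, hunk @@ -1325) carry no caller annotation, while every pre-existing entry in that list records the library or function that needs it; the same applies to the new `(allow process-codesigning-status-set (target self))` in hunk @@ -1347. Now that unlisted commands are denied rather than logged, this list is the only record of what telemetry observed, and a future tightening pass cannot tell F_SETCONFINED from an entry that crept in. I would add a trailing note per entry in the existing style, e.g. `(fcntl-command F_SETCONFINED) ;; <caller observed via telemetry — TODO(review): fill in>`, or at minimum one comment above the group such as `;; commands observed via telemetry before enforcement, see bug 223192`. The `(deny … (with telemetry))` placed before the specific allows presumably relies on later rules taking precedence, as the existing process-codesigning* block already does; worth confirming that a telemetry modifier on a deny does not change that.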

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (274438 => 274439)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-03-15 20:49:55 UTC (rev 274438)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-03-15 21:22:51 UTC (rev 274439)
@@ -1543,16 +1543,27 @@
     (fsctl-command (_IO "h" 47))) ;; See <rdar://74387453>
 
 (when (defined? 'file-ioctl)
-    (allow file-ioctl (with telemetry))
+    (deny file-ioctl (with telemetry))
+    (allow file-ioctl (literal "/dev/dtracehelper"))
 )
 
 (when (defined? 'socket-ioctl)
-    (allow socket-ioctl (with telemetry))
+    (deny socket-ioctl (with telemetry))
 )
 
 (when (defined? 'system-fcntl)
-    (allow system-fcntl (with telemetry))
+    (deny system-fcntl (with telemetry))
     (allow system-fcntl
+        (fcntl-command F_BARRIERFSYNC)
+        (fcntl-command F_GETCONFINED)
+        (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
+        (fcntl-command F_GETLK)
+        (fcntl-command F_GETSIGSINFO)
+        (fcntl-command F_NOCACHE)
+        (fcntl-command F_OFD_GETLK)
+        (fcntl-command F_OFD_SETLKWTIMEOUT)
+        (fcntl-command F_RDADVISE)
+        (fcntl-command F_SETCONFINED)
         (fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
         (fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
         (fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
@@ -1559,13 +1570,14 @@
         (fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
         (fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
         (fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
-        (fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
         (fcntl-command F_RDADVISE) ;; CoreNLP::ReadOnlyFile <- +[DDScannerService scanString:range:configuration:] <- WebCore::DictionaryLookup::rangeAtHitTestResult(WebCore::HitTestResult const&)
         (fcntl-command F_NOCACHE) ;; Security::UnixPlusPlus::FileDesc::fcnt <- MTRegisterPluginFormatReaderBundleDirectory <- invocation function for block in WebCore::registerFormatReaderIfNecessary()
-
         (fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
         (fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
 
+    (allow system-fcntl (with telemetry-backtrace)
+        (fcntl-command F_OFD_SETLK))
+
     (allow system-fcntl
         (fcntl-command F_GETPROTECTIONCLASS))
 )
@@ -1572,20 +1584,20 @@
 
 (when (defined? 'process-codesigning*)
     ;; csops/csops_audittoken
-    (allow process-codesigning-status-set (with telemetry))
-    (allow process-codesigning-text-offset-get (with telemetry))
-    (allow process-codesigning-cdhash-get (with telemetry))
-    (allow process-codesigning-blob-get (with telemetry))
-    (allow process-codesigning-teamid-get (with telemetry))
+    (deny process-codesigning-text-offset-get (with telemetry))
+    (deny process-codesigning-cdhash-get (with telemetry))
+    (deny process-codesigning-blob-get (with telemetry))
+    (deny process-codesigning-teamid-get (with telemetry))
     (allow process-codesigning-identity-get (with telemetry)) ;; codeSigningIdentifierForCurrentProcess
     (allow process-codesigning-entitlements-blob-get) ;; WK reading entitlments via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
     (allow process-codesigning-status-get) ;; _xpc_get_entitlements
+    (allow process-codesigning-status-set (target self))
     (deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
 )
 
 (when (defined? 'socket-option-get)
     ;; getsockopt
-    (allow socket-option-get (with telemetry))
+    (deny socket-option-get (with telemetry))
     (allow socket-option-get
         (require-all
             (socket-option-level SOL_SOCKET)
@@ -1594,7 +1606,7 @@
 
 (when (defined? 'socket-option-set)
     ;; setsockopt
-    (allow socket-option-set (with telemetry))
+    (deny socket-option-set (with telemetry))
 )
 
 (when (defined? 'syscall-unix)
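Review bot: F_NOCACHE and F_RDADVISE are now listed twice in the system-fcntl allow list of com.apple.WebProcess.sb.in: the new unannotated entries at the top of the list (hunk @@ -1543) duplicate the existing annotated ones further down (hunk @@ -1559, CoreNLP::ReadOnlyFile and Security::UnixPlusPlus::FileDesc::fcnt), so the two new lines `(fcntl-command F_NOCACHE)` and `(fcntl-command F_RDADVISE)` should be dropped and the annotated entries kept as the record. The process-codesigning* block (hunk @@ -1572) also diverges from the iOS profile changed in this same commit: here `process-codesigning-identity-get` keeps `(with telemetry)` instead of `(target self)`, and the removed `process-codesigning-status-set` deny is not re-added, so non-self status-set attempts appear to fall to the profile default with no telemetry. If that is intentional, a comment such as `;; still telemetry-only on macOS; the iOS profile restricts this to (target self)` would stop the next profile sync from silently changing it.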