[webkit-changes] [283375] trunk/Source/WebKit

[pvollan]

Title: [283375] trunk/Source/WebKit

Revision

283375

Author

pvol...@apple.com

Date

2021-10-01 10:07:54 -0700 (Fri, 01 Oct 2021)

Log Message

Make sandbox rules for debug syscalls stricter
https://bugs.webkit.org/show_bug.cgi?id=230985
<rdar://49531420>

Reviewed by Brent Fulgham.

Make sandbox rules for debug syscalls stricter in the WebContent process on macOS and iOS.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
• trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

Diff

Modified: trunk/Source/WebKit/ChangeLog (283374 => 283375)

--- trunk/Source/WebKit/ChangeLog	2021-10-01 16:48:07 UTC (rev 283374)
+++ trunk/Source/WebKit/ChangeLog	2021-10-01 17:07:54 UTC (rev 283375)
@@ -1,5 +1,18 @@
 2021-10-01  Per Arne Vollan  <pvol...@apple.com>
 
+        Make sandbox rules for debug syscalls stricter
+        https://bugs.webkit.org/show_bug.cgi?id=230985
+        <rdar://49531420>
+
+        Reviewed by Brent Fulgham.
+
+        Make sandbox rules for debug syscalls stricter in the WebContent process on macOS and iOS.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
+2021-10-01  Per Arne Vollan  <pvol...@apple.com>
+
         Send Launch Services database to GPU process
         https://bugs.webkit.org/show_bug.cgi?id=225151
         <rdar://74749122>

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (283374 => 283375)

--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-10-01 16:48:07 UTC (rev 283374)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-10-01 17:07:54 UTC (rev 283375)
@@ -1294,7 +1294,6 @@
         (syscall-number SYS_necp_client_action)
         (syscall-number SYS_ulock_wait)
         (syscall-number SYS_ulock_wake)
-        (syscall-number SYS_kdebug_typefilter)
         (syscall-number SYS_shared_region_check_np)
         (syscall-number SYS_getpid)
         (syscall-number SYS_bsdthread_register)
@@ -1316,7 +1315,6 @@
         (syscall-number SYS_open_dprotected_np)
         (syscall-number SYS_pread_nocancel)
         (syscall-number SYS___semwait_signal_nocancel)
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
         (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
         (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
         (syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271>
@@ -1332,6 +1330,12 @@
         (allow syscall-unix (syscall-number SYS_objc_bp_assist_cfg_np)))
 )
 
+(with-filter (system-attribute apple-internal)
+    (when (defined? 'syscall-unix)
+        (allow syscall-unix
+            (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
+            (syscall-number SYS_kdebug_typefilter))))
+
 (when (defined? 'file-ioctl)
     (deny file-ioctl (with telemetry))
     ;; restrict to the two ioctl's /dev/aes_0 needs

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (283374 => 283375)

--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-10-01 16:48:07 UTC (rev 283374)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-10-01 17:07:54 UTC (rev 283375)
@@ -1971,10 +1971,8 @@
         (syscall-number SYS_ulock_wait)
         (syscall-number SYS_ulock_wake)
         (syscall-number SYS_work_interval_ctl)
-        (syscall-number SYS_kdebug_typefilter)
         (syscall-number SYS_gettid) ;; Needed for base system, see <rdar://problem/48651255>
         (syscall-number SYS_memorystatus_control) ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
         (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/49060359>
         (syscall-number SYS_terminate_with_payload) ;; <rdar://problem/50026580>
         (syscall-number SYS_quotactl) ;; <rdar://problem/49945031>
@@ -2012,6 +2010,12 @@
 #endif
 )
 
+(with-filter (system-attribute apple-internal)
+    (when (defined? 'syscall-unix)
+        (allow syscall-unix
+            (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
+            (syscall-number SYS_kdebug_typefilter))))
+
 #if USE(APPLE_INTERNAL_SDK)
 #include <WebKitAdditions/WebContentSandboxAdditionsMac.sb>
 #endif

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes