Title: [285579] trunk/Source/WebKit
- Revision
- 285579
- Author
- pvol...@apple.com
- Date
- 2021-11-10 09:06:12 -0800 (Wed, 10 Nov 2021)
Log Message
[macOS][GPUP] Remove access to IOKit classes
https://bugs.webkit.org/show_bug.cgi?id=232308
<rdar://problem/84665748>
Reviewed by Brent Fulgham.
Based on telemetry, remove access to unused IOKit classes in the GPU process' sandbox on macOS.
* GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (285578 => 285579)
--- trunk/Source/WebKit/ChangeLog 2021-11-10 17:05:31 UTC (rev 285578)
+++ trunk/Source/WebKit/ChangeLog 2021-11-10 17:06:12 UTC (rev 285579)
@@ -1,3 +1,15 @@
+2021-11-10 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS][GPUP] Remove access to IOKit classes
+ https://bugs.webkit.org/show_bug.cgi?id=232308
+ <rdar://problem/84665748>
+
+ Reviewed by Brent Fulgham.
+
+ Based on telemetry, remove access to unused IOKit classes in the GPU process' sandbox on macOS.
+
+ * GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
+
2021-11-10 Youenn Fablet <you...@apple.com>
Update libwebrtc to M96
Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (285578 => 285579)
--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-11-10 17:05:31 UTC (rev 285578)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-11-10 17:06:12 UTC (rev 285579)
@@ -110,11 +110,11 @@
;; OpenCL
(allow iokit-open (with telemetry)
(iokit-connection "IOAccelerator")
- (iokit-registry-entry-class "IOAccelerationUserClient")
- (iokit-registry-entry-class "IOSurfaceRootUserClient")
- (iokit-registry-entry-class "IOSurfaceSendRight"))
+ (iokit-registry-entry-class "IOSurfaceRootUserClient"))
+ (deny iokit-open (with telemetry)
+ (iokit-registry-entry-class "IOAccelerationUserClient"))
;; CoreVideo CVCGDisplayLink
- (allow iokit-open (with telemetry)
+ (deny iokit-open (with telemetry)
(iokit-registry-entry-class "IOFramebufferSharedUserClient"))
;; These are needed for Encrypted Media on some hardware (MacMini8,1 for example)
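Review bot: `IOSurfaceSendRight` is dropped from the OpenCL allow list but is not added to the new `(deny iokit-open (with telemetry) ...)` rule, whereas `IOAccelerationUserClient`, removed from the same list, is. If attempts to open every revoked class should keep being reported, the deny rule should also list `(iokit-registry-entry-class "IOSurfaceSendRight")` next to `(iokit-registry-entry-class "IOAccelerationUserClient")`. Otherwise, a one-line comment saying the class is deliberately left to the profile's default rule would make the asymmetry intentional rather than accidental. How the default rule treats and reports this class is not visible in the hunk.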
@@ -124,12 +124,12 @@
)
;; QuartzCore
- (allow iokit-open (with telemetry)
+ (deny iokit-open (with telemetry)
(iokit-registry-entry-class "AGPMClient")
(iokit-registry-entry-class "AppleGraphicsControlClient")
(iokit-registry-entry-class "AppleGraphicsPolicyClient"))
;; OpenGL
- (allow iokit-open (with telemetry)
+ (deny iokit-open (with telemetry)
(iokit-registry-entry-class "AppleMGPUPowerControlClient"))
;; GPU bundles
(allow file-read* (with telemetry)
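Review bot: The `;; QuartzCore` and `;; OpenGL` comments now sit above deny rules, so they read as the reason access is needed while the rule does the opposite. A replacement such as `;; Formerly allowed for QuartzCore; denied with telemetry as unused, see https://bugs.webkit.org/show_bug.cgi?id=232308` would tell the next editor that the deny is deliberate and where the evidence is. The same applies to `;; CoreVideo CVCGDisplayLink` in the previous hunk and `;; QuickTimeUSBVDCDigitizer` in the last hunk. The USB user clients in the last hunk may only be exercised with particular hardware attached, so telemetry could under-represent them and a pointer back to the bug is most useful there. The enclosing forms of these rules begin outside the hunks shown.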
@@ -665,9 +665,7 @@
;; IOKit user clients
(allow iokit-open (with telemetry)
- (iokit-user-client-class "AppleMultitouchDeviceUserClient")
(iokit-user-client-class "AppleUpstreamUserClient")
- (iokit-user-client-class "IOHIDParamUserClient")
(iokit-user-client-class "RootDomainUserClient")
(iokit-user-client-class "IOAudioControlUserClient")
(iokit-user-client-class "IOAudioEngineUserClient")
@@ -674,6 +672,10 @@
;; Following is needed due to <rdar://problem/10427451> && <rdar://problem/10808817>
(iokit-user-client-class "AudioAUUC"))
+(deny iokit-open (with telemetry)
+ (iokit-user-client-class "AppleMultitouchDeviceUserClient")
+ (iokit-user-client-class "IOHIDParamUserClient"))
+
;; Audio
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
(ipc-posix-name-prefix "AudioIO"))
@@ -898,7 +900,7 @@
)
#endif
)
- (allow iokit-open (with telemetry)
+ (deny iokit-open (with telemetry)
;; QuickTimeUSBVDCDigitizer
(iokit-user-client-class "IOUSBDeviceUserClientV2")
(iokit-user-client-class "IOUSBInterfaceUserClientV2"))