Title: [287085] branches/safari-613.1.11-branch/Source/WebKit
- Revision
- 287085
- Author
- repst...@apple.com
- Date
- 2021-12-15 10:32:26 -0800 (Wed, 15 Dec 2021)
Log Message
Cherry-pick r286778. rdar://problem/86221898
[macOS][WP] Block access to unused system calls
https://bugs.webkit.org/show_bug.cgi?id=234003
Reviewed by Brent Fulgham.
Based on telemetry, block access to unused system calls in the WebContent process on macOS.
* WebProcess/com.apple.WebProcess.sb.in:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286778 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-613.1.11-branch/Source/WebKit/ChangeLog (287084 => 287085)
--- branches/safari-613.1.11-branch/Source/WebKit/ChangeLog 2021-12-15 18:19:32 UTC (rev 287084)
+++ branches/safari-613.1.11-branch/Source/WebKit/ChangeLog 2021-12-15 18:32:26 UTC (rev 287085)
@@ -1,3 +1,30 @@
+2021-12-15 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r286778. rdar://problem/86221898
+
+ [macOS][WP] Block access to unused system calls
+ https://bugs.webkit.org/show_bug.cgi?id=234003
+
+ Reviewed by Brent Fulgham.
+
+ Based on telemetry, block access to unused system calls in the WebContent process on macOS.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286778 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-12-09 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS][WP] Block access to unused system calls
+ https://bugs.webkit.org/show_bug.cgi?id=234003
+
+ Reviewed by Brent Fulgham.
+
+ Based on telemetry, block access to unused system calls in the WebContent process on macOS.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-12-10 Russell Epstein <repst...@apple.com>
Cherry-pick r286805. rdar://problem/86331680
Modified: branches/safari-613.1.11-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (287084 => 287085)
--- branches/safari-613.1.11-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-12-15 18:19:32 UTC (rev 287084)
+++ branches/safari-613.1.11-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-12-15 18:32:26 UTC (rev 287085)
@@ -1896,6 +1896,8 @@
(syscall-number
SYS___disable_threadsignal
SYS___mac_syscall
+ SYS___pthread_sigmask
+ SYS___semwait_signal
SYS_access
SYS_bsdthread_create
SYS_bsdthread_ctl
@@ -1906,6 +1908,7 @@
SYS_csops_audittoken
SYS_csrctl
SYS_exit
+ SYS_faccessat ;; <rdar://problem/56690456>
SYS_fcntl
SYS_fcntl_nocancel
SYS_fgetxattr
@@ -1938,6 +1941,8 @@
SYS_kdebug_trace_string ;; Needed for performance sampling, see <rdar://problem/48829655>.
SYS_kevent_id
SYS_kevent_qos
+ SYS_kqueue_workloop_ctl ;; <rdar://problem/50999499>
+ SYS_listxattr
SYS_lseek
SYS_lstat64
SYS_madvise
@@ -1959,16 +1964,23 @@
SYS_psynch_cvwait
SYS_psynch_mutexdrop
SYS_psynch_mutexwait
+ SYS_psynch_rw_unlock
+ SYS_psynch_rw_wrlock
SYS_read
SYS_read_nocancel
SYS_readlink
SYS_rename
+ SYS_sendto
+ SYS_sigprocmask
SYS_stat64
SYS_statfs64
+ SYS_socket
SYS_sysctlbyname
SYS_thread_selfid
SYS_ulock_wait
SYS_ulock_wake
+ SYS_umask
+ SYS_work_interval_ctl
SYS_workq_kernreturn
SYS_write_nocancel
SYS_writev))
@@ -1975,19 +1987,7 @@
(define (syscall-unix-intel)
(syscall-number
- SYS___pthread_sigmask
- SYS___semwait_signal
- SYS_faccessat ;; <rdar://problem/56690456>
- SYS_kqueue_workloop_ctl ;; <rdar://problem/50999499>
- SYS_listxattr
- SYS_psynch_rw_unlock
- SYS_psynch_rw_wrlock
- SYS_sendto
- SYS_sigaltstack
- SYS_sigprocmask
- SYS_socket
- SYS_umask
- SYS_work_interval_ctl))
+ SYS_sigaltstack))
(define (syscall-unix-apple-silicon)
(syscall-number
@@ -1994,79 +1994,30 @@
SYS_guarded_open_dprotected_np ;; <rdar://problem/65897905>
SYS_mremap_encrypted))
-(define (syscalls-possibly-unused)
+(define (syscalls-rarely-used)
(syscall-number
SYS___pthread_kill
- SYS___pthread_markcancel
SYS___semwait_signal_nocancel
- SYS_abort_with_payload
SYS_change_fdguard_np
SYS_chmod
- SYS_chmod_extended
SYS_connect
- SYS_connect_nocancel
- SYS_connectx
- SYS_dup
SYS_fchmod
- SYS_fgetattrlist ;; <rdar://problem/50931110>
- SYS_fileport_makeport
- SYS_fstat64_extended ;; <rdar://problem/61310019>
SYS_fsync
SYS_getegid
- SYS_getpeername
SYS_getpriority ;; rdar://81727094. Required for CoreAudio AudioOutputUnitStart call. Remove when GPU process is enabled by default.
- SYS_getsockopt
- SYS_gettid ;; Needed for base system, see <rdar://problem/48651255>
SYS_guarded_close_np
SYS_guarded_open_np
SYS_guarded_pwrite_np
- SYS_guarded_write_np
SYS_kdebug_typefilter
- SYS_kevent
- SYS_kqueue ;; <rdar://problem/49609201>
- SYS_lstat64_extended
- SYS_lstat_extended
- SYS_memorystatus_control ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
- SYS_mkdirat
SYS_mlock
SYS_munlock
SYS_necp_client_action
SYS_necp_open
- SYS_open_dprotected_np ;; <rdar://problem/74473824>
SYS_openat_nocancel
- SYS_pipe
SYS_proc_rlimit_control
- SYS_process_policy
- SYS_psynch_rw_rdlock ;; <rdar://problem/49060359>
- SYS_pwrite
- SYS_quotactl ;; <rdar://problem/49945031>
- SYS_recvfrom
- SYS_recvfrom_nocancel
- SYS_rmdir
- SYS_select
- SYS_select_nocancel
- SYS_sem_post
- SYS_sem_wait
- SYS_sendmsg_nocancel
- SYS_sendto_nocancel
-#if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
- SYS_setattrlist ;; rdar://problem/74162777
-#endif
- SYS_setpriority
- SYS_setrlimit
- SYS_setsockopt
SYS_shm_open
- SYS_shutdown
SYS_sigaction
- SYS_sigreturn
- SYS_socketpair
- SYS_stat64_extended ;; <rdar://problem/50473330>
SYS_sysctl
- SYS_terminate_with_payload ;; <rdar://problem/50026580>
- SYS_thread_selfusage
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
- SYS_ulock_wait2 ;; <rdar://problem/58743778>
-#endif
SYS_unlink
SYS_write))
@@ -2078,13 +2029,7 @@
(if (equal? (param "CPU") "arm64")
(begin
(allow syscall-unix
- (syscall-unix-apple-silicon))
- (allow syscall-unix
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
- (with telemetry-backtrace)
-#endif
- (syscall-unix-intel)))
-
+ (syscall-unix-apple-silicon)))
(begin
(allow syscall-unix
(syscall-unix-intel))))
@@ -2093,7 +2038,7 @@
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
(with telemetry-backtrace)
#endif
- (syscalls-possibly-unused))
+ (syscalls-rarely-used))
#if __MAC_OS_X_VERSION_MIN_REQUIRED > 101500
(if (defined? 'SYS_objc_bp_assist_cfg_np)
@@ -2220,6 +2165,7 @@
MSC__kernelrpc_mach_port_deallocate_trap
MSC__kernelrpc_mach_port_destruct_trap
MSC__kernelrpc_mach_port_extract_member_trap
+ MSC__kernelrpc_mach_port_get_attributes_trap
MSC__kernelrpc_mach_port_guard_trap
MSC__kernelrpc_mach_port_insert_member_trap
MSC__kernelrpc_mach_port_insert_right_trap
@@ -2244,46 +2190,18 @@
MSC_mk_timer_destroy
MSC_pid_for_task
MSC_semaphore_signal_trap
+ MSC_semaphore_timedwait_trap
MSC_semaphore_wait_trap
+ MSC_swtch_pri
MSC_syscall_thread_switch
MSC_task_name_for_pid
- MSC_thread_get_special_reply_port))
-
-(define (syscall-mach-intel)
- (machtrap-number
- MSC_semaphore_timedwait_trap
+ MSC_thread_get_special_reply_port
MSC_thread_self_trap))
-(define (syscall-mach-apple-silicon)
- (machtrap-number
- MSC__kernelrpc_mach_port_get_attributes_trap
- MSC_swtch_pri))
-
(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
(allow syscall-mach
(syscall-mach-common))
- (if (equal? (param "CPU") "arm64")
- (begin
- (allow syscall-mach
- (syscall-mach-apple-silicon))
- (allow syscall-mach
- (with telemetry)
- (syscall-mach-intel)))
- (begin
- (allow syscall-mach
- (syscall-mach-intel))
- (allow syscall-mach
- (with telemetry)
- (syscall-mach-apple-silicon))))
-
- (allow syscall-mach
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
- (with telemetry-backtrace)
-#endif
- (machtrap-number
- MSC_mach_msg_overwrite_trap)))
-
(when (defined? 'MSC_mach_msg2_trap)
(allow syscall-mach
(machtrap-number MSC_mach_msg2_trap)
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
