Title: [289137] trunk/Source/WebKit
Revision
289137
Author
pvol...@apple.com
Date
2022-02-04 14:17:55 -0800 (Fri, 04 Feb 2022)

Log Message

[iOS][WP] Block access to syscalls that are only used during launch
https://bugs.webkit.org/show_bug.cgi?id=236102
<rdar://problem/88454893>

Reviewed by Brent Fulgham.

On iOS, block access to 12 Unix syscalls and 4 Mach syscalls after the WebContent process has finished launching.
These syscalls are only used during launch.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (289136 => 289137)


--- trunk/Source/WebKit/ChangeLog	2022-02-04 21:34:45 UTC (rev 289136)
+++ trunk/Source/WebKit/ChangeLog	2022-02-04 22:17:55 UTC (rev 289137)
@@ -1,3 +1,16 @@
+2022-02-04  Per Arne Vollan  <pvol...@apple.com>
+
+        [iOS][WP] Block access to syscalls that are only used during launch
+        https://bugs.webkit.org/show_bug.cgi?id=236102
+        <rdar://problem/88454893>
+
+        Reviewed by Brent Fulgham.
+
+        On iOS, block access to 12 Unix syscalls and 4 Mach syscalls after the WebContent process has finished launching.
+        These syscalls are only used during launch.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+
 2022-02-04  Alex Christensen  <achristen...@webkit.org>
 
         Remember whether cached main resources used private relay when considering whether to call _setPrivacyProxyFailClosed

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (289136 => 289137)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-02-04 21:34:45 UTC (rev 289136)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-02-04 22:17:55 UTC (rev 289137)
@@ -1187,24 +1187,13 @@
         SYS_bsdthread_register
         SYS_chdir
         SYS_connect
-        SYS_csops ;; used by Corefoundation initialization
         SYS_dup2
-        SYS_fileport_makefd
         SYS_fsgetpath
-        SYS_getegid
         SYS_getpid
-        SYS_getrlimit
-        SYS_gettid
-        SYS_getuid
-        SYS_ioctl ;; needed by tcgetattr (TIOCGETA - debugging
         SYS_kdebug_trace_string
-        SYS_kdebug_typefilter
         SYS_objc_bp_assist_cfg_np
-        SYS_os_fault_with_payload
         SYS_shared_region_check_np
-        SYS_shm_open
         SYS_sigaction
-        SYS_sysctl
         SYS_workq_open
         SYS_writev))
 
@@ -1220,6 +1209,7 @@
         SYS_change_fdguard_np
         SYS_close
         SYS_close_nocancel
+        SYS_csops ;; used by Corefoundation initialization
         SYS_csops_audittoken ;; used by WK to get entitlments
         SYS_exit
         SYS_faccessat ;; <rdar://problem/56998930>
@@ -1226,6 +1216,7 @@
         SYS_fcntl
         SYS_fcntl_nocancel
         SYS_fgetattrlist ;; <rdar://problem/50266257>
+        SYS_fileport_makefd
         SYS_flock
         SYS_fsetattrlist ;; MTLCompilerFSCache::openSync
         SYS_fsetxattr ;; <rdar://problem/49795964>
@@ -1235,17 +1226,23 @@
         SYS_ftruncate
         SYS_getattrlist ;; xpc_realpath and directory enumeration
         SYS_getdirentries64
+        SYS_getegid
         SYS_getentropy
         SYS_geteuid
         SYS_getfsstat64
+        SYS_getrlimit
         SYS_getrusage
+        SYS_gettid
         SYS_gettimeofday
+        SYS_getuid
         SYS_guarded_close_np
         SYS_guarded_open_dprotected_np ; <rdar://problem/48166729>
         SYS_guarded_open_np
         SYS_guarded_pwrite_np
+        SYS_ioctl ;; needed by tcgetattr (TIOCGETA - debugging
         SYS_issetugid
         SYS_kdebug_trace64
+        SYS_kdebug_typefilter
         SYS_kevent_id
         SYS_kevent_qos
         SYS_kqueue ;; <rdar://problem/49609201>
@@ -1263,6 +1260,7 @@
         SYS_open
         SYS_open_nocancel
         SYS_openat
+        SYS_os_fault_with_payload
         SYS_pathconf
         SYS_pread
         SYS_proc_info
@@ -1281,8 +1279,10 @@
         SYS_sem_close
         SYS_sem_open
         SYS_shared_region_map_and_slide_2_np ;; <rdar://problem/60294880>
+        SYS_shm_open
         SYS_stat64
         SYS_statfs64
+        SYS_sysctl
         SYS_sysctlbyname
         SYS_thread_selfid
         SYS_ulock_wait
@@ -1338,8 +1338,7 @@
         (allow syscall-unix
             (syscall-unix-only-in-use-during-launch)))
     (with-filter (state-flag "WebContentProcessLaunched")
-        (allow syscall-unix
-            (with report)
+        (deny syscall-unix
             (with telemetry)
             (with message "Unix syscall used after launch")
             (syscall-unix-only-in-use-during-launch)))
@@ -1550,8 +1549,7 @@
         (allow syscall-mach
             (syscall-mach-only-in-use-during-launch)))
     (with-filter (state-flag "WebContentProcessLaunched")
-        (allow syscall-mach
-            (with report)
+        (deny syscall-mach
             (with telemetry)
             (with message "Mach syscall used after launch")
             (syscall-mach-only-in-use-during-launch)))
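Review bot: The eleven syscalls this change moves out of `syscall-unix-only-in-use-during-launch` (SYS_csops, SYS_fileport_makefd, SYS_getegid, SYS_getrlimit, SYS_gettid, SYS_getuid, SYS_ioctl, SYS_kdebug_typefilter, SYS_os_fault_with_payload, SYS_shm_open, SYS_sysctl) become unconditionally allowed, which is the opposite direction from the log message, and neither the profile nor the ChangeLog records why they are needed after launch. Presumably the earlier `(allow … (with report))` rule showed post-launch use, but that is not visible here; each moved entry should carry the reason, e.g. `SYS_sysctl ;; observed in use after launch, see https://bugs.webkit.org/show_bug.cgi?id=236102`, so a later tightening pass does not re-add it blind. `SYS_ioctl` in particular moves with the comment `;; needed by tcgetattr (TIOCGETA - debugging`, which describes a debugging need and is missing its closing parenthesis; if it is genuinely required in production the comment should say so, since no ioctl filter constrains it in the visible profile. The switch to `(deny syscall-unix (with telemetry) …)` and the matching Mach rule is the right shape; the Mach launch-only list itself is defined outside this diff, so the four Mach syscalls the log mentions cannot be checked from these hunks.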