Title: [294903] trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
Revision
294903
Author
pvol...@apple.com
Date
2022-05-26 15:34:25 -0700 (Thu, 26 May 2022)

Log Message

[iOS][WP] Block access to file-ioctl commands
https://bugs.webkit.org/show_bug.cgi?id=240977
<rdar://88334007>

Reviewed by Chris Dumez.

This is based on collected telemetry. This patch also adds telemetry to file read/write of /dev/aes_0
to determine if that can be removed as well.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Canonical link: https://commits.webkit.org/251026@main

Modified Paths

Diff

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (294902 => 294903)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-05-26 22:22:08 UTC (rev 294902)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-05-26 22:34:25 UTC (rev 294903)
@@ -315,7 +315,7 @@
           (literal "/dev/random")
           (literal "/dev/urandom"))
 
-    (allow file-read* file-write-data
+    (allow file-read* file-write-data (with telemetry)
            (literal "/dev/aes_0")))
 
 (define required-etc-files
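Review bot: the `(with telemetry)` added to the `file-read* file-write-data` allow for `/dev/aes_0` records usage but leaves no trace in the profile of why it is being measured; a short comment above the rule (e.g. `;; telemetry: candidate for removal, see webkit.org/b/240977`) would keep the follow-up removal from being lost once the ioctl path below is gone. With the `IOAES_*` ioctls now denied, this read/write allow is the only remaining way the process can touch `/dev/aes_0`, so a non-zero telemetry count here means some code path still opens the device and will then hit the ioctl deny; a zero count is the signal that the whole `/dev/aes_0` block can be dropped.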
@@ -1239,14 +1239,8 @@
 
 (deny file-ioctl (with telemetry))
 
-;; restrict to the two ioctl's /dev/aes_0 needs
-(allow file-ioctl (with telemetry)
-    (require-all
-        (literal "/dev/aes_0")
-        (require-any
-            (ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
-            (ioctl-command (_IO "T" 102)) ;; IOAES_ENCRYPT_DECRYPT
-)))
+(deny file-ioctl (with telemetry)
+    (literal "/dev/aes_0"))
 
 (deny socket-ioctl (with telemetry))
 
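Review bot: the new `(deny file-ioctl (with telemetry) (literal "/dev/aes_0"))` is redundant with the unconditional `(deny file-ioctl (with telemetry))` two lines above it: both rules deny and both report, so whichever rule the profile compiler treats as taking precedence, the observable result for an ioctl on `/dev/aes_0` is the same. If the narrower rule is intentionally kept so that `/dev/aes_0` attempts are attributable separately in the collected telemetry, say so in a comment; otherwise drop it and rely on the blanket deny. The removed `;; restrict to the two ioctl's /dev/aes_0 needs` comment should also be replaced rather than deleted outright, e.g. `;; IOAES_GET_INFO / IOAES_ENCRYPT_DECRYPT were unused per telemetry (rdar://88334007)`, so a reader of the profile does not have to dig up the revision history to learn why the two `_IO "T"` commands were once allowed and are now blocked.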
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes