[webkit-changes] [242600] trunk/Source/WebKit

[pvollan]

Title: [242600] trunk/Source/WebKit

Revision

242600

Author

pvol...@apple.com

Date

2019-03-07 09:46:12 -0800 (Thu, 07 Mar 2019)

Log Message

[iOS] Disable permissive call logging in sandbox
https://bugs.webkit.org/show_bug.cgi?id=195288
<rdar://problem/47683804>

Reviewed by Brent Fulgham.

As on macOS, we should enable strict call filtering in sandbox on iOS.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

Diff

Modified: trunk/Source/WebKit/ChangeLog (242599 => 242600)

--- trunk/Source/WebKit/ChangeLog	2019-03-07 17:40:40 UTC (rev 242599)
+++ trunk/Source/WebKit/ChangeLog	2019-03-07 17:46:12 UTC (rev 242600)
@@ -1,3 +1,15 @@
+2019-03-07  Per Arne Vollan  <pvol...@apple.com>
+
+        [iOS] Disable permissive call logging in sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=195288
+        <rdar://problem/47683804>
+
+        Reviewed by Brent Fulgham.
+
+        As on macOS, we should enable strict call filtering in sandbox on iOS.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2019-03-07  Youenn Fablet  <you...@apple.com>
 
         Introduce a quota manager for Cache API/Service Worker/IDB storage

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (242599 => 242600)

--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2019-03-07 17:40:40 UTC (rev 242599)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2019-03-07 17:46:12 UTC (rev 242600)
@@ -542,7 +542,7 @@
 )
 
 (when (defined? 'syscall-unix)
-    (allow syscall-unix (with report))
+    (deny syscall-unix (with send-signal SIGKILL))
     (allow syscall-unix
         (syscall-number SYS_exit)
         (syscall-number SYS_read)
@@ -685,5 +685,11 @@
         (syscall-number SYS_sem_close)
         (syscall-number SYS_fsetattrlist)
         (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
+        (syscall-number SYS_mremap_encrypted)
+        (syscall-number SYS_dup2)
+        (syscall-number SYS_fileport_makefd)
+        (syscall-number SYS_os_fault_with_payload)
+        (syscall-number SYS_persona)
+        (syscall-number SYS_work_interval_ctl)
     )
 )

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes