Title: [290066] trunk/Source/WebKit
- Revision
- 290066
- Author
- pvol...@apple.com
- Date
- 2022-02-17 13:27:37 -0800 (Thu, 17 Feb 2022)
Log Message
[macOS][WP] Add required syscall to sandbox
https://bugs.webkit.org/show_bug.cgi?id=236781
<rdar://89072361>
Reviewed by Chris Dumez.
Add required syscall to the WebContent process' sandbox on macOS. This patch also adds back a set of
syscalls that were removed in https://commits.webkit.org/r286778 for current and previous versions
of macOS. These syscalls will be denied going forward.
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (290065 => 290066)
--- trunk/Source/WebKit/ChangeLog 2022-02-17 21:19:01 UTC (rev 290065)
+++ trunk/Source/WebKit/ChangeLog 2022-02-17 21:27:37 UTC (rev 290066)
@@ -1,3 +1,17 @@
+2022-02-17 Per Arne Vollan <pvol...@apple.com>
+
+ [macOS][WP] Add required syscall to sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=236781
+ <rdar://89072361>
+
+ Reviewed by Chris Dumez.
+
+ Add required syscall to the WebContent process' sandbox on macOS. This patch also adds back a set of
+ syscalls that were removed in https://commits.webkit.org/r286778 for current and previous versions
+ of macOS. These syscalls will be denied going forward.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2022-02-17 Kimmo Kinnunen <kkinnu...@apple.com>
ASSERTION FAILED: Thread::current().uid() == threadAssertion.m_uid for RemoteVideoFrameObjectHeap
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (290065 => 290066)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2022-02-17 21:19:01 UTC (rev 290065)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2022-02-17 21:27:37 UTC (rev 290066)
@@ -1895,6 +1895,57 @@
(disable-syscall-inference)
#endif
+#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
+(define (syscall-unix-older-macOS)
+ (syscall-number
+ SYS___pthread_markcancel
+ SYS_abort_with_payload
+ SYS_chmod_extended
+ SYS_connect_nocancel
+ SYS_connectx
+ SYS_fgetattrlist ;; <rdar://problem/50931110>
+ SYS_fileport_makeport
+ SYS_fstat64_extended ;; <rdar://problem/61310019>
+ SYS_getpeername
+ SYS_getsockopt
+ SYS_guarded_write_np
+ SYS_lstat64_extended
+ SYS_lstat_extended
+ SYS_memorystatus_control ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
+ SYS_mkdirat
+ SYS_open_dprotected_np ;; <rdar://problem/74473824>
+ SYS_pipe
+ SYS_process_policy
+ SYS_psynch_rw_rdlock ;; <rdar://problem/49060359>
+ SYS_pwrite
+ SYS_quotactl ;; <rdar://problem/49945031>
+ SYS_recvfrom
+ SYS_recvfrom_nocancel
+ SYS_rmdir
+ SYS_select
+ SYS_select_nocancel
+ SYS_sem_post
+ SYS_sem_wait
+ SYS_sendmsg_nocancel
+ SYS_sendto_nocancel
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
+ SYS_setattrlist ;; rdar://problem/74162777
+#endif
+ SYS_setpriority
+ SYS_setrlimit
+ SYS_setsockopt
+ SYS_shutdown
+ SYS_sigreturn
+ SYS_socketpair
+ SYS_stat64_extended ;; <rdar://problem/50473330>
+ SYS_terminate_with_payload ;; <rdar://problem/50026580>
+ SYS_thread_selfusage
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+ SYS_ulock_wait2 ;; <rdar://problem/58743778>
+#endif
+))
+#endif
+
(define (syscall-unix-common)
(syscall-number
SYS___disable_threadsignal
@@ -1942,6 +1993,7 @@
SYS_kdebug_trace
SYS_kdebug_trace64
SYS_kdebug_trace_string ;; Needed for performance sampling, see <rdar://problem/48829655>.
+ SYS_kevent ;; <rdar://89072361>
SYS_kevent_id
SYS_kevent_qos
SYS_kqueue ;; See <rdar://problem/88241768>. Remove after <rdar://56634240> is resolved.
@@ -2049,6 +2101,11 @@
(allow syscall-unix
(syscall-unix-common))
+#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
+ (allow syscall-unix
+ (syscall-unix-older-macOS))
+#endif
+
(if (equal? (param "CPU") "arm64")
(begin
(allow syscall-unix
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
