Title: [292146] trunk/Source
Revision
292146
Author
pvol...@apple.com
Date
2022-03-31 01:40:01 -0700 (Thu, 31 Mar 2022)

Log Message

Add runtime flag for blocking IOKit resources in the WebContent process' sandbox
https://bugs.webkit.org/show_bug.cgi?id=238528

Reviewed by Simon Fraser.

Source/WebKit:

This flag enables a set of sandbox rules in the WebContent process that block graphics-related
IOKit classes and the Metal compiler service.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* WebProcess/WebPage/WebPage.cpp:

Source/WTF:

* Scripts/Preferences/WebPreferencesInternal.yaml:

Modified Paths

Diff

Modified: trunk/Source/WTF/ChangeLog (292145 => 292146)


--- trunk/Source/WTF/ChangeLog	2022-03-31 08:26:58 UTC (rev 292145)
+++ trunk/Source/WTF/ChangeLog	2022-03-31 08:40:01 UTC (rev 292146)
@@ -1,3 +1,12 @@
+2022-03-31  Per Arne Vollan  <pvol...@apple.com>
+
+        Add runtime flag for blocking IOKit resources in the WebContent process' sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=238528
+
+        Reviewed by Simon Fraser.
+
+        * Scripts/Preferences/WebPreferencesInternal.yaml:
+
 2022-03-30  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         [Cocoa] Link WebCore with WebGPU.framework 🎉

Modified: trunk/Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml (292145 => 292146)


--- trunk/Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml	2022-03-31 08:26:58 UTC (rev 292145)
+++ trunk/Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml	2022-03-31 08:40:01 UTC (rev 292146)
@@ -122,6 +122,16 @@
     WebCore:
       default: false
 
+BlockIOKitInWebContentSandbox:
+  type: bool
+  humanReadableName: "IOKit blocking in the WebContent sandbox"
+  humanReadableDescription: "Block IOKit access in the WebContent sandbox"
+  webcoreBinding: none
+  exposed: [ WebKit ]
+  defaultValue:
+    WebKit:
+      default: false
+
 CSSDisplayContentsAXSupportEnabled:
   type: bool
   humanReadableName: "Accessibility support for display: contents elements"

Modified: trunk/Source/WebKit/ChangeLog (292145 => 292146)


--- trunk/Source/WebKit/ChangeLog	2022-03-31 08:26:58 UTC (rev 292145)
+++ trunk/Source/WebKit/ChangeLog	2022-03-31 08:40:01 UTC (rev 292146)
@@ -1,3 +1,16 @@
+2022-03-31  Per Arne Vollan  <pvol...@apple.com>
+
+        Add runtime flag for blocking IOKit resources in the WebContent process' sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=238528
+
+        Reviewed by Simon Fraser.
+
+        This flag will trigger a set of sandbox rules in the WebContent process which will block graphics
+        related IOKit classes and the Metal compiler service.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+        * WebProcess/WebPage/WebPage.cpp:
+
 2022-03-30  Simon Fraser  <simon.fra...@apple.com>
 
         Crash the WebContent process if the RemoteRenderingBackend::PrepareBuffersForDisplay IPC fails

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (292145 => 292146)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-03-31 08:26:58 UTC (rev 292145)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-03-31 08:40:01 UTC (rev 292146)
@@ -1042,7 +1042,7 @@
     (xpc-service-name "com.apple.audio.toolbox.reporting.service")
 )
 
-(allow iokit-open (with telemetry)
+(allow iokit-open (with telemetry-backtrace)
     (require-all
         (require-not (extension "com.apple.webkit.extension.iokit"))
         (iokit-user-client-class
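Review bot: The switch from `(with telemetry)` to `(with telemetry-backtrace)` on this `allow iokit-open` rule is not covered by the commit message, which only describes the new BlockIOKitInWebContentSandbox flag; the same substitution is made in the next hunk on the `(allow iokit-open (with report) ...)` rule. Presumably the modifier only changes what the sandbox telemetry records (a backtrace in addition to the report) and not whether the operation is allowed — confirm. A ChangeLog sentence such as `Also switch the IOKit allow rules from telemetry to telemetry-backtrace so that reports carry the calling stack.` would make that intent reviewable. The enclosing `require-all` form continues outside the hunk.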
@@ -1067,7 +1067,7 @@
     )
 )
 
-(allow iokit-open (with report) (with telemetry)
+(allow iokit-open (with report) (with telemetry-backtrace)
     (require-all
         (require-not (extension "com.apple.webkit.extension.iokit"))
         (iokit-connection "IOGPU")
@@ -1074,6 +1074,27 @@
     )
 )
 
+#if HAVE(SANDBOX_STATE_FLAGS)
+;; This rule enables the WebContent process to enable the "BlockIOKitInWebContentSandbox" sandbox variable
+;; by reading a preference from the domain "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox".
+(deny user-preference-read (with enable-state-flag "BlockIOKitInWebContentSandbox")
+    (preference-domain "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox"))
+
+(with-filter (state-flag "BlockIOKitInWebContentSandbox")
+    (deny iokit-open (with telemetry-backtrace)
+        (require-all
+            (require-not (extension "com.apple.webkit.extension.iokit"))
+            (iokit-user-client-class "IOSurfaceRootUserClient")))
+    (deny iokit-open (with telemetry-backtrace)
+        (require-all
+            (require-not (extension "com.apple.webkit.extension.iokit"))
+            (iokit-connection "IOGPU")))
+    (deny mach-lookup (with telemetry-backtrace)
+        (require-all
+            (require-not (extension "com.apple.webkit.extension.mach"))
+            (xpc-service-name "com.apple.MTLCompilerService"))))
+#endif
+
 (with-filter (system-attribute apple-internal)
     (allow mach-lookup
         (global-name "com.apple.diagnosticd")
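Review bot: The `(with-filter (state-flag "BlockIOKitInWebContentSandbox") ...)` block has no comment stating which rules it is meant to override, and its effect depends on it being placed after the `(allow iokit-open ...)` rules for IOSurfaceRootUserClient and IOGPU earlier in the file, since as I understand this profile language a later matching rule takes precedence — confirm that ordering assumption. A comment such as `;; Once the flag is set, revoke the IOSurface/IOGPU iokit-open and MTLCompilerService mach-lookup grants above; this block must stay below those allow rules.` above the `with-filter` would make the constraint explicit for future edits. The `(require-not (extension ...))` clauses mean a process that already holds the IOKit or Mach extension keeps access even with the flag set, which mirrors the allow rules but is worth stating in the same comment. The flag is presumably one-way for the lifetime of the process (the `enable-state-flag` rule on the denied preference read can only set it) — confirm.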

Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp (292145 => 292146)


--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp	2022-03-31 08:26:58 UTC (rev 292145)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp	2022-03-31 08:40:01 UTC (rev 292146)
@@ -907,6 +907,8 @@
         // This call should be replaced with proper API when available.
         CFPreferencesGetAppIntegerValue(CFSTR("key"), CFSTR("com.apple.WebKit.WebContent.AppCacheDisabled"), nullptr);
     }
+    if (parameters.store.getBoolValueForKey(WebPreferencesKey::blockIOKitInWebContentSandboxKey()))
+        CFPreferencesGetAppIntegerValue(CFSTR("key"), CFSTR("com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox"), nullptr);
 #endif
 
     updateThrottleState();
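Review bot: The new `CFPreferencesGetAppIntegerValue` call carries no comment, so a reader cannot tell that its only purpose is to be denied by the sandbox rule that enables the `BlockIOKitInWebContentSandbox` state flag and that its return value is intentionally discarded; the preceding AppCacheDisabled block at least says `// This call should be replaced with proper API when available.` Suggest adding `// Intentionally denied by the sandbox: the denied read enables the BlockIOKitInWebContentSandbox state flag. Replace with proper API when available.` above the `if`. The enclosing function starts outside the hunk and the `#if` matching the `#endif` on the following line is not visible, so it cannot be checked here that the guard agrees with the `HAVE(SANDBOX_STATE_FLAGS)` guard used in the sandbox profile — worth confirming. Because the flag is only set at this point, any IOSurface/IOGPU connections the process opened earlier in startup are presumably unaffected by the deny rules; confirm that window is acceptable.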