Title: [294969] trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
- Revision
- 294969
- Author
- pvol...@apple.com
- Date
- 2022-05-27 17:00:04 -0700 (Fri, 27 May 2022)
Log Message
[macOS][GPUP] Block unused system calls
https://bugs.webkit.org/show_bug.cgi?id=240966
<rdar://84826074>
Reviewed by Chris Dumez.
* Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
Canonical link: https://commits.webkit.org/251073@main
Modified Paths
Diff
Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (294968 => 294969)
--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2022-05-27 23:55:11 UTC (rev 294968)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2022-05-28 00:00:04 UTC (rev 294969)
@@ -904,7 +904,7 @@
(allow mach-message-send (with telemetry)))))
(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
- (allow syscall-mach (with telemetry))
+ (deny syscall-mach (with telemetry))
(allow syscall-mach (machtrap-number
MSC__kernelrpc_mach_port_allocate_trap
MSC__kernelrpc_mach_port_construct_trap
@@ -911,6 +911,7 @@
MSC__kernelrpc_mach_port_deallocate_trap
MSC__kernelrpc_mach_port_destruct_trap
MSC__kernelrpc_mach_port_extract_member_trap
+ MSC__kernelrpc_mach_port_get_attributes_trap
MSC__kernelrpc_mach_port_guard_trap
MSC__kernelrpc_mach_port_insert_member_trap
MSC__kernelrpc_mach_port_insert_right_trap
@@ -917,29 +918,45 @@
MSC__kernelrpc_mach_port_mod_refs_trap
MSC__kernelrpc_mach_port_request_notification_trap
MSC__kernelrpc_mach_port_type_trap
+ MSC__kernelrpc_mach_port_unguard_trap
MSC__kernelrpc_mach_vm_allocate_trap
MSC__kernelrpc_mach_vm_deallocate_trap
MSC__kernelrpc_mach_vm_map_trap
MSC__kernelrpc_mach_vm_protect_trap
+ MSC__kernelrpc_mach_vm_purgable_control_trap
MSC_host_create_mach_voucher_trap
MSC_host_self_trap
+ MSC_iokit_user_client_trap
+ MSC_mach_generate_activity_id
MSC_mach_msg_trap
MSC_mach_reply_port
MSC_mach_voucher_extract_attr_recipe_trap
+ MSC_mk_timer_arm
+ MSC_mk_timer_cancel
+ MSC_mk_timer_create
+ MSC_mk_timer_destroy
MSC_pid_for_task
MSC_semaphore_signal_trap
+ MSC_semaphore_timedwait_trap
MSC_semaphore_wait_trap
MSC_swtch_pri
MSC_syscall_thread_switch
- MSC_thread_get_special_reply_port)))
+ MSC_task_name_for_pid
+ MSC_task_self_trap
+ MSC_thread_get_special_reply_port))
+
+ (when (defined? 'MSC_mach_msg2_trap)
+ (allow syscall-mach
+ (machtrap-number MSC_mach_msg2_trap))))
#endif // HAVE(SANDBOX_MESSAGE_FILTERING)
(when (defined? 'syscall-unix)
- (allow syscall-unix (with telemetry))
+ (deny syscall-unix (with telemetry))
(allow syscall-unix (syscall-number
SYS___channel_open
SYS___disable_threadsignal
SYS___mac_syscall
+ SYS___pthread_canceled
SYS___pthread_kill
SYS___pthread_sigmask
SYS___semwait_signal
@@ -981,6 +998,7 @@
SYS_gettimeofday
SYS_getuid
SYS_getxattr
+ SYS_guarded_open_np
SYS_issetugid
SYS_kdebug_trace
SYS_kdebug_trace64
@@ -1024,6 +1042,8 @@
SYS_readlink
SYS_rename
SYS_sendto
+ SYS_setrlimit
+ SYS_setsockopt
SYS_sigaltstack
SYS_sigprocmask
SYS_socket
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes