Title: [228419] trunk/Source/WebKit
Revision: 228419
Author: bfulg...@apple.com
Date: 2018-02-13 08:51:10 -0800 (Tue, 13 Feb 2018)

Log Message

[iOS] whitelist iokit-get-properties
https://bugs.webkit.org/show_bug.cgi?id=182722
<rdar://problem/30929165>

Reviewed by Eric Carlson.

Update the iOS sandbox to block access to IOKit properties that are not needed for
legitimate WebContent process use. This brings the iOS sandbox in line with the
work done under macOS.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (228418 => 228419)


--- trunk/Source/WebKit/ChangeLog	2018-02-13 12:11:33 UTC (rev 228418)
+++ trunk/Source/WebKit/ChangeLog	2018-02-13 16:51:10 UTC (rev 228419)
@@ -1,3 +1,17 @@
+2018-02-13  Brent Fulgham  <bfulg...@apple.com>
+
+        [iOS] whitelist iokit-get-properties
+        https://bugs.webkit.org/show_bug.cgi?id=182722
+        <rdar://problem/30929165>
+
+        Reviewed by Eric Carlson.
+
+        Update the iOS sandbox to block access to IOKit properties that are not needed for
+        legitimate WebContent process use. This brings the iOS sandbox in line with the
+        work done under macOS.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2018-02-12  John Wilander  <wilan...@apple.com>
 
         Resource Load Statistics: Classify resources as prevalent based on redirects to other prevalent resources
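Review bot: The per-file line `* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:` in the new ChangeLog entry is left without a description, and the summary above it says only that unneeded properties are blocked. Please record there that the profile now denies `iokit-get-properties` by default and re-allows an explicit list of property names, so a later reader of the ChangeLog can tell that any property missing from the list is refused in the WebContent process.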

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (228418 => 228419)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2018-02-13 12:11:33 UTC (rev 228418)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb	2018-02-13 16:51:10 UTC (rev 228419)
@@ -311,6 +311,23 @@
         "kern.memorystatus_level"
         "vm.footprint_suspend"))
 
+(deny iokit-get-properties (with partial-symbolication))
+(allow iokit-get-properties
+    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
+    (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI))")
+    (iokit-property "BaseAddressAlignmentRequirement")
+    (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
+    (iokit-property-regex #"^IOGL(|ES(|Metal))BundleName")
+    (iokit-property "IOGLESDefaultUseMetal")
+    (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
+    (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
+    (iokit-property "emu")
+    (iokit-property "hdcp-hoover-protocol")
+    (iokit-property "iommu-present")
+    (iokit-property "product-id")
+    (iokit-property "software-behavior")
+)
+
 ;; Read-only preferences and data
 (mobile-preferences-read
     "com.apple.LaunchServices"
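Review bot: The five `iokit-property-regex` patterns in the new allow block are anchored with `^` but have no closing `$`, so if the matcher treats them as prefix matches, each one also admits any longer property name that starts with a listed name (for example anything beginning with `MetalPluginName` or `AAPL,slot-name`). If only the exact names are intended, end each pattern with `$`, or list the names as literal `iokit-property` entries like the others. The block also carries no comment, unlike the `;; Read-only preferences and data` section that follows it; a short `;;` line stating that this is a default-deny allow-list, and why opaque names such as `"emu"` and `"software-behavior"` are required, would make later audits of the list easier. Minor style point: the lone `)` on its own line differs from the closing style of the preceding form, which ends with `"vm.footprint_suspend"))`.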