Title: [213564] trunk/Source/WebKit2
- Revision: 213564
- Author: [email protected]
- Date: 2017-03-07 20:49:26 -0800 (Tue, 07 Mar 2017)
Log Message
[Mac][WK2] Whitelist iokit-get-properties
https://bugs.webkit.org/show_bug.cgi?id=169331
<rdar://problem/16363632>
Reviewed by Alex Christensen.
Block access to all IOKit properties by default. Turn on only those properties
that are actually needed by our engine.
* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:
Diff
Modified: trunk/Source/WebKit2/ChangeLog (213563 => 213564)
--- trunk/Source/WebKit2/ChangeLog 2017-03-08 03:54:28 UTC (rev 213563)
+++ trunk/Source/WebKit2/ChangeLog 2017-03-08 04:49:26 UTC (rev 213564)
@@ -1,3 +1,19 @@
+2017-03-07 Brent Fulgham <[email protected]>
+
+ [Mac][WK2] Whitelist iokit-get-properties
+ https://bugs.webkit.org/show_bug.cgi?id=169331
+ <rdar://problem/16363632>
+
+ Reviewed by Alex Christensen.
+
+ Block access to all IOKit properties by default. Turn on only those properties
+ that are actually needed by our engine.
+
+ * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2017-03-07 Simon Fraser <[email protected]>
Enable SubpixelAntialiasedLayerTextEnabled by default on some versions of macOS
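Review bot: The four per-file lines in the new ChangeLog entry end at the colon with no description, so the entry does not record that the profiles are treated differently. The Databases and NetworkProcess profiles receive only `(deny iokit-get-properties)`, while plugin-common and WebProcess receive a deny followed by an allow list; a short phrase after each colon saying which case applies would let a reader auditing the sandbox history see that without opening the diff.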
Modified: trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (213563 => 213564)
--- trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in 2017-03-08 03:54:28 UTC (rev 213563)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in 2017-03-08 04:49:26 UTC (rev 213564)
@@ -40,6 +40,8 @@
"hw.ncpu"
"hw.model"
"kern.memorystatus_level"))
+
+(deny iokit-get-properties)
#endif
;; Utility functions for home directory relative path filters
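Review bot: The new `(deny iokit-get-properties)` sits directly above `#endif`, so it only takes effect in builds where the enclosing preprocessor condition holds, while the log message describes blocking all IOKit properties by default. The condition itself is outside the visible context; a comment beside the rule stating which builds get the deny, and that this profile intentionally carries no matching `(allow iokit-get-properties ...)` list, would make the scope clear to the next person editing the profile.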
Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (213563 => 213564)
--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2017-03-08 03:54:28 UTC (rev 213563)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2017-03-08 04:49:26 UTC (rev 213564)
@@ -40,6 +40,8 @@
"hw.ncpu"
"hw.model"
"kern.memorystatus_level"))
+
+(deny iokit-get-properties)
#endif
;; Utility functions for home directory relative path filters
Modified: trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (213563 => 213564)
--- trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2017-03-08 03:54:28 UTC (rev 213563)
+++ trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in 2017-03-08 04:49:26 UTC (rev 213564)
@@ -40,6 +40,33 @@
"hw.ncpu"
"hw.model"
"kern.memorystatus_level"))
+
+(deny iokit-get-properties)
+(allow iokit-get-properties
+ (iokit-property "AllowDisplaySleep")
+ (iokit-property "DisplayRouting")
+ (iokit-property-regex #"^IOAudioControl(ChannelID|ID|SubType|Usage)")
+ (iokit-property-regex #"^IOAudioDevice(CanBeDefaults|TransportType)")
+ (iokit-property-regex #"^IOAudioEngine(ChannelNames|ClientDescription|CoreAudioPlugIn|Description|Flavor|GlobalUniqueID|OutputChannelLayout|SampleOffset|State)")
+ (iokit-property-regex #"^IOAudioEngineClock(Domain|IsStable)")
+ (iokit-property "IOAudioEngineDisableClockBoundsCheck")
+ (iokit-property-regex #"^IOAudioEngine(Input|Output)Sample(Latency|Offset)")
+ (iokit-property-regex #"^IOAudioEngineNum(ActiveUserClients|SampleFramesPerBuffer)")
+ (iokit-property "IOAudioSampleRate")
+ (iokit-property "IOAudioStreamSampleFormatByteOrder")
+ (iokit-property "IOClassNameOverride")
+ (iokit-property "IOConsoleUsers")
+ (iokit-property "IOFBCurrentPixelClock")
+ (iokit-property-regex #"^IOFBCurrentPixelCount(Real)")
+ (iokit-property "IOGeneralInterest")
+ (iokit-property "IOGLBundleName")
+ (iokit-property "IOScreenRestoreState")
+ (iokit-property "IOVARendererID")
+ (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
+ (iokit-property "SupportAudioAUUC")
+ (iokit-property "board-id")
+ (iokit-property "idProduct")
+ (iokit-property "idVendor"))
#endif
;; Utility functions
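Review bot: In the plugin allow list, `(iokit-property-regex #"^IOFBCurrentPixelCount(Real)")` has a group with a single alternative, so it only admits names beginning with `IOFBCurrentPixelCountReal`, whereas the WebProcess profile in this same revision uses `(|Real)`, which also admits `IOFBCurrentPixelCount`. If the narrower rule is intended for plugins, drop the group and say so in a comment; if not, add the empty alternative so the two profiles agree. The same applies to `IOClassNameOverride`, which is a literal here but `^IOClass(|NameOverride)` in WebProcess.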
Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (213563 => 213564)
--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2017-03-08 03:54:28 UTC (rev 213563)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2017-03-08 04:49:26 UTC (rev 213564)
@@ -43,6 +43,60 @@
"hw.ncpu"
"hw.model"
"kern.memorystatus_level"))
+
+(deny iokit-get-properties)
+(allow iokit-get-properties
+ (iokit-property "AllowDisplaySleep")
+ (iokit-property "AAPL,mux-switch-state")
+ (iokit-property-regex #"^ATY,fb_(linebytes|offset|size)")
+ (iokit-property "CFBundleIdentifier")
+ (iokit-property "DisplayRouting")
+ (iokit-property-regex #"^IOAccel(Index|Types|Revision)")
+ (iokit-property-regex #"^IO(Class|MatchCategory|NameMatch)")
+ (iokit-property-regex #"^IOAudioControl(ChannelID|ID|SubType|Usage)")
+ (iokit-property-regex #"^IOAudioDevice(CanBeDefaults|TransportType)")
+ (iokit-property-regex #"^IOAudioEngine(ChannelNames|ClientDescription|CoreAudioPlugIn|Description|Flavor|GlobalUniqueID|OutputChannelLayout|SampleOffset|State)")
+ (iokit-property-regex #"^IOAudioEngineClock(Domain|IsStable)")
+ (iokit-property "IOAudioEngineDisableClockBoundsCheck")
+ (iokit-property-regex #"^IOAudioEngine(Input|Output)Sample(Latency|Offset)")
+ (iokit-property-regex #"^IOAudioEngineNum(ActiveUserClients|SampleFramesPerBuffer)")
+ (iokit-property "IOAudioSampleRate")
+ (iokit-property "IOAudioStreamSampleFormatByteOrder")
+ (iokit-property "IOCFPlugInTypes")
+ (iokit-property-regex #"^IOClass(|NameOverride)")
+ (iokit-property "IOConsoleUsers")
+ (iokit-property "IODVDBundleName")
+ (iokit-property "IODisplayParameters")
+ (iokit-property-regex #"^IOFB(CLUTDefer|Config|CursorInfo|Dependent(ID|Index))")
+ (iokit-property "IOFBCurrentPixelClock")
+ (iokit-property-regex #"^IOFBCurrentPixelCount(|Real)")
+ (iokit-property-regex #"^IOFB(DetailedTimings|Gamma(Count|HeaderSize|Width))")
+ (iokit-property-regex #"^IOFBI2CInterface(IDs|Info)")
+ (iokit-property-regex #"^IOFB(MemorySize|NeedsRefresh|ProbeOptions|ScalerInfo|TimingRange|Transform|UIScale|WaitCursor(Frames|Period))")
+ (iokit-property "IOFramebufferOpenGLIndex")
+ (iokit-property "IOGeneralInterest")
+ (iokit-property "IOGLBundleName")
+ (iokit-property-regex #"^IOGVA(Codec|EncoderRestricted)")
+ (iokit-property "IOMatchCategory")
+ (iokit-property-regex #"^IONameMatch(|ed)")
+ (iokit-property "IOPMStrictTreeOrder")
+ (iokit-property "IOPowerManagement")
+ (iokit-property "IOProbeScore")
+ (iokit-property "IOProviderClass")
+ (iokit-property "IOScreenRestoreState")
+ (iokit-property "IOVARendererID")
+ (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
+ (iokit-property "Protocol Characteristics")
+ (iokit-property "SupportAudioAUUC")
+ (iokit-property-regex #"^audio-(codec-info|selector)")
+ (iokit-property "av-signal-type")
+ (iokit-property "board-id")
+ (iokit-property "boot-gamma-restored")
+ (iokit-property "graphic-options")
+ (iokit-property "idProduct")
+ (iokit-property "idVendor")
+ (iokit-property "iofb_version")
+ (iokit-property "startup-timing"))
#endif
;; Utility functions for home directory relative path filters
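Review bot: The regex entries in the WebProcess allow list are anchored with `^` but never with `$`, so, assuming the filter is a search rather than a full match (which the explicit `^` suggests), each one admits every property name that starts with the listed prefix. `^IO(Class|MatchCategory|NameMatch)` then already covers the later `^IOClass(|NameOverride)`, `IOMatchCategory` and `^IONameMatch(|ed)` entries, and the list is broader than the commit's "only those properties that are actually needed" reads. Consider ending each pattern with `$`, or replacing the alternations with literal `iokit-property` entries, and removing the overlapping rules so the list states exactly what is allowed.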