Title: [240289] trunk/Source/WebKit
- Revision: 240289
- Author: [email protected]
- Date: 2019-01-22 13:22:34 -0800 (Tue, 22 Jan 2019)
Log Message
[macOS] Adjust logging policy in WebKit's sandbox
https://bugs.webkit.org/show_bug.cgi?id=193454
Reviewed by Brent Fulgham.
Add a rule to initially deny all calls, since the default is to allow every call.
Later rules allow syscalls that we determined are needed for proper WebKit function.
This reduces the API surface available to attackers.
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (240288 => 240289)
--- trunk/Source/WebKit/ChangeLog 2019-01-22 21:15:35 UTC (rev 240288)
+++ trunk/Source/WebKit/ChangeLog 2019-01-22 21:22:34 UTC (rev 240289)
@@ -1,3 +1,16 @@
+2019-01-22 Per Arne Vollan <[email protected]>
+
+ [macOS] Adjust logging policy in WebKit's sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=193454
+
+ Reviewed by Brent Fulgham.
+
+ Add a rule to initially deny all calls, since the default is to allow every call.
+ Later rules allow syscalls that we determined are needed for proper WebKit function.
+ This reduces the API surface available to attackers.
+
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2019-01-22 Daniel Bates <[email protected]>
[iOS] WebKit should handle shift state changes when using the software keyboard
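Review bot: The entry title, "Adjust logging policy in WebKit's sandbox", does not match its body, which describes adding an initial deny rule for syscalls and says nothing about logging. Anyone searching the ChangeLog for the syscall filtering change will not find it by title, so consider retitling the entry. The `* WebProcess/com.apple.WebProcess.sb.in:` line also has no per-file description; a short note there that a `deny syscall-unix` rule now precedes the allow list would make the entry self-explanatory.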
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (240288 => 240289)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2019-01-22 21:15:35 UTC (rev 240288)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2019-01-22 21:22:34 UTC (rev 240289)
@@ -825,6 +825,7 @@
#endif // PLATFORM(MAC)
(when (defined? 'syscall-unix)
+ (deny syscall-unix (with termination))
(allow syscall-unix
(syscall-number SYS_exit)
(syscall-number SYS_read)
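Review bot: The added `(deny syscall-unix (with termination))` line has no comment in the profile explaining why it is needed. Only the log message states that the default is to allow every call, so a later editor could take the rule for redundant next to the `(allow syscall-unix ...)` list that follows; a one-line comment above it would prevent that. The `(with termination)` modifier is also not mentioned in the log message. It is worth stating there that a syscall missing from the allow list now terminates the process rather than merely being denied, so that new WebProcess terminations can be traced back to a missing `(syscall-number ...)` entry.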