Skip to site navigation (Press enter)

[webkit-changes] [271962] trunk/Source/WebKit

pvollan Wed, 27 Jan 2021 10:06:33 -0800

Title: [271962] trunk/Source/WebKit

Revision: 271962
Author: [email protected]
Date: 2021-01-27 10:05:47 -0800 (Wed, 27 Jan 2021)

Log Message

[macOS] Tighten IOUSB access when camera is enabled
https://bugs.webkit.org/show_bug.cgi?id=221042
<rdar://problem/70504956>


Reviewed by Brent Fulgham.

Tighten IOUSB access when camera is enabled in the WebContent process on macOS.

* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

Diff

Modified: trunk/Source/WebKit/ChangeLog (271961 => 271962)


--- trunk/Source/WebKit/ChangeLog	2021-01-27 18:04:26 UTC (rev 271961)
+++ trunk/Source/WebKit/ChangeLog	2021-01-27 18:05:47 UTC (rev 271962)
@@ -1,5 +1,17 @@
 2021-01-27  Per Arne  <[email protected]>
 
+        [macOS] Tighten IOUSB access when camera is enabled
+        https://bugs.webkit.org/show_bug.cgi?id=221042
+        <rdar://problem/70504956>
+
+        Reviewed by Brent Fulgham.
+
+        Tighten IOUSB access when camera is enabled in the WebContent process on macOS.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
+2021-01-27  Per Arne  <[email protected]>
+
         [macOS] Remove shm-write access to com.apple.AppleDatabaseChanged
         https://bugs.webkit.org/show_bug.cgi?id=221041
         <rdar://problem/70501252>

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (271961 => 271962)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-01-27 18:04:26 UTC (rev 271961)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2021-01-27 18:05:47 UTC (rev 271962)
@@ -1387,7 +1387,10 @@
     ;; QuickTimeUSBVDCDigitizer
     (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
         (allow iokit-open
-            (iokit-user-client-class "IOUSBDeviceUserClientV2")
+            (require-all
+                (iokit-usb-interface-class kUSBVideoInterfaceClass)
+                (iokit-user-client-class "IOUSBDeviceUserClientV2")
+            )
             (with telemetry-backtrace)
             (apply-message-filter
                 (allow (with telemetry)
@@ -1401,13 +1404,19 @@
         )
         ; else
         (allow iokit-open
-            (iokit-user-client-class "IOUSBDeviceUserClientV2")
+            (require-all
+                (iokit-usb-interface-class kUSBVideoInterfaceClass)
+                (iokit-user-client-class "IOUSBDeviceUserClientV2")
+            )
         )
     )
 
     (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
         (allow iokit-open
-            (iokit-user-client-class "IOUSBInterfaceUserClientV2")
+            (require-all
+                (iokit-usb-interface-class kUSBVideoInterfaceClass)
+                (iokit-user-client-class "IOUSBInterfaceUserClientV2")
+            )
             (with telemetry-backtrace)
             (apply-message-filter
                 (allow (with telemetry)
@@ -1421,7 +1430,10 @@
         )
         ; else
         (allow iokit-open
-            (iokit-user-client-class "IOUSBInterfaceUserClientV2")
+            (require-all
+                (iokit-usb-interface-class kUSBVideoInterfaceClass)
+                (iokit-user-client-class "IOUSBInterfaceUserClientV2")
+            )
         )
     )

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes