Title: [275433] trunk/Source/WebKit
- Revision
- 275433
- Author
- [email protected]
- Date
- 2021-04-02 12:33:16 -0700 (Fri, 02 Apr 2021)
Log Message
Add IOKit method filter telemetry
https://bugs.webkit.org/show_bug.cgi?id=223652
<rdar://problem/75751391>
Reviewed by Brent Fulgham.
Add IOKit method filter telemetry in the WebContent sandbox on macOS and iOS.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (275432 => 275433)
--- trunk/Source/WebKit/ChangeLog 2021-04-02 19:32:29 UTC (rev 275432)
+++ trunk/Source/WebKit/ChangeLog 2021-04-02 19:33:16 UTC (rev 275433)
@@ -1,3 +1,16 @@
+2021-04-02 Per Arne <[email protected]>
+
+ Add IOKit method filter telemetry
+ https://bugs.webkit.org/show_bug.cgi?id=223652
+ <rdar://problem/75751391>
+
+ Reviewed by Brent Fulgham.
+
+ Add IOKit method filter telemetry in the WebContent sandbox on macOS and iOS.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-04-02 Youenn Fablet <[email protected]>
Capture rotation is wrong after Safari is backgrounded then foregrounded
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (275432 => 275433)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-04-02 19:32:29 UTC (rev 275432)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-04-02 19:33:16 UTC (rev 275433)
@@ -96,7 +96,7 @@
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap)
- (allow
+ (allow (with telemetry) (with message "IOMobileFramebufferUserClient")
iokit-external-method)
)
)
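Review bot: The rewritten rule for IOMobileFramebufferUserClient gains telemetry and a message tag but, unlike the AGXDeviceUserClient and IOSurface filters later in this commit, no `(iokit-method-number …)` list, so every external-method call on this client would presumably be reported. The same holds for the new IOGPU filter in the next hunk. If that is deliberate because the selectors in use are not yet known, a comment such as `;; No selector list yet; telemetry is used to discover the methods in use` would record it. The enclosing `apply-message-filter` form starts outside the hunk.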
@@ -238,6 +238,18 @@
(extension "com.apple.webkit.extension.iokit")
(iokit-connection "IOGPU")
)
+ (when (defined? 'iokit-external-method)
+ (apply-message-filter
+ (deny (with telemetry)
+ iokit-external-trap)
+ (allow (with telemetry) (with message "IOGPU")
+ iokit-async-external-method
+ iokit-external-method)
+ )
+ )
+ )
+
+ (allow iokit-open
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class "AGXDeviceUserClient") ;; Used by WebGL
@@ -246,9 +258,41 @@
(apply-message-filter
(deny (with telemetry)
iokit-external-trap)
- (allow
+ (allow (with telemetry) (with message "AGXDeviceUserClient")
iokit-async-external-method
- iokit-external-method)
+ iokit-external-method
+ )
+ (allow iokit-async-external-method
+ (iokit-method-number
+ 43
+ )
+ )
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 2
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 10
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 25
+ 26
+ 27
+ 36
+ 38
+ 44
+ )
+ )
+
)
)
)
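Review bot: The broad `(allow (with telemetry) (with message "AGXDeviceUserClient") …)` rule still admits every selector, so as far as the visible rules show, the numbered lists below it only exempt known selectors from reporting and do not narrow the kernel interface reachable from WebContent. That matches the commit title, but a reader could mistake the lists for an enforced allow-list. A comment above the rule such as `;; Telemetry only: unlisted selectors are still allowed; switch to deny once reports are clean` would make the current state explicit. This applies to every filter touched in both profiles. The bare numbers (`43`, `0 2 4 …`) would also benefit from a note on how they were collected.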
@@ -382,6 +426,41 @@
(home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
)
+(define (IOSurfaceRootUserClientMethodFilter)
+ (when (defined? 'iokit-external-method)
+ (apply-message-filter
+ (deny (with telemetry)
+ iokit-async-external-method
+ iokit-external-trap)
+ (allow (with telemetry) (with message "IOSurfaceRootUserClient")
+ iokit-external-method)
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 1
+ 2
+ 3
+ 5
+ 9
+ 10
+ 11
+ 13
+ 14
+ 15
+ 20
+ 21
+ 23
+ 27
+ 31
+ 32
+ 34
+ 35
+ )
+ )
+ )
+ )
+)
+
;; Things required by UIKit
(define-once (uikit-requirements)
(mobile-preferences-read
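Review bot: `IOSurfaceRootUserClientMethodFilter` is guarded only by `(when (defined? 'iokit-external-method) …)`, yet its body now also depends on the `iokit-method-number` filter. If the two were introduced in different OS releases, the profile could fail to compile on a system that has the first but not the second; the diff alone cannot confirm this either way. It is worth confirming that they shipped together, or making the numbered rule conditional on `iokit-method-number` as well, so that the existing deny rules stay in force on older systems. The numbered rules in the AGXDeviceUserClient and IOSurfaceAcceleratorClient hunks raise the same question, and their guards lie outside the visible context.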
@@ -416,8 +495,13 @@
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap)
- (allow
+ (allow (with telemetry) (with message "IOSurfaceAcceleratorClient")
iokit-external-method)
+ (allow iokit-external-method
+ (iokit-method-number
+ 1
+ )
+ )
)
)
)
@@ -427,15 +511,7 @@
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class "IOSurfaceRootUserClient") ;; Needed by Tiled Grid code.
)
- (when (defined? 'iokit-external-method)
- (apply-message-filter
- (deny (with telemetry)
- iokit-async-external-method
- iokit-external-trap)
- (allow
- iokit-external-method)
- )
- )
+ (IOSurfaceRootUserClientMethodFilter)
)
;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
@@ -1021,15 +1097,7 @@
"IOSurfaceRootUserClient"
)
)
- (when (defined? 'iokit-external-method)
- (apply-message-filter
- (deny (with telemetry)
- iokit-async-external-method
- iokit-external-trap)
- (allow
- iokit-external-method)
- )
- )
+ (IOSurfaceRootUserClientMethodFilter)
)
(deny iokit-open (with telemetry-backtrace)
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (275432 => 275433)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-04-02 19:32:29 UTC (rev 275432)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-04-02 19:33:16 UTC (rev 275433)
@@ -109,6 +109,104 @@
(ipc-posix-name "apple.shm.notification_center")
(ipc-posix-name-prefix "apple.cfprefs."))
+(define (IOAcceleratorMessageFilter)
+ (apply-message-filter
+ (allow (with telemetry) (with message "IOAccelerator")
+ iokit-async-external-method
+ iokit-external-method
+ )
+ (allow iokit-async-external-method
+ (iokit-method-number
+ 0
+ 47
+ )
+ )
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 10
+ 11
+ 12
+ 13
+ 15
+ 16
+ 17
+ 18
+ 22
+ 23
+ 24
+ 29
+ 30
+ 31
+ 40
+ 42
+ 48
+ 256
+ 257
+ 258
+ 259
+ 260
+ 261
+ 262
+ 267
+ 512
+ )
+ )
+ (deny (with telemetry)
+ iokit-external-trap
+ )
+ )
+)
+
+(define (IOSurfaceRootUserClientMessageFilter)
+ (apply-message-filter
+ (allow (with telemetry) (with message "IOSurfaceRootUserClient")
+ iokit-async-external-method
+ iokit-external-method
+ )
+ (allow iokit-async-external-method
+ (iokit-method-number
+ 17
+ )
+ )
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 1
+ 2
+ 3
+ 9
+ 10
+ 11
+ 12
+ 13
+ 14
+ 15
+ 20
+ 23
+ 27
+ 31
+ 32
+ 34
+ 35
+ 44
+ )
+ )
+ (deny (with telemetry)
+ iokit-external-trap
+ )
+ )
+)
+
;;; (system-graphics) - Allow access to graphics hardware.
(define (system-graphics)
;; Preferences
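Review bot: The two new helpers carry no header comment, and the macOS helper is named `IOSurfaceRootUserClientMessageFilter` while the iOS profile in this same commit names its counterpart `IOSurfaceRootUserClientMethodFilter`. Using one suffix in both profiles would make the pair easier to grep and keep in step. Each `define` could open with a comment like `;; Selectors observed in use by WebContent; unlisted selectors are still allowed but reported via telemetry`. If the platform differences are intended (for example `12` and `44` appear only here, `5` and `21` only in the iOS list), saying so in that comment would stop a later editor from "syncing" the lists.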
@@ -143,15 +241,7 @@
(iokit-connection "IOAccelerator")
)
(with telemetry-backtrace)
- (apply-message-filter
- (allow
- iokit-async-external-method
- iokit-external-method
- )
- (deny (with telemetry)
- iokit-external-trap
- )
- )
+ (IOAcceleratorMessageFilter)
)
; else
(allow iokit-open
@@ -191,15 +281,7 @@
(iokit-registry-entry-class "IOSurfaceRootUserClient")
)
(with telemetry-backtrace)
- (apply-message-filter
- (allow
- iokit-async-external-method
- iokit-external-method
- )
- (deny (with telemetry)
- iokit-external-trap
- )
- )
+ (IOSurfaceRootUserClientMessageFilter)
)
; else
(allow iokit-open
@@ -224,9 +306,14 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow
+ (allow (with telemetry) (with message "AppleIntelMEUserClient")
iokit-external-method
)
+ (allow iokit-external-method
+ (iokit-method-number
+ 120
+ )
+ )
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap
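Review bot: The only exempted selector here is `120`, and the next hunk lists the same single value for AppleSNBFBUserClient; likewise AppleUpstreamUserClient and AudioAUUC further down both list `0 1 3 4 5`. Identical lists for different user clients may be correct, but they may also be copied entries, so each should be confirmed against the collected data. A short comment beside each list, e.g. `;; selector 120: <name of the call, if known>`, would let later reviewers audit it. The enclosing rule starts and ends outside the hunk.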
@@ -251,9 +338,14 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow
+ (allow (with telemetry) (with message "AppleSNBFBUserClient")
iokit-external-method
)
+ (allow iokit-external-method
+ (iokit-method-number
+ 120
+ )
+ )
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap
@@ -301,10 +393,18 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow
+ (allow (with telemetry) (with message "AppleGraphicsControlClient")
iokit-async-external-method
iokit-external-method
)
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 1
+ 3
+ 11
+ )
+ )
(deny (with telemetry)
iokit-external-trap
)
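Review bot: The telemetry rule for AppleGraphicsControlClient covers both `iokit-async-external-method` and `iokit-external-method`, but the numbered exemption that follows lists only `iokit-external-method` selectors. If WebContent is not expected to make async calls on this client, moving `iokit-async-external-method` into the existing `(deny (with telemetry) …)` rule, as the neighbouring clients do, would shrink the reachable surface. If async calls are expected, a matching `(allow iokit-async-external-method (iokit-method-number …))` entry is missing and every such call will be reported. The form's opening lies outside the hunk.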
@@ -350,9 +450,16 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow
+ (allow (with telemetry) (with message "AppleMGPUPowerControlClient")
iokit-external-method
)
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 1
+ 3
+ )
+ )
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap
@@ -932,9 +1039,18 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow
+ (allow (with telemetry) (with message "AppleUpstreamUserClient")
iokit-external-method
)
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 1
+ 3
+ 4
+ 5
+ )
+ )
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap
@@ -958,9 +1074,14 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow
+ (allow (with telemetry) (with message "RootDomainUserClient")
iokit-external-method
)
+ (allow iokit-external-method
+ (iokit-method-number
+ 3
+ )
+ )
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap
@@ -985,9 +1106,18 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow
+ (allow (with telemetry) (with message "AudioAUUC")
iokit-external-method
)
+ (allow iokit-external-method
+ (iokit-method-number
+ 0
+ 1
+ 3
+ 4
+ 5
+ )
+ )
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap
@@ -1944,15 +2074,7 @@
"IOSurfaceRootUserClient"
)
)
- (apply-message-filter
- (allow
- iokit-async-external-method
- iokit-external-method
- )
- (deny (with telemetry)
- iokit-external-trap
- )
- )
+ (IOSurfaceRootUserClientMessageFilter)
)
; else
(allow iokit-open
@@ -1989,15 +2111,7 @@
"IOAccelerator"
)
)
- (apply-message-filter
- (allow
- iokit-async-external-method
- iokit-external-method
- )
- (deny (with telemetry)
- iokit-external-trap
- )
- )
+ (IOAcceleratorMessageFilter)
)
; else
(allow iokit-open