Modified: trunk/Source/WebKit/ChangeLog (276657 => 276658)
--- trunk/Source/WebKit/ChangeLog 2021-04-27 20:28:09 UTC (rev 276657)
+++ trunk/Source/WebKit/ChangeLog 2021-04-27 20:37:56 UTC (rev 276658)
@@ -1,3 +1,17 @@
+2021-04-27 Per Arne <[email protected]>
+
+ Enforce IOKit filtering
+ https://bugs.webkit.org/show_bug.cgi?id=223937
+ <rdar://problem/76271551>
+
+ Reviewed by Brent Fulgham.
+
+ Enforce IOKit method filtering based on telemetry. This patch also adds IOKit method telemetry for some Apple Silicion
+ IOKit classes, which were overlooked in the first telemetry phase.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2021-04-27 Chris Dumez <[email protected]>
Don't keep local storage data in memory in the NetworkProcess
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (276657 => 276658)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-04-27 20:28:09 UTC (rev 276657)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb 2021-04-27 20:37:56 UTC (rev 276658)
@@ -258,7 +258,7 @@
(apply-message-filter
(deny (with telemetry)
iokit-external-trap)
- (allow (with telemetry) (with message "AGXDeviceUserClient")
+ (deny (with telemetry) (with message "AGXDeviceUserClient")
iokit-async-external-method
iokit-external-method
)
@@ -432,7 +432,7 @@
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap)
- (allow (with telemetry) (with message "IOSurfaceRootUserClient")
+ (deny (with telemetry) (with message "IOSurfaceRootUserClient")
iokit-external-method)
(allow iokit-external-method
(iokit-method-number
@@ -444,6 +444,7 @@
9
10
11
+ 12
13
14
15
@@ -495,7 +496,7 @@
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap)
- (allow (with telemetry) (with message "IOSurfaceAcceleratorClient")
+ (deny (with telemetry) (with message "IOSurfaceAcceleratorClient")
iokit-external-method)
(allow iokit-external-method
(iokit-method-number
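Review bot: Method number 12 is added to the IOSurfaceRootUserClient allowlist (the `@@ -444,6 +444,7 @@` hunk) with no comment naming the selector it corresponds to or the telemetry that motivated it; now that the catch-all rules for this class are flipped to `(deny (with telemetry) ...)`, every listed number is an explicit grant of kernel attack surface and should be traceable, e.g. `12 ;; <selector name — TODO fill in>, see https://bugs.webkit.org/show_bug.cgi?id=223937`. The same applies to the numbers added to com.apple.WebProcess.sb.in in this revision (28, 263 and 265 in the IOAccelerator filter, 36 and 38 in the IOSurfaceRootUserClient filter). The `(allow iokit-external-method (iokit-method-number ...)` lists begin inside these hunks but run past them, so the complete grant sets are not visible here. A one-line comment on each flipped rule, such as `;; Unlisted methods are now denied (and reported), not merely reported`, would also help, since `(with telemetry)` reads the same on the old allow and the new deny.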
Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (276657 => 276658)
--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-04-27 20:28:09 UTC (rev 276657)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in 2021-04-27 20:37:56 UTC (rev 276658)
@@ -111,7 +111,7 @@
(define (IOAcceleratorMessageFilter)
(apply-message-filter
- (allow (with telemetry) (with message "IOAccelerator")
+ (deny (with telemetry) (with message "IOAccelerator")
iokit-async-external-method
iokit-external-method
)
@@ -144,6 +144,7 @@
22
23
24
+ 28
29
30
31
@@ -157,6 +158,8 @@
260
261
262
+ 263
+ 265
267
512
)
@@ -169,7 +172,7 @@
(define (IOSurfaceRootUserClientMessageFilter)
(apply-message-filter
- (allow (with telemetry) (with message "IOSurfaceRootUserClient")
+ (deny (with telemetry) (with message "IOSurfaceRootUserClient")
iokit-async-external-method
iokit-external-method
)
@@ -198,6 +201,8 @@
32
34
35
+ 36
+ 38
44
)
)
@@ -207,6 +212,42 @@
)
)
+(define (AppleAVDUserClientMessageFilter)
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (apply-message-filter
+ (allow (with telemetry) (with message "AppleAVDUserClient")
+ iokit-async-external-method
+ iokit-external-method
+ iokit-external-trap
+ )
+ )
+ )
+)
+
+(define (IOSurfaceAcceleratorClientMessageFilter)
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (apply-message-filter
+ (allow (with telemetry) (with message "IOSurfaceAcceleratorClient")
+ iokit-async-external-method
+ iokit-external-method
+ iokit-external-trap
+ )
+ )
+ )
+)
+
+(define (IOMobileFramebufferUserClientMessageFilter)
+ (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+ (apply-message-filter
+ (allow (with telemetry) (with message "IOMobileFramebufferUserClient")
+ iokit-async-external-method
+ iokit-external-method
+ iokit-external-trap
+ )
+ )
+ )
+)
+
;;; (system-graphics) - Allow access to graphics hardware.
(define (system-graphics)
;; Preferences
@@ -306,7 +347,7 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow (with telemetry) (with message "AppleIntelMEUserClient")
+ (deny (with telemetry) (with message "AppleIntelMEUserClient")
iokit-external-method
)
(allow iokit-external-method
@@ -338,7 +379,7 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow (with telemetry) (with message "AppleSNBFBUserClient")
+ (deny (with telemetry) (with message "AppleSNBFBUserClient")
iokit-external-method
)
(allow iokit-external-method
@@ -393,7 +434,7 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow (with telemetry) (with message "AppleGraphicsControlClient")
+ (deny (with telemetry) (with message "AppleGraphicsControlClient")
iokit-async-external-method
iokit-external-method
)
@@ -450,7 +491,7 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow (with telemetry) (with message "AppleMGPUPowerControlClient")
+ (deny (with telemetry) (with message "AppleMGPUPowerControlClient")
iokit-external-method
)
(allow iokit-external-method
@@ -1039,7 +1080,7 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow (with telemetry) (with message "AppleUpstreamUserClient")
+ (deny (with telemetry) (with message "AppleUpstreamUserClient")
iokit-external-method
)
(allow iokit-external-method
@@ -1074,7 +1115,7 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow (with telemetry) (with message "RootDomainUserClient")
+ (deny (with telemetry) (with message "RootDomainUserClient")
iokit-external-method
)
(allow iokit-external-method
@@ -1106,7 +1147,7 @@
)
(with telemetry-backtrace)
(apply-message-filter
- (allow (with telemetry) (with message "AudioAUUC")
+ (deny (with telemetry) (with message "AudioAUUC")
iokit-external-method
)
(allow iokit-external-method
@@ -1191,10 +1232,39 @@
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class
"AppleAVDUserClient"
+ )
+ )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+ (AppleAVDUserClientMessageFilter)
+#endif
+ )
+ (allow iokit-open
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+ (with telemetry-backtrace)
+#endif
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-user-client-class
"IOMobileFramebufferUserClient"
+ )
+ )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+ (IOMobileFramebufferUserClientMessageFilter)
+#endif
+ )
+ (allow iokit-open
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+ (with telemetry-backtrace)
+#endif
+ (require-all
+ (extension "com.apple.webkit.extension.iokit")
+ (iokit-user-client-class
"IOSurfaceAcceleratorClient" ;; <rdar://problem/63696732>
)
)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+ (IOSurfaceAcceleratorClientMessageFilter)
+#endif
)
)
@@ -2103,9 +2173,25 @@
(require-not (extension "com.apple.webkit.extension.iokit"))
(iokit-user-client-class
"AppleAVDUserClient"
+ )
+ )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+ (AppleAVDUserClientMessageFilter)
+#endif
+ )
+ (allow iokit-open (with report)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED > 110000
+ (with telemetry-backtrace)
+#endif
+ (require-all
+ (require-not (extension "com.apple.webkit.extension.iokit"))
+ (iokit-user-client-class
"IOSurfaceAcceleratorClient"
)
)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+ (IOSurfaceAcceleratorClientMessageFilter)
+#endif
)
)
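Review bot: The new `(allow iokit-open (with report) ...)` rule for IOSurfaceAcceleratorClient in the last hunk guards its `(with telemetry-backtrace)` with `#if __MAC_OS_X_VERSION_MIN_REQUIRED > 110000`, whereas the sibling rules added in the `@@ -1191,10 +1232,39 @@` hunk use `>= 110000`; unless the strict comparison is deliberate, a build whose minimum is exactly 110000 would get backtraces for the extension-gated opens but not for this non-extension one, so it should read `#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000`. The enclosing `(allow iokit-open ...)` for AppleAVDUserClient begins before this hunk, and the surrounding rule group may continue after it. Separately, the three new `*MessageFilter` definitions allow every method type with telemetry only, which the ChangeLog describes as a collection phase for Apple Silicon classes; a comment on each, such as `;; Telemetry-only: reports all methods, enforces nothing. Flip to (deny (with telemetry)) plus an explicit iokit-method-number allowlist once data is collected.`, would keep them from being mistaken for enforced filters.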