Title: [283891] trunk/Source/WebKit
- Revision
- 283891
- Author
- [email protected]
- Date
- 2021-10-11 06:48:11 -0700 (Mon, 11 Oct 2021)
Log Message
[iOS] Sort syscall filters in the WebContent process' sandbox
https://bugs.webkit.org/show_bug.cgi?id=231509
<rdar://problem/84095366>
Unreviewed, this patch only sorts existing message filters.
Syscall filters should be sorted in the WebContent process' sandbox. This patch does not add or
remove items from the filters, so there should be no change in behavior.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (283890 => 283891)
--- trunk/Source/WebKit/ChangeLog 2021-10-11 11:50:26 UTC (rev 283890)
+++ trunk/Source/WebKit/ChangeLog 2021-10-11 13:48:11 UTC (rev 283891)
@@ -1,5 +1,18 @@
2021-10-11 Per Arne Vollan <[email protected]>
+ [iOS] Sort syscall filters in the WebContent process' sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=231509
+ <rdar://problem/84095366>
+
+ Unreviewed, this patch only sorts existing message filters.
+
+ Syscall filters should be sorted in the WebContent process' sandbox. This patch does not add or
+ remove items from the filters, so there should be no change in behavior.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+
+2021-10-11 Per Arne Vollan <[email protected]>
+
Block access in sandbox to capability which is allowed by default
https://bugs.webkit.org/show_bug.cgi?id=231079
<rdar://66586853>
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (283890 => 283891)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-10-11 11:50:26 UTC (rev 283890)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-10-11 13:48:11 UTC (rev 283891)
@@ -1169,167 +1169,167 @@
(when (defined? 'syscall-unix)
(deny syscall-unix (with send-signal SIGKILL))
(allow syscall-unix
- (syscall-number SYS_exit)
- (syscall-number SYS_read)
- (syscall-number SYS_write)
- (syscall-number SYS_open)
+ (syscall-number SYS___disable_threadsignal)
+ (syscall-number SYS___mac_syscall)
+ (syscall-number SYS___pthread_kill)
+ (syscall-number SYS___pthread_markcancel)
+ (syscall-number SYS___pthread_sigmask)
+ (syscall-number SYS___semwait_signal)
+ (syscall-number SYS___semwait_signal_nocancel)
+ (syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271>
+ (syscall-number SYS_access)
+ (syscall-number SYS_bsdthread_create)
+ (syscall-number SYS_bsdthread_ctl)
+ (syscall-number SYS_bsdthread_register)
+ (syscall-number SYS_bsdthread_terminate)
+ (syscall-number SYS_change_fdguard_np)
+ (syscall-number SYS_chdir)
+ (syscall-number SYS_chmod)
(syscall-number SYS_close)
- (syscall-number SYS_unlink)
- (syscall-number SYS_chmod)
- (syscall-number SYS_getuid)
- (syscall-number SYS_geteuid)
- (syscall-number SYS_recvfrom)
- (syscall-number SYS_getpeername)
- (syscall-number SYS_access)
+ (syscall-number SYS_close_nocancel)
+ (syscall-number SYS_connect)
+ (syscall-number SYS_connect_nocancel)
+ (syscall-number SYS_connectx)
+ (syscall-number SYS_csops) ;; used by Corefoundation initialization
+ (syscall-number SYS_csops_audittoken) ;; used by WK to get entitlments
+ (syscall-number SYS_csrctl)
(syscall-number SYS_dup)
- (syscall-number SYS_pipe)
+ (syscall-number SYS_dup2)
+ (syscall-number SYS_exit)
+ (syscall-number SYS_faccessat) ;; <rdar://problem/56998930>
+ (syscall-number SYS_fchmod)
+ (syscall-number SYS_fcntl)
+ (syscall-number SYS_fcntl_nocancel)
+ (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
+ (syscall-number SYS_fgetxattr)
+ (syscall-number SYS_fileport_makefd)
+ (syscall-number SYS_fileport_makeport)
+ (syscall-number SYS_flock)
+ (syscall-number SYS_fsetattrlist) ;; MTLCompilerFSCache::openSync
+ (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
+ (syscall-number SYS_fsgetpath)
+ (syscall-number SYS_fstat64)
+ (syscall-number SYS_fstat64_extended) ;; <rdar://problem/61310019>
+ (syscall-number SYS_fstatat64)
+ (syscall-number SYS_fstatfs64)
+ (syscall-number SYS_fsync)
+ (syscall-number SYS_ftruncate)
+ (syscall-number SYS_getattrlist) ;; xpc_realpath and directory enumeration
+ (syscall-number SYS_getattrlistbulk) ;; xpc_realpath and directory enumeration
+ (syscall-number SYS_getaudit_addr)
+ (syscall-number SYS_getdirentries64)
(syscall-number SYS_getegid)
+ (syscall-number SYS_getentropy)
+ (syscall-number SYS_geteuid)
+ (syscall-number SYS_getfsstat64)
(syscall-number SYS_getgid)
- (syscall-number SYS_sigprocmask)
- (syscall-number SYS_sigaltstack)
- (syscall-number SYS_ioctl) ;; needed by tcgetattr (TIOCGETA) - debugging
- (syscall-number SYS_readlink)
- (syscall-number SYS_umask)
- (syscall-number SYS_msync)
- (syscall-number SYS_munmap)
- (syscall-number SYS_mprotect)
- (syscall-number SYS_madvise)
- (syscall-number SYS_fcntl)
- (syscall-number SYS_select)
- (syscall-number SYS_fsync)
- (syscall-number SYS_setpriority)
- (syscall-number SYS_socket)
- (syscall-number SYS_connect)
- (syscall-number SYS_setsockopt)
- (syscall-number SYS_gettimeofday)
+ (syscall-number SYS_getpeername)
+ (syscall-number SYS_getpid)
+ (syscall-number SYS_getrlimit)
(syscall-number SYS_getrusage)
(syscall-number SYS_getsockopt) ;; used by libwebrtc
- (syscall-number SYS_writev)
- (syscall-number SYS_fchmod)
- (syscall-number SYS_rename)
- (syscall-number SYS_flock)
- (syscall-number SYS_sendto)
- (syscall-number SYS_shutdown)
- (syscall-number SYS_socketpair)
- (syscall-number SYS_mkdir)
- (syscall-number SYS_rmdir)
- (syscall-number SYS_pread)
- (syscall-number SYS_pwrite)
- (syscall-number SYS_csops) ;; used by Corefoundation initialization
- (syscall-number SYS_csops_audittoken) ;; used by WK to get entitlments
+ (syscall-number SYS_gettid)
+ (syscall-number SYS_gettimeofday)
+ (syscall-number SYS_getuid)
+ (syscall-number SYS_getxattr)
+ (syscall-number SYS_guarded_close_np)
+ (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
+ (syscall-number SYS_guarded_open_np)
+ (syscall-number SYS_guarded_pwrite_np)
+ (syscall-number SYS_ioctl) ;; needed by tcgetattr (TIOCGETA) - debugging
+ (syscall-number SYS_issetugid)
+ (syscall-number SYS_kdebug_trace)
(syscall-number SYS_kdebug_trace64)
- (syscall-number SYS_kdebug_trace)
- (syscall-number SYS_sigreturn)
- (syscall-number SYS_pathconf)
- (syscall-number SYS_getrlimit)
- (syscall-number SYS_setrlimit)
- (syscall-number SYS_mmap)
+ (syscall-number SYS_kevent_id)
+ (syscall-number SYS_kevent_qos)
+ (syscall-number SYS_kqueue) ;; <rdar://problem/49609201>
+ (syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499>
+ (syscall-number SYS_listxattr)
(syscall-number SYS_lseek)
- (syscall-number SYS_ftruncate)
- (syscall-number SYS_sysctl)
+ (syscall-number SYS_lstat64)
+ (syscall-number SYS_madvise)
+ (syscall-number SYS_memorystatus_control)
+ (syscall-number SYS_mkdir)
+ (syscall-number SYS_mkdirat)
(syscall-number SYS_mlock)
+ (syscall-number SYS_mmap)
+ (syscall-number SYS_mprotect)
+ (syscall-number SYS_mremap_encrypted)
+ (syscall-number SYS_msync)
(syscall-number SYS_munlock)
- (syscall-number SYS_getattrlist) ;; xpc_realpath and directory enumeration
- (syscall-number SYS_getxattr)
- (syscall-number SYS_fgetxattr)
- (syscall-number SYS_listxattr)
- (syscall-number SYS_shm_open)
- (syscall-number SYS_sem_wait)
- (syscall-number SYS_sem_post)
- (syscall-number SYS_sysctlbyname)
- (syscall-number SYS_psynch_mutexwait)
- (syscall-number SYS_psynch_mutexdrop)
+ (syscall-number SYS_munmap)
+ (syscall-number SYS_necp_client_action)
+ (syscall-number SYS_necp_open)
+ (syscall-number SYS_open)
+ (syscall-number SYS_open_dprotected_np)
+ (syscall-number SYS_open_nocancel)
+ (syscall-number SYS_openat)
+ (syscall-number SYS_openat_nocancel)
+ (syscall-number SYS_os_fault_with_payload)
+ (syscall-number SYS_pathconf)
+ (syscall-number SYS_persona)
+ (syscall-number SYS_pipe)
+ (syscall-number SYS_pread)
+ (syscall-number SYS_pread_nocancel)
+ (syscall-number SYS_proc_info)
+ (syscall-number SYS_proc_rlimit_control)
+ (syscall-number SYS_process_policy)
(syscall-number SYS_psynch_cvbroad)
+ (syscall-number SYS_psynch_cvclrprepost)
(syscall-number SYS_psynch_cvsignal)
(syscall-number SYS_psynch_cvwait)
+ (syscall-number SYS_psynch_mutexdrop)
+ (syscall-number SYS_psynch_mutexwait)
+ (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/51134351>
+ (syscall-number SYS_psynch_rw_unlock)
(syscall-number SYS_psynch_rw_wrlock)
- (syscall-number SYS_psynch_rw_unlock)
- (syscall-number SYS_psynch_cvclrprepost)
- (syscall-number SYS_process_policy)
- (syscall-number SYS_issetugid)
- (syscall-number SYS___pthread_kill)
- (syscall-number SYS___pthread_markcancel)
- (syscall-number SYS___pthread_sigmask)
- (syscall-number SYS___disable_threadsignal)
- (syscall-number SYS___semwait_signal)
- (syscall-number SYS_proc_info)
+ (syscall-number SYS_pwrite)
+ (syscall-number SYS_read)
+ (syscall-number SYS_read_nocancel)
+ (syscall-number SYS_readlink)
+ (syscall-number SYS_recvfrom)
+ (syscall-number SYS_recvfrom_nocancel)
+ (syscall-number SYS_rename)
+ (syscall-number SYS_rmdir)
+ (syscall-number SYS_select)
+ (syscall-number SYS_select_nocancel)
+ (syscall-number SYS_sem_close)
+ (syscall-number SYS_sem_open)
+ (syscall-number SYS_sem_post)
+ (syscall-number SYS_sem_wait)
+ (syscall-number SYS_sendmsg_nocancel)
+ (syscall-number SYS_sendto)
+ (syscall-number SYS_sendto_nocancel)
+ (syscall-number SYS_setpriority)
+ (syscall-number SYS_setrlimit)
+ (syscall-number SYS_setsockopt)
+ (syscall-number SYS_shared_region_check_np)
+ (syscall-number SYS_shared_region_map_and_slide_2_np) ;; <rdar://problem/60294880>
+ (syscall-number SYS_shm_open)
+ (syscall-number SYS_shutdown)
+ (syscall-number SYS_sigaction)
+ (syscall-number SYS_sigaltstack)
+ (syscall-number SYS_sigprocmask)
+ (syscall-number SYS_sigreturn)
+ (syscall-number SYS_socket)
+ (syscall-number SYS_socketpair)
(syscall-number SYS_stat64)
- (syscall-number SYS_fstat64)
- (syscall-number SYS_lstat64)
- (syscall-number SYS_getdirentries64)
(syscall-number SYS_statfs64)
- (syscall-number SYS_fstatfs64)
- (syscall-number SYS_getfsstat64)
- (syscall-number SYS_getaudit_addr)
- (syscall-number SYS_bsdthread_create)
- (syscall-number SYS_bsdthread_terminate)
- (syscall-number SYS_workq_kernreturn)
+ (syscall-number SYS_sysctl)
+ (syscall-number SYS_sysctlbyname)
(syscall-number SYS_thread_selfid)
(syscall-number SYS_thread_selfusage)
- (syscall-number SYS_kevent_qos)
- (syscall-number SYS_kevent_id)
- (syscall-number SYS___mac_syscall)
- (syscall-number SYS_read_nocancel)
- (syscall-number SYS_write_nocancel)
- (syscall-number SYS_open_nocancel)
- (syscall-number SYS_close_nocancel)
- (syscall-number SYS_sendmsg_nocancel)
- (syscall-number SYS_recvfrom_nocancel)
- (syscall-number SYS_fcntl_nocancel)
- (syscall-number SYS_select_nocancel)
- (syscall-number SYS_connect_nocancel)
- (syscall-number SYS_sendto_nocancel)
- (syscall-number SYS_fsgetpath)
- (syscall-number SYS_fileport_makeport)
- (syscall-number SYS_guarded_open_np)
- (syscall-number SYS_guarded_close_np)
- (syscall-number SYS_change_fdguard_np)
- (syscall-number SYS_proc_rlimit_control)
- (syscall-number SYS_connectx)
- (syscall-number SYS_getattrlistbulk) ;; xpc_realpath and directory enumeration
- (syscall-number SYS_openat)
- (syscall-number SYS_openat_nocancel)
- (syscall-number SYS_fstatat64)
- (syscall-number SYS_mkdirat)
- (syscall-number SYS_bsdthread_ctl)
- (syscall-number SYS_csrctl)
- (syscall-number SYS_guarded_pwrite_np)
- (syscall-number SYS_getentropy)
- (syscall-number SYS_necp_open)
- (syscall-number SYS_necp_client_action)
(syscall-number SYS_ulock_wait)
+ (syscall-number SYS_ulock_wait2) ;; <rdar://problem/58743778>
(syscall-number SYS_ulock_wake)
- (syscall-number SYS_shared_region_check_np)
- (syscall-number SYS_getpid)
- (syscall-number SYS_bsdthread_register)
- (syscall-number SYS_sigaction)
- (syscall-number SYS_gettid)
+ (syscall-number SYS_umask)
+ (syscall-number SYS_unlink)
+ (syscall-number SYS_work_interval_ctl)
+ (syscall-number SYS_workq_kernreturn)
(syscall-number SYS_workq_open)
- (syscall-number SYS_chdir)
- (syscall-number SYS_memorystatus_control)
- (syscall-number SYS_sem_open)
- (syscall-number SYS_sem_close)
- (syscall-number SYS_fsetattrlist) ;; MTLCompilerFSCache::openSync
- (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
- (syscall-number SYS_mremap_encrypted)
- (syscall-number SYS_dup2)
- (syscall-number SYS_fileport_makefd)
- (syscall-number SYS_os_fault_with_payload)
- (syscall-number SYS_persona)
- (syscall-number SYS_work_interval_ctl)
- (syscall-number SYS_open_dprotected_np)
- (syscall-number SYS_pread_nocancel)
- (syscall-number SYS___semwait_signal_nocancel)
- (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
- (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
- (syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271>
- (syscall-number SYS_kqueue) ;; <rdar://problem/49609201>
- (syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499>
- (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/51134351>
- (syscall-number SYS_faccessat) ;; <rdar://problem/56998930>
- (syscall-number SYS_shared_region_map_and_slide_2_np) ;; <rdar://problem/60294880>
- (syscall-number SYS_ulock_wait2) ;; <rdar://problem/58743778>
- (syscall-number SYS_fstat64_extended) ;; <rdar://problem/61310019>
+ (syscall-number SYS_write)
+ (syscall-number SYS_write_nocancel)
+ (syscall-number SYS_writev)
)
(if (defined? 'SYS_objc_bp_assist_cfg_np)
(allow syscall-unix (syscall-number SYS_objc_bp_assist_cfg_np)))
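Review bot: Nothing in the `(allow syscall-unix` list records that it is now kept in alphabetical order, so a later addition can quietly undo the sort or introduce a duplicate; a line such as `;; Keep this list sorted alphabetically, one syscall per line.` directly above the list would document the convention, and the same applies to the `machtrap-number` list reordered in the following hunk. Comparing the two sides, the removed and added entries are the same 140 names, which is consistent with the log's claim of no behaviour change and is the property worth re-checking on an unreviewed edit to the WebContent syscall allow-list. Since these lines are being rewritten anyway, `entitlments` in the `SYS_csops_audittoken` comment could become `entitlements`, and the single-`;` comment on `SYS_guarded_open_dprotected_np` could use `;;` like the others. The enclosing `(when (defined? 'syscall-unix)` form ends outside the hunk.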
@@ -1477,8 +1477,8 @@
(machtrap-number MSC_host_create_mach_voucher_trap)
(machtrap-number MSC_host_self_trap)
(machtrap-number MSC_mach_generate_activity_id)
+ (machtrap-number MSC_mach_msg_overwrite_trap)
(machtrap-number MSC_mach_msg_trap)
- (machtrap-number MSC_mach_msg_overwrite_trap)
(machtrap-number MSC_mach_reply_port)
(machtrap-number MSC_mach_timebase_info_trap)
(machtrap-number MSC_mach_voucher_extract_attr_recipe_trap)