Title: [286435] branches/safari-613.1.10-branch/Source/WebKit
- Revision
- 286435
- Author
- repst...@apple.com
- Date
- 2021-12-02 09:57:42 -0800 (Thu, 02 Dec 2021)
Log Message
Cherry-pick r286266. rdar://problem/85832755
[WP] Sandbox telemetry is missing for some system calls
https://bugs.webkit.org/show_bug.cgi?id=233594
<rdar://problem/85832755>
Reviewed by Brent Fulgham.
Sandbox telemetry is missing for some system calls, since telemetry rules are automatically overridden in some cases.
This patch is addressing this by disabling system call inference.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-613.1.10-branch/Source/WebKit/ChangeLog (286434 => 286435)
--- branches/safari-613.1.10-branch/Source/WebKit/ChangeLog 2021-12-02 17:48:17 UTC (rev 286434)
+++ branches/safari-613.1.10-branch/Source/WebKit/ChangeLog 2021-12-02 17:57:42 UTC (rev 286435)
@@ -1,3 +1,34 @@
+2021-12-02 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r286266. rdar://problem/85832755
+
+ [WP] Sandbox telemetry is missing for some system calls
+ https://bugs.webkit.org/show_bug.cgi?id=233594
+ <rdar://problem/85832755>
+
+ Reviewed by Brent Fulgham.
+
+ Sandbox telemetry is missing for some system calls, since telemetry rules are automatically overridden in some cases.
+ This patch is addressing this by disabling system call inference.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-29 Per Arne Vollan <pvol...@apple.com>
+
+ [WP] Sandbox telemetry is missing for some system calls
+ https://bugs.webkit.org/show_bug.cgi?id=233594
+ <rdar://problem/85832755>
+
+ Reviewed by Brent Fulgham.
+
+ Sandbox telemetry is missing for some system calls, since telemetry rules are automatically overridden in some cases.
+ This patch is addressing this by disabling system call inference.
+
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+
2021-12-01 Russell Epstein <repst...@apple.com>
Cherry-pick r286386. rdar://problem/75225923
Modified: branches/safari-613.1.10-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (286434 => 286435)
--- branches/safari-613.1.10-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-12-02 17:48:17 UTC (rev 286434)
+++ branches/safari-613.1.10-branch/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in 2021-12-02 17:57:42 UTC (rev 286435)
@@ -1193,6 +1193,8 @@
(global-name "com.apple.webkit.camera")
)
+(disable-syscall-inference)
+
(when (defined? 'syscall-unix)
(deny syscall-unix (with send-signal SIGKILL))
(allow syscall-unix
@@ -1206,6 +1208,10 @@
(syscall-number SYS_bsdthread_terminate)
(syscall-number SYS_change_fdguard_np)
(syscall-number SYS_chdir)
+ (syscall-number SYS_close)
+ (syscall-number SYS_close_nocancel)
+ (syscall-number SYS_csops) ;; used by Corefoundation initialization
+ (syscall-number SYS_csops_audittoken) ;; used by WK to get entitlments
(syscall-number SYS_exit)
(syscall-number SYS_faccessat) ;; <rdar://problem/56998930>
(syscall-number SYS_fcntl)
@@ -1235,6 +1241,7 @@
(syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
(syscall-number SYS_guarded_open_np)
(syscall-number SYS_guarded_pwrite_np)
+ (syscall-number SYS_ioctl) ;; needed by tcgetattr (TIOCGETA) - debugging
(syscall-number SYS_issetugid)
(syscall-number SYS_kdebug_trace64)
(syscall-number SYS_kdebug_typefilter)
@@ -1253,9 +1260,13 @@
(syscall-number SYS_msync)
(syscall-number SYS_munmap)
(syscall-number SYS_objc_bp_assist_cfg_np)
+ (syscall-number SYS_open)
+ (syscall-number SYS_open_nocancel)
+ (syscall-number SYS_openat)
(syscall-number SYS_os_fault_with_payload)
(syscall-number SYS_pathconf)
(syscall-number SYS_pread)
+ (syscall-number SYS_proc_info)
(syscall-number SYS_psynch_cvbroad)
(syscall-number SYS_psynch_cvclrprepost)
(syscall-number SYS_psynch_cvsignal)
@@ -1268,17 +1279,23 @@
(syscall-number SYS_read_nocancel)
(syscall-number SYS_readlink)
(syscall-number SYS_rename)
+ (syscall-number SYS_sem_close)
+ (syscall-number SYS_sem_open)
(syscall-number SYS_shared_region_check_np)
(syscall-number SYS_shared_region_map_and_slide_2_np) ;; <rdar://problem/60294880>
+ (syscall-number SYS_shm_open)
(syscall-number SYS_sigaction)
(syscall-number SYS_stat64)
(syscall-number SYS_statfs64)
+ (syscall-number SYS_sysctl)
+ (syscall-number SYS_sysctlbyname)
(syscall-number SYS_thread_selfid)
(syscall-number SYS_ulock_wait)
(syscall-number SYS_ulock_wait2) ;; <rdar://problem/58743778>
(syscall-number SYS_ulock_wake)
(syscall-number SYS_workq_kernreturn)
- (syscall-number SYS_workq_open))
+ (syscall-number SYS_workq_open)
+ (syscall-number SYS_write_nocancel))
(allow syscall-unix (with telemetry)
(syscall-number SYS_fgetxattr)
@@ -1293,7 +1310,7 @@
(syscall-number SYS_thread_selfusage)
)
- (allow syscall-unix (with telemetry-backtrace)
+ (allow syscall-unix (with report) (with telemetry-backtrace)
(syscall-number SYS___pthread_kill)
(syscall-number SYS___pthread_markcancel)
(syscall-number SYS___pthread_sigmask)
@@ -1300,13 +1317,9 @@
(syscall-number SYS___semwait_signal)
(syscall-number SYS___semwait_signal_nocancel)
(syscall-number SYS_chmod)
- (syscall-number SYS_close)
- (syscall-number SYS_close_nocancel)
(syscall-number SYS_connect)
(syscall-number SYS_connect_nocancel)
(syscall-number SYS_connectx)
- (syscall-number SYS_csops) ;; used by Corefoundation initialization
- (syscall-number SYS_csops_audittoken) ;; used by WK to get entitlments
(syscall-number SYS_csrctl)
(syscall-number SYS_dup)
(syscall-number SYS_dup2)
@@ -1319,21 +1332,16 @@
(syscall-number SYS_getaudit_addr)
(syscall-number SYS_getpeername)
(syscall-number SYS_getsockopt) ;; used by libwebrtc
- (syscall-number SYS_ioctl) ;; needed by tcgetattr (TIOCGETA) - debugging
(syscall-number SYS_kdebug_trace)
(syscall-number SYS_mkdirat)
(syscall-number SYS_mlock)
(syscall-number SYS_mremap_encrypted)
(syscall-number SYS_munlock)
- (syscall-number SYS_open)
(syscall-number SYS_open_dprotected_np)
- (syscall-number SYS_open_nocancel)
- (syscall-number SYS_openat)
(syscall-number SYS_openat_nocancel)
(syscall-number SYS_persona)
(syscall-number SYS_pipe)
(syscall-number SYS_pread_nocancel)
- (syscall-number SYS_proc_info)
(syscall-number SYS_proc_rlimit_control)
(syscall-number SYS_process_policy)
(syscall-number SYS_psynch_rw_wrlock)
@@ -1343,8 +1351,6 @@
(syscall-number SYS_rmdir)
(syscall-number SYS_select)
(syscall-number SYS_select_nocancel)
- (syscall-number SYS_sem_close)
- (syscall-number SYS_sem_open)
(syscall-number SYS_sem_post)
(syscall-number SYS_sem_wait)
(syscall-number SYS_sendmsg_nocancel)
@@ -1351,18 +1357,14 @@
(syscall-number SYS_sendto_nocancel)
(syscall-number SYS_setpriority)
(syscall-number SYS_setsockopt)
- (syscall-number SYS_shm_open)
(syscall-number SYS_shutdown)
(syscall-number SYS_sigprocmask)
(syscall-number SYS_sigreturn)
(syscall-number SYS_socketpair)
- (syscall-number SYS_sysctl)
- (syscall-number SYS_sysctlbyname)
(syscall-number SYS_umask)
(syscall-number SYS_unlink)
(syscall-number SYS_work_interval_ctl)
(syscall-number SYS_write)
- (syscall-number SYS_write_nocancel)
(syscall-number SYS_writev))
)
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
