Title: [290068] branches/safari-613.1.17.1-branch/Source/WebKit
Revision
290068
Author
[email protected]
Date
2022-02-17 13:31:24 -0800 (Thu, 17 Feb 2022)

Log Message

Cherry-pick r290066. rdar://problem/89072361

    [macOS][WP] Add required syscall to sandbox
    https://bugs.webkit.org/show_bug.cgi?id=236781
    <rdar://89072361>

    Reviewed by Chris Dumez.

    Add required syscall to the WebContent process' sandbox on macOS. This patch also adds back a set of
    syscalls that were removed in https://commits.webkit.org/r286778 for current and previous versions
    of macOS. These syscalls will be denied going forward.

    * WebProcess/com.apple.WebProcess.sb.in:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290066 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-613.1.17.1-branch/Source/WebKit/ChangeLog (290067 => 290068)


--- branches/safari-613.1.17.1-branch/Source/WebKit/ChangeLog	2022-02-17 21:29:19 UTC (rev 290067)
+++ branches/safari-613.1.17.1-branch/Source/WebKit/ChangeLog	2022-02-17 21:31:24 UTC (rev 290068)
@@ -1,5 +1,38 @@
 2022-02-17  Russell Epstein  <[email protected]>
 
+        Cherry-pick r290066. rdar://problem/89072361
+
+    [macOS][WP] Add required syscall to sandbox
+    https://bugs.webkit.org/show_bug.cgi?id=236781
+    <rdar://89072361>
+    
+    Reviewed by Chris Dumez.
+    
+    Add required syscall to the WebContent process' sandbox on macOS. This patch also adds back a set of
+    syscalls that were removed in https://commits.webkit.org/r286778 for current and previous versions
+    of macOS. These syscalls will be denied going forward.
+    
+    * WebProcess/com.apple.WebProcess.sb.in:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290066 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-02-17  Per Arne Vollan  <[email protected]>
+
+            [macOS][WP] Add required syscall to sandbox
+            https://bugs.webkit.org/show_bug.cgi?id=236781
+            <rdar://89072361>
+
+            Reviewed by Chris Dumez.
+
+            Add required syscall to the WebContent process' sandbox on macOS. This patch also adds back a set of
+            syscalls that were removed in https://commits.webkit.org/r286778 for current and previous versions
+            of macOS. These syscalls will be denied going forward.
+
+            * WebProcess/com.apple.WebProcess.sb.in:
+
+2022-02-17  Russell Epstein  <[email protected]>
+
         Cherry-pick r290005. rdar://problem/87596724
 
     CrashTracer: com.apple.WebKit.WebContent at _javascript_Core: bmalloc_allocate_impl_impl_slow

Modified: branches/safari-613.1.17.1-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (290067 => 290068)


--- branches/safari-613.1.17.1-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-02-17 21:29:19 UTC (rev 290067)
+++ branches/safari-613.1.17.1-branch/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-02-17 21:31:24 UTC (rev 290068)
@@ -1897,6 +1897,57 @@
 (disable-syscall-inference)
 #endif
 
+#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
+(define (syscall-unix-older-macOS)
+    (syscall-number
+        SYS___pthread_markcancel
+        SYS_abort_with_payload
+        SYS_chmod_extended
+        SYS_connect_nocancel
+        SYS_connectx
+        SYS_fgetattrlist ;; <rdar://problem/50931110>
+        SYS_fileport_makeport
+        SYS_fstat64_extended ;; <rdar://problem/61310019>
+        SYS_getpeername
+        SYS_getsockopt
+        SYS_guarded_write_np
+        SYS_lstat64_extended
+        SYS_lstat_extended
+        SYS_memorystatus_control ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
+        SYS_mkdirat
+        SYS_open_dprotected_np ;; <rdar://problem/74473824>
+        SYS_pipe
+        SYS_process_policy
+        SYS_psynch_rw_rdlock ;; <rdar://problem/49060359>
+        SYS_pwrite
+        SYS_quotactl ;; <rdar://problem/49945031>
+        SYS_recvfrom
+        SYS_recvfrom_nocancel
+        SYS_rmdir
+        SYS_select
+        SYS_select_nocancel
+        SYS_sem_post
+        SYS_sem_wait
+        SYS_sendmsg_nocancel
+        SYS_sendto_nocancel
+#if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
+        SYS_setattrlist ;; rdar://problem/74162777
+#endif
+        SYS_setpriority
+        SYS_setrlimit
+        SYS_setsockopt
+        SYS_shutdown
+        SYS_sigreturn
+        SYS_socketpair
+        SYS_stat64_extended ;; <rdar://problem/50473330>
+        SYS_terminate_with_payload ;; <rdar://problem/50026580>
+        SYS_thread_selfusage
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+        SYS_ulock_wait2 ;; <rdar://problem/58743778>
+#endif
+))
+#endif
+
 (define (syscall-unix-common)
     (syscall-number
         SYS___disable_threadsignal
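Review bot: The new `syscall-unix-older-macOS` list restores socket and filesystem-mutating calls (`SYS_connectx`, `SYS_connect_nocancel`, `SYS_socketpair`, `SYS_chmod_extended`, `SYS_mkdirat`, `SYS_rmdir`) to the WebContent sandbox, and most of them carry no justification, unlike the radar-annotated entries beside them. I would add a header comment above the define, e.g. `;; Legacy allow-list kept only for macOS < 13; do not add entries, delete once the deployment target reaches 13.`, and give each unannotated entry the reason it is needed. The guard `#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000` (here and on the allow rule in the last hunk) also keeps the list on any non-PLATFORM(MAC) build with no version cutoff. The log message speaks only of macOS versions, so it is worth confirming that this is intended.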
@@ -1944,6 +1995,7 @@
         SYS_kdebug_trace
         SYS_kdebug_trace64
         SYS_kdebug_trace_string ;; Needed for performance sampling, see <rdar://problem/48829655>.
+        SYS_kevent ;; <rdar://89072361>
         SYS_kevent_id
         SYS_kevent_qos
         SYS_kqueue ;; See <rdar://problem/88241768>. Remove after <rdar://56634240> is resolved.
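Review bot: `SYS_kevent` is added to `syscall-unix-common` with only a radar number, so it is allowed on every OS version with no visible reason, whereas the neighbouring `SYS_kqueue` entry states when it can be removed. I would state the need in the comment, e.g. `SYS_kevent ;; Needed for <caller/reason>, see <rdar://89072361>.`, with the placeholder filled in by the author. The `syscall-unix-common` definition starts and ends outside this hunk.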
@@ -2049,6 +2101,11 @@
     (allow syscall-unix
         (syscall-unix-common))
 
+#if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED < 130000
+    (allow syscall-unix
+        (syscall-unix-older-macOS))
+#endif
+
     (if (equal? (param "CPU") "arm64")
         (begin
             (allow syscall-unix
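Review bot: The added rule allows the whole legacy list silently, so nothing shows which of these syscalls the WebContent process still uses before they are denied on macOS 13. If the sandbox versions targeted here accept the modifier, consider `(allow syscall-unix (with report) (syscall-unix-older-macOS))` so remaining use is visible in logs and the list can be trimmed. The enclosing form continues outside the hunk.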