Title: [292980] trunk/Source/WebKit
- Revision
- 292980
- Author
- pvol...@apple.com
- Date
- 2022-04-18 16:46:31 -0700 (Mon, 18 Apr 2022)
Log Message
Block system calls in the Network process
https://bugs.webkit.org/show_bug.cgi?id=238935
<rdar://47323426>
Reviewed by Geoffrey Garen.
Block unused system calls in the Network process on macOS and iOS. This is based on collected telemetry.
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (292979 => 292980)
--- trunk/Source/WebKit/ChangeLog 2022-04-18 23:42:17 UTC (rev 292979)
+++ trunk/Source/WebKit/ChangeLog 2022-04-18 23:46:31 UTC (rev 292980)
@@ -1,5 +1,18 @@
2022-04-18 Per Arne Vollan <pvol...@apple.com>
+ Block system calls in the Network process
+ https://bugs.webkit.org/show_bug.cgi?id=238935
+ <rdar://47323426>
+
+ Reviewed by Geoffrey Garen.
+
+ Block unused system calls in the Network process on macOS and iOS. This is based on collected telemetry.
+
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in:
+
+2022-04-18 Per Arne Vollan <pvol...@apple.com>
+
[iOS][WP] Add telemetry with backtrace for network related system calls
https://bugs.webkit.org/show_bug.cgi?id=239465
Modified: trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (292979 => 292980)
--- trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2022-04-18 23:42:17 UTC (rev 292979)
+++ trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2022-04-18 23:46:31 UTC (rev 292980)
@@ -474,7 +474,7 @@
(prefix "/private/var/db/com.apple.networkextension."))
(when (defined? 'syscall-unix)
- (allow syscall-unix (with telemetry))
+ (deny syscall-unix (with telemetry))
(allow syscall-unix (syscall-number
SYS___channel_get_info
SYS___channel_open
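Review bot: The new `(deny syscall-unix (with telemetry))` line has no comment saying that this block is now default-deny and relies on the `allow` rule that follows it. A maintainer who reorders the two rules or trims the list would silently change what the Network process may call. I would add `; Default-deny: only the syscall numbers in the allow rule below are permitted; everything else is blocked and reported via telemetry.` directly above it. The same flip is made without a comment in the iOS profile (`@@ -614,7 +614,7 @@`) and for `syscall-mach` in both files. The allow list continues outside this hunk.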
@@ -481,24 +481,35 @@
SYS___channel_sync
SYS___disable_threadsignal
SYS___mac_syscall
+ SYS___pthread_kill
SYS___pthread_sigmask
SYS___semwait_signal
+ SYS___semwait_signal_nocancel
+ SYS_abort_with_payload
SYS_access
SYS_bsdthread_create
SYS_bsdthread_ctl
SYS_bsdthread_terminate
SYS_change_fdguard_np
+ SYS_close
+ SYS_close_nocancel
+ SYS_csops_audittoken
SYS_csrctl
SYS_dup
SYS_exit
SYS_fcntl
SYS_fcntl_nocancel
+ SYS_ffsctl
SYS_fgetattrlist
+ SYS_fgetxattr
SYS_fileport_makeport
+ SYS_flistxattr
SYS_flock
+ SYS_fsetattrlist
SYS_fsgetpath
SYS_fstat
SYS_fstat64
+ SYS_fstat64_extended
SYS_fstatat
SYS_fstatat64
SYS_fstatfs
@@ -506,6 +517,7 @@
SYS_fsync
SYS_ftruncate
SYS_getattrlist
+ SYS_getattrlistbulk
SYS_getaudit_addr
SYS_getdirentries
SYS_getdirentries64
@@ -516,6 +528,7 @@
SYS_getfsstat64
SYS_getgid
SYS_getgroups
+ SYS_gethostuuid
SYS_getpeername
SYS_getrlimit
SYS_getsockname
@@ -530,6 +543,7 @@
SYS_guarded_pwrite_np
SYS_iopolicysys
SYS_issetugid
+ SYS_kdebug_trace
SYS_kdebug_trace64
SYS_kdebug_trace_string
SYS_kdebug_typefilter
@@ -552,11 +566,16 @@
SYS_munmap
SYS_necp_client_action
SYS_necp_open
+ SYS_open
SYS_open_dprotected_np
+ SYS_open_nocancel
+ SYS_openat
+ SYS_os_fault_with_payload
SYS_pathconf
SYS_pipe
SYS_pread
SYS_pread_nocancel
+ SYS_proc_info
SYS_pselect
SYS_psynch_cvbroad
SYS_psynch_cvclrprepost
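Review bot: `SYS_proc_info` added here is a multiplexed call, and a `syscall-number` filter admits every sub-operation behind it. The same holds for `SYS_sysctl` in `@@ -592,10 +614,14 @@` and `SYS_csops_audittoken` in `@@ -481,24 +481,35 @@`, and `SYS_open`/`SYS_openat` are bounded only by whatever file rules the profile has. Those finer-grained rules are presumably elsewhere in the profile and are not visible in this diff, so it is worth confirming they are as tight as intended now that the syscall layer is an allowlist. A short comment would help, for example `; NOTE: number-level filter only; sub-operations are restricted by the process-info / sysctl / file rules in this profile.`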
@@ -585,7 +604,10 @@
SYS_setrlimit
SYS_setsockopt
SYS_shutdown
+ SYS_sigaction
SYS_sigaltstack
+ SYS_sigprocmask
+ SYS_sigreturn
SYS_socketpair
SYS_stat
SYS_stat64
@@ -592,10 +614,14 @@
SYS_stat64_extended
SYS_statfs
SYS_statfs64
+ SYS_sysctl
SYS_thread_selfid
SYS_ulock_wait
SYS_ulock_wake
- SYS_workq_kernreturn)))
+ SYS_unlink
+ SYS_workq_kernreturn
+ SYS_write
+ SYS_write_nocancel)))
(when (defined? 'SYS_map_with_linking_np)
(allow syscall-unix (syscall-number SYS_map_with_linking_np)))
@@ -607,7 +633,7 @@
(allow mach-message-send (with telemetry)))))
(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
- (allow syscall-mach (with report) (with telemetry))
+ (deny syscall-mach (with telemetry))
(allow syscall-mach
(machtrap-number
MSC__kernelrpc_mach_port_allocate_trap
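Review bot: The new `(deny syscall-mach (with telemetry))` only takes effect when `ENABLE_SANDBOX_MESSAGE_FILTER` is "YES", because it sits inside the `(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") ...))` form. With any other parameter value the whole form is skipped and Mach traps stay unfiltered on macOS, whereas the iOS profile gates its deny on `(defined? 'syscall-mach)` alone. If that difference is deliberate, a comment such as `; Mach trap filtering is only active when message filtering is enabled for this process.` would record it. The old rule also carried `(with report)`, which the new one drops; it may be worth confirming that denials still surface where they are expected to.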
@@ -636,10 +662,17 @@
MSC_mk_timer_arm
MSC_mk_timer_cancel
MSC_mk_timer_create
+ MSC_mk_timer_destroy
MSC_semaphore_signal_trap
+ MSC_semaphore_timedwait_trap
MSC_semaphore_wait_trap
MSC_swtch_pri
MSC_syscall_thread_switch
+ MSC_task_dyld_process_info_notify_get
MSC_task_self_trap
- MSC_thread_get_special_reply_port)))
+ MSC_thread_get_special_reply_port))
+
+ (when (defined? 'MSC_mach_msg2_trap)
+ (allow syscall-mach
+ (machtrap-number MSC_mach_msg2_trap))))
#endif // HAVE(SANDBOX_MESSAGE_FILTERING)
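Review bot: `MSC_mach_msg2_trap` is wrapped in `(when (defined? 'MSC_mach_msg2_trap) ...)`, but `MSC_mk_timer_destroy`, `MSC_semaphore_timedwait_trap` and `MSC_task_dyld_process_info_notify_get` go into the unconditional `machtrap-number` list. If any of those names is unknown to the sandbox compiler on a supported OS version, the profile would presumably fail to compile, so it is worth confirming they are defined everywhere this profile ships. Otherwise give them the same guard, e.g. `(when (defined? 'MSC_task_dyld_process_info_notify_get) (allow syscall-mach (machtrap-number MSC_task_dyld_process_info_notify_get)))`. A one-line comment on why only `MSC_mach_msg2_trap` needs the guard would also help. The enclosing `when` form opens outside this hunk.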
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in (292979 => 292980)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in 2022-04-18 23:42:17 UTC (rev 292979)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in 2022-04-18 23:46:31 UTC (rev 292980)
@@ -614,7 +614,7 @@
(global-name "com.apple.tccd"))
(when (defined? 'syscall-unix)
- (allow syscall-unix)
+ (deny syscall-unix (with telemetry))
(allow syscall-unix (syscall-number
SYS___channel_get_info
SYS___channel_open
@@ -621,6 +621,8 @@
SYS___channel_sync
SYS___disable_threadsignal
SYS___mac_syscall
+ SYS___pthread_kill
+ SYS___pthread_sigmask
SYS___semwait_signal
SYS_abort_with_payload
SYS_access
@@ -638,11 +640,15 @@
SYS_csops
SYS_csops_audittoken
SYS_dup
+ SYS_dup2
SYS_exit
SYS_fcntl
SYS_fcntl_nocancel
+ SYS_ffsctl
+ SYS_fileport_makefd
SYS_fsgetpath
SYS_fstat64
+ SYS_fstat64_extended
SYS_fstatat64
SYS_fstatfs64
SYS_fsync
@@ -758,7 +764,7 @@
(allow syscall-unix (syscall-number SYS_map_with_linking_np)))
(when (defined? 'syscall-mach)
- (allow syscall-mach (with report))
+ (deny syscall-mach (with telemetry))
(allow syscall-mach
(machtrap-number
MSC__kernelrpc_mach_port_allocate_trap
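Review bot: The default for `syscall-mach` becomes deny here, but no hunk in this file adds anything to the `machtrap-number` list. The macOS profile in the same commit adds `MSC_mk_timer_destroy`, `MSC_semaphore_timedwait_trap`, `MSC_task_dyld_process_info_notify_get` and a guarded `MSC_mach_msg2_trap`. The iOS list continues outside the hunk and may already contain the traps it needs, but that should be confirmed, since a missing trap now fails the call instead of only being reported under the previous `(allow syscall-mach (with report))`.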