Title: [294969] trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
Revision
294969
Author
pvol...@apple.com
Date
2022-05-27 17:00:04 -0700 (Fri, 27 May 2022)

Log Message

[macOS][GPUP] Block unused system calls
https://bugs.webkit.org/show_bug.cgi?id=240966
<rdar://84826074>

Reviewed by Chris Dumez.

* Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:

Canonical link: https://commits.webkit.org/251073@main

Modified Paths

Diff

Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (294968 => 294969)


--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2022-05-27 23:55:11 UTC (rev 294968)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in	2022-05-28 00:00:04 UTC (rev 294969)
@@ -904,7 +904,7 @@
             (allow mach-message-send (with telemetry)))))
             
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
-    (allow syscall-mach (with telemetry))
+    (deny syscall-mach (with telemetry))
     (allow syscall-mach (machtrap-number
         MSC__kernelrpc_mach_port_allocate_trap
         MSC__kernelrpc_mach_port_construct_trap
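Review bot: Changing `(allow syscall-mach (with telemetry))` to `(deny syscall-mach (with telemetry))` turns the list that follows into the complete set of permitted Mach traps, but nothing in the profile says so. The same applies to the `(deny syscall-unix (with telemetry))` change in the hunk at -917. A comment above each deny would help the next maintainer, for example `;; Default-deny: only the entries listed below are permitted; denied calls are still reported through telemetry.` The Mach deny sits under the `ENABLE_SANDBOX_MESSAGE_FILTER` check, while the Unix deny is conditioned only on `(defined? 'syscall-unix)`. As far as these hunks show, only the Mach deny can be switched off by that parameter if a missing entry causes breakage, so it is worth confirming that this is intended. The `when` form continues outside this hunk.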
@@ -911,6 +911,7 @@
         MSC__kernelrpc_mach_port_deallocate_trap
         MSC__kernelrpc_mach_port_destruct_trap
         MSC__kernelrpc_mach_port_extract_member_trap
+        MSC__kernelrpc_mach_port_get_attributes_trap
         MSC__kernelrpc_mach_port_guard_trap
         MSC__kernelrpc_mach_port_insert_member_trap
         MSC__kernelrpc_mach_port_insert_right_trap
@@ -917,29 +918,45 @@
         MSC__kernelrpc_mach_port_mod_refs_trap
         MSC__kernelrpc_mach_port_request_notification_trap
         MSC__kernelrpc_mach_port_type_trap
+        MSC__kernelrpc_mach_port_unguard_trap
         MSC__kernelrpc_mach_vm_allocate_trap
         MSC__kernelrpc_mach_vm_deallocate_trap
         MSC__kernelrpc_mach_vm_map_trap
         MSC__kernelrpc_mach_vm_protect_trap
+        MSC__kernelrpc_mach_vm_purgable_control_trap
         MSC_host_create_mach_voucher_trap
         MSC_host_self_trap
+        MSC_iokit_user_client_trap
+        MSC_mach_generate_activity_id
         MSC_mach_msg_trap
         MSC_mach_reply_port
         MSC_mach_voucher_extract_attr_recipe_trap
+        MSC_mk_timer_arm
+        MSC_mk_timer_cancel
+        MSC_mk_timer_create
+        MSC_mk_timer_destroy
         MSC_pid_for_task
         MSC_semaphore_signal_trap
+        MSC_semaphore_timedwait_trap
         MSC_semaphore_wait_trap
         MSC_swtch_pri
         MSC_syscall_thread_switch
-        MSC_thread_get_special_reply_port)))
+        MSC_task_name_for_pid
+        MSC_task_self_trap
+        MSC_thread_get_special_reply_port))
+
+    (when (defined? 'MSC_mach_msg2_trap)
+        (allow syscall-mach
+            (machtrap-number MSC_mach_msg2_trap))))
 #endif // HAVE(SANDBOX_MESSAGE_FILTERING)
 
 (when (defined? 'syscall-unix)
-    (allow syscall-unix (with telemetry))
+    (deny syscall-unix (with telemetry))
     (allow syscall-unix (syscall-number
         SYS___channel_open
         SYS___disable_threadsignal
         SYS___mac_syscall
+        SYS___pthread_canceled
         SYS___pthread_kill
         SYS___pthread_sigmask
         SYS___semwait_signal
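Review bot: `MSC_iokit_user_client_trap` and `MSC_task_name_for_pid` are added to the Mach allowlist with no note on what needs them, and both merit one because they widen what the GPU process can reach. The first is an entry point into IOKit user clients, and the second returns a task name port for a process selected by pid. A trap-number filter cannot constrain arguments, so the effective limit presumably comes from IOKit and process-info rules elsewhere in the profile, which this hunk does not show. I would add a short comment beside each entry naming the dependency and the rule that bounds it, e.g. `;; required by <framework placeholder>; reachable user clients are limited by the iokit-open rules`. That way a later audit can tell whether the entry is still needed.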
@@ -981,6 +998,7 @@
         SYS_gettimeofday
         SYS_getuid
         SYS_getxattr
+        SYS_guarded_open_np
         SYS_issetugid
         SYS_kdebug_trace
         SYS_kdebug_trace64
@@ -1024,6 +1042,8 @@
         SYS_readlink
         SYS_rename
         SYS_sendto
+        SYS_setrlimit
+        SYS_setsockopt
         SYS_sigaltstack
         SYS_sigprocmask
         SYS_socket