[webkit-changes] [295697] trunk/Source/WebKit

Tue, 21 Jun 2022 16:02:26 -0700

Title: [295697] trunk/Source/WebKit
Revision
295697
Author
pvol...@apple.com
Date
2022-06-21 16:01:30 -0700 (Tue, 21 Jun 2022)

Log Message

Block access to socket syscalls
https://bugs.webkit.org/show_bug.cgi?id=241722

Reviewed by Geoffrey Garen.

Block access to socket syscalls in the WebContent process. These are used by the legacy ASL logging system.
The legacy logging system is rarely used in the WebContent process.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:

Canonical link: https://commits.webkit.org/251702@main

Modified Paths

Diff

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (295696 => 295697)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-06-21 22:39:28 UTC (rev 295696)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2022-06-21 23:01:30 UTC (rev 295697)
@@ -1061,7 +1061,6 @@
     (syscall-number
         SYS_bsdthread_register
         SYS_chdir
-        SYS_connect
         SYS_dup2
         SYS_fsgetpath
         SYS_getpid
@@ -1203,7 +1202,6 @@
         SYS_necp_open
 #endif
         SYS_psynch_rw_wrlock
-        SYS_socket
         SYS_umask
         SYS_work_interval_ctl))
 
@@ -1231,6 +1229,10 @@
         (syscall-unix-rarely-in-use-need-backtrace))
 )
 
+(deny syscall-unix (syscall-number
+    SYS_connect
+    SYS_socket))
+
 (when (defined? 'SYS_map_with_linking_np)
     (allow syscall-unix (syscall-number SYS_map_with_linking_np)))

Modified: trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in (295696 => 295697)


--- trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-06-21 22:39:28 UTC (rev 295696)
+++ trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in	2022-06-21 23:01:30 UTC (rev 295697)
@@ -1948,7 +1948,6 @@
         SYS_sendto
         SYS_sigaltstack
         SYS_sigprocmask
-        SYS_socket
         SYS_stat64
         SYS_sysctlbyname
         SYS_thread_selfid
@@ -1974,7 +1973,6 @@
         SYS___semwait_signal_nocancel
         SYS_change_fdguard_np
         SYS_chmod
-        SYS_connect
         SYS_dup ;; Remove when <rdar://88210738> is fixed
         SYS_fchmod
         SYS_fsync
@@ -2052,6 +2050,10 @@
         (allow syscall-unix (syscall-number SYS_map_with_linking_np)))
 )
 
+(deny syscall-unix (syscall-number
+    SYS_connect
+    SYS_socket))
+
 (with-filter (uid 0)
     (allow syscall-unix (syscall-number SYS_gettid))) ;; Needed for base system, see <rdar://problem/48651255>
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to