Changeset 228419 in webkit


Timestamp:
Feb 13, 2018 8:51:10 AM (6 years ago)
Author:
Brent Fulgham
Message:

[iOS] whitelist iokit-get-properties
https://bugs.webkit.org/show_bug.cgi?id=182722
<rdar://problem/30929165>

Reviewed by Eric Carlson.

Update the iOS sandbox to block access to IOKit properties that are not needed for
legitimate WebContent process use. This brings the iOS sandbox in line with the
work done under macOS.

  • Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
Location:
trunk/Source/WebKit
Files:
2 edited

  • trunk/Source/WebKit/ChangeLog

    r228416 r228419  
     12018-02-13  Brent Fulgham  <bfulgham@apple.com>
     2
     3        [iOS] whitelist iokit-get-properties
     4        https://bugs.webkit.org/show_bug.cgi?id=182722
     5        <rdar://problem/30929165>
     6
     7        Reviewed by Eric Carlson.
     8
     9        Update the iOS sandbox to block access to IOKit properties that are not needed for
     10        legitimate WebContent process use. This brings the iOS sandbox in line with the
     11        work done under macOS.
     12
     13        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
     14
    1152018-02-12  John Wilander  <wilander@apple.com>
    216
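Review bot: The new ChangeLog entry (added lines 3 to 11) is titled "whitelist iokit-get-properties" but its description only says that access is blocked. It never states that the profile now denies iokit-get-properties by default and permits a fixed list of names, or how that list was derived. Suggest one sentence recording the default-deny and the source of the allowed names (for example the macOS work the entry mentions), so later additions to the list can be reviewed against it.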
  • trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

    r228341 r228419  
    312312        "vm.footprint_suspend"))
    313313
     314(deny iokit-get-properties (with partial-symbolication))
     315(allow iokit-get-properties
     316    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
     317    (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI))")
     318    (iokit-property "BaseAddressAlignmentRequirement")
     319    (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
     320    (iokit-property-regex #"^IOGL(|ES(|Metal))BundleName")
     321    (iokit-property "IOGLESDefaultUseMetal")
     322    (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
     323    (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
     324    (iokit-property "emu")
     325    (iokit-property "hdcp-hoover-protocol")
     326    (iokit-property "iommu-present")
     327    (iokit-property "product-id")
     328    (iokit-property "software-behavior")
     329)
     330
    314331;; Read-only preferences and data
    315332(mobile-preferences-read
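Review bot: The iokit-property-regex patterns on added lines 316 to 323 start with ^ but none ends with $, so unless the matcher anchors the end implicitly, each one permits any property name that begins with the listed text rather than only the listed names. For instance ^MetalPlugin(Name|ClassName) would also accept a name such as MetalPluginNameX (a constructed name), and in the AAPL pattern the empty first alternative in IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2) already covers the three alternatives that follow it. Suggest closing each pattern with $ so the allow list is exact. A short comment above the allow block saying which WebContent feature needs each group would also help, since names like "emu" and "software-behavior" give a later reviewer nothing to check against.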