Changeset 291626 in webkit

Timestamp:

Mar 22, 2022 10:19:45 AM (2 years ago)

Author:

pvollan@apple.com

Message:

[macOS][WP] Add telemetry for syscalls used during launch
​https://bugs.webkit.org/show_bug.cgi?id=235865
<rdar://problem/88228583>

Reviewed by Brent Fulgham.

Add telemetry in the WebContent process' sandbox on macOS to determine which syscalls are used only during launch.

• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• WebProcess/com.apple.WebProcess.sb.in (modified) (8 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-03-22  Per Arne Vollan  <pvollan@apple.com>
+
+        [macOS][WP] Add telemetry for syscalls used during launch
+        https://bugs.webkit.org/show_bug.cgi?id=235865
+        <rdar://problem/88228583>
+
+        Reviewed by Brent Fulgham.
+
+        Add telemetry in the WebContent process' sandbox on macOS to determine which syscalls are used only during launch.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2022-03-22  J Pascoe  <j_pascoe@apple.com>
 

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -1877 +1877 @@
 #endif
 
-(define (syscall-unix-common)
+#if HAVE(SANDBOX_STATE_FLAGS)
+(deny user-preference-read (with enable-state-flag "WebContentProcessLaunched")
+    (preference-domain "com.apple.WebKit.WebContent.Launch"))
+#endif
+
+(define (syscall-unix-only-in-use-during-launch)
+    (syscall-number
+        SYS_csops
+        SYS_csrctl
+        SYS_fsgetpath
+        SYS_getaudit_addr
+        SYS_getfsstat64
+        SYS_getrlimit
+        SYS_kdebug_trace
+        SYS_pathconf
+        SYS_statfs64))
+
+(define (syscall-unix-in-use-after-launch)
     (syscall-number
         SYS___disable_threadsignal
@@ -1889 +1906 @@
         SYS_close
         SYS_close_nocancel
-        SYS_csops
         SYS_csops_audittoken
-        SYS_csrctl
         SYS_exit
         SYS_faccessat ;; <rdar://problem/56690456>
@@ -1900 +1915 @@
         SYS_flock
         SYS_fsetxattr ;; <rdar://problem/56332491>
-        SYS_fsgetpath
         SYS_fstat64
         SYS_fstatat64
@@ -1907 +1921 @@
         SYS_getattrlist
         SYS_getattrlistbulk
-        SYS_getaudit_addr
         SYS_getdirentries64
         SYS_getentropy
         SYS_geteuid
-        SYS_getfsstat64
         SYS_getgid
         SYS_gethostuuid
-        SYS_getrlimit
         SYS_getrusage
         SYS_gettimeofday
@@ -1921 +1932 @@
         SYS_ioctl
         SYS_issetugid
-        SYS_kdebug_trace
         SYS_kdebug_trace64
         SYS_kdebug_trace_string ;; Needed for performance sampling, see <rdar://problem/48829655>.
@@ -1944 +1954 @@
         SYS_open_nocancel
         SYS_openat
-        SYS_pathconf
         SYS_pread
         SYS_proc_info
@@ -1962 +1971 @@
         SYS_sigaltstack
         SYS_sigprocmask
+        SYS_socket
         SYS_stat64
-        SYS_statfs64
-        SYS_socket
         SYS_sysctlbyname
         SYS_thread_selfid
@@ -2030 +2038 @@
 
 (when (defined? 'syscall-unix)
-    (deny syscall-unix (with send-signal SIGKILL))
+    (deny syscall-unix (with telemetry) (with send-signal SIGKILL))
     (allow syscall-unix
-        (syscall-unix-common))
+        (syscall-unix-in-use-after-launch)
+        (syscall-unix-only-in-use-during-launch))
+
+#if HAVE(SANDBOX_STATE_FLAGS)
+    (with-filter (state-flag "WebContentProcessLaunched")
+        (deny syscall-unix
+            (syscall-unix-only-in-use-during-launch))
+        (allow syscall-unix
+            (with report)
+            (with telemetry)
+            (with message "Unix syscall used after launch")
+            (syscall-unix-only-in-use-during-launch)))
+#endif
 
     (if (equal? (param "CPU") "arm64")