Changeset 292146 in webkit


Ignore:
Timestamp:
Mar 31, 2022 1:40:01 AM (2 years ago)
Author:
pvollan@apple.com
Message:

Add runtime flag for blocking IOKit resources in the WebContent process' sandbox
https://bugs.webkit.org/show_bug.cgi?id=238528

Reviewed by Simon Fraser.

Source/WebKit:

This flag will trigger a set of sandbox rules in the WebContent process which will block graphics
related IOKit classes and the Metal compiler service.

  • Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
  • WebProcess/WebPage/WebPage.cpp:

Source/WTF:

  • Scripts/Preferences/WebPreferencesInternal.yaml:
Location:
trunk/Source
Files:
5 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WTF/ChangeLog

    r292138 r292146  
     12022-03-31  Per Arne Vollan  <pvollan@apple.com>
     2
     3        Add runtime flag for blocking IOKit resources in the WebContent process' sandbox
     4        https://bugs.webkit.org/show_bug.cgi?id=238528
     5
     6        Reviewed by Simon Fraser.
     7
     8        * Scripts/Preferences/WebPreferencesInternal.yaml:
     9
    1102022-03-30  Myles C. Maxfield  <mmaxfield@apple.com>
    211

  • trunk/Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml

    r292010 r292146  
    123123      default: false
    124124
     125BlockIOKitInWebContentSandbox:
     126  type: bool
     127  humanReadableName: "IOKit blocking in the WebContent sandbox"
     128  humanReadableDescription: "Block IOKit access in the WebContent sandbox"
     129  webcoreBinding: none
     130  exposed: [ WebKit ]
     131  defaultValue:
     132    WebKit:
     133      default: false
     134
    125135CSSDisplayContentsAXSupportEnabled:
    126136  type: bool

  • trunk/Source/WebKit/ChangeLog

    r292143 r292146  
     12022-03-31  Per Arne Vollan  <pvollan@apple.com>
     2
     3        Add runtime flag for blocking IOKit resources in the WebContent process' sandbox
     4        https://bugs.webkit.org/show_bug.cgi?id=238528
     5
     6        Reviewed by Simon Fraser.
     7
     8        This flag will trigger a set of sandbox rules in the WebContent process which will block graphics
     9        related IOKit classes and the Metal compiler service.
     10
     11        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
     12        * WebProcess/WebPage/WebPage.cpp:
     13
    1142022-03-30  Simon Fraser  <simon.fraser@apple.com>
    215

  • trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

    r291982 r292146  
    10431043)
    10441044
    1045 (allow iokit-open (with telemetry)
     1045(allow iokit-open (with telemetry-backtrace)
    10461046    (require-all
    10471047        (require-not (extension "com.apple.webkit.extension.iokit"))
     
    10681068)
    10691069
    1070 (allow iokit-open (with report) (with telemetry)
     1070(allow iokit-open (with report) (with telemetry-backtrace)
    10711071    (require-all
    10721072        (require-not (extension "com.apple.webkit.extension.iokit"))
     
    10741074    )
    10751075)
     1076
     1077#if HAVE(SANDBOX_STATE_FLAGS)
     1078;; This rule enables the WebContent process to enable the "BlockIOKitInWebContentSandbox" sandbox variable
     1079;; by reading a preference from the domain "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox".
     1080(deny user-preference-read (with enable-state-flag "BlockIOKitInWebContentSandbox")
     1081    (preference-domain "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox"))
     1082
     1083(with-filter (state-flag "BlockIOKitInWebContentSandbox")
     1084    (deny iokit-open (with telemetry-backtrace)
     1085        (require-all
     1086            (require-not (extension "com.apple.webkit.extension.iokit"))
     1087            (iokit-user-client-class "IOSurfaceRootUserClient")))
     1088    (deny iokit-open (with telemetry-backtrace)
     1089        (require-all
     1090            (require-not (extension "com.apple.webkit.extension.iokit"))
     1091            (iokit-connection "IOGPU")))
     1092    (deny mach-lookup (with telemetry-backtrace)
     1093        (require-all
     1094            (require-not (extension "com.apple.webkit.extension.mach"))
     1095            (xpc-service-name "com.apple.MTLCompilerService"))))
     1096#endif
    10761097
    10771098(with-filter (system-attribute apple-internal)

  • trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp

    r292134 r292146  
    908908        CFPreferencesGetAppIntegerValue(CFSTR("key"), CFSTR("com.apple.WebKit.WebContent.AppCacheDisabled"), nullptr);
    909909    }
     910    if (parameters.store.getBoolValueForKey(WebPreferencesKey::blockIOKitInWebContentSandboxKey()))
     911        CFPreferencesGetAppIntegerValue(CFSTR("key"), CFSTR("com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox"), nullptr);
    910912#endif
    911913
Note: See TracChangeset for help on using the changeset viewer.