Changeset 292146 in webkit
- Timestamp: Mar 31, 2022 1:40:01 AM (2 years ago)
- Location: trunk/Source
- Files: 5 edited
trunk/Source/WTF/ChangeLog
r292138 r292146 1 2022-03-31 Per Arne Vollan <pvollan@apple.com> 2 3 Add runtime flag for blocking IOKit resources in the WebContent process' sandbox 4 https://bugs.webkit.org/show_bug.cgi?id=238528 5 6 Reviewed by Simon Fraser. 7 8 * Scripts/Preferences/WebPreferencesInternal.yaml: 9 1 10 2022-03-30 Myles C. Maxfield <mmaxfield@apple.com> 2 11 -
trunk/Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml
r292010 r292146 123 123 default: false 124 124 125 BlockIOKitInWebContentSandbox: 126 type: bool 127 humanReadableName: "IOKit blocking in the WebContent sandbox" 128 humanReadableDescription: "Block IOKit access in the WebContent sandbox" 129 webcoreBinding: none 130 exposed: [ WebKit ] 131 defaultValue: 132 WebKit: 133 default: false 134 125 135 CSSDisplayContentsAXSupportEnabled: 126 136 type: bool -
trunk/Source/WebKit/ChangeLog
r292143 r292146 1 2022-03-31 Per Arne Vollan <pvollan@apple.com> 2 3 Add runtime flag for blocking IOKit resources in the WebContent process' sandbox 4 https://bugs.webkit.org/show_bug.cgi?id=238528 5 6 Reviewed by Simon Fraser. 7 8 This flag will trigger a set of sandbox rules in the WebContent process which will block graphics 9 related IOKit classes and the Metal compiler service. 10 11 * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in: 12 * WebProcess/WebPage/WebPage.cpp: 13 1 14 2022-03-30 Simon Fraser <simon.fraser@apple.com> 2 15 -
trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
r291982 r292146 1043 1043 ) 1044 1044 1045 (allow iokit-open (with telemetry )1045 (allow iokit-open (with telemetry-backtrace) 1046 1046 (require-all 1047 1047 (require-not (extension "com.apple.webkit.extension.iokit")) … … 1068 1068 ) 1069 1069 1070 (allow iokit-open (with report) (with telemetry )1070 (allow iokit-open (with report) (with telemetry-backtrace) 1071 1071 (require-all 1072 1072 (require-not (extension "com.apple.webkit.extension.iokit")) … … 1074 1074 ) 1075 1075 ) 1076 1077 #if HAVE(SANDBOX_STATE_FLAGS) 1078 ;; This rule enables the WebContent process to enable the "BlockIOKitInWebContentSandbox" sandbox variable 1079 ;; by reading a preference from the domain "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox". 1080 (deny user-preference-read (with enable-state-flag "BlockIOKitInWebContentSandbox") 1081 (preference-domain "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox")) 1082 1083 (with-filter (state-flag "BlockIOKitInWebContentSandbox") 1084 (deny iokit-open (with telemetry-backtrace) 1085 (require-all 1086 (require-not (extension "com.apple.webkit.extension.iokit")) 1087 (iokit-user-client-class "IOSurfaceRootUserClient"))) 1088 (deny iokit-open (with telemetry-backtrace) 1089 (require-all 1090 (require-not (extension "com.apple.webkit.extension.iokit")) 1091 (iokit-connection "IOGPU"))) 1092 (deny mach-lookup (with telemetry-backtrace) 1093 (require-all 1094 (require-not (extension "com.apple.webkit.extension.mach")) 1095 (xpc-service-name "com.apple.MTLCompilerService")))) 1096 #endif 1076 1097 1077 1098 (with-filter (system-attribute apple-internal) -
trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp
r292134 r292146 908 908 CFPreferencesGetAppIntegerValue(CFSTR("key"), CFSTR("com.apple.WebKit.WebContent.AppCacheDisabled"), nullptr); 909 909 } 910 if (parameters.store.getBoolValueForKey(WebPreferencesKey::blockIOKitInWebContentSandboxKey())) 911 CFPreferencesGetAppIntegerValue(CFSTR("key"), CFSTR("com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox"), nullptr); 910 912 #endif 911 913
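Review bot: In trunk/Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml, the humanReadableDescription "Block IOKit access in the WebContent sandbox" is broader than what the flag does. Going by the WebKit ChangeLog entry and the sandbox rules in this changeset, it blocks graphics related IOKit classes (IOSurfaceRootUserClient, IOGPU) and the Metal compiler service, and only when the process does not hold the corresponding extension. Suggest narrowing the description to that scope so that someone toggling the internal setting does not assume all IOKit access is denied.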
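Review bot: In com.apple.WebKit.WebContent.sb.in at lines 1045 and 1070, the existing allow iokit-open rules change from (with telemetry) to (with telemetry-backtrace), and neither ChangeLog entry mentions it. These two rules sit outside the new state-flag filter and outside the HAVE(SANDBOX_STATE_FLAGS) guard, so the change applies whether or not the new preference is enabled. Please record it in the ChangeLog, or split it into its own change.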
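Review bot: In the new HAVE(SANDBOX_STATE_FLAGS) block of com.apple.WebKit.WebContent.sb.in, the deny iokit-open rules follow the allow iokit-open rules at lines 1045 and 1070, which carry the same (require-not (extension "com.apple.webkit.extension.iokit")) condition, and the comment does not say how the two interact. Please add a line stating that the denies are meant to take precedence over those allows once the state flag is set, and cover it with a test that opening IOSurfaceRootUserClient is refused with the flag enabled. The comment could also make explicit that the user-preference-read rule is a deny, so the flag is enabled by the attempted read of "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox" and not by any value stored in that domain.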
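Review bot: In trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp, the added CFPreferencesGetAppIntegerValue call discards its return value and passes nullptr as the last argument, so it reads as dead code to anyone who has not seen the sandbox profile. Add a comment saying the read exists only to trigger the enable-state-flag rule for the domain "com.apple.WebKit.WebContent.BlockIOKitInWebContentSandbox". The call is made only when the preference is true and nothing in this hunk clears the flag when it is false; if the flag is meant to be one-way for the life of the process, say so in the comment. Also check that the #endif closing this region belongs to a guard consistent with HAVE(SANDBOX_STATE_FLAGS) in the profile, since the opening condition is not visible in this hunk.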