Changeset 292957 in webkit

Timestamp:

Apr 18, 2022 9:46:04 AM (2 years ago)

Author:

pvollan@apple.com

Message:

Block system calls in the Network process
​https://bugs.webkit.org/show_bug.cgi?id=238935
<rdar://47323426>

Reviewed by Geoffrey Garen.

Block unused system calls in the Network process on macOS and iOS. This is based on collected telemetry.

• NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
• Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (modified) (13 diffs)
• Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in (modified) (4 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-04-18  Per Arne Vollan  <pvollan@apple.com>
+
+        Block system calls in the Network process
+        https://bugs.webkit.org/show_bug.cgi?id=238935
+        <rdar://47323426>
+
+        Reviewed by Geoffrey Garen.
+
+        Block unused system calls in the Network process on macOS and iOS. This is based on collected telemetry.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in:
+
 2022-04-18  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

@@ -475 +475 @@
 
 (when (defined? 'syscall-unix)
-    (allow syscall-unix (with telemetry))
+    (deny syscall-unix (with telemetry))
     (allow syscall-unix (syscall-number
         SYS___channel_get_info
@@ -482 +482 @@
         SYS___disable_threadsignal
         SYS___mac_syscall
+        SYS___pthread_kill
         SYS___pthread_sigmask
         SYS___semwait_signal
+        SYS___semwait_signal_nocancel
+        SYS_abort_with_payload
         SYS_access
         SYS_bsdthread_create
@@ -489 +492 @@
         SYS_bsdthread_terminate
         SYS_change_fdguard_np
+        SYS_close
+        SYS_close_nocancel
+        SYS_csops_audittoken
         SYS_csrctl
         SYS_dup
@@ -494 +500 @@
         SYS_fcntl
         SYS_fcntl_nocancel
+        SYS_ffsctl
         SYS_fgetattrlist
+        SYS_fgetxattr
         SYS_fileport_makeport
+        SYS_flistxattr
         SYS_flock
+        SYS_fsetattrlist
         SYS_fsgetpath
         SYS_fstat
         SYS_fstat64
+        SYS_fstat64_extended
         SYS_fstatat
         SYS_fstatat64
@@ -507 +518 @@
         SYS_ftruncate
         SYS_getattrlist
+        SYS_getattrlistbulk
         SYS_getaudit_addr
         SYS_getdirentries
@@ -517 +529 @@
         SYS_getgid
         SYS_getgroups
+        SYS_gethostuuid
         SYS_getpeername
         SYS_getrlimit
@@ -531 +544 @@
         SYS_iopolicysys
         SYS_issetugid
+        SYS_kdebug_trace
         SYS_kdebug_trace64
         SYS_kdebug_trace_string
@@ -553 +567 @@
         SYS_necp_client_action
         SYS_necp_open
+        SYS_open
         SYS_open_dprotected_np
+        SYS_open_nocancel
+        SYS_openat
+        SYS_os_fault_with_payload
         SYS_pathconf
         SYS_pipe
         SYS_pread
         SYS_pread_nocancel
+        SYS_proc_info
         SYS_pselect
         SYS_psynch_cvbroad
@@ -586 +605 @@
         SYS_setsockopt
         SYS_shutdown
+        SYS_sigaction
         SYS_sigaltstack
+        SYS_sigprocmask
+        SYS_sigreturn
         SYS_socketpair
         SYS_stat
@@ -593 +615 @@
         SYS_statfs
         SYS_statfs64
+        SYS_sysctl
         SYS_thread_selfid
         SYS_ulock_wait
         SYS_ulock_wake
-        SYS_workq_kernreturn)))
+        SYS_unlink
+        SYS_workq_kernreturn
+        SYS_write
+        SYS_write_nocancel)))
 
 (when (defined? 'SYS__map_with_linking_np)
@@ -608 +634 @@
             
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
-    (allow syscall-mach (with report) (with telemetry))
+    (deny syscall-mach (with telemetry))
     (allow syscall-mach
         (machtrap-number
@@ -632 +658 @@
             MSC_mach_generate_activity_id
             MSC_mach_msg_trap
+            MSC_mach_msg2_trap
             MSC_mach_reply_port
             MSC_mach_voucher_extract_attr_recipe_trap
@@ -637 +664 @@
             MSC_mk_timer_cancel
             MSC_mk_timer_create
+            MSC_mk_timer_destroy
             MSC_semaphore_signal_trap
+            MSC_semaphore_timedwait_trap
             MSC_semaphore_wait_trap
             MSC_swtch_pri
             MSC_syscall_thread_switch
+            MSC_task_dyld_process_info_notify_get
             MSC_task_self_trap
             MSC_thread_get_special_reply_port)))

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in

@@ -615 +615 @@
 
 (when (defined? 'syscall-unix)
-    (allow syscall-unix)
+    (deny syscall-unix (with telemetry))
     (allow syscall-unix (syscall-number
         SYS___channel_get_info
@@ -622 +622 @@
         SYS___disable_threadsignal
         SYS___mac_syscall
+        SYS___pthread_kill
+        SYS___pthread_sigmask
         SYS___semwait_signal
         SYS_abort_with_payload
@@ -639 +641 @@
         SYS_csops_audittoken
         SYS_dup
+        SYS_dup2
         SYS_exit
         SYS_fcntl
         SYS_fcntl_nocancel
+        SYS_ffsctl
+        SYS_fileport_makefd
         SYS_fsgetpath
         SYS_fstat64
+        SYS_fstat64_extended
         SYS_fstatat64
         SYS_fstatfs64
@@ -759 +765 @@
 
 (when (defined? 'syscall-mach)
-    (allow syscall-mach (with report))
+    (deny syscall-mach (with telemetry))
     (allow syscall-mach
         (machtrap-number