Changeset 292980 in webkit
- Timestamp: Apr 18, 2022 4:46:31 PM (2 years ago)
- Location: trunk/Source/WebKit
- Files: 3 edited
trunk/Source/WebKit/ChangeLog
r292977 r292980 1 2022-04-18 Per Arne Vollan <pvollan@apple.com> 2 3 Block system calls in the Network process 4 https://bugs.webkit.org/show_bug.cgi?id=238935 5 <rdar://47323426> 6 7 Reviewed by Geoffrey Garen. 8 9 Block unused system calls in the Network process on macOS and iOS. This is based on collected telemetry. 10 11 * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: 12 * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in: 13 1 14 2022-04-18 Per Arne Vollan <pvollan@apple.com> 2 15 -
trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
r292975 r292980 475 475 476 476 (when (defined? 'syscall-unix) 477 ( allowsyscall-unix (with telemetry))477 (deny syscall-unix (with telemetry)) 478 478 (allow syscall-unix (syscall-number 479 479 SYS___channel_get_info … … 482 482 SYS___disable_threadsignal 483 483 SYS___mac_syscall 484 SYS___pthread_kill 484 485 SYS___pthread_sigmask 485 486 SYS___semwait_signal 487 SYS___semwait_signal_nocancel 488 SYS_abort_with_payload 486 489 SYS_access 487 490 SYS_bsdthread_create … … 489 492 SYS_bsdthread_terminate 490 493 SYS_change_fdguard_np 494 SYS_close 495 SYS_close_nocancel 496 SYS_csops_audittoken 491 497 SYS_csrctl 492 498 SYS_dup … … 494 500 SYS_fcntl 495 501 SYS_fcntl_nocancel 502 SYS_ffsctl 496 503 SYS_fgetattrlist 504 SYS_fgetxattr 497 505 SYS_fileport_makeport 506 SYS_flistxattr 498 507 SYS_flock 508 SYS_fsetattrlist 499 509 SYS_fsgetpath 500 510 SYS_fstat 501 511 SYS_fstat64 512 SYS_fstat64_extended 502 513 SYS_fstatat 503 514 SYS_fstatat64 … … 507 518 SYS_ftruncate 508 519 SYS_getattrlist 520 SYS_getattrlistbulk 509 521 SYS_getaudit_addr 510 522 SYS_getdirentries … … 517 529 SYS_getgid 518 530 SYS_getgroups 531 SYS_gethostuuid 519 532 SYS_getpeername 520 533 SYS_getrlimit … … 531 544 SYS_iopolicysys 532 545 SYS_issetugid 546 SYS_kdebug_trace 533 547 SYS_kdebug_trace64 534 548 SYS_kdebug_trace_string … … 553 567 SYS_necp_client_action 554 568 SYS_necp_open 569 SYS_open 555 570 SYS_open_dprotected_np 571 SYS_open_nocancel 572 SYS_openat 573 SYS_os_fault_with_payload 556 574 SYS_pathconf 557 575 SYS_pipe 558 576 SYS_pread 559 577 SYS_pread_nocancel 578 SYS_proc_info 560 579 SYS_pselect 561 580 SYS_psynch_cvbroad … … 586 605 SYS_setsockopt 587 606 SYS_shutdown 607 SYS_sigaction 588 608 SYS_sigaltstack 609 SYS_sigprocmask 610 SYS_sigreturn 589 611 SYS_socketpair 590 612 SYS_stat … … 593 615 SYS_statfs 594 616 SYS_statfs64 617 SYS_sysctl 595 618 SYS_thread_selfid 596 619 SYS_ulock_wait 597 620 SYS_ulock_wake 598 SYS_workq_kernreturn))) 621 SYS_unlink 622 
SYS_workq_kernreturn 623 SYS_write 624 SYS_write_nocancel))) 599 625 600 626 (when (defined? 'SYS_map_with_linking_np) … … 608 634 609 635 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach)) 610 ( allow syscall-mach (with report)(with telemetry))636 (deny syscall-mach (with telemetry)) 611 637 (allow syscall-mach 612 638 (machtrap-number … … 637 663 MSC_mk_timer_cancel 638 664 MSC_mk_timer_create 665 MSC_mk_timer_destroy 639 666 MSC_semaphore_signal_trap 667 MSC_semaphore_timedwait_trap 640 668 MSC_semaphore_wait_trap 641 669 MSC_swtch_pri 642 670 MSC_syscall_thread_switch 671 MSC_task_dyld_process_info_notify_get 643 672 MSC_task_self_trap 644 MSC_thread_get_special_reply_port))) 673 MSC_thread_get_special_reply_port)) 674 675 (when (defined? 'MSC_mach_msg2_trap) 676 (allow syscall-mach 677 (machtrap-number MSC_mach_msg2_trap)))) 645 678 #endif // HAVE(SANDBOX_MESSAGE_FILTERING) -
trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in
r292975 r292980 615 615 616 616 (when (defined? 'syscall-unix) 617 ( allow syscall-unix)617 (deny syscall-unix (with telemetry)) 618 618 (allow syscall-unix (syscall-number 619 619 SYS___channel_get_info … … 622 622 SYS___disable_threadsignal 623 623 SYS___mac_syscall 624 SYS___pthread_kill 625 SYS___pthread_sigmask 624 626 SYS___semwait_signal 625 627 SYS_abort_with_payload … … 639 641 SYS_csops_audittoken 640 642 SYS_dup 643 SYS_dup2 641 644 SYS_exit 642 645 SYS_fcntl 643 646 SYS_fcntl_nocancel 647 SYS_ffsctl 648 SYS_fileport_makefd 644 649 SYS_fsgetpath 645 650 SYS_fstat64 651 SYS_fstat64_extended 646 652 SYS_fstatat64 647 653 SYS_fstatfs64 … … 759 765 760 766 (when (defined? 'syscall-mach) 761 ( allow syscall-mach (with report))767 (deny syscall-mach (with telemetry)) 762 768 (allow syscall-mach 763 769 (machtrap-number
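Review bot: In NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in, the entries added under `(allow syscall-unix (syscall-number` include SYS_sysctl and SYS_proc_info, and a syscall-number filter admits every selector those two calls multiplex. With the default at line 477 now `(deny syscall-unix (with telemetry))`, these are the widest entries left in the list, so add a comment next to them saying whether other rules in the profile narrow them, or state in the ChangeLog that they are allowed wholesale because telemetry showed them in use.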
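Review bot: In the mac profile, the new `(when (defined? 'MSC_mach_msg2_trap)` block at lines 675-677 carries no comment explaining why this one trap needs its own `defined?` guard while every other entry in the machtrap-number list is named unconditionally. A one-line comment stating when the symbol can be absent would keep a later cleanup from folding it into the main list. The ChangeLog could also note that the `(deny syscall-mach (with telemetry))` default at line 636 only takes effect when ENABLE_SANDBOX_MESSAGE_FILTER is "YES", unlike the syscall-unix default, which depends only on `(defined? 'syscall-unix)`.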
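Review bot: In Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in, the rule replaced at line 617 was a bare `(allow syscall-unix)` with no `(with telemetry)` modifier, yet the ChangeLog says the blocking is based on collected telemetry. Say in the ChangeLog where the iOS usage data came from, since the visible lines add only eight entries to the iOS allowlist (SYS___pthread_kill, SYS___pthread_sigmask, SYS_dup2, SYS_ffsctl, SYS_fileport_makefd, SYS_fstat64_extended among them) and the default is now deny.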
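Review bot: In the iOS profile, the hunk at line 767 flips the default to `(deny syscall-mach (with telemetry))` but shows no addition to the machtrap-number list that follows, whereas the mac profile gained MSC_mk_timer_destroy, MSC_semaphore_timedwait_trap, MSC_task_dyld_process_info_notify_get and the guarded MSC_mach_msg2_trap in the same change. Confirm that the existing iOS list already covers these traps, or add them here, so the two profiles do not diverge once the default is deny.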