Changeset 295697 in webkit

Timestamp:

Jun 21, 2022 4:01:30 PM (2 years ago)

Author:

pvollan@apple.com

Message:

Block access to socket syscalls
​https://bugs.webkit.org/show_bug.cgi?id=241722

Reviewed by Geoffrey Garen.

Block access to socket syscalls in the WebContent process. These are used by the legacy ASL logging system.
The legacy logging system is rarely used in the WebContent process.

• Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
• Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:

Canonical link: ​https://commits.webkit.org/251702@main

Location:

trunk/Source/WebKit

Files:

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (modified) (3 diffs)
• WebProcess/com.apple.WebProcess.sb.in (modified) (3 diffs)

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

@@ -1062 +1062 @@
         SYS_bsdthread_register
         SYS_chdir
-        SYS_connect
         SYS_dup2
         SYS_fsgetpath
@@ -1204 +1203 @@
 #endif
         SYS_psynch_rw_wrlock
-        SYS_socket
         SYS_umask
         SYS_work_interval_ctl))
@@ -1231 +1229 @@
         (syscall-unix-rarely-in-use-need-backtrace))
 )
+
+(deny syscall-unix (syscall-number
+    SYS_connect
+    SYS_socket))
 
 (when (defined? 'SYS_map_with_linking_np)

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -1949 +1949 @@
         SYS_sigaltstack
         SYS_sigprocmask
-        SYS_socket
         SYS_stat64
         SYS_sysctlbyname
@@ -1975 +1974 @@
         SYS_change_fdguard_np
         SYS_chmod
-        SYS_connect
         SYS_dup ;; Remove when <rdar://88210738> is fixed
         SYS_fchmod
@@ -2052 +2050 @@
         (allow syscall-unix (syscall-number SYS_map_with_linking_np)))
 )
+
+(deny syscall-unix (syscall-number
+    SYS_connect
+    SYS_socket))
 
 (with-filter (uid 0)