Changeset 276658 in webkit

Timestamp:

Apr 27, 2021, 1:37:56 PM (4 years ago)

Author:

pvollan@apple.com

Message:

Enforce IOKit filtering
​https://bugs.webkit.org/show_bug.cgi?id=223937
<rdar://problem/76271551>

Reviewed by Brent Fulgham.

Enforce IOKit method filtering based on telemetry. This patch also adds IOKit method telemetry for some Apple Silicion
IOKit classes, which were overlooked in the first telemetry phase.

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (4 diffs)
• WebProcess/com.apple.WebProcess.sb.in (modified) (15 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2021-04-27  Per Arne  <pvollan@apple.com>
+
+        Enforce IOKit filtering
+        https://bugs.webkit.org/show_bug.cgi?id=223937
+        <rdar://problem/76271551>
+
+        Reviewed by Brent Fulgham.
+
+        Enforce IOKit method filtering based on telemetry. This patch also adds IOKit method telemetry for some Apple Silicion
+        IOKit classes, which were overlooked in the first telemetry phase.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2021-04-27  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -259 +259 @@
                 (deny (with telemetry)
                     iokit-external-trap)
-                (allow (with telemetry) (with message "AGXDeviceUserClient")
+                (deny (with telemetry) (with message "AGXDeviceUserClient")
                     iokit-async-external-method
                     iokit-external-method
@@ -433 +433 @@
                 iokit-async-external-method
                 iokit-external-trap)
-            (allow (with telemetry) (with message "IOSurfaceRootUserClient")
+            (deny (with telemetry) (with message "IOSurfaceRootUserClient")
                 iokit-external-method)
             (allow iokit-external-method
@@ -445 +445 @@
                     10
                     11
+                    12
                     13
                     14
@@ -496 +497 @@
                     iokit-async-external-method
                     iokit-external-trap)
-                (allow (with telemetry) (with message "IOSurfaceAcceleratorClient")
+                (deny (with telemetry) (with message "IOSurfaceAcceleratorClient")
                     iokit-external-method)
                 (allow iokit-external-method

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -112 +112 @@
 (define (IOAcceleratorMessageFilter)
     (apply-message-filter
-        (allow (with telemetry) (with message "IOAccelerator")
+        (deny (with telemetry) (with message "IOAccelerator")
             iokit-async-external-method
             iokit-external-method
@@ -145 +145 @@
                 23
                 24
+                28
                 29
                 30
@@ -158 +159 @@
                 261
                 262
+                263
+                265
                 267
                 512
@@ -170 +173 @@
 (define (IOSurfaceRootUserClientMessageFilter)
     (apply-message-filter
-        (allow (with telemetry) (with message "IOSurfaceRootUserClient")
+        (deny (with telemetry) (with message "IOSurfaceRootUserClient")
             iokit-async-external-method
             iokit-external-method
@@ -199 +202 @@
                 34
                 35
+                36
+                38
                 44
             )
@@ -204 +209 @@
         (deny (with telemetry)
             iokit-external-trap
+        )
+    )
+)
+
+(define (AppleAVDUserClientMessageFilter)
+    (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+        (apply-message-filter
+            (allow (with telemetry) (with message "AppleAVDUserClient")
+                iokit-async-external-method
+                iokit-external-method
+                iokit-external-trap
+            )
+        )
+    )
+)
+
+(define (IOSurfaceAcceleratorClientMessageFilter)
+    (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+        (apply-message-filter
+            (allow (with telemetry) (with message "IOSurfaceAcceleratorClient")
+                iokit-async-external-method
+                iokit-external-method
+                iokit-external-trap
+            )
+        )
+    )
+)
+
+(define (IOMobileFramebufferUserClientMessageFilter)
+    (if (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES")
+        (apply-message-filter
+            (allow (with telemetry) (with message "IOMobileFramebufferUserClient")
+                iokit-async-external-method
+                iokit-external-method
+                iokit-external-trap
+            )
         )
     )
@@ -307 +348 @@
             (with telemetry-backtrace)
             (apply-message-filter
-                (allow (with telemetry) (with message "AppleIntelMEUserClient")
+                (deny (with telemetry) (with message "AppleIntelMEUserClient")
                     iokit-external-method
                 )
@@ -339 +380 @@
             (with telemetry-backtrace)
             (apply-message-filter
-                (allow (with telemetry) (with message "AppleSNBFBUserClient")
+                (deny (with telemetry) (with message "AppleSNBFBUserClient")
                     iokit-external-method
                 )
@@ -394 +435 @@
             (with telemetry-backtrace)
             (apply-message-filter
-                (allow (with telemetry) (with message "AppleGraphicsControlClient")
+                (deny (with telemetry) (with message "AppleGraphicsControlClient")
                     iokit-async-external-method
                     iokit-external-method
@@ -451 +492 @@
             (with telemetry-backtrace)
             (apply-message-filter
-                (allow (with telemetry) (with message "AppleMGPUPowerControlClient")
+                (deny (with telemetry) (with message "AppleMGPUPowerControlClient")
                     iokit-external-method
                 )
@@ -1040 +1081 @@
         (with telemetry-backtrace)
         (apply-message-filter
-            (allow (with telemetry) (with message "AppleUpstreamUserClient")
+            (deny (with telemetry) (with message "AppleUpstreamUserClient")
                 iokit-external-method
             )
@@ -1075 +1116 @@
         (with telemetry-backtrace)
         (apply-message-filter
-            (allow (with telemetry) (with message "RootDomainUserClient")
+            (deny (with telemetry) (with message "RootDomainUserClient")
                 iokit-external-method
             )
@@ -1107 +1148 @@
         (with telemetry-backtrace)
         (apply-message-filter
-            (allow (with telemetry) (with message "AudioAUUC")
+            (deny (with telemetry) (with message "AudioAUUC")
                 iokit-external-method
             )
@@ -1192 +1233 @@
             (iokit-user-client-class
                 "AppleAVDUserClient"
+            )
+        )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+        (AppleAVDUserClientMessageFilter)
+#endif
+    )
+    (allow iokit-open
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+        (with telemetry-backtrace)
+#endif
+        (require-all
+            (extension "com.apple.webkit.extension.iokit")
+            (iokit-user-client-class
                 "IOMobileFramebufferUserClient"
+            )
+        )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+        (IOMobileFramebufferUserClientMessageFilter)
+#endif
+    )
+    (allow iokit-open
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 110000
+        (with telemetry-backtrace)
+#endif
+        (require-all
+            (extension "com.apple.webkit.extension.iokit")
+            (iokit-user-client-class
                 "IOSurfaceAcceleratorClient" ;; <rdar://problem/63696732>
             )
         )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+        (IOSurfaceAcceleratorClientMessageFilter)
+#endif
     )
 )
@@ -2104 +2174 @@
             (iokit-user-client-class
                 "AppleAVDUserClient"
+            )
+        )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+        (AppleAVDUserClientMessageFilter)
+#endif
+    )
+    (allow iokit-open (with report)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED > 110000
+        (with telemetry-backtrace)
+#endif
+        (require-all
+            (require-not (extension "com.apple.webkit.extension.iokit"))
+            (iokit-user-client-class
                 "IOSurfaceAcceleratorClient"
             )
         )
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000
+        (IOSurfaceAcceleratorClientMessageFilter)
+#endif
     )
 )