Changeset 240289 in webkit

Timestamp:

Jan 22, 2019 1:22:34 PM (5 years ago)

Author:

pvollan@apple.com

Message:

[macOS] Adjust logging policy in WebKit's sandbox
​https://bugs.webkit.org/show_bug.cgi?id=193454

Reviewed by Brent Fulgham.

Add a rule to initially deny all calls, since the default is to allow every call.
Later rules allow syscalls that we determined are needed for proper WebKit function.
This reduces the API surface available to attackers.

• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• WebProcess/com.apple.WebProcess.sb.in (modified) (1 diff)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-01-22  Per Arne Vollan  <pvollan@apple.com>
+
+        [macOS] Adjust logging policy in WebKit's sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=193454
+
+        Reviewed by Brent Fulgham.
+
+        Add a rule to initially deny all calls, since the default is to allow every call.
+        Later rules allow syscalls that we determined are needed for proper WebKit function.
+        This reduces the API surface available to attackers.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2019-01-22  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -826 +826 @@
 
 (when (defined? 'syscall-unix)
+    (deny syscall-unix (with termination))
     (allow syscall-unix
         (syscall-number SYS_exit)