Changeset 242600 in webkit

Timestamp:

Mar 7, 2019 9:46:12 AM (5 years ago)

Author:

pvollan@apple.com

Message:

[iOS] Disable permissive call logging in sandbox
​https://bugs.webkit.org/show_bug.cgi?id=195288
<rdar://problem/47683804>

Reviewed by Brent Fulgham.

As on macOS, we should enable strict call filtering in sandbox on iOS.

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (2 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-03-07  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] Disable permissive call logging in sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=195288
+        <rdar://problem/47683804>
+
+        Reviewed by Brent Fulgham.
+
+        As on macOS, we should enable strict call filtering in sandbox on iOS.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2019-03-07  Youenn Fablet  <youenn@apple.com>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -543 +543 @@
 
 (when (defined? 'syscall-unix)
-    (allow syscall-unix (with report))
+    (deny syscall-unix (with send-signal SIGKILL))
     (allow syscall-unix
         (syscall-number SYS_exit)
@@ -686 +686 @@
         (syscall-number SYS_fsetattrlist)
         (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
+        (syscall-number SYS_mremap_encrypted)
+        (syscall-number SYS_dup2)
+        (syscall-number SYS_fileport_makefd)
+        (syscall-number SYS_os_fault_with_payload)
+        (syscall-number SYS_persona)
+        (syscall-number SYS_work_interval_ctl)
     )
 )