Changeset 269751 in webkit

Timestamp:

Nov 12, 2020 2:12:21 PM (3 years ago)

Author:

pvollan@apple.com

Message:

[iOS] IOKit sandbox violation when enabling all GPU runtime flags
​https://bugs.webkit.org/show_bug.cgi?id=218820
<rdar://problem/71296116>

Reviewed by Brent Fulgham.

When enabling all GPU runtime flags on iOS, there is an iokit-open sandbox violation for the IOKit class AGXDeviceUserClient
in the WebContent process. When all GPU runtime flags are enabled, IOKit extensions are not provided to the WebContent process,
which should then fall back to a set of rules allowing use of these IOKit classes, with logging. There seems to be a problem
with the fallback for this specific IOKit class, which this patch addresses by adding an extra requirement to the rule. The
extra requirement is that IOKit extensions have not been provided for these IOKit classes.

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb (modified) (2 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-11-12  Per Arne Vollan  <pvollan@apple.com>
+
+        [iOS] IOKit sandbox violation when enabling all GPU runtime flags
+        https://bugs.webkit.org/show_bug.cgi?id=218820
+        <rdar://problem/71296116>
+
+        Reviewed by Brent Fulgham.
+
+        When enabling all GPU runtime flags on iOS, there is an iokit-open sandbox violation for the IOKit class AGXDeviceUserClient
+        in the WebContent process. When all GPU runtime flags are enabled, IOKit extensions are not provided to the WebContent process,
+        which should then fall back to a set of rules allowing use of these IOKit classes, with logging. There seems to be a problem
+        with the fallback for this specific IOKit class, which this patch addresses by adding an extra requirement to the rule. The
+        extra requirement is that IOKit extensions have not been provided for these IOKit classes.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+
 2020-11-12  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb

@@ -472 +472 @@
 (with-filter (system-attribute apple-internal)
   (mobile-preferences-read "com.apple.PrototypeTools"))
-
-(allow iokit-open (with report) (with telemetry-backtrace)
-    (iokit-user-client-class "IOMobileFramebufferUserClient")
-    (iokit-user-client-class "AGXDeviceUserClient")
-    (iokit-user-client-class "AppleJPEGDriverUserClient")
-    (iokit-user-client-class "IOSurfaceAcceleratorClient")
-    (iokit-user-client-class "IOSurfaceRootUserClient")
-)
-
-(allow iokit-open (with report) (with telemetry-backtrace)
-    (iokit-connection "IOGPU")
-)
 
 (with-elevated-precedence
@@ -982 +970 @@
 (deny mach-lookup (with telemetry-backtrace)
     (global-name "com.apple.mobilegestalt.xpc")
+)
+
+;; FIXME: This is just for logging. Remove when the GPU process is enabled by default.
+(allow iokit-open (with report) (with telemetry-backtrace)
+    (require-all
+        (require-not (extension "com.apple.webkit.extension.iokit"))
+        (iokit-user-client-class
+            "IOMobileFramebufferUserClient"
+            "AGXDeviceUserClient"
+            "AppleJPEGDriverUserClient"
+            "IOSurfaceAcceleratorClient"
+            "IOSurfaceRootUserClient"
+        )
+    )
+)
+
+(allow iokit-open (with report) (with telemetry-backtrace)
+    (require-all
+        (require-not (extension "com.apple.webkit.extension.iokit"))
+        (iokit-connection "IOGPU")
+    )
 )