Changeset 283375 in webkit

Timestamp:

Oct 1, 2021, 10:07:54 AM (3 years ago)

Author:

pvollan@apple.com

Message:

Make sandbox rules for debug syscalls stricter
​https://bugs.webkit.org/show_bug.cgi?id=230985
<rdar://49531420>

Reviewed by Brent Fulgham.

Make sandbox rules for debug syscalls stricter in the WebContent process on macOS and iOS.

• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
• WebProcess/com.apple.WebProcess.sb.in:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (modified) (3 diffs)
• WebProcess/com.apple.WebProcess.sb.in (modified) (2 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2021-10-01  Per Arne Vollan  <pvollan@apple.com>
+
+        Make sandbox rules for debug syscalls stricter
+        https://bugs.webkit.org/show_bug.cgi?id=230985
+        <rdar://49531420>
+
+        Reviewed by Brent Fulgham.
+
+        Make sandbox rules for debug syscalls stricter in the WebContent process on macOS and iOS.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2021-10-01  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

@@ -1295 +1295 @@
         (syscall-number SYS_ulock_wait)
         (syscall-number SYS_ulock_wake)
-        (syscall-number SYS_kdebug_typefilter)
         (syscall-number SYS_shared_region_check_np)
         (syscall-number SYS_getpid)
@@ -1317 +1316 @@
         (syscall-number SYS_pread_nocancel)
         (syscall-number SYS___semwait_signal_nocancel)
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
         (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
         (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
@@ -1332 +1330 @@
         (allow syscall-unix (syscall-number SYS_objc_bp_assist_cfg_np)))
 )
+
+(with-filter (system-attribute apple-internal)
+    (when (defined? 'syscall-unix)
+        (allow syscall-unix
+            (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
+            (syscall-number SYS_kdebug_typefilter))))
 
 (when (defined? 'file-ioctl)

trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -1972 +1972 @@
         (syscall-number SYS_ulock_wake)
         (syscall-number SYS_work_interval_ctl)
-        (syscall-number SYS_kdebug_typefilter)
         (syscall-number SYS_gettid) ;; Needed for base system, see <rdar://problem/48651255>
         (syscall-number SYS_memorystatus_control) ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
         (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/49060359>
         (syscall-number SYS_terminate_with_payload) ;; <rdar://problem/50026580>
@@ -2012 +2010 @@
 #endif
 )
+
+(with-filter (system-attribute apple-internal)
+    (when (defined? 'syscall-unix)
+        (allow syscall-unix
+            (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
+            (syscall-number SYS_kdebug_typefilter))))
 
 #if USE(APPLE_INTERNAL_SDK)