[macOS][iOS] Add filter to syscall sandbox rule
authorpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Apr 2019 19:13:38 +0000 (19:13 +0000)
committerpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Apr 2019 19:13:38 +0000 (19:13 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196613
<rdar://problem/49531420>

Reviewed by Brent Fulgham.

This will restrict the existing sandbox rule for the syscall.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
* WebProcess/com.apple.WebProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243888 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

index 0d20e9f..eb85379 100644 (file)
@@ -1,3 +1,16 @@
+2019-04-04  Per Arne Vollan  <pvollan@apple.com>
+
+        [macOS][iOS] Add filter to syscall sandbox rule
+        https://bugs.webkit.org/show_bug.cgi?id=196613
+        <rdar://problem/49531420>
+
+        Reviewed by Brent Fulgham.
+
+        This will restrict the existing sandbox rule for the syscall.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2019-04-04  Youenn Fablet  <youenn@apple.com>
 
         Service Worker Process does not have the right domain name
index cad5a14..5c50a0a 100644 (file)
         (syscall-number SYS_open_dprotected_np)
         (syscall-number SYS_pread_nocancel)
         (syscall-number SYS___semwait_signal_nocancel)
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
+    )
+    (with-filter (system-attribute apple-internal)
+        (allow syscall-unix (syscall-number SYS_kdebug_trace_string)) ;; <rdar://problem/49531420>
     )
 )
index 7b48d1c..8a9751f 100644 (file)
         (syscall-number SYS_kdebug_typefilter)
         (syscall-number SYS_gettid) ;; Needed for base system, see <rdar://problem/48651255>
         (syscall-number SYS_memorystatus_control) ;; Needed for memory measurement infrastructure, see <rdar://problem/48647263>
-        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
         (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/49060359>
     )
+    (with-filter (system-attribute apple-internal)
+        (allow syscall-unix (syscall-number SYS_kdebug_trace_string)) ;; <rdar://problem/49531420>
+    )
 )