[macOS] Adjust logging policy in WebKit's sandbox
authorpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jan 2019 21:22:34 +0000 (21:22 +0000)
committerpvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jan 2019 21:22:34 +0000 (21:22 +0000)
commit6f1f4e45291890893cc6098ba7e1e74d87273f18
treee3288637fbe1bd697de7c512f2b93cb4c82c7f97
parent7a5663eb1a10da692a47ac09ddee9427f78151f2
[macOS] Adjust logging policy in WebKit's sandbox
https://bugs.webkit.org/show_bug.cgi?id=193454

Reviewed by Brent Fulgham.

Add a rule to initially deny all calls, since the default is to allow every call.
Later rules allow syscalls that we determined are needed for proper WebKit function.
This reduces the API surface available to attackers.

* WebProcess/com.apple.WebProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240289 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebKit/ChangeLog
Source/WebKit/WebProcess/com.apple.WebProcess.sb.in