commit 597ba040fbf1cee10ad96bab3c798377fe4dd608
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Apr 28 16:57:48 2018 +0000
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Apr 28 16:57:48 2018 +0000
tree f69cb68b2713a3e24485f3ff6d8dd230663589a2
parent 7153e657d2d5ed70560e39e2cc6357104f78da5f

Revise sandboxes to allow additional IOKit property access
https://bugs.webkit.org/show_bug.cgi?id=185095
<rdar://problem/39809455>

Reviewed by Eric Carlson.

Update the WebContent and Plugin processes to allow additional IOKit property access.

* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@231135 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog

diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 542de02..20084f4 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,16 @@
+2018-04-28  Brent Fulgham  <bfulgham@apple.com>
+
+        Revise sandboxes to allow additional IOKit property access
+        https://bugs.webkit.org/show_bug.cgi?id=185095
+        <rdar://problem/39809455>
+
+        Reviewed by Eric Carlson.
+
+        Update the WebContent and Plugin processes to allow additional IOKit property access.
+
+        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2018-04-28  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         [GTK] WebProcess from WebKitGtk+ 2.19.92 SIGSEVs in WebCore::TextureMapperGL::~TextureMapperGL

Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in

diff --git a/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in b/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
index 7fe8614..8ca9ff8 100644
--- a/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
+++ b/Source/WebKit/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
@@ -43,10 +43,10 @@
 
 (deny iokit-get-properties)
 (allow iokit-get-properties
-    (iokit-property-regex #"^AAPL,(DisplayPipe|boot-display|mux-switch-state)")
+    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
     (iokit-property "AGCInfo")
-    (iokit-property-regex #"^ATY,fb_(linebytes|offset|size)")
-    (iokit-property "AccelCaps")
+    (iokit-property-regex #"^ATY,(cbits|fb_(linebytes|offset|size)|intrev)")
+    (iokit-property-regex #"^Accel(Caps|NativeDMARowByteAlignment)")
     (iokit-property "ActuationSupported")
     (iokit-property "AllowDisplaySleep")
     (iokit-property "AlwaysNeedsVelocityCalculated")
@@ -60,7 +60,10 @@
     (iokit-property "Endianness")
     (iokit-property "Family ID")
     (iokit-property "ForceSupported")
+    (iokit-property "GPUConfigurationVariable")
+    (iokit-property "GpuDebugPolicy")
     (iokit-property "HIDPointerAccelerationType")
+    (iokit-property-regex #"^IOAV(.*)(De|En)code$")
     (iokit-property-regex #"^IOAccel(DisplayPipeCapabilities|Index|Revision|Types)")
     (iokit-property-regex #"^IOAudioControl(ChannelID|ID|SubType|Usage)")
     (iokit-property-regex #"^IOAudioDevice(CanBeDefaults|TransportType)")
@@ -71,6 +74,7 @@
     (iokit-property-regex #"^IOAudioEngineNum(ActiveUserClients|SampleFramesPerBuffer)")
     (iokit-property "IOAudioSampleRate")
     (iokit-property "IOAudioStreamSampleFormatByteOrder")
+    (iokit-property "IOBacklightHandlerID")
     (iokit-property "IOClassNameOverride")
     (iokit-property "IOCFPlugInTypes")
     (iokit-property "IOClass")
@@ -82,19 +86,20 @@
     (iokit-property "IOFramebufferOpenGLIndex")
     (iokit-property "IOGeneralInterest")
     (iokit-property "IOGLBundleName")
-    (iokit-property "IOGVACodec")
-    (iokit-property "IOGVAVTCapabilities")
-    (iokit-property-regex #"^IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
-    (iokit-property "IOI2CTransactionTypes")
+    (iokit-property-regex #"^IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler|VTCapabilities)")
     (iokit-property-regex "^IOGVA[A-Z]+(De|En)code")
+    (iokit-property "IOI2CTransactionTypes")
+    (iokit-property "IOKitDebug")
     (iokit-property "IOMACAddress") ;; For some Flash players
     (iokit-property "IOMatchCategory")
     (iokit-property-regex #"^IOName(Match|Matched)")
-    (iokit-property-regex #"^IOPCI(ClassMatch|Express(Capabilities|Link(Status|Capabilities))|PrimaryMatch|MSIMode|Resourced|Tunnelled)")
+    (iokit-property "IOOCDBundleName")
+    (iokit-property-regex #"^IOPCI((Class|Primary|Property|)Match|Express(Capabilities|Link(Status|Capabilities))|MSIMode|Resourced|Tunnelled)")
     (iokit-property "IOPMStrictTreeOrder")
     (iokit-property-regex #"^IOPlatform(SerialNumber|UUID)") ;; Ditto
     (iokit-property "IOPowerManagement")
     (iokit-property "IOProbeScore")
+    (iokit-property "IOPropertyMatch")
     (iokit-property "IOProviderClass")
     (iokit-property-regex #"^IOReport(Lures|Legend(|Public))")
     (iokit-property "IOScreenRestoreState")
@@ -105,11 +110,13 @@
     (iokit-property "MaintainPowerInUILock")
     (iokit-property "Max Packet Size")
     (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
+    (iokit-property "MetalStatisticsName")
     (iokit-property-regex #"^Multitouch (ID|Serial Number|Subdevice ID)")
     (iokit-property "NXSystemInfo")
     (iokit-property "NoAutoRoute")
     (iokit-property-regex #"^PerformanceStatistics(|Accum)")
     (iokit-property "Protocol Characteristics")
+    (iokit-property "SafeEjectRequested")
     (iokit-property-regex #"^Sensor (Columns|Region (Descriptor|Param)|Rows|Surface (Descriptor|Height|Width))")
     (iokit-property "SupportAudioAUUC")
     (iokit-property "SurfaceList")
@@ -123,8 +130,10 @@
     (iokit-property "bcdVersion")
     (iokit-property "boot-gamma-restored")
     (iokit-property "built-in")
+    (iokit-property "cail_properties")
     (iokit-property "connector-type")
     (iokit-property "device-colors")
+    (iokit-property "dpm")
     (iokit-property "graphic-options")
     (iokit-property "idProduct")
     (iokit-property "idVendor")

Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
index dc9bc07..28a3a7a 100644
--- a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
+++ b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -182,7 +182,7 @@
 (deny iokit-get-properties)
 (allow iokit-get-properties
     (iokit-property "AGCInfo")
-    (iokit-property "AccelCaps")
+    (iokit-property-regex #"^Accel(Caps|NativeDMARowByteAlignment)")
     (iokit-property-regex #"^(Accurate|Extended)MaxDigitizerPressureValue")
     (iokit-property-regex #"^(Activation|Animation)Thresholds")
     (iokit-property "ActuationSupported")
@@ -190,7 +190,7 @@
     (iokit-property "AlwaysNeedsVelocityCalculated")
     (iokit-property-regex #"Apple(GVAKeyDoesNotExist|IntelMEVABundleName)")
     (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
-    (iokit-property-regex #"^ATY,fb_(linebytes|offset|size)")
+    (iokit-property-regex #"^ATY,(cbits|fb_(linebytes|offset|size)|intrev)")
     (iokit-property "BacklightHandle")
     (iokit-property "BlockSize")
     (iokit-property-regex #"^CEA(ModeID|PixelRepetition)")
@@ -207,6 +207,8 @@
     (iokit-property "Family ID")
     (iokit-property "ForceSupported")
     (iokit-property "Formats")
+    (iokit-property "GPUConfigurationVariable")
+    (iokit-property "GpuDebugPolicy")
     (iokit-property "HIDPointerAccelerationType")
     (iokit-property-regex #"^IOAccel(DisplayPipeCapabilities|Index|Types|Revision)")
     (iokit-property-regex #"^IO(Class|MatchCategory|NameMatch)")
@@ -239,20 +241,21 @@
     (iokit-property "IOFramebufferOpenGLIndex")
     (iokit-property "IOGeneralInterest")
     (iokit-property "IOGLBundleName")
+    (iokit-property-regex #"^IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler|VTCapabilities)")
+    (iokit-property-regex #"^IOGVA(.*)(De|En)code$")
     (iokit-property "IOHibernateState")
     (iokit-property "IOI2CTransactionTypes")
     (iokit-property-regex #"^IOInterrupt(Controllers|Specifiers)")
-    (iokit-property "IOGVAVTCapabilities")
-    (iokit-property-regex #"^IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
-    (iokit-property-regex #"^IOGVA(.*)(De|En)code$")
+    (iokit-property "IOKitDebug")
     (iokit-property "IOMatchCategory")
     (iokit-property "IONDRVFramebufferGeneration")
     (iokit-property "IONVRAMProperty")
     (iokit-property-regex #"^IOName(|Match(|ed))")
+    (iokit-property "IOOCDBundleName")
     (iokit-property "IOPCITunnelled")
     (iokit-property "IOPMStrictTreeOrder")
     (iokit-property "IOParentMatch")
-    (iokit-property-regex #"^IOPCI(ClassMatch|Express(Capabilities|Link(Status|Capabilities))|PrimaryMatch|MSIMode|Resourced|Tunnelled)")
+    (iokit-property-regex #"^IOPCI((Class|Primary|Property|)Match|Express(Capabilities|Link(Status|Capabilities))|MSIMode|Resourced|Tunnelled)")
     (iokit-property "IOPMIsPowerManaged")
     (iokit-property-regex #"^IOPlatform(SerialNumber|UUID)")
     (iokit-property "IOPowerManagement")
@@ -310,11 +313,13 @@
     (iokit-property-regex #"^(board|device|revision|subsystem|vendor)-id")
     (iokit-property "boot-gamma-restored")
     (iokit-property "built-in")
+    (iokit-property "cail_properties")
     (iokit-property "class-code")
     (iokit-property "compatible")
     (iokit-property "connector-type")
     (iokit-property-regex #"^(device|revision|subsystem-vendor|touch-size)-id")
     (iokit-property "device_type")
+    (iokit-property "dpm")
     (iokit-property "graphic-options")
     (iokit-property "hda-gfx")
     (iokit-property-regex #"^id(Product|Vendor)")