Block access to socket syscalls
https://bugs.webkit.org/show_bug.cgi?id=241722
Reviewed by Geoffrey Garen.
Block access to socket syscalls in the WebContent process. These are used by the legacy ASL logging system.
The legacy logging system is rarely used in the WebContent process.
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:
Canonical link: https://commits.webkit.org/251702@main
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@295697 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
index 7fa1851..439dfab 100644
--- a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
+++ b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
@@ -1061,7 +1061,6 @@
(syscall-number
SYS_bsdthread_register
SYS_chdir
- SYS_connect
SYS_dup2
SYS_fsgetpath
SYS_getpid
@@ -1203,7 +1202,6 @@
SYS_necp_open
#endif
SYS_psynch_rw_wrlock
- SYS_socket
SYS_umask
SYS_work_interval_ctl))
@@ -1231,6 +1229,10 @@
(syscall-unix-rarely-in-use-need-backtrace))
)
+(deny syscall-unix (syscall-number
+ SYS_connect
+ SYS_socket))
+
(when (defined? 'SYS_map_with_linking_np)
(allow syscall-unix (syscall-number SYS_map_with_linking_np)))
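Review bot: The new `(deny syscall-unix (syscall-number SYS_connect SYS_socket))` rule carries no comment explaining why it sits after the allow lists and what it is meant to cut off; a one-line note such as `;; Socket creation is only needed by legacy ASL logging; see https://bugs.webkit.org/show_bug.cgi?id=241722` above the deny would record the rationale the way the `;;` remarks elsewhere in these profiles do. Presumably the placement after the allow blocks is deliberate because a later matching rule takes precedence in these profiles, so the comment should say so rather than leave the next editor to rediscover it. The commit justifies the change by the logging path being "rarely used", so if the profile's report/telemetry modifier is available for this operation, applying it to this deny would surface any WebContent code path that still reaches these two syscalls instead of failing silently. The deny covers only the two listed numbers; if the profile elsewhere still allows related entries such as SYS_connect_nocancel or SYS_socketpair, those are not visible in this hunk and should be checked so the removal of socket capability is complete. The same deny block is added to com.apple.WebProcess.sb.in in the last hunk of that file, and the same comment applies there.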
diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
index de5970d..d6ec98d 100644
--- a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
+++ b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -1948,7 +1948,6 @@
SYS_sendto
SYS_sigaltstack
SYS_sigprocmask
- SYS_socket
SYS_stat64
SYS_sysctlbyname
SYS_thread_selfid
@@ -1974,7 +1973,6 @@
SYS___semwait_signal_nocancel
SYS_change_fdguard_np
SYS_chmod
- SYS_connect
SYS_dup ;; Remove when <rdar://88210738> is fixed
SYS_fchmod
SYS_fsync
@@ -2052,6 +2050,10 @@
(allow syscall-unix (syscall-number SYS_map_with_linking_np)))
)
+(deny syscall-unix (syscall-number
+ SYS_connect
+ SYS_socket))
+
(with-filter (uid 0)
(allow syscall-unix (syscall-number SYS_gettid))) ;; Needed for base system, see <rdar://problem/48651255>
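Review bot: The new deny blocks creating and connecting sockets, but the earlier hunk of this file still lists `SYS_sendto` among the allowed syscalls, so a socket descriptor that reaches the process by another route (inherited or passed in) remains usable; if the goal is to remove socket I/O from the WebContent process rather than only socket creation, it is worth confirming whether the remaining SYS_sendto entry is still required and documenting the reason if it is. A short `;;` note next to the deny stating that it intentionally leaves existing descriptors untouched, or that SYS_sendto is kept for a named user, would make the intended scope of this change clear to the next reviewer.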