[iOS][WP] Block access to file-ioctl commands
https://bugs.webkit.org/show_bug.cgi?id=240977
<rdar://88334007>

Reviewed by Chris Dumez.

This is based on collected telemetry. This patch also adds telemetry to file read/write of /dev/aes_0
to determine if that can be removed as well.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Canonical link: https://commits.webkit.org/251026@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294903 268f45cc-cd09-0410-ab3c-d52691b4dbfc
pvollan committed May 26, 2022
1 parent 71524a1 commit 1bebfc49b0933330ad45506218b7f69256717b22
Showing 1 changed file with 3 additions and 9 deletions.
@@ -315,7 +315,7 @@
(literal "/dev/random")
(literal "/dev/urandom"))

(allow file-read* file-write-data
(allow file-read* file-write-data (with telemetry)
(literal "/dev/aes_0")))

(define required-etc-files
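Review bot: the `(with telemetry)` modifier added to the `/dev/aes_0` read/write allow carries no comment explaining why this access is being measured, and the commit message says the telemetry exists to decide whether the rule can be removed; a short profile comment above the rule, for instance `;; telemetry only: evaluating whether /dev/aes_0 read/write access can be removed (webkit.org/b/240977)`, would record that intent where the next reader of the profile will see it, instead of only in the commit message.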
@@ -1239,14 +1239,8 @@

(deny file-ioctl (with telemetry))

;; restrict to the two ioctl's /dev/aes_0 needs
(allow file-ioctl (with telemetry)
(require-all
(literal "/dev/aes_0")
(require-any
(ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
(ioctl-command (_IO "T" 102)) ;; IOAES_ENCRYPT_DECRYPT
)))
(deny file-ioctl (with telemetry)
(literal "/dev/aes_0"))

(deny socket-ioctl (with telemetry))
