[iOS][WP] Block access to file-ioctl commands

https://bugs.webkit.org/show_bug.cgi?id=240977 <rdar://88334007> Reviewed by Chris Dumez. This is based on collected telemetry. This patch also adds telemetry to file read/write of /dev/aes_0 to determine if that can be removed as well. * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in: Canonical link: https://commits.webkit.org/251026@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294903 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · May 26, 2022 · 1bebfc49b0933330ad45506218b7f69256717b22 · 1bebfc4
1 parent 71524a1
commit 1bebfc49b0933330ad45506218b7f69256717b22
Showing 1 changed file with 3 additions and 9 deletions.
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
@@ -315,7 +315,7 @@
           (literal "/dev/random")
           (literal "/dev/urandom"))
 
-    (allow file-read* file-write-data
+    (allow file-read* file-write-data (with telemetry)
            (literal "/dev/aes_0")))
 
 (define required-etc-files
@@ -1239,14 +1239,8 @@
 
 (deny file-ioctl (with telemetry))
 
-;; restrict to the two ioctl's /dev/aes_0 needs
-(allow file-ioctl (with telemetry)
-    (require-all
-        (literal "/dev/aes_0")
-        (require-any
-            (ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
-            (ioctl-command (_IO "T" 102)) ;; IOAES_ENCRYPT_DECRYPT
-)))
+(deny file-ioctl (with telemetry)
+    (literal "/dev/aes_0"))
 
 (deny socket-ioctl (with telemetry))