[iOS][WP] Block access to file-ioctl commands

Reviewed by Chris Dumez.

This is based on collected telemetry. This patch also adds telemetry to file read/write of /dev/aes_0
to determine if that can be removed as well.

* Source/WebKit/Resources/SandboxProfiles/ios/

git-svn-id: 268f45cc-cd09-0410-ab3c-d52691b4dbfc
pvollan committed May 26, 2022
1 parent 71524a1 commit 1bebfc49b0933330ad45506218b7f69256717b22
Showing 1 changed file with 3 additions and 9 deletions.
@@ -315,7 +315,7 @@
(literal "/dev/random")
(literal "/dev/urandom"))

(allow file-read* file-write-data
(allow file-read* file-write-data (with telemetry)
(literal "/dev/aes_0")))

(define required-etc-files
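Review bot: the `(with telemetry)` modifier added to the `/dev/aes_0` read/write allow rule at line 315 carries no comment explaining why an allow rule is being instrumented; the commit message gives the reason (to learn whether that access can be removed as well), and this profile already documents intent with `;;` comments, so a one-line comment such as `;; telemetry: determine whether /dev/aes_0 read/write access is still needed` above the rule would keep the rationale in the profile rather than only in the commit message.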
@@ -1239,14 +1239,8 @@

(deny file-ioctl (with telemetry))

;; restrict to the two ioctl's /dev/aes_0 needs
(allow file-ioctl (with telemetry)
(literal "/dev/aes_0")
(ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
(ioctl-command (_IO "T" 102)) ;; IOAES_ENCRYPT_DECRYPT
(deny file-ioctl (with telemetry)
(literal "/dev/aes_0"))

(deny socket-ioctl (with telemetry))

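Review bot: the new `(deny file-ioctl (with telemetry) (literal "/dev/aes_0"))` is redundant with the blanket `(deny file-ioctl (with telemetry))` two lines above it, since both deny and both report telemetry, and the only line that explained the /dev/aes_0 ioctl rule (`;; restrict to the two ioctl's /dev/aes_0 needs`) is removed together with the IOAES_GET_INFO / IOAES_ENCRYPT_DECRYPT allow. If the per-path deny is kept deliberately so that ioctl attempts on /dev/aes_0 are distinguishable in the collected telemetry from other file-ioctl hits, say so in a `;;` comment above it; otherwise drop it and let the general deny cover the path. In either case a short comment recording that the two IOAES ioctls were removed on the strength of telemetry would help the next reader who sees /dev/aes_0 read/write still allowed at line 315 while its ioctls are blocked here.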