Cherry-pick 81941f6. rdar://problem/101888960
    Initially allow syscall mach in sandbox v2
    https://bugs.webkit.org/show_bug.cgi?id=247402
    rdar://101888960

    Reviewed by Tim Nguyen.

    Initially allow syscall mach in sandbox v2, since it was allowed in v1. Individual sandboxes will deny mach syscalls.

    * Source/WebKit/Shared/Sandbox/macOS/common.sb:

    Canonical link: https://commits.webkit.org/256265@main

Canonical link: https://commits.webkit.org/256138.13@safari-7615.1.12-branch
pvollan authored and rjepstein committed Nov 3, 2022
1 parent bf37b79 commit 255818f
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions Source/WebKit/Shared/Sandbox/macOS/common.sb
Expand Up @@ -38,6 +38,7 @@
(allow file-map-executable (with telemetry))
(allow iokit-open-service (with telemetry))
(allow system-mac-syscall (with telemetry))
(allow syscall-mach)

(with-filter (mac-policy-name "Sandbox")
(allow system-mac-syscall (mac-syscall-number 2 4 6 7)))
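
Review bot: The added `(allow syscall-mach)` is the only unconditional allow in this group. The three rules directly above it all carry `(with telemetry)`, and the `system-mac-syscall` rule below is narrowed by a `mac-syscall-number` filter, while this line has neither a modifier nor a filter. Since the commit message says individual sandboxes will deny mach syscalls, the common profile's allow is the fallback for any process profile that never adds its own deny. If the modifier is accepted for this operation, consider `(allow syscall-mach (with telemetry))` so that use of the blanket allow is visible. Also consider a comment on the line in common.sb stating that it is an initial allow kept for parity with v1 and that each per-process profile is expected to override it, because that intent is currently recorded only in the commit message.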