Unreviewed, reverting 269832@main.

https://bugs.webkit.org/show_bug.cgi?id=264439 Created perf regression Reverted changeset: "Remove lockdown mode related ENABLE macro" https://bugs.webkit.org/show_bug.cgi?id=263693 https://commits.webkit.org/269832@main Canonical link: https://commits.webkit.org/270407@main
WebKit · Nov 8, 2023 · 32eadbf · 32eadbf
1 parent 67030da
commit 32eadbf
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/Source/WTF/wtf/PlatformEnableCocoa.h b/Source/WTF/wtf/PlatformEnableCocoa.h
@@ -578,6 +578,10 @@
 #define ENABLE_LOCKDOWN_MODE_API 1
 #endif
 
+#if !defined(ENABLE_LOCKDOWN_MODE_TELEMETRY) && PLATFORM(MAC)
+#define ENABLE_LOCKDOWN_MODE_TELEMETRY 1
+#endif
+
 #if !defined(ENABLE_MEDIA_SOURCE) && !PLATFORM(MACCATALYST) && !PLATFORM(WATCHOS) && !PLATFORM(APPLETV)
 #define ENABLE_MEDIA_SOURCE 1
 #endif

diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -2038,11 +2038,18 @@
     (allow syscall-unix (syscall-unix-downlevels-blocked-in-lockdown-mode)))
 #endif
 
+#if ENABLE(LOCKDOWN_MODE_TELEMETRY)
 (with-filter (require-not (lockdown-mode))
     (allow syscall-unix (syscall-unix-blocked-in-lockdown-mode))
     (when (equal? (param "CPU") "arm64")
         (allow syscall-unix (syscall-unix-apple-silicon)))
     (allow syscall-unix (with report) (with telemetry) (syscalls-rarely-used-blocked-in-lockdown-mode)))
+#else
+(allow syscall-unix (syscall-unix-blocked-in-lockdown-mode))
+(when (equal? (param "CPU") "arm64")
+    (allow syscall-unix (syscall-unix-apple-silicon)))
+(allow syscall-unix (syscalls-rarely-used-blocked-in-lockdown-mode))
+#endif
 
 (when (defined? 'SYS_objc_bp_assist_cfg_np)
     (allow syscall-unix (syscall-number SYS_objc_bp_assist_cfg_np)))
@@ -2057,11 +2064,13 @@
     (allow syscall-unix (syscall-number SYS_quotactl)))
 #endif
 
+#if ENABLE(LOCKDOWN_MODE_TELEMETRY)
 (with-filter (lockdown-mode)
     (deny syscall-unix (with telemetry) (syscall-unix-blocked-in-lockdown-mode))
     (deny syscall-unix (with telemetry) (syscalls-rarely-used-blocked-in-lockdown-mode))
     (when (equal? (param "CPU") "arm64")
         (deny syscall-unix (with telemetry) (syscall-unix-apple-silicon))))
+#endif
 
 #if HAVE(ADDITIONAL_APPLE_CAMERA_SERVICE)
 (if (equal? (param "CPU") "arm64")
@@ -2188,12 +2197,17 @@
     (allow mach-kernel-endpoint
         (apply-message-filter
             (deny mach-message-send)
+#if ENABLE(LOCKDOWN_MODE_TELEMETRY)
             (with-filter (require-not (lockdown-mode))
                 (allow mach-message-send (kernel-mig-routines-blocked-in-lockdown-mode))
                 (allow mach-message-send (kernel-mig-routines-blocked-in-lockdown-mode-avoid-telemetry)))
             (with-filter (lockdown-mode)
                 (deny mach-message-send (with telemetry) (kernel-mig-routines-blocked-in-lockdown-mode))
                 (deny mach-message-send (with telemetry) (kernel-mig-routines-blocked-in-lockdown-mode-avoid-telemetry)))
+#else
+            (allow mach-message-send (kernel-mig-routines-blocked-in-lockdown-mode))
+            (allow mach-message-send (kernel-mig-routines-blocked-in-lockdown-mode-avoid-telemetry))
+#endif
 
             (allow mach-message-send (kernel-mig-routines-in-use))
 #if !PLATFORM(MAC) || __MAC_OS_X_VERSION_MIN_REQUIRED <= 140000
@@ -2280,10 +2294,14 @@
     (with-filter (require-not (lockdown-mode))
         (allow syscall-mach (syscall-mach-downlevels-blocked-in-lockdown-mode)))
 #endif
+#if ENABLE(LOCKDOWN_MODE_TELEMETRY)
     (with-filter (require-not (lockdown-mode))
         (allow syscall-mach (syscall-mach-blocked-in-lockdown-mode)))
     (with-filter (lockdown-mode)
         (deny syscall-mach (with telemetry) (syscall-mach-blocked-in-lockdown-mode)))
+#else
+    (allow syscall-mach (syscall-mach-blocked-in-lockdown-mode))
+#endif
     (when (defined? 'MSC_mach_msg2_trap)
         (allow syscall-mach (machtrap-number MSC_mach_msg2_trap))))
 #endif // HAVE(SANDBOX_MESSAGE_FILTERING)