Block access to socket syscalls

https://bugs.webkit.org/show_bug.cgi?id=241722

Reviewed by Geoffrey Garen.

Block access to socket syscalls in the WebContent process. These are used by the legacy ASL logging system.
The legacy logging system is rarely used in the WebContent process.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:

Canonical link: https://commits.webkit.org/251702@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@295697 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

@@ -1061,7 +1061,6 @@
     (syscall-number
         SYS_bsdthread_register
         SYS_chdir
-        SYS_connect
         SYS_dup2
         SYS_fsgetpath
         SYS_getpid
@@ -1203,7 +1202,6 @@
         SYS_necp_open
 #endif
         SYS_psynch_rw_wrlock
-        SYS_socket
         SYS_umask
         SYS_work_interval_ctl))
 
@@ -1231,6 +1229,10 @@
         (syscall-unix-rarely-in-use-need-backtrace))
 )
 
+(deny syscall-unix (syscall-number
+    SYS_connect
+    SYS_socket))
+
 (when (defined? 'SYS_map_with_linking_np)
     (allow syscall-unix (syscall-number SYS_map_with_linking_np)))
 

Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -1948,7 +1948,6 @@
         SYS_sendto
         SYS_sigaltstack
         SYS_sigprocmask
-        SYS_socket
         SYS_stat64
         SYS_sysctlbyname
         SYS_thread_selfid
@@ -1974,7 +1973,6 @@
         SYS___semwait_signal_nocancel
         SYS_change_fdguard_np
         SYS_chmod
-        SYS_connect
         SYS_dup ;; Remove when <rdar://88210738> is fixed
         SYS_fchmod
         SYS_fsync
@@ -2052,6 +2050,10 @@
         (allow syscall-unix (syscall-number SYS_map_with_linking_np)))
 )
 
+(deny syscall-unix (syscall-number
+    SYS_connect
+    SYS_socket))
+
 (with-filter (uid 0)
     (allow syscall-unix (syscall-number SYS_gettid))) ;; Needed for base system, see <rdar://problem/48651255>