Block IOKit related syscalls

https://bugs.webkit.org/show_bug.cgi?id=271740 rdar://119001315 Reviewed by Sihui Liu. All IOKit related syscalls can be blocked in the WebContent process sandbox on iOS, since all use of IOKit is blocked by the sandbox. * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in: Canonical link: https://commits.webkit.org/276743@main
WebKit · Mar 27, 2024 · 5ff65f3 · 5ff65f3
1 parent c51e76f
commit 5ff65f3
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
@@ -1372,12 +1372,14 @@
 (define (kernel-mig-routine-rarely-used-need-backtrace-blocked-in-lockdown-mode)
     (kernel-mig-routine
         clock_get_time
+#if !ENABLE(WEBCONTENT_GPU_SANDBOX_EXTENSIONS_BLOCKING)
         io_connect_add_client
         io_connect_async_method
         io_connect_map_memory_into_task ;; <rdar://88300200>
         io_connect_method
         io_connect_set_notification_port_64
         io_service_close
+#endif
         mach_exception_raise
         mach_vm_region
         task_threads_from_user))