Add kernel MIG sandbox filtering

https://bugs.webkit.org/show_bug.cgi?id=252016
rdar://problem/105242436

Reviewed by Geoffrey Garen.

Add kernel MIG sandbox filtering for the GPU and Network process.

* Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in:

Canonical link: https://commits.webkit.org/260490@main

Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in

@@ -998,7 +998,53 @@
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint))
     (allow mach-kernel-endpoint
         (apply-message-filter
-            (allow mach-message-send))))
+            (allow mach-message-send (with report) (with telemetry))
+            (allow mach-message-send (kernel-mig-routine
+                _mach_make_memory_entry
+                clock_get_time
+                host_get_io_master
+                host_info
+                host_request_notification
+                io_connect_async_method
+                io_connect_method
+                io_connect_method_var_output
+                io_connect_set_notification_port_64
+                io_iterator_is_valid
+                io_iterator_next
+                io_object_conforms_to
+                io_object_get_class
+                io_registry_create_iterator
+                io_registry_entry_create_iterator
+                io_registry_entry_from_path
+                io_registry_entry_get_name
+                io_registry_entry_get_name_in_plane
+                io_registry_entry_get_parent_iterator
+                io_registry_entry_get_properties_bin_buf
+                io_registry_entry_get_property_bin_buf
+                io_registry_entry_get_registry_entry_id
+                io_registry_get_root_entry
+                io_server_version
+                io_service_add_interest_notification_64
+                io_service_add_notification_bin_64
+                io_service_close
+                io_service_get_matching_service_bin
+                io_service_get_matching_services_bin
+                io_service_open_extended
+                mach_port_extract_right
+                mach_port_get_refs
+                mach_port_request_notification
+                mach_port_set_attributes
+                mach_vm_copy
+                mach_vm_map_external
+                semaphore_create
+                semaphore_destroy
+                task_get_special_port_from_user
+                task_info_from_user
+                task_restartable_ranges_synchronize
+                thread_info
+                thread_policy_set
+                thread_resume
+                thread_suspend)))))
 
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
     (deny syscall-mach)

Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in

@@ -694,7 +694,38 @@
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint))
     (allow mach-kernel-endpoint
         (apply-message-filter
-            (allow mach-message-send))))
+            (allow mach-message-send (with report) (with telemetry))
+            (allow mach-message-send (kernel-mig-routine
+                _mach_make_memory_entry
+                host_get_io_master
+                host_info
+                host_request_notification
+                io_connect_method
+                io_iterator_is_valid
+                io_iterator_next
+                io_object_conforms_to
+                io_registry_entry_create_iterator
+                io_registry_entry_from_path
+                io_registry_entry_get_parent_iterator
+                io_registry_entry_get_property_bin_buf
+                io_server_version
+                io_service_add_interest_notification_64
+                io_service_get_matching_service_bin
+                io_service_open_extended
+                mach_exception_raise
+                mach_port_get_refs
+                mach_port_request_notification
+                mach_port_set_attributes
+                mach_vm_copy
+                mach_vm_map_external
+                mach_vm_remap_external
+                semaphore_create
+                task_get_special_port_from_user
+                task_info_from_user
+                task_policy_set
+                task_restartable_ranges_synchronize
+                thread_resume
+                thread_suspend)))))
 
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
     (deny syscall-mach)

Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in

@@ -887,6 +887,44 @@
 (when (defined? 'MSC_mach_msg2_trap)
     (allow syscall-mach (machtrap-number MSC_mach_msg2_trap)))
 
+(allow syscall-mig (with report)(with telemetry))
+(allow syscall-mig (kernel-mig-routine
+    _mach_make_memory_entry
+    host_get_clock_service
+    host_get_io_master
+    host_get_special_port
+    host_info
+    io_connect_async_method
+    io_connect_method
+    io_connect_set_notification_port_64
+    io_iterator_next
+    io_registry_entry_from_path
+    io_registry_entry_get_property_bin_buf
+    io_registry_entry_get_registry_entry_id
+    io_server_version
+    io_service_get_matching_service_bin
+    io_service_get_matching_services_bin
+    io_service_open_extended
+    mach_memory_entry_ownership
+    mach_port_extract_right
+    mach_port_get_context_from_user
+    mach_port_get_refs
+    mach_port_is_connection_for_service
+    mach_port_request_notification
+    mach_port_set_attributes
+    mach_vm_copy
+    mach_vm_map_external
+    semaphore_create
+    semaphore_destroy
+    task_get_special_port_from_user
+    task_info_from_user
+    task_restartable_ranges_register
+    task_restartable_ranges_synchronize
+    task_set_special_port
+    thread_policy_set
+    thread_resume
+    thread_suspend))
+
 #if ENABLE(SYSTEM_CONTENT_PATH_SANDBOX_RULES)
 #include <WebKitAdditions/SystemContentSandbox-ios.defs>