From 92d5110f56f89b95fc6af3bc6dd228de8fa154cf Mon Sep 17 00:00:00 2001
From: Per Arne Vollan
Date: Fri, 17 Feb 2023 20:42:00 -0800
Subject: [PATCH] Add kernel MIG sandbox filtering
https://bugs.webkit.org/show_bug.cgi?id=252016
rdar://problem/105242436
Reviewed by Geoffrey Garen.
Add kernel MIG sandbox filtering for the GPU and Network process.
* Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
* Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in:
Canonical link: https://commits.webkit.org/260490@main
---
 .../mac/com.apple.WebKit.GPUProcess.sb.in | 48 ++++++++++++++++++-
 .../mac/com.apple.WebKit.NetworkProcess.sb.in | 33 ++++++++++++++++++-
 .../ios/com.apple.WebKit.GPU.sb.in | 38 +++++++++++++++
 3 files changed, 117 insertions(+), 2 deletions(-)
diff --git a/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in b/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
index c0ed64819ad2..c2840052fd0f 100644
--- a/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
+++ b/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
@@ -998,7 +998,53 @@
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint))
 (allow mach-kernel-endpoint
 (apply-message-filter
- (allow mach-message-send))))
+ (allow mach-message-send (with report) (with telemetry))
+ (allow mach-message-send (kernel-mig-routine
+ _mach_make_memory_entry
+ clock_get_time
+ host_get_io_master
+ host_info
+ host_request_notification
+ io_connect_async_method
+ io_connect_method
+ io_connect_method_var_output
+ io_connect_set_notification_port_64
+ io_iterator_is_valid
+ io_iterator_next
+ io_object_conforms_to
+ io_object_get_class
+ io_registry_create_iterator
+ io_registry_entry_create_iterator
+ io_registry_entry_from_path
+ io_registry_entry_get_name
+ io_registry_entry_get_name_in_plane
+ io_registry_entry_get_parent_iterator
+ io_registry_entry_get_properties_bin_buf
+ io_registry_entry_get_property_bin_buf
+ io_registry_entry_get_registry_entry_id
+ io_registry_get_root_entry
+ io_server_version
+ io_service_add_interest_notification_64
+ io_service_add_notification_bin_64
+ io_service_close
+ io_service_get_matching_service_bin
+ io_service_get_matching_services_bin
+ io_service_open_extended
+ mach_port_extract_right
+ mach_port_get_refs
+ mach_port_request_notification
+ mach_port_set_attributes
+ mach_vm_copy
+ mach_vm_map_external
+ semaphore_create
+ semaphore_destroy
+ task_get_special_port_from_user
+ task_info_from_user
+ task_restartable_ranges_synchronize
+ thread_info
+ thread_policy_set
+ thread_resume
+ thread_suspend)))))
 
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
 (deny syscall-mach)
diff --git a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
index dda21455bd04..08b36f90d296 100644
--- a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
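Review bot: The first added rule, `(allow mach-message-send (with report) (with telemetry))`, still permits every kernel MIG routine if those modifiers only add reporting, as this pattern reads; the routine list that follows is then a telemetry allow-list rather than an enforcement boundary — unlisted routines are reported, not blocked — and nothing in the hunk says so. A comment above the first rule would prevent the list being read as a hardening step already in force, e.g. `; Telemetry phase: every kernel MIG routine is still allowed; routines not listed below are reported so the list can be confirmed before the blanket allow becomes a deny.` The same applies to the NetworkProcess hunk and the iOS GPU hunk in this commit. Separately, the enclosing `when` guards only `(defined? 'mach-kernel-endpoint)`; if `kernel-mig-routine` can be unavailable on a supported target where that operation exists, the new filter needs its own guard — worth confirming against the oldest deployment target.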
+++ b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
@@ -694,7 +694,38 @@
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint))
 (allow mach-kernel-endpoint
 (apply-message-filter
- (allow mach-message-send))))
+ (allow mach-message-send (with report) (with telemetry))
+ (allow mach-message-send (kernel-mig-routine
+ _mach_make_memory_entry
+ host_get_io_master
+ host_info
+ host_request_notification
+ io_connect_method
+ io_iterator_is_valid
+ io_iterator_next
+ io_object_conforms_to
+ io_registry_entry_create_iterator
+ io_registry_entry_from_path
+ io_registry_entry_get_parent_iterator
+ io_registry_entry_get_property_bin_buf
+ io_server_version
+ io_service_add_interest_notification_64
+ io_service_get_matching_service_bin
+ io_service_open_extended
+ mach_exception_raise
+ mach_port_get_refs
+ mach_port_request_notification
+ mach_port_set_attributes
+ mach_vm_copy
+ mach_vm_map_external
+ mach_vm_remap_external
+ semaphore_create
+ task_get_special_port_from_user
+ task_info_from_user
+ task_policy_set
+ task_restartable_ranges_synchronize
+ thread_resume
+ thread_suspend)))))
 
 (when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
 (deny syscall-mach)
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
index a9a7cc324ee1..e1dbbd0fe4ad 100644
--- a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
+++ b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
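Review bot: The Network process list admits routines the GPU process list in this commit does not — `mach_exception_raise`, `mach_vm_remap_external` and `task_policy_set` — and nothing records why this process needs them, which matters because these are the entries that will define its extra kernel surface once the preceding blanket allow is tightened to a deny. A one-line comment per such entry naming the component that issues the call, e.g. `; mach_vm_remap_external: used by <CALLER-TO-CONFIRM>; verify via telemetry before enforcement`, would let the next maintainer prune the list without re-deriving it. Conversely `semaphore_create` is listed here while `semaphore_destroy`, present in the GPU list, is not; worth confirming that asymmetry is deliberate rather than an omission that telemetry would later surface.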
@@ -887,6 +887,44 @@
 (when (defined? 'MSC_mach_msg2_trap)
 (allow syscall-mach (machtrap-number MSC_mach_msg2_trap)))
 
+(allow syscall-mig (with report)(with telemetry))
+(allow syscall-mig (kernel-mig-routine
+ _mach_make_memory_entry
+ host_get_clock_service
+ host_get_io_master
+ host_get_special_port
+ host_info
+ io_connect_async_method
+ io_connect_method
+ io_connect_set_notification_port_64
+ io_iterator_next
+ io_registry_entry_from_path
+ io_registry_entry_get_property_bin_buf
+ io_registry_entry_get_registry_entry_id
+ io_server_version
+ io_service_get_matching_service_bin
+ io_service_get_matching_services_bin
+ io_service_open_extended
+ mach_memory_entry_ownership
+ mach_port_extract_right
+ mach_port_get_context_from_user
+ mach_port_get_refs
+ mach_port_is_connection_for_service
+ mach_port_request_notification
+ mach_port_set_attributes
+ mach_vm_copy
+ mach_vm_map_external
+ semaphore_create
+ semaphore_destroy
+ task_get_special_port_from_user
+ task_info_from_user
+ task_restartable_ranges_register
+ task_restartable_ranges_synchronize
+ task_set_special_port
+ thread_policy_set
+ thread_resume
+ thread_suspend))
+
 #if ENABLE(SYSTEM_CONTENT_PATH_SANDBOX_RULES)
 #include