[Cocoa] Allow two syscalls found by sandbox telemetry

https://bugs.webkit.org/show_bug.cgi?id=264632 <rdar://problem/118254040> Reviewed by Per Arne Vollan. Telemetry on iOS and macOS shows that we need to allow access to SYS_fsctl in the Network process, and silence the SYS_crossarch_trap syscall in all sandboxes. This was discussed with the larger security team, and the need confirmed with the components that require these syscalls. * Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in: * Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in: * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in: * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in: * Source/WebKit/WebProcess/com.apple.WebProcess.sb.in: Canonical link: https://commits.webkit.org/270661@main
WebKit · Nov 13, 2023 · b627d2e · b627d2e
1 parent 771a8c6
commit b627d2e
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 5 deletions.
diff --git a/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in b/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2023 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -1179,6 +1179,9 @@
 
 (when (defined? 'syscall-unix)
     (deny syscall-unix)
+    (when (defined? 'SYS_crossarch_trap)
+        (deny syscall-unix (with no-report) (syscall-number
+            SYS_crossarch_trap)))
     (allow syscall-unix (syscall-number
         SYS___channel_open
         SYS___disable_threadsignal

diff --git a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
@@ -588,6 +588,9 @@
 
 (when (defined? 'syscall-unix)
     (deny syscall-unix)
+    (when (defined? 'SYS_crossarch_trap)
+        (deny syscall-unix (with no-report) (syscall-number
+            SYS_crossarch_trap)))
     (allow syscall-unix (syscall-number
         SYS___channel_get_info
         SYS___channel_open
@@ -618,6 +621,7 @@
         SYS_fileport_makeport
         SYS_flistxattr
         SYS_flock
+        SYS_fsctl
         SYS_fsetattrlist
         SYS_fsgetpath
         SYS_fstat

diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2023 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -774,6 +774,9 @@
     (deny syscall-unix (with telemetry))
     (deny syscall-unix (with no-report) (syscall-number
         SYS_faccessat))
+    (when (defined? 'SYS_crossarch_trap)
+        (deny syscall-unix (with no-report) (syscall-number
+            SYS_crossarch_trap)))
     (allow syscall-unix (syscall-number
         SYS___disable_threadsignal
         SYS___mac_syscall

diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2014-2022 Apple Inc. All rights reserved.
+; Copyright (C) 2014-2023 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -736,6 +736,9 @@
 
 (when (defined? 'syscall-unix)
     (deny syscall-unix (with telemetry))
+    (when (defined? 'SYS_crossarch_trap)
+        (deny syscall-unix (with no-report) (syscall-number
+            SYS_crossarch_trap)))
     (allow syscall-unix (syscall-number
         SYS___channel_get_info
         SYS___channel_open
@@ -768,6 +771,7 @@
         SYS_ffsctl
         SYS_fileport_makefd
         SYS_fileport_makeport
+        SYS_fsctl
         SYS_fsgetpath
         SYS_fstat64
         SYS_fstat64_extended

diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2023 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -1168,6 +1168,10 @@
 #endif
     SYS_socket))
 
+(when (defined? 'SYS_crossarch_trap)
+    (deny syscall-unix (with no-report) (syscall-number
+        SYS_crossarch_trap)))
+
 (when (defined? 'SYS_map_with_linking_np)
     (allow syscall-unix (syscall-number SYS_map_with_linking_np)))
 

diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2022 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2023 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
@@ -2006,6 +2006,9 @@
         SYS_unlink))
 
 (deny syscall-unix)
+(when (defined? 'SYS_crossarch_trap)
+    (deny syscall-unix (with no-report) (syscall-number
+        SYS_crossarch_trap)))
 
 #if HAVE(SANDBOX_STATE_FLAGS)
 (with-filter (require-not (webcontent-process-launched))