Allow essential syscalls in WebContent process sandbox for AppCache w…

…hen it is enabled https://bugs.webkit.org/show_bug.cgi?id=267244 rdar://119946688 Reviewed by Youenn Fablet and Brent Fulgham. To ensure AppCache code is functional when it is enabled. * Source/WebKit/WebProcess/com.apple.WebProcess.sb.in: Canonical link: https://commits.webkit.org/272835@main
WebKit · Jan 10, 2024 · f8720c4 · f8720c4
1 parent d254812
commit f8720c4
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -1854,6 +1854,13 @@
     SYS_umask
     SYS_work_interval_ctl))
 
+(define (syscall-appcache)
+    (syscall-number
+        SYS_guarded_open_np
+        SYS_guarded_close_np
+        SYS_guarded_pwrite_np
+        SYS_unlink))
+
 (define (syscall-unix-downlevels)
     (syscall-number
         SYS_flock
@@ -1902,6 +1909,8 @@
     (allow syscall-unix (syscall-unix-downlevels)))
 (with-filter (require-all (require-not (lockdown-mode)) (require-not (state-flag "BlockIOKitInWebContentSandbox")))
     (allow syscall-unix (syscall-unix-downlevels-blocked-in-lockdown-mode)))
+(with-filter (require-not (state-flag "AppCacheDisabled"))
+     (allow syscall-unix (syscall-appcache)))
 #else
 (allow syscall-unix
     (syscall-unix-only-in-use-before-launch)