[iOS][WebContent] Block iopolicysys syscall in sandbox by pvollan · Pull Request #52241 · WebKit/WebKit

pvollan · 2025-10-13T15:10:53Z

`6b5ffb6`

[iOS][WebContent] Block iopolicysys syscall in sandbox
https://bugs.webkit.org/show_bug.cgi?id=300630
rdar://162528753

Reviewed by Brent Fulgham.

This syscall is rarely used, and the client is handling the blocking gracefully, so it can be blocked.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.Development.sb.in:
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Source/WebKit/Shared/Sandbox/iOS/webcontent-defines.sb:

Canonical link: https://commits.webkit.org/301474@main

2118730

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	✅ 🛠 ios-apple
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	✅ 🧪 win-tests	✅ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		✅ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt		✅ 🛠 wpe-cairo
	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 playstation
✅ 🛠 🧪 unsafe-merge	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2025-10-13T15:10:59Z

EWS run on current version of this PR (hash 2118730)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	✅ 🛠 ios-apple
	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	✅ 🧪 win-tests	✅ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		✅ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt		✅ 🛠 wpe-cairo
	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 playstation
✅ 🛠 🧪 unsafe-merge	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

brentfulgham

Looks good. r=me.

Please consider filing a reminder bug to remove the telemetry once we're confident this change will stay permanently.

brentfulgham · 2025-10-13T16:06:52Z

Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

 (deny file-write-mount file-write-unmount)

+(deny process-iopolicy-get (with telemetry))
+(deny process-iopolicy-set (with telemetry))


Should we file a bug to remind ourselves to remove this telemetry once we've captured enough live-on time?

Good point! I'll file a bug for that.

Thanks for reviewing!

https://bugs.webkit.org/show_bug.cgi?id=300696

https://bugs.webkit.org/show_bug.cgi?id=300630 rdar://162528753 Reviewed by Brent Fulgham. This syscall is rarely used, and the client is handling the blocking gracefully, so it can be blocked. * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.Development.sb.in: * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in: * Source/WebKit/Shared/Sandbox/iOS/webcontent-defines.sb: Canonical link: https://commits.webkit.org/301474@main

webkit-commit-queue · 2025-10-14T13:48:08Z

Committed 301474@main (6b5ffb6): https://commits.webkit.org/301474@main

Reviewed commits have been landed. Closing PR #52241 and removing active labels.

pvollan requested a review from brentfulgham as a code owner October 13, 2025 15:10

pvollan self-assigned this Oct 13, 2025

pvollan added the WebKit Process Model Bugs related to WebKit's multi-process architecture label Oct 13, 2025

pvollan requested review from cdumez and szewai October 13, 2025 15:11

brentfulgham approved these changes Oct 13, 2025

View reviewed changes

pvollan requested review from gavin-apple and sheeparegreat October 13, 2025 21:35

pvollan added the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Oct 14, 2025

webkit-commit-queue force-pushed the eng/iOS-WebContent-Block-iopolicysys-syscall-in-sandbox branch from 2118730 to 6b5ffb6 Compare October 14, 2025 13:48

webkit-commit-queue merged commit 6b5ffb6 into WebKit:main Oct 14, 2025

webkit-commit-queue removed the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Oct 14, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[iOS][WebContent] Block iopolicysys syscall in sandbox#52241

[iOS][WebContent] Block iopolicysys syscall in sandbox#52241
webkit-commit-queue merged 1 commit intoWebKit:mainfrom
pvollan:eng/iOS-WebContent-Block-iopolicysys-syscall-in-sandbox

pvollan commented Oct 13, 2025 •

edited by webkit-early-warning-system

Loading

Uh oh!

webkit-early-warning-system commented Oct 13, 2025 •

edited

Loading

Uh oh!

brentfulgham left a comment

Uh oh!

brentfulgham Oct 13, 2025

Uh oh!

pvollan Oct 13, 2025

Uh oh!

pvollan Oct 14, 2025

Uh oh!

webkit-commit-queue commented Oct 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

pvollan commented Oct 13, 2025 • edited by webkit-early-warning-system Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

6b5ffb6

Uh oh!

webkit-early-warning-system commented Oct 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

brentfulgham left a comment

Choose a reason for hiding this comment

Uh oh!

brentfulgham Oct 13, 2025

Choose a reason for hiding this comment

Uh oh!

pvollan Oct 13, 2025

Choose a reason for hiding this comment

Uh oh!

pvollan Oct 14, 2025

Choose a reason for hiding this comment

Uh oh!

webkit-commit-queue commented Oct 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

pvollan commented Oct 13, 2025 •

edited by webkit-early-warning-system

Loading

`6b5ffb6`

webkit-early-warning-system commented Oct 13, 2025 •

edited

Loading