Bug 222148

Summary: Adopt com.apple.security.cs.jit-write-allowlist on internal builds
Product: WebKit Reporter: Saam Barati <sbarati>
Component: JavaScriptCore Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, pvollan, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description | Flags
WIP | none
work in progress. | none
proposed patch. | none
proposed patch. | pvollan: review+
proposed patch. | none

Description Saam Barati 2021-02-18 17:38:33 PST
It'll prevent various pthread permissions switching APIs from working. But we can only do that on internal builds where we use the fast permission switching macro. We can't do it for open source builds, where we rely on the pthread API.
Comment 1 Saam Barati 2021-02-18 17:41:47 PST
Created attachment 420890 [details]
WIP
Comment 2 Radar WebKit Bug Importer 2021-02-25 17:39:13 PST
<rdar://problem/74769414>
Comment 3 Mark Lam 2021-05-20 15:52:23 PDT
rdar://74284026
Comment 4 Mark Lam 2021-06-02 18:20:02 PDT
Created attachment 430429 [details]
work in progress.
Comment 5 Mark Lam 2021-06-02 22:39:51 PDT
Created attachment 430444 [details]
proposed patch.
Comment 6 Mark Lam 2021-06-02 23:26:58 PDT
Created attachment 430446 [details]
proposed patch.
Comment 7 Per Arne Vollan 2021-06-03 11:14:25 PDT
Comment on attachment 430446 [details]
proposed patch.

R=me. Would it be sufficient to only add the entitlement to the WebContent XPC service?
Comment 8 Mark Lam 2021-06-03 11:29:43 PDT
(In reply to Per Arne Vollan from comment #7)
> Comment on attachment 430446 [details]
> proposed patch.
> 
> R=me. Would it be sufficient to only add the entitlement to the WebContent
> XPC service?

Thanks.

For our purpose, the goal of the entitlement isn't to gain access to something.  Instead, by adopting the entitlement, we disable access to various pthread permissions switching APIs.  Hence, we do want to add this entitlement to all processes because we want to disable those APIs on all processes.
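Comment 8's point that every process needs the entitlement can be checked mechanically. The following is an added example, not part of this bug thread or of WebKit's code: it audits a set of entitlements plists and reports each process where the key is absent, set to false, or unreadable. The process names and plist contents are constructed samples, and counting only a boolean true as adoption is an assumption of this sketch.

```python
import plistlib
from xml.parsers.expat import ExpatError

KEY = "com.apple.security.cs.jit-write-allowlist"


def entitlement_status(plist_bytes):
    """Classify one entitlements plist: present, missing, disabled or unparseable."""
    try:
        entitlements = plistlib.loads(plist_bytes)
    except (ValueError, ExpatError):
        # A plist that cannot be read proves nothing about the process.
        return "unparseable"
    if not isinstance(entitlements, dict):
        return "unparseable"
    if KEY not in entitlements:
        return "missing"
    # Assumption: only a boolean true counts as adopting the entitlement.
    return "present" if entitlements[KEY] is True else "disabled"


def audit(process_entitlements):
    """Return {process: status} for every process that has not adopted the key."""
    gaps = {}
    for name, blob in sorted(process_entitlements.items()):
        status = entitlement_status(blob)
        if status != "present":
            gaps[name] = status
    return gaps


# Constructed sample input: hypothetical process names, not WebKit's real targets.
SAMPLE = {
    "ExampleWebContent": plistlib.dumps({KEY: True}),
    "ExampleNetworking": plistlib.dumps({"com.example.other-entitlement": True}),
    "ExampleGPU": plistlib.dumps({KEY: False}),
    "ExampleHelper": plistlib.dumps({KEY: True})[:60],  # truncated file
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```
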
Comment 9 Mark Lam 2021-06-16 15:23:57 PDT
Created attachment 431613 [details]
proposed patch.
Comment 10 Per Arne Vollan 2021-06-16 15:43:53 PDT
Comment on attachment 431613 [details]
proposed patch.

R=me.
Comment 11 EWS 2021-06-16 16:37:08 PDT
Committed r278966 (238893@main): <https://commits.webkit.org/238893@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 431613 [details].