Bug 222148

Summary:

Adopt com.apple.security.cs.jit-write-allowlist on internal builds

Product:

WebKit

Reporter:

Saam Barati <saam>

Component:

JavaScriptCore

Assignee:

Mark Lam <mark.lam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, keith_miller, mark.lam, msaboff, pvollan, tzagallo, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
WIP	none
work in progress.	none
proposed patch.	none
proposed patch.	pvollan: review+
proposed patch.	none

Saam Barati

Reported 2021-02-18 17:38:33 PST

It'll prevent various pthread permissions switching APIs from working. But we can only do that on internal builds where we use the fast permission switching macro. We can't do it for open source builds, where we rely on the pthread API.

Attachments
WIP (9.01 KB, patch) 2021-02-18 17:41 PST, Saam Barati	no flags	Details Formatted Diff Diff
work in progress. (9.14 KB, patch) 2021-06-02 18:20 PDT, Mark Lam	no flags	Details Formatted Diff Diff
proposed patch. (10.68 KB, patch) 2021-06-02 22:39 PDT, Mark Lam	no flags	Details Formatted Diff Diff
proposed patch. (10.70 KB, patch) 2021-06-02 23:26 PDT, Mark Lam	pvollan: review+	Details Formatted Diff Diff
proposed patch. (10.70 KB, patch) 2021-06-16 15:23 PDT, Mark Lam	no flags	Details Formatted Diff Diff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.

Saam Barati

Comment 1 2021-02-18 17:41:47 PST

Created attachment 420890 [details] WIP

Radar WebKit Bug Importer

Comment 2 2021-02-25 17:39:13 PST

<rdar://problem/74769414>

Mark Lam

Comment 3 2021-05-20 15:52:23 PDT

rdar://74284026

Mark Lam

Comment 4 2021-06-02 18:20:02 PDT

Created attachment 430429 [details] work in progress.

Mark Lam

Comment 5 2021-06-02 22:39:51 PDT

Created attachment 430444 [details] proposed patch.

Mark Lam

Comment 6 2021-06-02 23:26:58 PDT

Created attachment 430446 [details] proposed patch.

Per Arne Vollan

Comment 7 2021-06-03 11:14:25 PDT

Comment on attachment 430446 [details] proposed patch. R=me. Would it be sufficient to only add the entitlement to the WebContent XPC service?

Mark Lam

Comment 8 2021-06-03 11:29:43 PDT

(In reply to Per Arne Vollan from comment #7) > Comment on attachment 430446 [details] > proposed patch. > > R=me. Would it be sufficient to only add the entitlement to the WebContent > XPC service? Thanks. For our purpose, the goal of the entitlement isn't to gain access to something. Instead, by adopting the entitlement, we disable access to various pthread permissions switching APIs. Hence, we do want to add this entitlement to all processes because we want to disable those APIs on all processes.

Mark Lam

Comment 9 2021-06-16 15:23:57 PDT

Created attachment 431613 [details] proposed patch.

Per Arne Vollan

Comment 10 2021-06-16 15:43:53 PDT

Comment on attachment 431613 [details] proposed patch. R=me.

EWS

Comment 11 2021-06-16 16:37:08 PDT

Committed r278966 (238893@main): <https://commits.webkit.org/238893@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 431613 [details].

Note You need to log in before you can comment on or make changes to this bug.