169306 – [Mac][iOS][WK2] Whitelist sysctl-read

Bug 169306 - [Mac][iOS][WK2] Whitelist sysctl-read

Summary: [Mac][iOS][WK2] Whitelist sysctl-read

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All macOS 10.12

Importance:	P2 Normal
Assignee:	Brent Fulgham

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2017-03-07 14:20 PST by Brent Fulgham
Modified:	2017-03-07 14:53 PST (History)
CC List:	0 users

See Also:

Attachments
Patch (7.05 KB, patch) 2017-03-07 14:22 PST, Brent Fulgham	no flags	Details \| Formatted Diff \| Diff
Patch (6.82 KB, patch) 2017-03-07 14:23 PST, Brent Fulgham	achristensen: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brent Fulgham 2017-03-07 14:20:25 PST

We only have a small number of cases where we use sysctl in WebKit, and those cases are always in a read-only mode.

Modify our sandboxes to limit 'sysctl' use to read-only, and whitelist that access for the very small number of cases we actually use:

CTL_KERN, KERN_PROC. KERN_PROC_PID, #
CTL_HW, HW_AVAILCPU
CTL_HW, HW_NCPU
hw.model
kern.memorystatus_level

Comment 1 Brent Fulgham 2017-03-07 14:20:43 PST

<rdar://problem/16371458>

Comment 2 Brent Fulgham 2017-03-07 14:22:24 PST

Created attachment 303724 [details]
Patch

Comment 3 Brent Fulgham 2017-03-07 14:23:35 PST

Created attachment 303725 [details]
Patch

Comment 4 Brent Fulgham 2017-03-07 14:53:20 PST

Committed r213544: <http://trac.webkit.org/changeset/213544>