Sandbox logging indicates that we are now blocking an iokit-get-property call that is needed when starting up the WebContent process.
<rdar://problem/57897684>
Created attachment 386135 [details] Patch
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 > + ; IOMobileFramebuffer > + (with-filter (iokit-registry-entry-class "IOMobileFramebuffer") > + (allow iokit-get-properties > + (iokit-property "AppleTV" > + "DisplayPipePlaneBaseAlignment" > + "DisplayPipeStrideRequirements" > + "PerformanceStatistics" > + "appleTV-VID0" > + "appleTV-VID1" > + "hdcp-hoover-protocol"))) > + > + (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily") > +) Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these?
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review >> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 >> +) > > Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these? Are all strictly needed, or would a subset be sufficient?
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review >>> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 >>> +) >> >> Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these? > > Are all strictly needed, or would a subset be sufficient? Many of these are already part of the "global" set of allow rules; I want to move to this model for them in the future. So this change is a first step in that direction. I think these are safe to add from a security standpoint. They were vetted for use in container.sb, and David has stated that he isn't worried about these "read data" properties.
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review R=me. >>>> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 >>>> +) >>> >>> Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these? >> >> Are all strictly needed, or would a subset be sufficient? > > Many of these are already part of the "global" set of allow rules; I want to move to this model for them in the future. So this change is a first step in that direction. > > I think these are safe to add from a security standpoint. They were vetted for use in container.sb, and David has stated that he isn't worried about these "read data" properties. Sounds good!
Committed r253792: <https://trac.webkit.org/changeset/253792>