RESOLVED FIXED205468
Unblock iokit-get-property needed for frame buffer initialization 
https://bugs.webkit.org/show_bug.cgi?id=205468
Summary Unblock iokit-get-property needed for frame buffer initialization
Brent Fulgham
Reported 2019-12-19 13:05:15 PST
Sandbox logging indicates that we are now blocking an iokit-get-property call that is needed when starting up the WebContent process.
Attachments
Patch (1.99 KB, patch)
2019-12-19 13:07 PST, Brent Fulgham 		pvollan: review+
bfulgham: commit-queue+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2019-12-19 13:05:27 PST
<rdar://problem/57897684>
Brent Fulgham
Comment 2 2019-12-19 13:07:32 PST
Created attachment 386135 [details] Patch
Per Arne Vollan
Comment 3 2019-12-19 13:33:34 PST
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 > + ; IOMobileFramebuffer > + (with-filter (iokit-registry-entry-class "IOMobileFramebuffer") > + (allow iokit-get-properties > + (iokit-property "AppleTV" > + "DisplayPipePlaneBaseAlignment" > + "DisplayPipeStrideRequirements" > + "PerformanceStatistics" > + "appleTV-VID0" > + "appleTV-VID1" > + "hdcp-hoover-protocol"))) > + > + (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily") > +) Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these?
Per Arne Vollan
Comment 4 2019-12-19 13:58:27 PST
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review >> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 >> +) > > Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these? Are all strictly needed, or would a subset be sufficient?
Brent Fulgham
Comment 5 2019-12-19 14:04:07 PST
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review >>> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 >>> +) >> >> Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these? > > Are all strictly needed, or would a subset be sufficient? Many of these are already part of the "global" set of allow rules; I want to move to this model for them in the future. So this change is a first step in that direction. I think these are safe to add from a security standpoint. They were vetted for use in container.sb, and David has stated that he isn't worried about these "read data" properties.
Per Arne Vollan
Comment 6 2019-12-19 14:22:59 PST
Comment on attachment 386135 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386135&action=review R=me. >>>> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb:105 >>>> +) >>> >>> Do we need to audit new iokit get properties rules in the WebContent process? Or is it always safe to add these? >> >> Are all strictly needed, or would a subset be sufficient? > > Many of these are already part of the "global" set of allow rules; I want to move to this model for them in the future. So this change is a first step in that direction. > > I think these are safe to add from a security standpoint. They were vetted for use in container.sb, and David has stated that he isn't worried about these "read data" properties. Sounds good!
Brent Fulgham
Comment 7 2019-12-19 15:38:34 PST
Committed r253792: <https://trac.webkit.org/changeset/253792>
Note You need to log in before you can comment on or make changes to this bug.