230985 – Make sandbox rules for debug syscalls stricter

Bug 230985 - Make sandbox rules for debug syscalls stricter

Summary: Make sandbox rules for debug syscalls stricter

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Per Arne Vollan

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-09-29 14:19 PDT by Per Arne Vollan
Modified:	2021-10-01 13:59 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Patch (4.80 KB, patch) 2021-09-29 14:24 PDT, Per Arne Vollan	bfulgham: review+ ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Patch (4.76 KB, patch) 2021-09-29 16:40 PDT, Per Arne Vollan	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Patch (3.85 KB, patch) 2021-10-01 06:56 PDT, Per Arne Vollan	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Per Arne Vollan 2021-09-29 14:19:11 PDT

Make sandbox rules for debug syscalls stricter in the WebContent process on macOS and iOS.

Comment 1 Per Arne Vollan 2021-09-29 14:19:35 PDT

<rdar://49531420>

Comment 2 Per Arne Vollan 2021-09-29 14:24:23 PDT

Created attachment 439659 [details]
Patch

Comment 3 Brent Fulgham 2021-09-29 14:37:46 PDT

Comment on attachment 439659 [details]
Patch

Nice! r=me

Comment 4 Per Arne Vollan 2021-09-29 15:54:13 PDT

Comment on attachment 439659 [details]
Patch

Thanks for reviewing!

Comment 5 Per Arne Vollan 2021-09-29 16:40:34 PDT

Created attachment 439680 [details]
Patch

Comment 6 Per Arne Vollan 2021-10-01 06:56:47 PDT

Created attachment 439853 [details]
Patch

Comment 7 EWS 2021-10-01 10:08:01 PDT

Committed r283375 (242383@main): <https://commits.webkit.org/242383@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439853 [details].

Comment 8 Alexey Proskuryakov 2021-10-01 10:49:28 PDT

Comment on attachment 439853 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=439853&action=review

> Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:1333
> +(with-filter (system-attribute apple-internal)

What are the consequences of this? Will dtrace and Instruments still work with WebKit?

Comment 9 Per Arne Vollan 2021-10-01 13:59:55 PDT

(In reply to Alexey Proskuryakov from comment #8)
> Comment on attachment 439853 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=439853&action=review
> 
> > Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:1333
> > +(with-filter (system-attribute apple-internal)
> 
> What are the consequences of this? Will dtrace and Instruments still work
> with WebKit?

That is a good point. I will look into confirming that.

Thanks for reviewing!