Bug 238528 - Add runtime flag for blocking IOKit in the WebContent process' sandbox
Summary: Add runtime flag for blocking IOKit in the WebContent process' sandbox
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Per Arne Vollan
Keywords: InRadar
Reported: 2022-03-29 16:14 PDT by Per Arne Vollan
Modified: 2022-03-31 04:45 PDT (History)
Attachments
Patch (6.36 KB, patch)
2022-03-29 16:17 PDT, Per Arne Vollan
no flags
Patch (6.88 KB, patch)
2022-03-29 16:23 PDT, Per Arne Vollan
no flags
Patch (7.10 KB, patch)
2022-03-30 07:29 PDT, Per Arne Vollan
no flags
Patch (6.87 KB, patch)
2022-03-30 09:51 PDT, Per Arne Vollan
no flags
Patch (5.04 KB, patch)
2022-03-30 10:56 PDT, Per Arne Vollan
no flags
Patch (5.11 KB, patch)
2022-03-30 11:11 PDT, Per Arne Vollan
simon.fraser: review+
ews-feeder: commit-queue-
Patch (5.09 KB, patch)
2022-03-30 14:43 PDT, Per Arne Vollan
ews-feeder: commit-queue-
Description Per Arne Vollan 2022-03-29 16:14:26 PDT
Add runtime flag for blocking graphics-related resources in the WebContent process' sandbox.
Comment 1 Per Arne Vollan 2022-03-29 16:17:26 PDT
Created attachment 456076 [details]
Patch
Comment 2 Per Arne Vollan 2022-03-29 16:23:46 PDT
Created attachment 456080 [details]
Patch
Comment 3 Per Arne Vollan 2022-03-30 07:29:22 PDT
Created attachment 456119 [details]
Patch
Comment 4 Simon Fraser (smfr) 2022-03-30 09:34:34 PDT
Comment on attachment 456119 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456119&action=review

> Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:125
> +BlockGraphicsResourcesInWebContentSandbox:

I think we should just say "IOKit" everywhere, instead of "GraphicsResources". It's less ambiguous.
Comment 5 Per Arne Vollan 2022-03-30 09:40:34 PDT
(In reply to Simon Fraser (smfr) from comment #4)
> Comment on attachment 456119 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=456119&action=review
> 
> > Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:125
> > +BlockGraphicsResourcesInWebContentSandbox:
> 
> I think we should just say "IOKit" everywhere, instead of
> "GraphicsResources". It's less ambiguous.

That is a good point, I will update the patch.

Thanks for reviewing!
Comment 6 Per Arne Vollan 2022-03-30 09:51:16 PDT
Created attachment 456132 [details]
Patch
Comment 7 Simon Fraser (smfr) 2022-03-30 09:56:42 PDT
Comment on attachment 456132 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456132&action=review

> Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:127
> +  humanReadableName: "Block IOKit access in the WebContent sandbox"

Better as "IOKit Blocking" to make it easier to find.

> Source/WebCore/page/RuntimeEnabledFeatures.h:140
> +    void setBlockIOKitInWebContentSandbox(bool block) { m_blockIOKitInWebContentSandbox = block; }
> +    bool blockIOKitInWebContentSandbox() const { return m_blockIOKitInWebContentSandbox; }

It's weird that this WebKit-level feature infects this WebCore code.
Comment 8 Per Arne Vollan 2022-03-30 10:56:00 PDT
Created attachment 456149 [details]
Patch
Comment 9 Per Arne Vollan 2022-03-30 10:57:10 PDT
(In reply to Simon Fraser (smfr) from comment #7)
> Comment on attachment 456132 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=456132&action=review
> 
> > Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:127
> > +  humanReadableName: "Block IOKit access in the WebContent sandbox"
> 
> Better as "IOKit Blocking" to make it easier to find.
> 
> > Source/WebCore/page/RuntimeEnabledFeatures.h:140
> > +    void setBlockIOKitInWebContentSandbox(bool block) { m_blockIOKitInWebContentSandbox = block; }
> > +    bool blockIOKitInWebContentSandbox() const { return m_blockIOKitInWebContentSandbox; }
> 
> It's weird that this WebKit-level feature infects this WebCore code.

Fixed in latest patch.

Thanks for reviewing!
Comment 10 Per Arne Vollan 2022-03-30 11:11:02 PDT
Created attachment 456151 [details]
Patch
Comment 11 Per Arne Vollan 2022-03-30 14:43:33 PDT
Created attachment 456175 [details]
Patch
Comment 12 EWS 2022-03-31 01:41:16 PDT
Committed r292146 (249053@main): <https://commits.webkit.org/249053@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 456175 [details].
Comment 13 Radar WebKit Bug Importer 2022-03-31 01:42:19 PDT
<rdar://problem/91092247>