WebKit Bugzilla
Attachment 356622 Details for
Bug 192412
: [macOS] Enable logging of calls in sandbox.
[patch]
Patch
bug-192412-20181205110240.patch (text/plain), 4.63 KB, created by
Per Arne Vollan
on 2018-12-05 11:02:40 PST
Description:
Patch
Filename:
MIME Type:
Creator:
Per Arne Vollan
Created:
2018-12-05 11:02:40 PST
Size:
4.63 KB
>Index: Source/WebKit/ChangeLog
>===================================================================
>--- Source/WebKit/ChangeLog (revision 238900)
>+++ Source/WebKit/ChangeLog (working copy)
>@@ -1,3 +1,16 @@
>+2018-12-05 Per Arne Vollan <pvollan@apple.com>
>+
>+ [macOS] Enable logging of calls in sandbox.
>+ https://bugs.webkit.org/show_bug.cgi?id=192412
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ On macOS, enable logging of system calls in sandbox.
>+
>+ * WebProcess/cocoa/WebProcessCocoa.mm:
>+ (WebKit::filterSyscalls):
>+ (WebKit::WebProcess::initializeSandbox):
>+
> 2018-12-05 Alex Christensen <achristensen@webkit.org>
>
> Make WebsiteDataStoreConfiguration a proper API object
>Index: Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
>===================================================================
>--- Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (revision 238898)
>+++ Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm (working copy)
>@@ -102,6 +102,23 @@
> #import <os/state_private.h>
> #endif
>
>+#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
>+#include <bitstring.h>
>+#include <sandbox.h>
>+#include <sys/syscall.h>
>+
>+#if USE(APPLE_INTERNAL_SDK)
>+#include <sandbox/private.h>
>+#else
>+enum sandbox_syscall_action {
>+ SANDBOX_SYSCALL_DENY = 0,
>+ SANDBOX_SYSCALL_ALLOW_WITH_REPORT,
>+};
>+
>+extern "C" int sandbox_set_syscall_mask(const void *mask, uint32_t num_bits, enum sandbox_syscall_action action);
>+#endif
>+#endif
>+
> namespace WebKit {
> using namespace WebCore; 
>
>@@ -428,6 +445,22 @@ RetainPtr<CFDataRef> WebProcess::sourceA
> #endif
> }
>
>+#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
>+static int filterSyscalls()
>+{
>+ int len = (SYS_MAXSYSCALL + 7) / 8;
>+ bitstr_t *mask = bit_alloc(SYS_MAXSYSCALL);
>+ bit_nclear(mask, 0, SYS_MAXSYSCALL - 1);
>+
>+ unsigned syscalls[] = { SYS_exit, SYS_read, SYS_write, SYS_open, SYS_close, SYS_unlink, SYS_chmod, SYS_getuid, SYS_geteuid, SYS_recvfrom, SYS_getpeername, SYS_access, SYS_dup, SYS_pipe, SYS_getegid, SYS_getgid, SYS_sigprocmask, SYS_sigaltstack, SYS_ioctl, SYS_readlink, SYS_umask, SYS_msync, SYS_munmap, SYS_mprotect, SYS_madvise, SYS_fcntl, SYS_select, SYS_fsync, SYS_setpriority, SYS_socket, SYS_connect, SYS_setsockopt, SYS_gettimeofday, SYS_getrusage, SYS_getsockopt, SYS_writev, SYS_fchmod, SYS_rename, SYS_flock, SYS_sendto, SYS_shutdown, SYS_socketpair, SYS_mkdir, SYS_rmdir, SYS_pread, SYS_pwrite, SYS_csops, SYS_csops_audittoken, SYS_kdebug_trace64, SYS_kdebug_trace, SYS_sigreturn, SYS_pathconf, SYS_getrlimit, SYS_setrlimit, SYS_mmap, SYS_lseek, SYS_ftruncate, SYS_sysctl, SYS_mlock, SYS_munlock, SYS_getattrlist, SYS_getxattr, SYS_fgetxattr, SYS_listxattr, SYS_shm_open, SYS_sem_wait, SYS_sem_post, SYS_sysctlbyname, SYS_psynch_mutexwait, SYS_psynch_mutexdrop, SYS_psynch_cvbroad, SYS_psynch_cvsignal, SYS_psynch_cvwait, SYS_psynch_rw_wrlock, SYS_psynch_rw_unlock, SYS_psynch_cvclrprepost, SYS_process_policy, SYS_issetugid, SYS___pthread_kill, SYS___pthread_sigmask, SYS___disable_threadsignal, SYS___semwait_signal, SYS_proc_info, SYS_stat64, SYS_fstat64, SYS_lstat64, SYS_getdirentries64, SYS_statfs64, SYS_fstatfs64, SYS_getfsstat64, SYS_getaudit_addr, SYS_bsdthread_create, SYS_bsdthread_terminate, SYS_workq_kernreturn, SYS_thread_selfid, SYS_kevent_qos, SYS_kevent_id, SYS___mac_syscall, SYS_read_nocancel, SYS_write_nocancel, SYS_open_nocancel, SYS_close_nocancel, SYS_sendmsg_nocancel, SYS_recvfrom_nocancel, SYS_fcntl_nocancel, SYS_select_nocancel, 
SYS_connect_nocancel, SYS_sendto_nocancel, SYS_fsgetpath, SYS_fileport_makeport, SYS_guarded_open_np, SYS_guarded_close_np, SYS_change_fdguard_np, SYS_proc_rlimit_control, SYS_connectx, SYS_getattrlistbulk, SYS_openat, SYS_openat_nocancel, SYS_fstatat64, SYS_mkdirat, SYS_bsdthread_ctl, SYS_csrctl, SYS_guarded_pwrite_np, SYS_getentropy, SYS_necp_open, SYS_necp_client_action, SYS_ulock_wait, SYS_ulock_wake };
>+
>+ for (unsigned i = 0; i < sizeof(syscalls) / sizeof(syscalls[0]); i++)
>+ bit_set(mask, syscalls[i]);
>+
>+ return sandbox_set_syscall_mask(mask, len, SANDBOX_SYSCALL_ALLOW_WITH_REPORT);
>+}
>+#endif
>+
> void WebProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
> {
> #if ENABLE(WEB_PROCESS_SANDBOX)
>@@ -444,6 +477,9 @@ void WebProcess::initializeSandbox(const
> sandboxParameters.setOverrideSandboxProfilePath([webKit2Bundle pathForResource:@"com.apple.WebProcess" ofType:@"sb"]);
> #endif
> ChildProcess::initializeSandbox(parameters, sandboxParameters);
>+#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
>+ filterSyscalls();
>+#endif
> #endif
> #else
> UNUSED_PARAM(parameters);
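Review bot: In `filterSyscalls`, the second argument passed to `sandbox_set_syscall_mask` is `len`, a byte count computed as `(SYS_MAXSYSCALL + 7) / 8`, while the fallback prototype added earlier in this patch names that parameter `uint32_t num_bits`. If the SPI reads it as the name suggests, only the first eighth of the bitmap is covered and every listed syscall numbered at or above `len` falls outside the mask; passing the bit count would fix that: `return sandbox_set_syscall_mask(mask, SYS_MAXSYSCALL, SANDBOX_SYSCALL_ALLOW_WITH_REPORT);`. Separately, `bit_alloc` can return null and its result is used unchecked by `bit_nclear` and `bit_set`, so add `if (!mask) return -1;` right after the allocation. The buffer is also never freed, which leaks unless the SPI takes ownership of it (not visible here), and `bit_nclear` is redundant because `bit_alloc` returns zeroed storage.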
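Review bot: The added call `filterSyscalls();` in `initializeSandbox` discards the `int` result, so if `sandbox_set_syscall_mask` fails the process keeps running with no syscall reporting and nothing recorded about why. Assuming a non-zero return signals failure, check it and log, for example `if (filterSyscalls()) WTFLogAlways("Failed to set sandbox syscall mask");`. The mask is installed with `SANDBOX_SYSCALL_ALLOW_WITH_REPORT`, so unlisted calls are still allowed; a one-line comment at the call site such as `// Report-only: unlisted syscalls are logged, not denied.` would keep later readers from treating this as an enforcement boundary. `initializeSandbox` begins and ends outside this hunk.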