| Summary: | Add runtime flag for blocking IOKit in the WebContent process' sandbox |
|---|---|
| Product: | WebKit |
| Component: | WebKit Misc. |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Per Arne Vollan <pvollan> |
| Assignee: | Per Arne Vollan <pvollan> |
| CC: | gavin.p, ggaren, jonlee, mazander, simon.fraser, webkit-bug-importer |
| Keywords: | InRadar |

Description
Per Arne Vollan
2022-03-29 16:14:26 PDT
Created attachment 456076
Patch
Created attachment 456080
Patch
Created attachment 456119
Patch
Comment on attachment 456119
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456119&action=review

> Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:125
> +BlockGraphicsResourcesInWebContentSandbox:

I think we should just say "IOKit" everywhere, instead of "GraphicsResources". It's less ambiguous.

(In reply to Simon Fraser (smfr) from comment #4)
> Comment on attachment 456119
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=456119&action=review
>
> > Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:125
> > +BlockGraphicsResourcesInWebContentSandbox:
>
> I think we should just say "IOKit" everywhere, instead of
> "GraphicsResources". It's less ambiguous.

That is a good point, I will update the patch.

Thanks for reviewing!

Created attachment 456132
Patch
Comment on attachment 456132
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456132&action=review

> Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:127
> + humanReadableName: "Block IOKit access in the WebContent sandbox"

Better as "IOKit Blocking" to make it easier to find.

> Source/WebCore/page/RuntimeEnabledFeatures.h:140
> + void setBlockIOKitInWebContentSandbox(bool block) { m_blockIOKitInWebContentSandbox = block; }
> + bool blockIOKitInWebContentSandbox() const { return m_blockIOKitInWebContentSandbox; }

It's weird that this WebKit-level feature infects this WebCore code.

Created attachment 456149
Patch
(In reply to Simon Fraser (smfr) from comment #7)
> Comment on attachment 456132
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=456132&action=review
>
> > Source/WTF/Scripts/Preferences/WebPreferencesInternal.yaml:127
> > + humanReadableName: "Block IOKit access in the WebContent sandbox"
>
> Better as "IOKit Blocking" to make it easier to find.
>
> > Source/WebCore/page/RuntimeEnabledFeatures.h:140
> > + void setBlockIOKitInWebContentSandbox(bool block) { m_blockIOKitInWebContentSandbox = block; }
> > + bool blockIOKitInWebContentSandbox() const { return m_blockIOKitInWebContentSandbox; }
>
> It's weird that this WebKit-level feature infects this WebCore code.

Fixed in latest patch.

Thanks for reviewing!

Created attachment 456151
Patch
Created attachment 456175
Patch
Committed r292146 (249053@main): <https://commits.webkit.org/249053@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 456175.