Consolidate sysctl-read rules in WebProcess sandbox

https://bugs.webkit.org/show_bug.cgi?id=179674
<rdar://problem/35367154>

Reviewed by Dean Jackson.

Consolidate the various calls to 'allow sysctl-read' imported during Bug 179548 into
the main function in the sandbox profile.

Remove the statement to grant global sysctl-read permissions that was copied into this
sandbox profile in an earlier checkin. We started blocking the blanket read permissions in
macOS 10.13, and want to continue to do so.
        
The earlier "grant global read access" in 'system.sb' apparently allowed some sysctl reads
to occur before we hit the block declaration in the WebContent sandbox. Now that we are
consistently blocking systcl reads from the start, we need to add whitelist entries for a
few more entries to avoid creating new sandbox violations.

* WebProcess/com.apple.WebProcess.sb.in:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@224830 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

Source/WebKit/ChangeLog

@@ -1,3 +1,25 @@
+2017-11-14  Brent Fulgham  <[email protected]>
+
+        Consolidate sysctl-read rules in WebProcess sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=179674
+        <rdar://problem/35367154>
+
+        Reviewed by Dean Jackson.
+
+        Consolidate the various calls to 'allow sysctl-read' imported during Bug 179548 into
+        the main function in the sandbox profile.
+
+        Remove the statement to grant global sysctl-read permissions that was copied into this
+        sandbox profile in an earlier checkin. We started blocking the blanket read permissions in
+        macOS 10.13, and want to continue to do so.
+        
+        The earlier "grant global read access" in 'system.sb' apparently allowed some sysctl reads
+        to occur before we hit the block declaration in the WebContent sandbox. Now that we are
+        consistently blocking systcl reads from the start, we need to add whitelist entries for a
+        few more entries to avoid creating new sandbox violations.
+
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2017-11-14  Alex Christensen  <[email protected]>
 
         Remove WebKit CFURLConnection code

Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

@@ -94,10 +94,6 @@
     (ipc-posix-name "apple.shm.notification_center")
     (ipc-posix-name-prefix "apple.cfprefs."))
 
-;;; Allow mostly harmless operations.
-(allow sysctl-read)
-
-
 ;;; (system-graphics) - Allow access to graphics hardware.
 (define (system-graphics)
     ;; Preferences
@@ -181,11 +177,26 @@
 (deny sysctl*)
 (allow sysctl-read
     (sysctl-name
-        "hw.availcpu"
-        "hw.ncpu"
+        "hw.busfrequency_max"
+        "hw.cputype"
+        "hw.l2cachesize"
+        "hw.machine"
+        "hw.memsize"
         "hw.model"
+        "hw.ncpu"
+        "hw.vectorunit"
+        "kern.hostname"
+        "kern.maxfilesperproc"
         "kern.memorystatus_level"
-        "vm.footprint_suspend"))
+        "kern.safeboot"
+        "kern.version"
+        "vm.footprint_suspend")
+    (sysctl-name-regex #"^hw.(active|avail)cpu")
+    (sysctl-name-regex #"^hw.(logical|physical)cpu_max")
+    (sysctl-name-regex #"^hw.optional\.")
+    (sysctl-name-regex #"^kern.os(release|type|variant_status|version)")
+    (sysctl-name-regex #"^net.routetable")
+)
 
 (deny iokit-get-properties)
 (allow iokit-get-properties