Diff
Modified: trunk/Source/WebKit2/ChangeLog (186809 => 186810)
--- trunk/Source/WebKit2/ChangeLog 2015-07-14 19:50:37 UTC (rev 186809)
+++ trunk/Source/WebKit2/ChangeLog 2015-07-14 20:06:10 UTC (rev 186810)
@@ -1,3 +1,22 @@
+2015-07-14 Michael Catanzaro <mcatanz...@igalia.com>
+
+ [Linux] SeccompFilters: whitelist all NPAPI plugin directories
+ https://bugs.webkit.org/show_bug.cgi?id=140067
+
+ Reviewed by Žan Doberšek.
+
+ * PlatformEfl.cmake: Build PluginSearchPath.cpp
+ * PlatformGTK.cmake: Build PluginSearchPath.cpp
+ * Shared/Plugins/unix/PluginSearchPath.cpp: Added.
+ (WebKit::pluginsDirectories): Moved from PluginInfoStoreUnix.cpp.
+ * Shared/Plugins/unix/PluginSearchPath.h: Added.
+ * Shared/linux/SeccompFilters/SyscallPolicy.cpp:
+ (WebKit::SyscallPolicy::addDefaultWebProcessPolicy): Add the entire
+ plugin search path to the whitelist.
+ * UIProcess/Plugins/unix/PluginInfoStoreUnix.cpp:
+ (WebKit::PluginInfoStore::pluginsDirectories): Now gets plugins
+ directories from PluginSearchPath.cpp
+
2015-07-14 Yongjun Zhang <yongjun_zh...@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=146917
Modified: trunk/Source/WebKit2/PlatformEfl.cmake (186809 => 186810)
--- trunk/Source/WebKit2/PlatformEfl.cmake 2015-07-14 19:50:37 UTC (rev 186809)
+++ trunk/Source/WebKit2/PlatformEfl.cmake 2015-07-14 20:06:10 UTC (rev 186810)
@@ -34,6 +34,8 @@
Shared/Plugins/Netscape/x11/NetscapePluginModuleX11.cpp
+ Shared/Plugins/unix/PluginSearchPath.cpp
+
Shared/cairo/ShareableBitmapCairo.cpp
Shared/efl/NativeContextMenuItemEfl.cpp
@@ -235,6 +237,7 @@
"${WEBKIT2_DIR}/Shared/CoordinatedGraphics"
"${WEBKIT2_DIR}/Shared/Downloads/soup"
"${WEBKIT2_DIR}/Shared/Network/CustomProtocols/soup"
+ "${WEBKIT2_DIR}/Shared/Plugins/unix"
"${WEBKIT2_DIR}/Shared/efl"
"${WEBKIT2_DIR}/Shared/soup"
"${WEBKIT2_DIR}/Shared/unix"
Modified: trunk/Source/WebKit2/PlatformGTK.cmake (186809 => 186810)
--- trunk/Source/WebKit2/PlatformGTK.cmake 2015-07-14 19:50:37 UTC (rev 186809)
+++ trunk/Source/WebKit2/PlatformGTK.cmake 2015-07-14 20:06:10 UTC (rev 186810)
@@ -55,6 +55,8 @@
Shared/Plugins/Netscape/x11/NetscapePluginModuleX11.cpp
+ Shared/Plugins/unix/PluginSearchPath.cpp
+
Shared/cairo/ShareableBitmapCairo.cpp
Shared/gtk/ArgumentCodersGtk.cpp
@@ -470,6 +472,7 @@
"${WEBKIT2_DIR}/Shared/API/c/gtk"
"${WEBKIT2_DIR}/Shared/Network/CustomProtocols/soup"
"${WEBKIT2_DIR}/Shared/Downloads/soup"
+ "${WEBKIT2_DIR}/Shared/Plugins/unix"
"${WEBKIT2_DIR}/Shared/gtk"
"${WEBKIT2_DIR}/Shared/soup"
"${WEBKIT2_DIR}/Shared/unix"
Copied: trunk/Source/WebKit2/Shared/Plugins/unix/PluginSearchPath.cpp (from rev 186809, trunk/Source/WebKit2/UIProcess/Plugins/unix/PluginInfoStoreUnix.cpp) (0 => 186810)
--- trunk/Source/WebKit2/Shared/Plugins/unix/PluginSearchPath.cpp (rev 0)
+++ trunk/Source/WebKit2/Shared/Plugins/unix/PluginSearchPath.cpp 2015-07-14 20:06:10 UTC (rev 186810)
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2015 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "PluginSearchPath.h"
+
+#include <WebCore/FileSystem.h>
+
+using namespace WebCore;
+
+namespace WebKit {
+
+Vector<String> pluginsDirectories()
+{
+ Vector<String> result;
+
+#if ENABLE(NETSCAPE_PLUGIN_API)
+ result.append(homeDirectoryPath() + "/.mozilla/plugins");
+ result.append(homeDirectoryPath() + "/.netscape/plugins");
+ result.append("/usr/lib/browser/plugins");
+ result.append("/usr/local/lib/mozilla/plugins");
+ result.append("/usr/lib/firefox/plugins");
+ result.append("/usr/lib64/browser-plugins");
+ result.append("/usr/lib/browser-plugins");
+ result.append("/usr/lib/mozilla/plugins");
+ result.append("/usr/local/netscape/plugins");
+ result.append("/opt/mozilla/plugins");
+ result.append("/opt/mozilla/lib/plugins");
+ result.append("/opt/netscape/plugins");
+ result.append("/opt/netscape/communicator/plugins");
+ result.append("/usr/lib/netscape/plugins");
+ result.append("/usr/lib/netscape/plugins-libc5");
+ result.append("/usr/lib/netscape/plugins-libc6");
+ result.append("/usr/lib64/netscape/plugins");
+ result.append("/usr/lib64/mozilla/plugins");
+ result.append("/usr/lib/nsbrowser/plugins");
+ result.append("/usr/lib64/nsbrowser/plugins");
+
+ String mozillaHome(getenv("MOZILLA_HOME"));
+ if (!mozillaHome.isEmpty())
+ result.append(mozillaHome + "/plugins");
+
+ String mozillaPaths(getenv("MOZ_PLUGIN_PATH"));
+ if (!mozillaPaths.isEmpty()) {
+ Vector<String> paths;
+ mozillaPaths.split(UChar(':'), /* allowEmptyEntries */ false, paths);
+ result.appendVector(paths);
+ }
+#endif
+
+ return result;
+}
+
+} // namespace WebKit
Added: trunk/Source/WebKit2/Shared/Plugins/unix/PluginSearchPath.h (0 => 186810)
--- trunk/Source/WebKit2/Shared/Plugins/unix/PluginSearchPath.h (rev 0)
+++ trunk/Source/WebKit2/Shared/Plugins/unix/PluginSearchPath.h 2015-07-14 20:06:10 UTC (rev 186810)
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2015 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef PluginSearchPath_h
+#define PluginSearchPath_h
+
+#include <wtf/Forward.h>
+#include <wtf/Vector.h>
+
+namespace WebKit {
+
+Vector<String> pluginsDirectories();
+
+} // namespace WebKit
+
+#endif // PluginSandboxProfile_h
Modified: trunk/Source/WebKit2/Shared/linux/SeccompFilters/SyscallPolicy.cpp (186809 => 186810)
--- trunk/Source/WebKit2/Shared/linux/SeccompFilters/SyscallPolicy.cpp 2015-07-14 19:50:37 UTC (rev 186809)
+++ trunk/Source/WebKit2/Shared/linux/SeccompFilters/SyscallPolicy.cpp 2015-07-14 20:06:10 UTC (rev 186810)
@@ -28,6 +28,7 @@
#if ENABLE(SECCOMP_FILTERS)
+#include "PluginSearchPath.h"
#include "WebProcessCreationParameters.h"
#include <libgen.h>
#include <string.h>
@@ -146,6 +147,10 @@
addDirectoryPermission(ASCIILiteral(DATADIR), Read);
addDirectoryPermission(ASCIILiteral(LIBDIR), Read);
+ // Plugin search path
+ for (String& path : pluginsDirectories())
+ addDirectoryPermission(path, Read);
+
// SSL Certificates.
addDirectoryPermission(ASCIILiteral("/etc/ssl/certs"), Read);
Modified: trunk/Source/WebKit2/UIProcess/Plugins/unix/PluginInfoStoreUnix.cpp (186809 => 186810)
--- trunk/Source/WebKit2/UIProcess/Plugins/unix/PluginInfoStoreUnix.cpp 2015-07-14 19:50:37 UTC (rev 186809)
+++ trunk/Source/WebKit2/UIProcess/Plugins/unix/PluginInfoStoreUnix.cpp 2015-07-14 20:06:10 UTC (rev 186810)
@@ -32,6 +32,7 @@
#include "PluginInfoStore.h"
#include "NetscapePluginModule.h"
+#include "PluginSearchPath.h"
#include <WebCore/FileSystem.h>
#if PLATFORM(GTK)
@@ -44,41 +45,7 @@
Vector<String> PluginInfoStore::pluginsDirectories()
{
- Vector<String> result;
-
- result.append(homeDirectoryPath() + "/.mozilla/plugins");
- result.append(homeDirectoryPath() + "/.netscape/plugins");
- result.append("/usr/lib/browser/plugins");
- result.append("/usr/local/lib/mozilla/plugins");
- result.append("/usr/lib/firefox/plugins");
- result.append("/usr/lib64/browser-plugins");
- result.append("/usr/lib/browser-plugins");
- result.append("/usr/lib/mozilla/plugins");
- result.append("/usr/local/netscape/plugins");
- result.append("/opt/mozilla/plugins");
- result.append("/opt/mozilla/lib/plugins");
- result.append("/opt/netscape/plugins");
- result.append("/opt/netscape/communicator/plugins");
- result.append("/usr/lib/netscape/plugins");
- result.append("/usr/lib/netscape/plugins-libc5");
- result.append("/usr/lib/netscape/plugins-libc6");
- result.append("/usr/lib64/netscape/plugins");
- result.append("/usr/lib64/mozilla/plugins");
- result.append("/usr/lib/nsbrowser/plugins");
- result.append("/usr/lib64/nsbrowser/plugins");
-
- String mozillaHome(getenv("MOZILLA_HOME"));
- if (!mozillaHome.isEmpty())
- result.append(mozillaHome + "/plugins");
-
- String mozillaPaths(getenv("MOZ_PLUGIN_PATH"));
- if (!mozillaPaths.isEmpty()) {
- Vector<String> paths;
- mozillaPaths.split(UChar(':'), /* allowEmptyEntries */ false, paths);
- result.appendVector(paths);
- }
-
- return result;
+ return WebKit::pluginsDirectories();
}
Vector<String> PluginInfoStore::pluginPathsInDirectory(const String& directory)
