Title: [210076] trunk/Source/WebKit2
Revision
210076
Author
[email protected]
Date
2016-12-21 14:02:48 -0800 (Wed, 21 Dec 2016)

Log Message

[Mac][WK2] Stop using file* rules in WebProcess sandbox profiles
https://bugs.webkit.org/show_bug.cgi?id=165824
<rdar://problem/14024823>

Reviewed by Alexey Proskuryakov

Switch from blanket 'file*' sandbox rules to the specific 'file-read*' and 'file-write*' rules
we actually need.

* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (210075 => 210076)


--- trunk/Source/WebKit2/ChangeLog	2016-12-21 21:30:30 UTC (rev 210075)
+++ trunk/Source/WebKit2/ChangeLog	2016-12-21 22:02:48 UTC (rev 210076)
@@ -1,3 +1,18 @@
+2016-12-21  Brent Fulgham  <[email protected]>
+
+        [Mac][WK2] Stop using file* rules in WebProcess sandbox profiles
+        https://bugs.webkit.org/show_bug.cgi?id=165824
+        <rdar://problem/14024823>
+
+        Reviewed by Alexey Proskuryakov
+
+        Switch from blanket 'file*' sandbox rules, to the specific 'file-read*' and 'file-write*' rules
+        we actually need.
+
+        * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2016-12-21  Beth Dakin  <[email protected]>
 
         Holding down on candidates in the TouchBar should show panel on screen

Modified: trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (210075 => 210076)


--- trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in	2016-12-21 21:30:30 UTC (rev 210075)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in	2016-12-21 22:02:48 UTC (rev 210076)
@@ -37,6 +37,13 @@
 (define (home-literal home-relative-literal)
     (literal (string-append (param "HOME_DIR") home-relative-literal)))
 
+(define (allow-read-write-directory-and-issue-read-write-extensions path)
+    (if path
+        (begin
+            (allow file-read* file-write* (subpath path))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
+
 ;; IOKit user clients
 (allow iokit-open
     (iokit-user-client-class "RootDomainUserClient"))
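Review bot: The `(if path` guard in the new helper does not filter out an empty parameter, since in Scheme only `#f` is false and an empty string counts as true; the real protection is the `(positive? (string-length ...))` test at each call site. A short comment above the definition would make this explicit, for example `;; Callers must check that the path parameter is non-empty; (if path ...) only rejects #f.` The comment should also say that the helper grants read and write access plus the right to issue read and read-write sandbox extensions under the path, which is more than a plain directory rule. The same definition is added verbatim to plugin-common.sb.in and com.apple.WebProcess.sb.in, so any later tightening has to be made in three places.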
@@ -59,9 +66,9 @@
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
        (ipc-posix-name "com.apple.AppleDatabaseChanged"))
 (if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
 (if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
 
 ;; Read-only preferences and data
 (allow user-preference-read
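Review bot: The replacement rules for DARWIN_USER_CACHE_DIR and DARWIN_USER_TEMP_DIR still let the Databases process issue `com.apple.app-sandbox.read` and `com.apple.app-sandbox.read-write` extensions for everything under those directories, presumably to keep what the old `file*` wildcard allowed. If this process never hands extensions to another process, the narrower `(allow file-read* file-write* (subpath (param "DARWIN_USER_CACHE_DIR")))` would be enough here and would remove a way to pass access on. That needs confirming against the Databases process code, which is not visible in this diff. The same question applies to the two matching rules in com.apple.WebProcess.sb.in.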

Modified: trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (210075 => 210076)


--- trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in	2016-12-21 21:30:30 UTC (rev 210075)
+++ trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in	2016-12-21 22:02:48 UTC (rev 210076)
@@ -99,6 +99,13 @@
         (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
     *uuid-pattern*)
 
+(define (allow-read-write-directory-and-issue-read-write-extensions path)
+    (if path
+        (begin
+            (allow file-read* file-write* (subpath path))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
+
 ;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
 ;; This parameter is the major OS Version number.
 (if (not (defined? 'os-version))
@@ -260,9 +267,12 @@
 ;; Configuration directories
 (allow file-read* (subpath (param "PLUGIN_PATH")))
 (allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
-(allow file* (subpath (param "DARWIN_USER_TEMP_DIR")))
-(allow file* (subpath (param "DARWIN_USER_CACHE_DIR")))
-(allow file* (subpath (param "NSURL_CACHE_DIR")))
+(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
+(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
+(if (positive? (string-length (param "NSURL_CACHE_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "NSURL_CACHE_DIR")))
 
 ;; Allow the OpenGL Profiler to attach.
 (if (defined? 'mach-register)
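Review bot: The two `file-read*` rules directly above the rewritten ones still pass `(param "PLUGIN_PATH")` and `(param "WEBKIT2_FRAMEWORK_DIR")` to `subpath` without the empty-string check that the three cache and temp rules now get. If an empty parameter is possible for the latter, it is worth confirming whether it can be empty for the former too and guarding them the same way, e.g. `(if (positive? (string-length (param "PLUGIN_PATH"))) (allow file-read* (subpath (param "PLUGIN_PATH"))))`. A one-line comment saying that an empty parameter silently drops the rule would also help whoever debugs a plugin that loses cache access. The `(if (defined? 'mach-register)` form at the end of the hunk continues outside it.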

Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (210075 => 210076)


--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in	2016-12-21 21:30:30 UTC (rev 210075)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in	2016-12-21 22:02:48 UTC (rev 210076)
@@ -43,6 +43,13 @@
             (allow file-read* (subpath path))
             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
 
+(define (allow-read-write-directory-and-issue-read-write-extensions path)
+    (if path
+        (begin
+            (allow file-read* file-write* (subpath path))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
+
 ;; Remove when <rdar://problem/29646094> is fixed.
 (define (HEX-pattern-match-generator pattern-descriptor)
     (letrec ((pattern-string ""))
@@ -163,10 +170,10 @@
     (preference-domain "com.apple.mediaaccessibility.public"))
 
 (if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
 
 (if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
 
 ;; IOKit user clients
 (allow iokit-open