Title: [284099] trunk/Source/WebKit
Revision
284099
Author
[email protected]
Date
2021-10-13 10:00:39 -0700 (Wed, 13 Oct 2021)

Log Message

[iOS] Stop including 'util.sb' in the WebContent process' sandbox
https://bugs.webkit.org/show_bug.cgi?id=231570
<rdar://problem/84143956>

Reviewed by Brent Fulgham.

This is a step towards being able to test-compile the sandbox on Open Source builders.

* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
* Shared/Sandbox/util.sb: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (284098 => 284099)


--- trunk/Source/WebKit/ChangeLog	2021-10-13 16:59:35 UTC (rev 284098)
+++ trunk/Source/WebKit/ChangeLog	2021-10-13 17:00:39 UTC (rev 284099)
@@ -1,3 +1,16 @@
+2021-10-13  Per Arne Vollan <[email protected]>
+
+        [iOS] Stop including 'util.sb' in the WebContent process' sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=231570
+        <rdar://problem/84143956>
+
+        Reviewed by Brent Fulgham.
+
+        This is a step towards being able to test-compile the sandbox on Open Source builders.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+        * Shared/Sandbox/util.sb: Added.
+
 2021-10-12  Alexey Proskuryakov  <[email protected]>
 
         Invoke build scripts with python3 explicitly

Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in (284098 => 284099)


--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-10-13 16:59:35 UTC (rev 284098)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in	2021-10-13 17:00:39 UTC (rev 284099)
@@ -30,13 +30,13 @@
 ;; Silence spurious logging due to rdar://20117923 and rdar://72366475
 (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
 
+#include "Shared/Sandbox/util.sb"
+
 ;;;
 ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
 ;;; remove unneeded sandbox extensions.
 ;;;
 
-(import "util.sb")
-
 (define-once (allow-read-and-issue-generic-extensions . filters)
     (allow file-read*
            (apply require-any filters))
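Review bot: Nothing at the new `#include "Shared/Sandbox/util.sb"` line records that this is an in-tree copy replacing `(import "util.sb")`, nor that every helper in it is wrapped in `define-once`. If any earlier part of the profile (outside this hunk) already defines one of those names, the in-tree definition is skipped silently and the earlier one decides which paths the rules match. I would add a comment above the include, e.g. `;; In-tree copy of the helpers formerly provided by (import "util.sb"); definitions are define-once, so an earlier definition of the same name wins.` Keeping the copy in step with the file it replaces is presumably a manual task, which the comment could also mention.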

Added: trunk/Source/WebKit/Shared/Sandbox/util.sb (0 => 284099)


--- trunk/Source/WebKit/Shared/Sandbox/util.sb	                        (rev 0)
+++ trunk/Source/WebKit/Shared/Sandbox/util.sb	2021-10-13 17:00:39 UTC (rev 284099)
@@ -0,0 +1,94 @@
+; Copyright (C) 2021 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+;    notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+;    notice, this list of conditions and the following disclaimer in the
+;    documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(macro (define-once form)
+  (let* ((ps (cdr form))
+         (signature (car ps))
+         (body (cdr ps))
+         (name (car signature)))
+    (if (not (defined? name))
+        `(define ,signature ,@body))))
+
+(define-once (home-literal . relative-subpaths)
+  (apply literal (map home-relative-path relative-subpaths)))
+
+(define-once (home-subpath . relative-subpaths)
+  (apply subpath (map home-relative-path relative-subpaths)))
+
+(define-once (home-prefix . relative-subpaths)
+  (apply prefix (map home-relative-path relative-subpaths)))
+
+(define-once (home-regex . relative-regexes)
+  (require-all
+    (apply any-home-regex relative-regexes)
+    (home-subpath "")))
+
+(define-once (home-relative-path relative-subpath)
+  (string-append "${HOME}" relative-subpath))
+
+(define-once (front-user-home-subpath . relative-subpaths)
+  (apply subpath (map front-user-home-relative-path relative-subpaths)))
+
+(define-once (front-user-home-relative-path relative-subpath)
+  (string-append "${FRONT_USER_HOME}" relative-subpath))
+
+(define-once (%elevated-precedence-finalize)
+    (lambda () #f))
+
+(macro (with-elevated-precedence form)
+    (let* ((rules (cdr form)))
+        ;; Later rules override earlier rules so emit the given rules as
+        ;; late as possible to give them high precendence.
+        `(%at-elevated-precedence-finalize (lambda () ,@rules))))
+
+(define-once (%at-elevated-precedence-finalize func)
+    (let*
+        ((orig-finalize %elevated-precedence-finalize)
+         (new-finalize
+             (lambda ()
+                 (orig-finalize)
+                 (func))))
+        (set! %elevated-precedence-finalize new-finalize)))
+
+(define-once (well-known-system-group-container-path relative-subpath)
+  (string-append "/private/var/containers/Shared/SystemGroup" relative-subpath))
+
+(define-once (well-known-system-group-container-literal . relative-subpaths)
+  (apply literal (map well-known-system-group-container-path relative-subpaths)))
+
+(define-once (well-known-system-group-container-subpath . relative-subpaths)
+  (apply subpath (map well-known-system-group-container-path relative-subpaths)))
+
+(define-once (allow-well-known-system-group-container-subpath-read . subpaths)
+  (for-each
+    (lambda (relative-path)
+      (allow file-read*
+             (well-known-system-group-container-subpath relative-path)))
+      subpaths))
+
+(define-once (allow-well-known-system-group-container-literal-read . subpaths)
+  (for-each
+    (lambda (relative-path)
+      (allow file-read*
+             (well-known-system-group-container-literal relative-path)))
+      subpaths))
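Review bot: Rules wrapped in `with-elevated-precedence` are only queued, and nothing in this file ever runs them. The macro expands to `%at-elevated-precedence-finalize`, which chains the rules into `%elevated-precedence-finalize`, and that function is never called here. Unless the including profile or the sandbox compiler invokes it at the end (not visible in this hunk), those rules are never emitted, including any deny rules, and the resulting sandbox is looser than the profile text reads. I would state the contract above the macro, e.g. `;; Queued rules take effect only when (%elevated-precedence-finalize) is called after the last rule of the profile.`, and confirm the WebContent profile does so. The existing comment's "precendence" should read "precedence".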