Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (109651 => 109652)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2012-03-03 03:28:41 UTC (rev 109651)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2012-03-03 05:31:13 UTC (rev 109652)
@@ -12842,6 +12842,7 @@
E1284BB010449FFA00EAEB52 /* JSPageTransitionEvent.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSPageTransitionEvent.cpp; sourceTree = "<group>"; };
E1284BD31044A01E00EAEB52 /* DOMPageTransitionEvent.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = DOMPageTransitionEvent.mm; sourceTree = "<group>"; };
E1284BD41044A01E00EAEB52 /* DOMPageTransitionEvent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMPageTransitionEvent.h; sourceTree = "<group>"; };
+ E129CBD21501702200A7C5FB /* npapi-sandbox.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "npapi-sandbox.h"; sourceTree = "<group>"; };
E12EDB7A0B308A78002704B6 /* EventTarget.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EventTarget.h; sourceTree = "<group>"; };
E12EDBE90B308E0B002704B6 /* EventTarget.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EventTarget.cpp; sourceTree = "<group>"; };
E134F5AA12EE343F004EC58D /* IntRectHash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IntRectHash.h; sourceTree = "<group>"; };
@@ -14946,6 +14947,7 @@
A9C6E4ED0D745E38006442E9 /* DOMPluginArray.cpp */,
A9C6E4EE0D745E38006442E9 /* DOMPluginArray.h */,
A9C6E6610D74671E006442E9 /* DOMPluginArray.idl */,
+ E129CBD21501702200A7C5FB /* npapi-sandbox.h */,
1A927FCF1416A15B003A83C8 /* npapi.h */,
1A219B3A0DCA87AB0040E3A0 /* npfunctions.h */,
1A927FD01416A15B003A83C8 /* npruntime.h */,
Added: trunk/Source/WebCore/plugins/npapi-sandbox.h (0 => 109652)
--- trunk/Source/WebCore/plugins/npapi-sandbox.h (rev 0)
+++ trunk/Source/WebCore/plugins/npapi-sandbox.h 2012-03-03 05:31:13 UTC (rev 109652)
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*!
+ * @header WebKit Mac Sandbox
+ *
+ * This header provides an *EXPERIMENTAL* API for NPAPI plug-ins that wish
+ * to reduce their runtime privileges. When entering the sandbox, adopting
+ * plug-ins specify a whitelist of files they wish to have available for
+ * reading and writing. Plug-ins that need to have access to arbitrary files,
+ * such as to enable user-initiated file uploads or downloads, can invoke
+ * native Cocoa APIs, which will automatically grant permissions to the plug-in.
+ *
+ *
+ * Security characteristics
+ *
+ * Sandboxed plug-in's local file access is restricted to the union of:
+ *
+ * 1. The file whitelist specified by the plug-in when entering the sandbox.
+ * 2. Any files obtained at runtime through the secure Open and Save dialogs.
+ * 3. Any files that were open before entering the sandbox.
+ *
+ * Implementation may additionally choose to restrict the creation of IPC
+ * channels or the use of other security-sensitive system resources, such as
+ * the ability to spawn additional processes. However, any such resources
+ * acquired before entry into the sandbox are guaranteed to remain available
+ * within it. For example, plug-ins are free to spawn a trusted broker process
+ * before entering the sandbox and to establish an IPC channel with it. The
+ * channel will remain available within the sandbox even if the implementation
+ * is highly restrictive and allows neither process creation nor IPC channel
+ * establishment.
+ */
+
+
+#ifndef npapi_sandbox_h
+#define npapi_sandbox_h
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*!
+ * @constant WKNVSandboxFunctions
+ * Use this constant with NPN_GetValue to get a pointer to WKNSandboxFunctions
+ * structure, which contains pointers to sandboxing functions.
+ */
+#define WKNVSandboxFunctions 74659
+
+/*!
+ * Version of WKNSandboxFunctions structure that is returned by NPN_GetValue.
+ */
+#define WKNVSandboxFunctionsVersionCurrent 1
+
+/*!
+ * @function WKN_EnterSandbox
+ * Requests that the plug-in instance be placed in a sandbox.
+ *
+ * @param readOnlyPaths
+ * NULL-terminated C array of paths to files and directories that the plug-in
+ * wishes to have available in the sandbox for read-only access. Any
+ * directories in this array will automatically extend the sandbox to encompass
+ * all their files and subdirectories, meaning that they will be available
+ * through OS level file access functions for reading.
+ *
+ * @param readWritePaths
+ * NULL-terminated C array of paths to files and directories that the plug-in
+ * wishes to have available in the sandbox for both reading and writing.
+ * Typically, this array will include paths to the plug-in's local caches, a
+ * directory for temporary files, and any configuration files which are not
+ * security sensitive, in that they are not consulted when determining the
+ * lists of paths to pass to this function during plug-in instantiation.
+ * Any directories in this array will automatically extend the sandbox to
+ * encompass all their files and subdirectories, meaning that they will be
+ * available through OS level file access functions for reading and writing.
+ *
+ * @result
+ * Places the plug-in instance in a sandbox. The sandbox allows read-only access
+ * to paths specified by `readOnlyPaths` and read-write access to
+ * `readWritePaths`. If the same path appears in both `readOnlyPaths` and
+ * `readWritePaths`, access to that path will be read-only. No other filesystem
+ * access is available except as expressly permitted by the user through
+ * NSOpenPanel and NSSavePanel invocations. Returns NPERR_NO_ERROR when the
+ * navigator has successfully placed the plug-in in a sandbox and
+ * NPERR_GENERIC_ERROR if the the plug-in instance was already placed in a sandbox
+ * with a prior call to this function. If entering sandbox fails for any other reason,
+ * the process is terminated.
+ * Note that either or both `readOnlyPaths` and `readWritePaths` may be NULL.
+ *
+ * @discussion
+ * This function should be called as early as possible during plug-in
+ * instantiation and ALWAYS before any untrusted code has run. Generally, the
+ * only things that the plug-in should do before entering the sandbox are to
+ * determine the paths to pass in as `readOnlyPaths` and `readWritePaths`, and
+ * to establish any IPC channels to be used from the sandbox. In cases where
+ * the plug-in must parse its configuration files to determine any needed local
+ * resources (such as files to preload), it should do so and then immediately
+ * call this function. If configuration files do not influence the paths that
+ * the plug-in will pass as part of `readOnlyPaths` and `readWritePaths`, the
+ * plug-in should enter the sandbox first and only then process configuration
+ * files and deal with normal startup tasks.
+ *
+ * Very close attention must be paid to weeding out security-sensitive files
+ * from the `readWritePaths` list. If the plug-in instance reads a configuration
+ * file at startup to determine which additional files it will place in the
+ * `readWritePaths` list to this call, then that configuration file MUST NOT be
+ * in the `readWritePaths` itself. Otherwise, should the plug-in become
+ * compromised, it can trivially escape its sandbox the next time it is
+ * instantiated by writing arbitrary paths (or just "/") into this writable
+ * configuration file.
+ *
+ * Note that after a plug-in instance enters the sandbox, any native calls that
+ * it makes which refer to arbitrary paths on disk will only work if the paths are
+ * available within the sandbox, either statically through `readOnlyPaths` and
+ * `readWritePaths`, or dynamically through Cocoa APIs.
+ * However, NPAPI calls (such as e.g. NPN_PostURL with the file parameter set to TRUE)
+ * can access files that navigator policies allow, which is usually an entirely
+ * different set for remote and for local Web pages.
+ */
+typedef NPError (*WKN_EnterSandboxProcPtr)(const char *readOnlyPaths[], const char *readWritePaths[]);
+
+/*!
+ * @function WKN_FileStopAccessing
+ * Requests that the navigator revoke the plug-in's access to the given path.
+ *
+ * @param path
+ * Required. A path that was previously returned from NSOpenPanel or NSSavePanel.
+ *
+ * @result
+ * Returns NPERR_NO_ERROR, or NPERR_GENERIC_ERROR if the requesting plug-in
+ * instance is not in a sandbox.
+ *
+ * @discussion
+ * Whenever file access is provided to a plug-in instance through a
+ * Cocoa API, navigator should be notfied when it is no longer needed.
+ * This will cause subsequent open(2) calls on any of the revoked files to fail,
+ * but by design no attempt is made to invalidate existing file descriptors.
+ * plug-in writers are strongly encouraged to keep files open for as short a period
+ * of time as possible, and to always call this function when objects representing
+ * the returned files go out of scope or are otherwise destroyed.
+ */
+typedef NPError (*WKN_FileStopAccessingProcPtr)(const char* path);
+
+typedef struct _WKNSandboxFunctions {
+ uint16_t size;
+ uint16_t version;
+
+ WKN_EnterSandboxProcPtr enterSandbox;
+ WKN_FileStopAccessingProcPtr fileStopAccessing;
+} WKNSandboxFunctions;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // npapi_sandbox_h
