Diff
Modified: branches/safari-537-branch/Source/WebKit2/ChangeLog (153075 => 153076)
--- branches/safari-537-branch/Source/WebKit2/ChangeLog 2013-07-24 04:51:57 UTC (rev 153075)
+++ branches/safari-537-branch/Source/WebKit2/ChangeLog 2013-07-24 04:52:02 UTC (rev 153076)
@@ -1,3 +1,26 @@
+2013-07-23 Lucas Forschler <[email protected]>
+
+ Merge r153070
+
+ 2013-07-23 Simon Cooper <[email protected]>
+
+ 10.7: Java applets do not work due to sandbox violation/exception
+ https://bugs.webkit.org/show_bug.cgi?id=118920
+ <rdar://problem/14471541&12910934&14223830&14260729&14267679>
+
+ Reviewed by Alexey Proskuryakov.
+
+ Introduce versioning into the common profile and use it to fix
+ a number of issues with Java on 10.7 and 10.8. Allow writing the
+ com.apple.java.util.prefs preference file. This change also
+ introduces a "/Library/Application Support/Java/PublicFiles"
+ area which Java can read without any restrictions. Files written
+ to this location will need to be created and written to by
+ a privileged process.
+
+ * Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
+ * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
+
2013-07-22 Lucas Forschler <[email protected]>
Merge r152984
Modified: branches/safari-537-branch/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb (153075 => 153076)
--- branches/safari-537-branch/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb 2013-07-24 04:51:57 UTC (rev 153075)
+++ branches/safari-537-branch/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb 2013-07-24 04:52:02 UTC (rev 153076)
@@ -50,6 +50,11 @@
(home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
domains))
+;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
+;; This parameter is the major OS Version number.
+(if (not (defined? 'os-version))
+ (define os-version (param "_OS_VERSION")))
+
;; OS X 10.7 (Lion) compatibility
(if (not (defined? 'ipc-posix-shm*))
(define ipc-posix-shm* ipc-posix-shm))
@@ -212,6 +217,9 @@
(local-name "com.apple.tsm.portname")
(global-name-regex #"_OpenStep$"))
+(if (equal? os-version "10.7")
+ (allow mach-lookup
+ (global-name "com.apple.system.DirectoryService.membership_v1")))
;; Configuration directories
(allow file-read* (subpath (param "PLUGIN_PATH")))
@@ -311,24 +319,29 @@
(define (webkit-microphone)
(allow device-microphone))
-(allow ipc-posix-shm*
- (ipc-posix-name-regex #"^AudioIO")
- (ipc-posix-name-regex #"^CFPBS:")
- (ipc-posix-name "com.apple.ColorSync.Gen.lock")
- (ipc-posix-name "com.apple.ColorSync.Disp.lock")
- (ipc-posix-name "com.apple.ColorSync.Gray2.2")
- (ipc-posix-name "com.apple.ColorSync.sRGB")
- (ipc-posix-name "com.apple.ColorSync.GenGray")
- (ipc-posix-name "com.apple.ColorSync.GenRGB")
- (ipc-posix-name-regex #"^com\.apple\.cs\.")
- (ipc-posix-name "_CS_GSHMEMLOCK")
- (ipc-posix-name "_CS_DSHMEMLOCK"))
+(if (equal? os-version "10.7")
+ (allow ipc-posix-shm)
+ (begin
+ (if (equal? os-version "10.8")
+ (allow ipc-posix-shm*
+ (ipc-posix-name "_CS_GSHMEMLOCK")
+ (ipc-posix-name "_CS_DSHMEMLOCK")))
+ (allow ipc-posix-shm*
+ (ipc-posix-name-regex #"^AudioIO")
+ (ipc-posix-name-regex #"^CFPBS:")
+ (ipc-posix-name "com.apple.ColorSync.Gen.lock")
+ (ipc-posix-name "com.apple.ColorSync.Disp.lock")
+ (ipc-posix-name "com.apple.ColorSync.Gray2.2")
+ (ipc-posix-name "com.apple.ColorSync.sRGB")
+ (ipc-posix-name "com.apple.ColorSync.GenGray")
+ (ipc-posix-name "com.apple.ColorSync.GenRGB")
+ (ipc-posix-name-regex #"^com\.apple\.cs\.")
+ (ipc-posix-name-regex #"^ls\."))
+ (allow ipc-posix-shm-read*
+ (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
+ (ipc-posix-name "FNetwork.defaultStorageSession")
+ (ipc-posix-name "apple.shm.notification_center"))))
-(allow ipc-posix-shm-read*
- (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
- (ipc-posix-name "FNetwork.defaultStorageSession")
- (ipc-posix-name "apple.shm.notification_center"))
-
;; Silently block access to some resources
(deny file-read* file-write* (with no-log)
(subpath "/Network/Library")
Modified: branches/safari-537-branch/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb (153075 => 153076)
--- branches/safari-537-branch/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb 2013-07-24 04:51:57 UTC (rev 153075)
+++ branches/safari-537-branch/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb 2013-07-24 04:52:02 UTC (rev 153076)
@@ -1,3 +1,5 @@
+(webkit-printing)
+
(allow signal network-inbound)
(allow process-fork)
(allow process-exec
@@ -4,8 +6,17 @@
(subpath "/System/Library/Java/JavaVirtualMachines")
(subpath "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"))
-(allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
+(allow mach-lookup
+ (global-name "com.apple.coreservices.launchservicesd")
+ (global-name-regex #"^PlaceHolderServerName-"))
+(if (equal? os-version "10.7")
+ (begin
+ (allow mach-lookup
+ (global-name-regex #"^com\.apple\.java\.jrs\.carenderserver"))
+ (allow file-read* file-write*
+ (home-library-subpath "/Caches/net.java.openjdk.cmd"))))
+
(allow file-read*
(literal "/dev/fd")
(literal "/usr/bin")
@@ -15,9 +26,12 @@
(shared-preferences-read
"com.apple.java.JavaPreferences"
- "com.apple.java.util.prefs")
-(shared-preferences-read-write "com.oracle.javadeployment")
+ "net.java.openjdk.cmd")
+(shared-preferences-read-write
+ "com.apple.java.util.prefs"
+ "com.oracle.javadeployment")
+
(allow file-read* file-write*
(home-library-subpath "/Saved Application State/net.java.openjdk.cmd.savedState")
(home-library-subpath "/Application Support/Oracle/Java/Deployment")
@@ -27,14 +41,14 @@
(home-library-literal "/Application Support/Oracle")
(home-library-literal "/Application Support/Oracle/Java"))
+(allow file-read*
+ (subpath "/Library/Application Support/Java/PublicFiles")
+ (subpath "/Library/Application Support/Oracle/Java/Deployment"))
+
(allow network-bind network-outbound (subpath (param "DARWIN_USER_TEMP_DIR")))
(allow network-bind (local ip))
-(deny mach-lookup (with no-log)
- (global-name "com.apple.ls.boxd")
- (global-name-regex #"^PlaceHolderServerName-"))
+(deny file-write* (with no-log) (subpath "/Library/Application Support/Oracle"))
+(deny file-write* (with no-log) (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
(deny job-creation (with no-log))
-(deny file-write* (with no-log) (subpath "/Library/Application Support/Oracle"))
-
-(webkit-printing)
Modified: branches/safari-537-branch/Source/WebKit2/Shared/SandboxInitializationParameters.h (153075 => 153076)
--- branches/safari-537-branch/Source/WebKit2/Shared/SandboxInitializationParameters.h 2013-07-24 04:51:57 UTC (rev 153075)
+++ branches/safari-537-branch/Source/WebKit2/Shared/SandboxInitializationParameters.h 2013-07-24 04:52:02 UTC (rev 153076)
@@ -46,6 +46,7 @@
void addConfDirectoryParameter(const char* name, int confID);
void addPathParameter(const char* name, NSString *path);
void addPathParameter(const char* name, const char* path);
+ void addParameter(const char* name, const char* value);
const char* const* namedParameterArray() const;
Modified: branches/safari-537-branch/Source/WebKit2/Shared/mac/ChildProcessMac.mm (153075 => 153076)
--- branches/safari-537-branch/Source/WebKit2/Shared/mac/ChildProcessMac.mm 2013-07-24 04:51:57 UTC (rev 153075)
+++ branches/safari-537-branch/Source/WebKit2/Shared/mac/ChildProcessMac.mm 2013-07-24 04:52:02 UTC (rev 153076)
@@ -29,6 +29,7 @@
#import "SandboxInitializationParameters.h"
#import "WebKitSystemInterface.h"
#import <WebCore/FileSystem.h>
+#import <WebCore/SystemVersionMac.h>
#import <mach/task.h>
#import <pwd.h>
#import <stdlib.h>
@@ -166,6 +167,18 @@
sandboxParameters.setSystemDirectorySuffix(defaultSystemDirectorySuffix);
}
+ Vector<String> osVersionParts;
+ String osSystemMarketingVersion = String(systemMarketingVersion());
+ osSystemMarketingVersion.split('.', false, osVersionParts);
+ if (osVersionParts.size() < 2) {
+ WTFLogAlways("%s: Couldn't find OS Version\n", getprogname());
+ exit(EX_NOPERM);
+ }
+ String osVersion = osVersionParts[0];
+ osVersion.append('.');
+ osVersion.append(osVersionParts[1]);
+ sandboxParameters.addParameter("_OS_VERSION", osVersion.utf8().data());
+
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
// Use private temporary and cache directories.
setenv("DIRHELPER_USER_DIR_SUFFIX", fileSystemRepresentation(sandboxParameters.systemDirectorySuffix()).data(), 0);
Modified: branches/safari-537-branch/Source/WebKit2/Shared/mac/SandboxInitialiationParametersMac.mm (153075 => 153076)
--- branches/safari-537-branch/Source/WebKit2/Shared/mac/SandboxInitialiationParametersMac.mm 2013-07-24 04:51:57 UTC (rev 153075)
+++ branches/safari-537-branch/Source/WebKit2/Shared/mac/SandboxInitialiationParametersMac.mm 2013-07-24 04:52:02 UTC (rev 153076)
@@ -70,6 +70,12 @@
appendPathInternal(name, path);
}
+void SandboxInitializationParameters::addParameter(const char* name, const char* value)
+{
+ m_namedParameters.append(name);
+ m_namedParameters.append(fastStrDup(value));
+}
+
const char* const* SandboxInitializationParameters::namedParameterArray() const
{
if (!(m_namedParameters.size() % 2))
