Diff
Modified: trunk/Source/WebKit2/ChangeLog (165656 => 165657)
--- trunk/Source/WebKit2/ChangeLog 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/ChangeLog 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,20 @@
+2014-03-14 Alexey Proskuryakov <[email protected]>
+
+ [Mac] Sync extended attribute related rules with AppSandbox profile
+ https://bugs.webkit.org/show_bug.cgi?id=130263
+ <rdar://problem/16318965>
+
+ Reviewed by Sam Weinig.
+
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+ * Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb:
+ * Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
+ * Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb:
+ * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:
+ * Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb:
+ * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
+ * WebProcess/com.apple.WebProcess.sb.in:
+
2014-03-14 Simon Fraser <[email protected]>
[iOS WK2] Improve behavior of fixed elments on zooming
Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (165656 => 165657)
--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(version 1)
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
@@ -122,6 +145,12 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))
+;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
+(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
+
+;; Reserve a namespace for additional protected extended attributes.
+(deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
+
(deny file-read* file-write* (with no-log)
#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
(home-literal "/Library/Caches/Cache.db") ;; <rdar://problem/9422957>
Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb (165656 => 165657)
--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2013 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(webkit-powerbox)
(shared-preferences-read-write "com.apple.quicktime.plugin.preferences")
Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb (165656 => 165657)
--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(version 1)
(deny default)
(allow system-audit file-read-metadata)
@@ -364,9 +387,8 @@
(global-name "com.apple.dock.server")
(global-name-regex #"^com\.apple\.distributed_notifications"))
-;; This inserts deny rules for creating symbolic links. The rules are inserted
-;; at the end of sandbox profile compilation by overriding the finalizer. The
-;; initial value of %finalize must be the last function called.
+;; The below rules are inserted at the end of sandbox profile compilation by overriding the finalizer.
+;; The initial value of %finalize must be the last function called.
(letrec
((original-%finalize %finalize)
(webkit-%finalize
@@ -374,5 +396,9 @@
(if (defined? 'vnode-type)
(deny file-write-create
(vnode-type SYMLINK)))
+ ;; Reserve a namespace for additional protected extended attributes.
+ (deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
+ ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
+ (deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
(original-%finalize))))
(set! %finalize webkit-%finalize))
Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb (165656 => 165657)
--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(allow mach-lookup
(global-name "com.apple.ist.ds.appleconnect2.service.admin")
(global-name "com.apple.ist.ds.appleconnect2.service.agent")
Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb (165656 => 165657)
--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2013 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(webkit-powerbox)
(webkit-printing)
(webkit-camera)
Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb (165656 => 165657)
--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2013 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(allow iokit-open
(iokit-user-client-class "IOHIDLibUserClient")
(iokit-user-client-class "IOBluetoothHCIUserClient"))
Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb (165656 => 165657)
--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2013 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(webkit-printing)
(allow signal network-inbound)
Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (165656 => 165657)
--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2014-03-14 22:02:00 UTC (rev 165656)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in 2014-03-14 22:24:36 UTC (rev 165657)
@@ -1,3 +1,26 @@
+; Copyright (C) 2010, 2011, 2012, 2013, 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
(version 1)
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
@@ -245,6 +268,12 @@
(if (defined? 'vnode-type)
(deny file-write-create (vnode-type SYMLINK)))
+;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
+(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
+
+;; Reserve a namespace for additional protected extended attributes.
+(deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
+
(deny file-read* file-write* (with no-log)
#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
(home-literal "/Library/Caches/Cache.db") ;; <rdar://problem/9422957>
