Title: [187547] trunk/Source/WebKit2
Revision
187547
Author
mcatanz...@igalia.com
Date
2015-07-29 08:52:27 -0700 (Wed, 29 Jul 2015)

Log Message

[Seccomp] Further improvements to default web process policy
https://bugs.webkit.org/show_bug.cgi?id=142987

Provide various helper functions to allow more flexible construction of
filesystem access policies.

Reviewed by Žan Doberšek.

Improve the policy. Also, remove ifdefs to reduce potential for breakage in non-default
configurations.

* Shared/linux/SeccompFilters/SyscallPolicy.cpp:
(WebKit::SyscallPolicy::addDefaultWebProcessPolicy):

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (187546 => 187547)


--- trunk/Source/WebKit2/ChangeLog	2015-07-29 14:30:50 UTC (rev 187546)
+++ trunk/Source/WebKit2/ChangeLog	2015-07-29 15:52:27 UTC (rev 187547)
@@ -1,3 +1,19 @@
+2015-07-29  Michael Catanzaro  <mcatanz...@igalia.com>
+
+        [Seccomp] Further improvements to default web process policy
+        https://bugs.webkit.org/show_bug.cgi?id=142987
+
+        Provide various helper functions to allow more flexible construction of
+        filesystem access policies.
+
+        Reviewed by Žan Doberšek.
+
+        Improve the policy. Also, remove ifdefs to reduce potential for breakage in non-default
+        configurations.
+
+        * Shared/linux/SeccompFilters/SyscallPolicy.cpp:
+        (WebKit::SyscallPolicy::addDefaultWebProcessPolicy):
+
 2015-07-29  Chris Dumez  <cdu...@apple.com>
 
         Avoid unnecessarily constructing PlatformMediaSessionManager on Document destruction

Modified: trunk/Source/WebKit2/Shared/linux/SeccompFilters/SyscallPolicy.cpp (187546 => 187547)


--- trunk/Source/WebKit2/Shared/linux/SeccompFilters/SyscallPolicy.cpp	2015-07-29 14:30:50 UTC (rev 187546)
+++ trunk/Source/WebKit2/Shared/linux/SeccompFilters/SyscallPolicy.cpp	2015-07-29 15:52:27 UTC (rev 187547)
@@ -30,6 +30,7 @@
 
 #include "PluginSearchPath.h"
 #include "WebProcessCreationParameters.h"
+#include "XDGBaseDirectory.h"
 #include <libgen.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -151,30 +152,30 @@
     // file unless white listed bellow or by platform.
     addDirectoryPermission(ASCIILiteral("/"), NotAllowed);
 
-    // Shared libraries, plugins and fonts.
+    // System library directories
     addDirectoryPermission(ASCIILiteral("/lib"), Read);
     addDirectoryPermission(ASCIILiteral("/lib32"), Read);
     addDirectoryPermission(ASCIILiteral("/lib64"), Read);
     addDirectoryPermission(ASCIILiteral("/usr/lib"), Read);
     addDirectoryPermission(ASCIILiteral("/usr/lib32"), Read);
     addDirectoryPermission(ASCIILiteral("/usr/lib64"), Read);
+    addDirectoryPermission(ASCIILiteral("/usr/local/lib"), Read);
+    addDirectoryPermission(ASCIILiteral("/usr/local/lib32"), Read);
+    addDirectoryPermission(ASCIILiteral("/usr/local/lib64"), Read);
+    addDirectoryPermission(ASCIILiteral(LIBDIR), Read);
+
+    // System data directories
     addDirectoryPermission(ASCIILiteral("/usr/share"), Read);
-
-    // Support for alternative install prefixes, e.g. /usr/local.
+    addDirectoryPermission(ASCIILiteral("/usr/local/share"), Read);
     addDirectoryPermission(ASCIILiteral(DATADIR), Read);
-    addDirectoryPermission(ASCIILiteral(LIBDIR), Read);
 
-    // Plugin search path
+    // NPAPI plugins
     for (String& path : pluginsDirectories())
         addDirectoryPermission(path, Read);
 
     // SSL Certificates.
     addDirectoryPermission(ASCIILiteral("/etc/ssl/certs"), Read);
 
-    // Fontconfig cache.
-    addDirectoryPermission(ASCIILiteral("/etc/fonts"), Read);
-    addDirectoryPermission(ASCIILiteral("/var/cache/fontconfig"), Read);
-
     // Audio devices, random number generators, etc.
     addDirectoryPermission(ASCIILiteral("/dev"), ReadAndWrite);
 
@@ -220,56 +221,61 @@
     // FIXME This is too permissive: https://bugs.webkit.org/show_bug.cgi?id=143004
     addDirectoryPermission("/run/user/" + String::number(getuid()), ReadAndWrite);
 
-    // Needed by WebKit's memory pressure handler
+    // Needed by WebKit's memory pressure handler.
     addFilePermission(ASCIILiteral("/sys/fs/cgroup/memory/memory.pressure_level"), Read);
     addFilePermission(ASCIILiteral("/sys/fs/cgroup/memory/cgroup.event_control"), Read);
 
-    char* homeDir = getenv("HOME");
-    if (homeDir) {
-        // X11 connection token.
-        addFilePermission(String::fromUTF8(homeDir) + "/.Xauthority", Read);
-    }
+    // X11 connection token.
+    addFilePermission(userHomeDirectory() + "/.Xauthority", Read);
 
     // MIME type resolution.
-    char* dataHomeDir = getenv("XDG_DATA_HOME");
-    if (dataHomeDir)
-        addDirectoryPermission(String::fromUTF8(dataHomeDir) + "/mime", Read);
-    else if (homeDir)
-        addDirectoryPermission(String::fromUTF8(homeDir) + "/.local/share/mime", Read);
+    addDirectoryPermission(userDataDirectory() + "/mime", Read);
 
-#if ENABLE(WEBGL) || ENABLE(ACCELERATED_2D_CANVAS)
-    // Needed on most non-Debian distros by libxshmfence <= 1.1, or newer
-    // libxshmfence with older kernels (linux <= 3.16), for DRI3 shared memory.
-    // FIXME Try removing this permission when we can rely on a newer libxshmfence.
-    // See http://code.google.com/p/chromium/issues/detail?id=415681
-    addDirectoryPermission(ASCIILiteral("/var/tmp"), ReadAndWrite);
+    // Needed by NVIDIA proprietary graphics driver.
+    addDirectoryPermission(userHomeDirectory() + "/.nv", ReadAndWrite);
 
-    // Optional Mesa DRI configuration file
-    addFilePermission(ASCIILiteral("/etc/drirc"), Read);
-    if (homeDir)
-        addFilePermission(String::fromUTF8(homeDir) + "/.drirc", Read);
-
-    // Mesa uses udev.
+    // Needed by udev.
     addDirectoryPermission(ASCIILiteral("/etc/udev"), Read);
     addDirectoryPermission(ASCIILiteral("/run/udev"), Read);
     addDirectoryPermission(ASCIILiteral("/sys/bus"), Read);
     addDirectoryPermission(ASCIILiteral("/sys/class"), Read);
     addDirectoryPermission(ASCIILiteral("/sys/devices"), Read);
-#endif
 
-    // Needed by NVIDIA proprietary graphics driver
-    if (homeDir)
-        addDirectoryPermission(String::fromUTF8(homeDir) + "/.nv", ReadAndWrite);
+    // PulseAudio
+    addFilePermission(ASCIILiteral("/etc/asound.conf"), Read);
+    addDirectoryPermission(userConfigDirectory() + "/.pulse", Read);
+    addDirectoryPermission(userHomeDirectory() + "/.pulse", Read);
 
+    // Mesa
+    addFilePermission(ASCIILiteral("/etc/drirc"), Read);
+    addFilePermission(userHomeDirectory() + "/.drirc", Read);
+    addFilePermission(ASCIILiteral("/sys/fs/selinux/booleans/allow_execmem"), Read);
+
+    // GStreamer
+    addDirectoryPermission(String::fromUTF8(LIBEXECDIR) + "/gstreamer-1.0", Read);
+    addDirectoryPermission(userDataDirectory() + "/gstreamer-1.0", Read);
+    addDirectoryPermission(userCacheDirectory() + "/gstreamer-1.0", ReadAndWrite);
+    addDirectoryPermission(userHomeDirectory() + "/.frei0r-1", ReadAndWrite);
+    if (char* gstreamerPluginDirectory = getenv("GST_PLUGIN_PATH_1_0"))
+        addDirectoryPermission(gstreamerPluginDirectory, Read);
+    if (char* gstreamerRegistryFile = getenv("GST_REGISTRY_1_0"))
+        addFilePermission(gstreamerRegistryFile, ReadAndWrite);
+
+    // Fontconfig
+    addDirectoryPermission(userCacheDirectory() + "/fontconfig", ReadAndWrite);
+    addDirectoryPermission(userConfigDirectory() + "/fontconfig", Read);
+    addDirectoryPermission(userConfigDirectory() + "/fonts", Read);
+    addDirectoryPermission(userDataDirectory() + "/fonts", Read);
+    addDirectoryPermission(userHomeDirectory() + "/fontconfig", Read);
+    addDirectoryPermission(userHomeDirectory() + "/.fonts", Read);
+    addDirectoryPermission(ASCIILiteral("/etc/fonts"), Read);
+    addDirectoryPermission(ASCIILiteral("/var/cache/fontconfig"), Read);
+
 #if ENABLE(DEVELOPER_MODE) && defined(SOURCE_DIR)
     // Developers using build-webkit expect some libraries to be loaded
     // from the build root directory and they also need access to layout test
     // files.
-    char* sourceDir = canonicalize_file_name(SOURCE_DIR);
-    if (sourceDir) {
-        addDirectoryPermission(String::fromUTF8(sourceDir), SyscallPolicy::ReadAndWrite);
-        free(sourceDir);
-    }
+    addDirectoryPermission(String::fromUTF8(SOURCE_DIR), SyscallPolicy::ReadAndWrite);
 #endif
 }
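Review bot: `GST_PLUGIN_PATH_1_0` is treated as a single directory in the new `getenv` branch, but GStreamer documents that variable as a colon-separated list of directories (like `PATH`), so a user who sets more than one entry gets a whitelist entry for a path that does not exist and no access to any of the real plugin directories; the value should be split on `:` with each non-empty component added separately. The sibling `GST_REGISTRY_1_0` grant is file-level ReadAndWrite, which matches how the variable is used, though I believe GStreamer rewrites the registry through a temporary file in the same directory, so whether a file-only grant is sufficient depends on how the broker handles that rename and is worth confirming. Separately, the developer-mode branch drops the former `canonicalize_file_name(SOURCE_DIR)` call; if SOURCE_DIR can contain symlinks or `..` and the broker matches against resolved paths, that grant would silently stop matching. The enclosing addDefaultWebProcessPolicy begins before this hunk.
```cpp
    // GStreamer
    // … unchanged: LIBEXECDIR, user data/cache and frei0r grants …
    if (const char* gstreamerPluginPath = getenv("GST_PLUGIN_PATH_1_0")) {
        // GST_PLUGIN_PATH_1_0 is a colon-separated search path, not a single directory.
        Vector<String> gstreamerPluginDirectories;
        String::fromUTF8(gstreamerPluginPath).split(':', gstreamerPluginDirectories);
        for (const String& directory : gstreamerPluginDirectories) {
            if (!directory.isEmpty())
                addDirectoryPermission(directory, Read);
        }
    }
    // … unchanged: GST_REGISTRY_1_0 grant …
```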
 