[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
andersca at apple.com
andersca at apple.com
Wed Dec 22 11:23:27 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 55f469fbc754ea80a9f95c803e042400afa57c7b
Author: andersca at apple.com <andersca at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Jul 21 16:04:28 2010 +0000
Land file I forgot to add.
* WebProcess/com.apple.WebProcess.sb: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63831 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebKit2/ChangeLog b/WebKit2/ChangeLog
index 92d32e4..9c66160 100644
--- a/WebKit2/ChangeLog
+++ b/WebKit2/ChangeLog
@@ -1,3 +1,9 @@
+2010-07-21 Anders Carlsson <andersca at apple.com>
+
+ Land file I forgot to add.
+
+ * WebProcess/com.apple.WebProcess.sb: Added.
+
2010-07-21 Adam Roben <aroben at apple.com>
Move WebKit2WebProcess's settings to a vsprops file
diff --git a/WebKit2/WebProcess/com.apple.WebProcess.sb b/WebKit2/WebProcess/com.apple.WebProcess.sb
new file mode 100644
index 0000000..1f4fb14
--- /dev/null
+++ b/WebKit2/WebProcess/com.apple.WebProcess.sb
@@ -0,0 +1,59 @@
+(version 1)
+(deny default)
+
+(allow ipc-posix-shm sysctl-read system-audit system-socket file-read-metadata)
+
+(allow file-read*
+ ;; Basic system paths
+ (subpath "/System")
+ (subpath "/usr/share")
+ (subpath "/Library/Fonts")
+ (literal "/dev/dtracehelper")
+ (literal "/dev/urandom")
+ (literal "/private/var/db/mds/messages/se_SecurityMessages")
+
+ ;; System and user preferences
+ (literal "/Library/Preferences/.GlobalPreferences.plist")
+ (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist"))
+ (regex (string-append "^" (param "_HOME") "/Library/Preferences/ByHost/\.GlobalPreferences\."))
+ (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.LaunchServices.plist"))
+
+ ;; On-disk WebKit2 framework location, to account for debug installations
+ ;; outside of /System/Library/Frameworks
+ (subpath (param "webkit2_framework_path"))
+
+ ;; Extensions from UIProcess
+ (extension))
+
+(allow file*
+ ;; Our caches are writable
+ (subpath (string-append (param "_HOME") "/Library/Caches/com.apple.WebProcess"))
+ (literal "/dev/dtracehelper"))
+
+(allow iokit-open
+ ;; This will need to be rethought once we're using accelerated graphics,
+ ;; since we probably can't pre-enumerate the client classes for graphics cards
+ (iokit-user-client-class "IOHIDParamUserClient")
+ (iokit-user-client-class "RootDomainUserClient"))
+
+(allow mach-lookup
+ ;; Various services required by AppKit and other frameworks
+ (global-name "com.apple.CoreServices.coreservicesd")
+ (global-name "com.apple.FontObjectsServer")
+ (global-name "com.apple.FontServer")
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.cookied")
+ (global-name "com.apple.distributed_notifications.2")
+ (global-name "com.apple.dock.server")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.window_proxies")
+ (global-name "com.apple.windowserver.active")
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.ocspd")
+ (local-name "com.apple.WebKit.WebProcess"))
+
+(allow network-outbound
+ ;; Local mDNSResponder for DNS, arbitrary outbound TCP
+ (literal "/private/var/run/mDNSResponder")
+ (remote tcp))
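Review bot: The ByHost preferences rule builds its regex by concatenating `(param "_HOME")` unescaped, so any regex metacharacter in the home path (a `.` in an account name, for instance) is read as a pattern rather than a literal, and the rule can then match more paths than intended. The same trust in caller-supplied values applies to `(subpath (param "webkit2_framework_path"))`: if that parameter were ever empty or `/`, the read grant would presumably cover the whole filesystem. The code that sets these parameters is not part of this commit, so the profile should state the contract it relies on. I would add a header comment such as `;; _HOME and webkit2_framework_path must be canonical absolute paths; _HOME is spliced into a regex, so the caller must escape regex metacharacters`. It would also help to note next to `(remote tcp)` that the rule includes loopback, so services listening on the local machine stay reachable from the web process.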
--
WebKit Debian packaging