[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

mrowe at apple.com mrowe at apple.com
Wed Dec 22 14:24:33 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 446d5514ef52268a994c4e5feabb290c40b66d63
Author: mrowe at apple.com <mrowe at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 8 00:07:51 2010 +0000

    <rdar://problem/8349882> Many WebProcess sandbox violations during basic browsing operations.
    
    Patch by Ivan Krstić <ike at apple.com> on 2010-10-07
    Reviewed by Mark Rowe.
    
    * WebProcess/com.apple.WebProcess.sb:
    * WebProcess/mac/WebProcessMainMac.mm:
    (WebKit::WebProcessMain):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69356 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebKit2/ChangeLog b/WebKit2/ChangeLog
index 90f9975..710ed70 100644
--- a/WebKit2/ChangeLog
+++ b/WebKit2/ChangeLog
@@ -1,3 +1,13 @@
+2010-10-07  Ivan Krstić  <ike at apple.com>
+
+        Reviewed by Mark Rowe.
+
+        <rdar://problem/8349882> Many WebProcess sandbox violations during basic browsing operations.
+
+        * WebProcess/com.apple.WebProcess.sb:
+        * WebProcess/mac/WebProcessMainMac.mm:
+        (WebKit::WebProcessMain):
+
 2010-10-07  Brady Eidson  <beidson at apple.com>
 
         Build fix.
diff --git a/WebKit2/WebProcess/com.apple.WebProcess.sb b/WebKit2/WebProcess/com.apple.WebProcess.sb
index 9cc2043..b80f78f 100644
--- a/WebKit2/WebProcess/com.apple.WebProcess.sb
+++ b/WebKit2/WebProcess/com.apple.WebProcess.sb
@@ -1,61 +1,105 @@
 (version 1)
 (deny default)
+(allow ipc-posix-shm system-audit system-socket file-read-metadata)
 
-(allow ipc-posix-shm sysctl-read system-audit system-socket file-read-metadata)
+(import "system.sb")
 
+;; Read-only preferences and data
 (allow file-read*
        ;; Basic system paths
-       (subpath "/System")
-       (subpath "/usr/share")
        (subpath "/Library/Fonts")
-       (literal "/dev/dtracehelper")
-       (literal "/dev/urandom")
-       (literal "/private/var/db/mds/messages/se_SecurityMessages")
+       (subpath "/Library/Frameworks")
+       (subpath "/Library/Keychains")
+       (subpath "/private/var/db/mds")
+
+       ;; Plugins
+       (subpath "/Library/Internet Plug-Ins")
+       (subpath (string-append (param "_HOME") "/Library/Internet Plug-Ins"))
 
        ;; System and user preferences
        (literal "/Library/Preferences/.GlobalPreferences.plist")
        (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist"))
        (regex (string-append "^" (param "_HOME") "/Library/Preferences/ByHost/\.GlobalPreferences\."))
+       (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.ATS.plist"))
+       (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.HIToolbox.plist"))
        (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.LaunchServices.plist"))
+       (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.WebFoundation.plist"))
+       (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.security.plist"))
+       (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.security.revocation.plist"))
+       (subpath (string-append (param "_HOME") "/Library/Keychains"))
 
        ;; On-disk WebKit2 framework location, to account for debug installations
        ;; outside of /System/Library/Frameworks
-       (subpath (param "webkit2_framework_path"))
+       (subpath (param "WEBKIT2_FRAMEWORK_DIR"))
 
        ;; Extensions from UIProcess
        (extension))
 
+;; Writable preferences and temporary files
 (allow file*
-       ;; Our caches are writable
        (subpath (string-append (param "_HOME") "/Library/Caches/com.apple.WebProcess"))
-       (literal "/dev/dtracehelper"))
+       (regex (string-append "^" (param "_HOME") "/Library/Preferences/ByHost/com\.apple\.HIToolbox\."))
+       (regex (string-append "^" (param "_HOME") "/Library/Preferences/com\.apple\.WebProcess\.")))
+
+;; Darwin temporary files and caches, if present
+(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
+    (allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
+(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
+    (allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
 
-(allow iokit-open
-       ;; This will need to be rethought once we're using accelerated graphics,
-       ;; since we probably can't pre-enumerate the client classes for graphics cards
-       (iokit-user-client-class "IOHIDParamUserClient")
-       (iokit-user-client-class "RootDomainUserClient"))
+;; FIXME: overly permissive since we can't pre-enumerate the client
+;; classes for graphics cards
+(allow iokit-open)
+       ;;(iokit-user-client-class "IOHIDParamUserClient")
+       ;;(iokit-user-client-class "RootDomainUserClient"))
 
+;; Various services required by AppKit and other frameworks
 (allow mach-lookup
-       ;; Various services required by AppKit and other frameworks
        (global-name "com.apple.CoreServices.coreservicesd")
+       (global-name "com.apple.DiskArbitration.diskarbitrationd")
+       (global-name "com.apple.FileCoordination")
        (global-name "com.apple.FontObjectsServer")
        (global-name "com.apple.FontServer")
+       (global-name "com.apple.SecurityServer")
        (global-name "com.apple.SystemConfiguration.configd")
+       (global-name "com.apple.audio.VDCAssistant")
+       (global-name "com.apple.audio.audiohald")
+       (global-name "com.apple.audio.coreaudiod")
        (global-name "com.apple.cookied")
+       (global-name "com.apple.cvmsServ")
        (global-name "com.apple.distributed_notifications.2")
        (global-name "com.apple.dock.server")
-       (global-name "com.apple.system.logger")
-       (global-name "com.apple.system.notification_center")
+       (global-name "com.apple.ocspd")
+       (global-name "com.apple.pasteboard.1")
        (global-name "com.apple.window_proxies")
        (global-name "com.apple.windowserver.active")
-       (global-name "com.apple.SecurityServer")
-       (global-name "com.apple.ocspd")
-       (global-name "com.apple.DiskArbitration.diskarbitrationd")
-       (global-name "com.apple.FileCoordination")
-       (global-name-regex #"^com.apple.WebKit.WebProcess-"))
+       (global-name-regex #"^com\.apple\.WebKit\.WebProcess-"))
+       (global-name-regex #"^com\.apple\.qtkitserver\.")
 
+;; FIXME: These rules are required until <rdar://problem/8448410> is addressed. See <rdar://problem/8349882> for discussion.
+(allow network-outbound)
+(deny network-outbound (regex ""))
+(deny network-outbound (local ip))
 (allow network-outbound
        ;; Local mDNSResponder for DNS, arbitrary outbound TCP
        (literal "/private/var/run/mDNSResponder")
        (remote tcp))
+
+;; FIXME: These rules are required until plug-ins are moved out of the web process.
+(allow file-read*
+       (regex (string-append "^" (param "_HOME") "/Library/Preferences/ByHost/com\.apple\.ist\."))
+       (literal (string-append (param "_HOME") "/Library/Preferences/edu.mit.Kerberos"))
+       (literal "/Library/Preferences/edu.mit.Kerberos"))
+(allow mach-lookup
+       (global-name "org.h5l.kcm")
+       (global-name "com.apple.tsm.uiserver")
+       (global-name-regex #"^com\.apple\.ist"))
+(allow network-outbound (remote ip))
+
+;; These rules are required while QTKitServer is being launched directly via posix_spawn (<rdar://problem/6912494>).
+(allow process-fork)
+(allow process-exec (literal "/System/Library/Frameworks/QTKit.framework/Versions/A/Resources/QTKitServer") (with no-sandbox))
+
+;; FIXME: Investigate these.
+(allow appleevent-send (appleevent-destination "com.apple.WebProcess"))
+(allow mach-lookup (global-name-regex #"^EPPC-"))
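Review bot: The extra closing parenthesis on `(global-name-regex #"^com\.apple\.WebKit\.WebProcess-"))` ends the `(allow mach-lookup …)` form, so the next line `(global-name-regex #"^com\.apple\.qtkitserver\.")` sits at top level outside any rule; as committed the profile most likely either fails to compile (sandbox_init_with_parameters then fails and WebProcess exits) or silently grants nothing for the qtkitserver lookup. Move the paren down one line: `(global-name-regex #"^com\.apple\.WebKit\.WebProcess-")` followed by `(global-name-regex #"^com\.apple\.qtkitserver\."))`. Separately, the unfiltered `(allow iokit-open)` and the `(with no-sandbox)` exec of QTKitServer widen the process's kernel and exec surface well beyond the two user-client classes previously allowed; both carry FIXMEs, but the iokit one has no tracking reference like the others, so I'd add one to the comment so the narrowing is not lost.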
diff --git a/WebKit2/WebProcess/mac/WebProcessMainMac.mm b/WebKit2/WebProcess/mac/WebProcessMainMac.mm
index c26a888..3427039 100644
--- a/WebKit2/WebProcess/mac/WebProcessMainMac.mm
+++ b/WebKit2/WebProcess/mac/WebProcessMainMac.mm
@@ -44,6 +44,7 @@
 
 #if ENABLE(WEB_PROCESS_SANDBOX)
 #import <sandbox.h>
+#import <stdlib.h>
 #endif
 
 // FIXME: We should be doing this another way.
@@ -62,12 +63,28 @@ int WebProcessMain(const CommandLine& commandLine)
 #if ENABLE(WEB_PROCESS_SANDBOX)
     if (![[NSUserDefaults standardUserDefaults] boolForKey:@"DisableSandbox"]) {
         char* errorBuf;
+        char tmpPath[PATH_MAX];
+        char tmpRealPath[PATH_MAX];
+        char cachePath[PATH_MAX];
+        char cacheRealPath[PATH_MAX];
         const char* frameworkPath = [[[[NSBundle bundleForClass:[WKView class]] bundlePath] stringByDeletingLastPathComponent] UTF8String];
         const char* profilePath = [[[NSBundle mainBundle] pathForResource:@"com.apple.WebProcess" ofType:@"sb"] UTF8String];
-        const char* const sandboxParam[] = { "webkit2_framework_path", frameworkPath, NULL };
+
+        if (confstr(_CS_DARWIN_USER_TEMP_DIR, tmpPath, PATH_MAX) <= 0 || !realpath(tmpPath, tmpRealPath))
+            tmpRealPath[0] = '\0';
+
+        if (confstr(_CS_DARWIN_USER_CACHE_DIR, cachePath, PATH_MAX) <= 0 || !realpath(cachePath, cacheRealPath))
+            cacheRealPath[0] = '\0';
+
+        const char* const sandboxParam[] = {
+            "WEBKIT2_FRAMEWORK_DIR", frameworkPath,
+            "DARWIN_USER_TEMP_DIR", (const char*)tmpRealPath,
+            "DARWIN_USER_CACHE_DIR", (const char*)cacheRealPath,
+            NULL
+        };
 
         if (sandbox_init_with_parameters(profilePath, SANDBOX_NAMED_EXTERNAL, sandboxParam, &errorBuf)) {
-            fprintf(stderr, "WebProcess: couldn't initialize sandbox profile [%s] with framework path [%s]: %s\n", profilePath, frameworkPath, errorBuf);
+            fprintf(stderr, "WebProcess: couldn't initialize sandbox profile [%s] with framework path [%s], tmp path [%s], cache path [%s]: %s\n", profilePath, frameworkPath, tmpRealPath, cacheRealPath, errorBuf);
             exit(EX_NOPERM);
         }
     } else
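Review bot: The `<= 0` checks on the two `confstr()` calls catch only outright failure, not truncation: `confstr` returns the size required including the NUL, so a result larger than the buffer means `tmpPath`/`cachePath` hold a cut-off prefix, and `realpath()` on that prefix can resolve to a parent directory, which the profile would then open up with `file*` through the `DARWIN_USER_TEMP_DIR`/`DARWIN_USER_CACHE_DIR` parameters. Keep the return value and treat overflow as failure, e.g. `size_t tmpLen = confstr(_CS_DARWIN_USER_TEMP_DIR, tmpPath, sizeof(tmpPath));` and `if (tmpLen == 0 || tmpLen > sizeof(tmpPath) || !realpath(tmpPath, tmpRealPath))`, with the same change for the cache path. The `(const char*)` casts on `tmpRealPath` and `cacheRealPath` are redundant, since the arrays decay to `char*` and convert implicitly. WebProcessMain starts before and continues after this hunk.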
