Diff
Modified: trunk/Source/WebKit2/ChangeLog (141334 => 141335)
--- trunk/Source/WebKit2/ChangeLog 2013-01-30 23:45:27 UTC (rev 141334)
+++ trunk/Source/WebKit2/ChangeLog 2013-01-30 23:52:53 UTC (rev 141335)
@@ -1,3 +1,18 @@
+2013-01-30 Alexey Proskuryakov <a...@apple.com>
+
+ <rdar://problem/12695827> PPT: Make loading file URLs work with a sandboxed NetworkProcess
+
+ Reviewed by Sam Weinig.
+
+ * DerivedSources.make: Preprocess a .sb.in file to build the profile.
+
+ * NetworkProcess/mac/NetworkProcessMac.mm:
+ Don't prevent entering the sandbox. Override sandbox path, because service
+ gets a differnt one by default.
+
+ * WebKit2.xcodeproj/project.pbxproj:
+ * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: Added.
+
2013-01-30 Huang Dongsung <luxte...@company100.net>
Coordinated Graphics: LayerTreeRenderer manages the surface of UpdateAtlas.
Modified: trunk/Source/WebKit2/DerivedSources.make (141334 => 141335)
--- trunk/Source/WebKit2/DerivedSources.make 2013-01-30 23:45:27 UTC (rev 141334)
+++ trunk/Source/WebKit2/DerivedSources.make 2013-01-30 23:52:53 UTC (rev 141335)
@@ -23,6 +23,7 @@
VPATH = \
$(WebKit2) \
$(WebKit2)/NetworkProcess \
+ $(WebKit2)/NetworkProcess/mac \
$(WebKit2)/PluginProcess \
$(WebKit2)/PluginProcess/mac \
$(WebKit2)/Shared/Plugins \
@@ -148,7 +149,8 @@
endif
SANDBOX_PROFILES = \
- com.apple.WebProcess.sb
+ com.apple.WebProcess.sb \
+ com.apple.WebKit.NetworkProcess.sb
all: $(SANDBOX_PROFILES)
Modified: trunk/Source/WebKit2/NetworkProcess/mac/NetworkProcessMac.mm (141334 => 141335)
--- trunk/Source/WebKit2/NetworkProcess/mac/NetworkProcessMac.mm 2013-01-30 23:45:27 UTC (rev 141334)
+++ trunk/Source/WebKit2/NetworkProcess/mac/NetworkProcessMac.mm 2013-01-30 23:52:53 UTC (rev 141335)
@@ -46,9 +46,6 @@
#import "SecItemShim.h"
#endif
-// Define this to 1 to bypass the sandbox for debugging purposes.
-#define DEBUG_BYPASS_SANDBOX 0
-
using namespace WebCore;
@interface NSURLRequest (Details)
@@ -180,8 +177,9 @@
void NetworkProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
{
- // FIXME: Remove when the process has a profile.
- sandboxParameters.setOverrideSandboxProfilePath(String());
+ // Need to overide the default, because service has a different bundle ID.
+ NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
+ sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.NetworkProcess" ofType:@"sb"]);
ChildProcess::initializeSandbox(parameters, sandboxParameters);
}
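Review bot: The result of the bundle and resource lookup is passed straight to `setOverrideSandboxProfilePath` with no check that it succeeded. If either lookup returns nil, the setter receives a null path, which is the same value the removed `String()` line passed while the process had no profile. Judging by that removed FIXME and the ChangeLog entry, an empty path appears to be what kept the process out of the sandbox, so a missing or misnamed resource would presumably leave the NetworkProcess unsandboxed without any error; confirming that needs `ChildProcess::initializeSandbox`, which is outside this diff. Fail closed instead: hold the result in a local, `NSString *profilePath = [webkit2Bundle pathForResource:@"com.apple.WebKit.NetworkProcess" ofType:@"sb"];`, and stop with `RELEASE_ASSERT(profilePath);` before calling the setter.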
Added: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (0 => 141335)
--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (rev 0)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in 2013-01-30 23:52:53 UTC (rev 141335)
@@ -0,0 +1,138 @@
+(version 1)
+(deny default (with partial-symbolication))
+(allow ipc-posix-shm system-audit file-read-metadata)
+
+(import "system.sb")
+
+;; Utility functions for home directory relative path filters
+(define (home-regex home-relative-regex)
+ (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
+
+(define (home-subpath home-relative-subpath)
+ (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
+
+(define (home-literal home-relative-literal)
+ (literal (string-append (param "HOME_DIR") home-relative-literal)))
+
+#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
+;; Low level networking. Defined in system.sb on newer OS versions.
+(define (system-network)
+ (allow file-read*
+ (literal "/Library/Preferences/com.apple.networkd.plist"))
+ (allow mach-lookup
+ (global-name "com.apple.SystemConfiguration.PPPController")
+ (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+ (global-name "com.apple.networkd"))
+ (allow network-outbound
+ (control-name "com.apple.netsrc")
+ (control-name "com.apple.network.statistics"))
+ (allow system-socket
+ (require-all (socket-domain AF_SYSTEM)
+ (socket-protocol 2)) ; SYSPROTO_CONTROL
+ (socket-domain AF_ROUTE)))
+#endif
+
+;; Read-only preferences and data
+(allow file-read*
+ ;; Basic system paths
+ (subpath "/Library/Frameworks")
+ (subpath "/Library/Managed Preferences")
+
+ ;; System and user preferences
+ (literal "/Library/Preferences/.GlobalPreferences.plist")
+ (regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")
+ (home-literal "/Library/Preferences/.GlobalPreferences.plist")
+ (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
+ (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")
+ (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
+ (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
+
+ ;; On-disk WebKit2 framework location, to account for debug installations
+ ;; outside of /System/Library/Frameworks
+ (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
+
+;; Sandbox extensions
+(define (apply-read-and-issue-extension op path-filter)
+ (op file-read* path-filter)
+ (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
+(define (apply-write-and-issue-extension op path-filter)
+ (op file-write* path-filter)
+ (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
+(define (read-only-and-issue-extensions path-filter)
+ (apply-read-and-issue-extension allow path-filter))
+(define (read-write-and-issue-extensions path-filter)
+ (apply-read-and-issue-extension allow path-filter)
+ (apply-write-and-issue-extension allow path-filter))
+(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
+(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
+
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
+(allow file-read* file-write* (subpath (param "DARWIN_USER_CACHE_DIR")))
+#else
+(allow file-read* file-write* (subpath (string-append (param "DARWIN_USER_CACHE_DIR") "/mds")))
+#endif
+
+(allow file-read* file-write* (subpath (param "DARWIN_USER_TEMP_DIR")))
+
+;; IOKit user clients
+(allow iokit-open
+ (iokit-user-client-class "RootDomainUserClient"))
+
+;; Various services required by CFNetwork and other frameworks
+(allow mach-lookup
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.cookied")
+ (global-name "com.apple.cfnetwork.AuthBrokerAgent"))
+
+;; Security framework
+(allow mach-lookup
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.SecurityServer"))
+(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+(allow file-read*
+ (subpath "/Library/Keychains")
+ (subpath "/private/var/db/mds")
+ (literal "/private/var/db/DetachedSignatures")
+ (literal "/Library/Preferences/com.apple.crypto.plist")
+ (literal "/Library/Preferences/com.apple.security.plist")
+ (literal "/Library/Preferences/com.apple.security.common.plist")
+ (literal "/Library/Preferences/com.apple.security.revocation.plist")
+ (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+ (home-literal "/Library/Preferences/com.apple.security.plist")
+ (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
+
+(system-network)
+(allow network-outbound
+ ;; Local mDNSResponder for DNS, arbitrary outbound TCP
+ (literal "/private/var/run/mDNSResponder")
+ (remote tcp))
+
+;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
+(allow mach-lookup
+ (global-name "org.h5l.kcm")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center"))
+(allow network-outbound
+ (remote udp))
+(allow file-read*
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.Kerberos.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.GSS.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/edu.mit.Kerberos"))
+ (literal "/Library/Preferences/com.apple.Kerberos.plist")
+ (literal "/Library/Preferences/com.apple.GSS.plist")
+ (literal "/Library/Preferences/edu.mit.Kerberos")
+ (literal "/private/etc/krb5.conf")
+ (literal "/private/etc/services")
+ (literal "/private/etc/host"))
+
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
+(deny file-write-create (vnode-type SYMLINK))
+#endif
+
+(deny file-read* file-write* (with no-log)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
+ (home-literal "/Library/Caches/Cache.db") ;; <rdar://problem/9422957>
+#endif
+ ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
+ (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
+ (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
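Review bot: The last entry of the Kerberos read list, `(literal "/private/etc/host")`, names a path that does not normally exist and presumably means `/private/etc/hosts`, so as written the rule grants nothing useful. Under the same FIXME, `(allow network-outbound (remote udp))` permits arbitrary outbound UDP on top of the earlier `(remote tcp)` rule, and the comment does not say which of the rules beneath it are the temporary ones. A comment on each group, for example `;; Kerberos/GSS only; remove with <rdar://problem/9347205>`, would let a later reader tighten the profile without guessing. The three HOME_DIR entries in that list could also use the `home-literal` helper defined at the top of the file, as the other rules do.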
Property changes on: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
___________________________________________________________________
Added: svn:mime-type
Added: svn:eol-style
Modified: trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj (141334 => 141335)
--- trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj 2013-01-30 23:45:27 UTC (rev 141334)
+++ trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj 2013-01-30 23:52:53 UTC (rev 141335)
@@ -1057,6 +1057,7 @@
E1790901169BB4F9006904C7 /* SecItemShim.dylib in Copy Sec Item Shim */ = {isa = PBXBuildFile; fileRef = 510031F61379CACB00C8DFE4 /* SecItemShim.dylib */; };
E179FD9C134D38060015B883 /* ArgumentCodersMac.h in Headers */ = {isa = PBXBuildFile; fileRef = E179FD9B134D38060015B883 /* ArgumentCodersMac.h */; };
E179FD9F134D38250015B883 /* ArgumentCodersMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = E179FD9E134D38250015B883 /* ArgumentCodersMac.mm */; };
+ E17AE2C316B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb in Resources */ = {isa = PBXBuildFile; fileRef = E17AE2C216B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb */; };
E18C92F412DB9E7100CF2AEB /* PrintInfo.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E18C92F312DB9E7100CF2AEB /* PrintInfo.cpp */; };
E18E690B169B563F009B6670 /* SecItemShimProxy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E18E6909169B563F009B6670 /* SecItemShimProxy.cpp */; };
E18E690C169B563F009B6670 /* SecItemShimProxy.h in Headers */ = {isa = PBXBuildFile; fileRef = E18E690A169B563F009B6670 /* SecItemShimProxy.h */; };
@@ -2432,6 +2433,8 @@
E1513C65166EABB200149FCB /* ChildProcessProxy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ChildProcessProxy.h; sourceTree = "<group>"; };
E179FD9B134D38060015B883 /* ArgumentCodersMac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArgumentCodersMac.h; sourceTree = "<group>"; };
E179FD9E134D38250015B883 /* ArgumentCodersMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ArgumentCodersMac.mm; sourceTree = "<group>"; };
+ E17AE2C116B9C139001C42F1 /* com.apple.WebKit.NetworkProcess.sb.in */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.NetworkProcess.sb.in; sourceTree = "<group>"; };
+ E17AE2C216B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.NetworkProcess.sb; sourceTree = "<group>"; };
E18C92F312DB9E7100CF2AEB /* PrintInfo.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PrintInfo.cpp; sourceTree = "<group>"; };
E18E6909169B563F009B6670 /* SecItemShimProxy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SecItemShimProxy.cpp; sourceTree = "<group>"; };
E18E690A169B563F009B6670 /* SecItemShimProxy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecItemShimProxy.h; sourceTree = "<group>"; };
@@ -3324,6 +3327,7 @@
512C068F16390E6900ABB911 /* NetworkResourceLoadSchedulerMac.mm */,
E1B78470163F24690007B692 /* RemoteNetworkingContext.h */,
E1B78472163F253E0007B692 /* RemoteNetworkingContext.mm */,
+ E17AE2C116B9C139001C42F1 /* com.apple.WebKit.NetworkProcess.sb.in */,
);
name = mac;
path = NetworkProcess/mac;
@@ -4574,6 +4578,7 @@
children = (
512F58A012A883AD00629530 /* AuthenticationManagerMessageReceiver.cpp */,
512F58A112A883AD00629530 /* AuthenticationManagerMessages.h */,
+ E17AE2C216B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb */,
E1967E37150AB5E200C73169 /* com.apple.WebProcess.sb */,
2984F586164BA095004BC0C6 /* CustomProtocolManagerMessageReceiver.cpp */,
2984F587164BA095004BC0C6 /* CustomProtocolManagerMessages.h */,
@@ -5662,6 +5667,7 @@
8DC2EF530486A6940098B216 /* InfoPlist.strings in Resources */,
E11D35AD16B63D14006D23D7 /* com.apple.WebKit.SharedWorkerProcess.sb in Resources */,
E11D35AE16B63D1B006D23D7 /* com.apple.WebProcess.sb in Resources */,
+ E17AE2C316B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;
};