Changeset 149217 in webkit

Timestamp:

Apr 26, 2013, 3:22:53 PM (12 years ago)

Author:

ap@apple.com

Message:

2013-04-26 Simon Cooper <​scooper@apple.com>

Permit ~/Library or ~/Library/Preferences to be symlinks
​https://bugs.webkit.org/show_bug.cgi?id=115142
<rdar://problem/12953603>

Reviewed by Alexey Proskuryakov.

Pass in two new parameters which are the resolved paths to ~/Library
and ~/Library/Preferences. Added new expansion functions and
substituted the new functions for home-regex, home-subpath and
home-literal for places referencing resources in "~/Library" or
"~/Library/Preferences".

• Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb:
• Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
• Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb:
• Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:
• Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb:
• Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
• Shared/mac/ChildProcessMac.mm: (WebKit::ChildProcess::initializeSandbox):

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb (modified) (1 diff)
• Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb (modified) (8 diffs)
• Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb (modified) (1 diff)
• Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb (modified) (1 diff)
• Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb (modified) (1 diff)
• Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb (modified) (1 diff)
• Shared/mac/ChildProcessMac.mm (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2013-04-26  Simon Cooper  <scooper@apple.com>
+
+        Permit ~/Library or ~/Library/Preferences to be symlinks
+        https://bugs.webkit.org/show_bug.cgi?id=115142
+        <rdar://problem/12953603>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Pass in two new parameters which are the resolved paths to ~/Library
+        and ~/Library/Preferences. Added new expansion functions and
+        substituted the new functions for home-regex, home-subpath and
+        home-literal for places referencing resources in "~/Library" or
+        "~/Library/Preferences".
+
+        * Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb:
+        * Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
+        * Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb:
+        * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:
+        * Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb:
+        * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
+        * Shared/mac/ChildProcessMac.mm:
+        (WebKit::ChildProcess::initializeSandbox):
+
 2013-04-26  Alexey Proskuryakov  <ap@apple.com>
 

trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb

@@ -3 +3 @@
 
 (allow file-read* file-write*
-    (home-subpath "/Library/Caches/QuickTime")
-    (home-literal "/Library/Preferences/QuickTime Preferences"))
+    (home-library-subpath "/Caches/QuickTime")
+    (home-library-preferences-literal "/QuickTime Preferences"))
 
 (allow network-inbound (local udp))

trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb

@@ -6 +6 @@
 
 ;; Utility functions
-(define (home-regex home-relative-regex)
-    (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
-
-(define (home-subpath home-relative-subpath)
-    (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
-
 (define (home-literal home-relative-literal)
     (literal (string-append (param "HOME_DIR") home-relative-literal)))
+
+(define (home-library-regex home-library-relative-regex)
+    (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_DIR")) home-library-relative-regex)))
+
+(define (home-library-subpath home-library-relative-subpath)
+    (subpath (string-append (param "HOME_LIBRARY_DIR") home-library-relative-subpath)))
+
+(define (home-library-literal home-library-relative-literal)
+    (literal (string-append (param "HOME_LIBRARY_DIR") home-library-relative-literal)))
+
+(define (home-library-preferences-regex home-library-preferences-relative-regex)
+    (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR")) home-library-preferences-relative-regex)))
+
+(define (home-library-preferences-subpath home-library-preferences-relative-subpath)
+    (subpath (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-subpath)))
+
+(define (home-library-preferences-literal home-library-preferences-relative-literal)
+    (literal (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-literal)))
 
 (define (shared-preferences-read . domains)
@@ -23 +35 @@
                 (allow file-read*
                        (literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-regex (string-append #"/Library/Preferences/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
+                       (home-library-preferences-literal (string-append "/" domain ".plist"))
+                       (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
             domains))
 
@@ -35 +47 @@
                 (allow file-read* file-write*
                        (literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-regex (string-append #"/Library/Preferences/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
+                       (home-library-preferences-literal (string-append "/" domain ".plist"))
+                       (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
             domains))
 
@@ -81 +93 @@
     "com.apple.universalaccess"
     "com.apple.WebFoundation"
+    "com.apple.WebKit.PluginProcess"
     "pbs"
     "com.apple.ServicesMenu.Services")
@@ -92 +105 @@
     (regex #"^/Library/Preferences/com\.apple\.security")
     (home-literal "/.CFUserTextEncoding")
-    (home-subpath "/Library/Audio")
-    (home-subpath "/Library/ColorPickers")
-    (home-subpath "/Library/ColorSync")
-    (home-subpath "/Library/Components")
+    (home-library-subpath "/Audio")
+    (home-library-subpath "/ColorPickers")
+    (home-library-subpath "/ColorSync")
+    (home-library-subpath "/Components")
     (subpath "/Library/Contextual Menu Items")
-    (home-subpath "/Library/Input Methods")
-    (home-subpath "/Library/KeyBindings")
-    (home-subpath "/Library/Keyboard Layouts")
+    (home-library-subpath "/Input Methods")
+    (home-library-subpath "/KeyBindings")
+    (home-library-subpath "/Keyboard Layouts")
     (subpath "/Library/Fonts")
-    (home-subpath "/Library/Fonts")
+    (home-library-subpath "/Fonts")
     (subpath "/Library/Spelling")
-    (home-subpath "/Library/Spelling")
+    (home-library-subpath "/Spelling")
     (subpath "/Library/PDF Services")
-    (home-subpath "/Library/PDF Services")
-    (home-literal "/Library/Preferences/QuickTime Preferences")
-
-    (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
+    (home-library-subpath "/PDF Services")
+    (home-library-preferences-literal "/QuickTime Preferences")
+
+    (home-library-literal "/Caches/com.apple.coreaudio.components.plist")
 
     (subpath "/Library/Audio/Plug-Ins/Components")
-    (home-subpath "/Library/Audio/Plug-Ins/Components")
+    (home-library-subpath "/Audio/Plug-Ins/Components")
     (subpath "/Library/Audio/Plug-Ins/HAL")
     (subpath "/Library/QuickTime")
-    (home-subpath "/Library/QuickTime")
+    (home-library-subpath "/QuickTime")
     (subpath "/Library/Video/Plug-Ins")
-    (home-subpath "/Library/Caches/QuickTime")
+    (home-library-subpath "/Caches/QuickTime")
 
     (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
 
-    (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+    (home-library-literal "/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
 
     (subpath "/Library/ColorSync")
@@ -130 +143 @@
 ;; Read-write preferences and data
 (allow file*
-    (home-regex #"/Library/Preferences/com\.apple\.WebKit\.PluginProcess\.plist")
-
     ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
-    (home-subpath "/Library/Keychains"))
+    (home-library-subpath "/Keychains"))
 
 ;; IOKit user clients
@@ -227 +238 @@
         (subpath "/private/etc/cups/ppd")
         (subpath "/private/var/run/cupsd")
-        (home-literal "/Library/Preferences/org.cups.PrintingPrefs.plist")))
+        (shared-preferences-read "org.cups.PrintingPrefs")))
 
 ;; Text Services Manager
@@ -247 +258 @@
 ;; Silently block access to some resources
 (deny file-read* file-write* (with no-log)
-    (home-regex #"/Library/Preferences/com\.apple\.internetconfigpriv\.plist")
-    (home-regex #"/Library/Preferences/com\.apple\.internetconfig\.plist")
+    (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")
 
     ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
-    (home-literal "/Library/Caches/Cache.db")
+    (home-library-literal "/Caches/Cache.db")
 
     ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
-    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
-    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
+    (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
+    (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))
 
 (deny mach-lookup (with no-log)

trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb

@@ -23 +23 @@
     (subpath "/Library/KerberosPlugins/GSSAPI")
     (literal "/Library/Preferences/edu.mit.Kerberos")
-    (home-literal "/Library/Preferences/edu.mit.Kerberos"))
+    (home-library-preferences-literal "/edu.mit.Kerberos"))
 
 (allow file-read*

trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb

@@ -6 +6 @@
 
 (deny file-read-xattr (with no-log)
-    (home-literal "/Library/Caches")
-    (home-literal "/Library/Preferences"))
+    (home-library-literal "/Caches")
+    (home-library-preferences-literal "/"))
 
 (allow file-read* file-write-create file-write-mode
-    (home-literal "/Library/Caches/Adobe")
-    (home-literal "/Library/Preferences/Macromedia"))
+    (home-library-literal "/Caches/Adobe")
+    (home-library-preferences-literal "/Macromedia"))
 
 (allow file-read* file-write*
     (literal "/Library/Application Support/Macromedia/mms.cfg")
-    (home-literal "/Library/Application Support/Macromedia/mms.cfg")
-    (home-subpath "/Library/Caches/Adobe/Flash Player")
-    (home-subpath "/Library/Preferences/Macromedia/Flash Player"))
+    (home-library-literal "/Application Support/Macromedia/mms.cfg")
+    (home-library-subpath "/Caches/Adobe/Flash Player")
+    (home-library-preferences-subpath "/Macromedia/Flash Player"))
 
 (allow file-read*
     (literal "/Library/PreferencePanes/Flash Player.prefPane")
-    (home-literal "/Library/PreferencePanes/Flash Player.prefPane")
-    (home-regex "/Library/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
+    (home-library-literal "/PreferencePanes/Flash Player.prefPane")
+    (home-library-regex "/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
 
 (allow file-read* file-write*

trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb

@@ -9 +9 @@
 
 (allow file-write-create
-    (home-literal "/Library/Application Support/Microsoft"))
+    (home-library-literal "/Application Support/Microsoft"))
 
 (allow file-read* file-write*
     ;; Sigh, mode 777 in /Library.
     (subpath "/Library/Application Support/Microsoft/PlayReady")
-    (home-subpath "/Library/Application Support/Microsoft/PlayReady")
-    (home-subpath "/Library/Application Support/Microsoft/Silverlight")
-    (home-subpath "/Library/Caches/TemporaryItems"))
+    (home-library-subpath "/Application Support/Microsoft/PlayReady")
+    (home-library-subpath "/Application Support/Microsoft/Silverlight")
+    (home-library-subpath "/Caches/TemporaryItems"))
 
 ;; FIXME: <rdar://problem/13636078>

trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb

@@ -20 +20 @@
 
 (allow file-read* file-write*
-    (home-subpath "/Library/Saved Application State/net.java.openjdk.cmd.savedState")
-    (home-subpath "/Library/Application Support/Oracle/Java/Deployment")
-    (home-subpath "/Library/Caches/Java"))
+    (home-library-subpath "/Saved Application State/net.java.openjdk.cmd.savedState")
+    (home-library-subpath "/Application Support/Oracle/Java/Deployment")
+    (home-library-subpath "/Caches/Java"))
 
 (allow file-write-create
-    (home-literal "/Library/Application Support/Oracle")
-    (home-literal "/Library/Application Support/Oracle/Java"))
+    (home-library-literal "/Application Support/Oracle")
+    (home-library-literal "/Application Support/Oracle/Java"))
 
 (allow network-bind network-outbound (subpath (param "DARWIN_USER_TEMP_DIR")))

trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm

@@ -140 +140 @@
     sandboxParameters.addPathParameter("HOME_DIR", pwd.pw_dir);
 
+    String path = String::fromUTF8(pwd.pw_dir);
+    path.append("/Library");
+
+    sandboxParameters.addPathParameter("HOME_LIBRARY_DIR", fileSystemRepresentation(path).data());
+
+    path.append("/Preferences");
+
+    sandboxParameters.addPathParameter("HOME_LIBRARY_PREFERENCES_DIR", fileSystemRepresentation(path).data());
+
     switch (sandboxParameters.mode()) {
     case SandboxInitializationParameters::UseDefaultSandboxProfilePath: