Changeset 170733 in webkit
- Timestamp:
- Jul 2, 2014 3:54:32 PM (10 years ago)
- Location:
- trunk/Source/WebKit2
- Files:
-
- 10 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebKit2/ChangeLog
r170732 r170733 1 2014-06-28 Oliver Hunt <oliver@apple.com> 2 3 Restrict network process sandbox 4 https://bugs.webkit.org/show_bug.cgi?id=134360 5 6 Reviewed by Sam Weinig. 7 8 Add more restrictions to the network process sandbox. 9 10 * NetworkProcess/cocoa/NetworkProcessCocoa.mm: 11 (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa): 12 Always use the cache directory provided in the initialization parameters, 13 and make sure we consume the cookie directory extension. 14 * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: 15 Make the sandbox profile much more restrictive. 16 * Shared/Network/NetworkProcessCreationParameters.cpp: 17 (WebKit::NetworkProcessCreationParameters::encode): 18 (WebKit::NetworkProcessCreationParameters::decode): 19 * Shared/Network/NetworkProcessCreationParameters.h: 20 The network process now requires an extension to access 21 its cookie storage. 22 * Shared/mac/SandboxUtilities.cpp: 23 (WebKit::pathForProcessContainer): 24 * Shared/mac/SandboxUtilities.h: 25 We need to be able to get hold of our container so 26 that we can get the correct cookie storage directory. 27 * UIProcess/WebContext.cpp: 28 (WebKit::WebContext::ensureNetworkProcess): 29 We have to pass in the an extension for the cookie storage directory when 30 initalising the network process 31 * UIProcess/mac/WebContextMac.mm: 32 (WebKit::WebContext::platformDefaultCookieStorageDirectory): 33 Make sure we provide the correct location on IOS 34 * WebProcess/cocoa/WebProcessCocoa.mm: 35 (WebKit::WebProcess::platformInitializeWebProcess): 36 Consume the cookie storage extension 37 1 38 2014-07-02 Csaba Osztrogonác <ossy@webkit.org> 2 39 -
trunk/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm
r170686 r170733 61 61 void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters& parameters) 62 62 { 63 SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle); 64 m_diskCacheDirectory = parameters.diskCacheDirectory; 65 66 if (!m_diskCacheDirectory.isNull()) { 67 SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle); 63 68 #if PLATFORM(IOS) 64 if (!parameters.uiProcessBundleIdentifier.isNull()) {65 69 [NSURLCache setSharedURLCache:adoptNS([[NSURLCache alloc] 66 70 _initWithMemoryCapacity:parameters.nsURLCacheMemoryCapacity 67 71 diskCapacity:parameters.nsURLCacheDiskCapacity 68 72 relativePath:parameters.uiProcessBundleIdentifier]).get()]; 69 }70 73 #else 71 m_diskCacheDirectory = parameters.diskCacheDirectory;72 73 if (!m_diskCacheDirectory.isNull()) {74 SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle);75 74 [NSURLCache setSharedURLCache:adoptNS([[NSURLCache alloc] 76 75 initWithMemoryCapacity:parameters.nsURLCacheMemoryCapacity 77 76 diskCapacity:parameters.nsURLCacheDiskCapacity 78 77 diskPath:parameters.diskCacheDirectory]).get()]; 78 #endif 79 79 } 80 #endif81 80 82 81 #if PLATFORM(IOS) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090 -
trunk/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
r170686 r170733 23 23 24 24 (version 1) 25 (allow default) 25 (deny default (with partial-symbolication)) 26 (allow system-audit file-read-metadata) 26 27 27 28 (import "common.sb") 28 29 (import "removed-dev-nodes.sb") 30 31 ;; Access CFNetwork shared cookies 32 ;; This is too generous -- <rdar://problem/17496756> 33 (apple-cookie-access 'with-read-write) 34 35 ;; Sandbox extensions 36 (allow file-read* (container-subpath "Library/") 37 (extension "com.apple.webkit.read")) 38 39 ;; Access to client's cache folder & re-vending to CFNetwork. 40 (allow file-read* file-write* (require-all (container-subpath "Library/") 41 (extension "com.apple.nsurlstorage.extension-cache"))) 42 (allow file-issue-extension (require-all ((container-subpath "Library/") 43 (extension-class "com.apple.nsurlstorage.extension-cache"))) 44 45 ;; App sandbox extensions 46 (allow file-read* file-write* (require-all (container-subpath "Library/") 47 (extension "com.apple.app-sandbox.read-write"))) 48 49 ;; Access to own cache & temp folders. 50 (allow file-read* file-write* (require-all (container-subpath "") 51 (extension "com.apple.webkit.read-write"))) 52 53 ;; IOKit user clients 54 (allow iokit-open 55 (iokit-user-client-class "RootDomainUserClient")) 56 57 ;; Various services required by CFNetwork and other frameworks 58 (allow mach-lookup 59 (global-name "com.apple.PowerManagement.control")) 60 61 (network-client) 62 63 ;; Security framework 64 (allow mach-lookup 65 (global-name "com.apple.ocspd") 66 (global-name "com.apple.securityd")) 67 68 (deny file-write-create 69 (vnode-type SYMLINK)) -
trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp
r170686 r170733 43 43 encoder << diskCacheDirectory; 44 44 encoder << diskCacheDirectoryExtensionHandle; 45 encoder << cookieStorageDirectory; 46 encoder << cookieStorageDirectoryExtensionHandle; 45 47 encoder << shouldUseTestingNetworkSession; 46 48 #if ENABLE(CUSTOM_PROTOCOLS) … … 73 75 return false; 74 76 if (!decoder.decode(result.diskCacheDirectoryExtensionHandle)) 77 return false; 78 if (!decoder.decode(result.cookieStorageDirectory)) 79 return false; 80 if (!decoder.decode(result.cookieStorageDirectoryExtensionHandle)) 75 81 return false; 76 82 if (!decoder.decode(result.shouldUseTestingNetworkSession)) -
trunk/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h
r170686 r170733 57 57 SandboxExtension::Handle diskCacheDirectoryExtensionHandle; 58 58 59 String cookieStorageDirectory; 60 SandboxExtension::Handle cookieStorageDirectoryExtensionHandle; 61 59 62 bool shouldUseTestingNetworkSession; 60 63 -
trunk/Source/WebKit2/Shared/mac/SandboxUtilities.cpp
r170686 r170733 28 28 29 29 #include <array> 30 #include <wtf/text/WTFString.h> 30 31 31 32 #if __has_include(<sandbox/private.h>) … … 68 69 } 69 70 71 String pathForProcessContainer() 72 { 73 std::array<char, MAXPATHLEN> path; 74 path[0] = 0; 75 sandbox_container_path_for_pid(getpid(), path.data(), path.size()); 76 77 return String::fromUTF8(path.data()); 70 78 } 79 80 } -
trunk/Source/WebKit2/Shared/mac/SandboxUtilities.h
r170686 r170733 28 28 29 29 #include <sys/types.h> 30 #include <wtf/Forward.h> 30 31 31 32 namespace WebKit { … … 34 35 bool processHasContainer(); 35 36 37 // Returns an empty string if the process is not in a container. 38 String pathForProcessContainer(); 39 36 40 } 37 41 -
trunk/Source/WebKit2/UIProcess/WebContext.cpp
r170686 r170733 412 412 SandboxExtension::createHandleForReadWriteDirectory(parameters.diskCacheDirectory, parameters.diskCacheDirectoryExtensionHandle); 413 413 414 parameters.cookieStorageDirectory = cookieStorageDirectory(); 415 if (!parameters.cookieStorageDirectory.isEmpty()) 416 SandboxExtension::createHandleForReadWriteDirectory(parameters.cookieStorageDirectory, parameters.cookieStorageDirectoryExtensionHandle); 417 414 418 parameters.shouldUseTestingNetworkSession = m_shouldUseTestingNetworkSession; 415 419 -
trunk/Source/WebKit2/UIProcess/mac/WebContextMac.mm
r170686 r170733 28 28 29 29 #import "PluginProcessManager.h" 30 #import "SandboxUtilities.h" 30 31 #import "TextChecker.h" 31 32 #import "WKBrowsingContextControllerInternal.h" … … 270 271 String WebContext::platformDefaultCookieStorageDirectory() const 271 272 { 273 #if PLATFORM(IOS) 274 String path = pathForProcessContainer(); 275 if (path.isEmpty()) 276 path = NSHomeDirectory(); 277 278 path = path + "/Library/Cookies"; 279 return stringByResolvingSymlinksInPath(path); 280 #else 272 281 notImplemented(); 273 282 return [@"" stringByStandardizingPath]; 283 #endif 274 284 } 275 285 -
trunk/Source/WebKit2/WebProcess/cocoa/WebProcessCocoa.mm
r170686 r170733 168 168 SandboxExtension::consumePermanently(parameters.applicationCacheDirectoryExtensionHandle); 169 169 SandboxExtension::consumePermanently(parameters.diskCacheDirectoryExtensionHandle); 170 SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle); 170 171 #endif 171 172
Note: See TracChangeset
for help on using the changeset viewer.