Changeset 240473 in webkit
- Timestamp:
- Jan 25, 2019 7:54:54 AM (5 years ago)
- Location:
- trunk/Source/WebKit
- Files:
-
- 10 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebKit/ChangeLog
r240466 r240473 1 2019-01-25 Patrick Griffis <pgriffis@igalia.com> 2 3 [GTK][WPE] Add API to add paths to sandbox 4 https://bugs.webkit.org/show_bug.cgi?id=193571 5 6 This allows applications to add paths to the web process 7 if required by web extensions. 8 9 Reviewed by Michael Catanzaro. 10 11 * UIProcess/API/glib/WebKitWebContext.cpp: 12 (webkit_web_context_add_path_to_sandbox): 13 * UIProcess/API/gtk/WebKitWebContext.h: 14 * UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt: 15 * UIProcess/API/wpe/docs/wpe-0.1-sections.txt: 16 * UIProcess/Launcher/glib/BubblewrapLauncher.cpp: 17 (WebKit::bubblewrapSpawn): 18 * UIProcess/WebProcessPool.h: 19 * UIProcess/glib/WebProcessProxyGLib.cpp: 20 (WebKit::WebProcessProxy::platformGetLaunchOptions): 21 1 22 2019-01-24 Ryosuke Niwa <rniwa@webkit.org> 2 23 -
trunk/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
r240437 r240473 1160 1160 * This is only implemented on Linux and is a no-op otherwise. 1161 1161 * 1162 * The web process is granted read-only access to the subdirectory matching g_get_prgname()1163 * in `$XDG_CONFIG_HOME`, `$XDG_CACHE_HOME`, and `$XDG_DATA_HOME` if it exists before the1164 * process is created. This behavior may change in the future.1165 *1166 1162 * Since: 2.24 1167 1163 */ … … 1174 1170 1175 1171 context->priv->processPool->setSandboxEnabled(enabled); 1172 } 1173 1174 /** 1175 * webkit_web_context_add_path_to_sandbox: 1176 * @context: a #WebKitWebContext 1177 * @path: (type filename): an absolute path to mount in the sandbox 1178 * @read_only: if %TRUE the path will be read-only 1179 * 1180 * Adds a path to be mounted in the sandbox. @path must exist before any web process 1181 * has been created otherwise it will be silently ignored. It is a fatal error to 1182 * add paths after a web process has been spawned. 1183 * 1184 * See also webkit_web_context_set_sandbox_enabled() 1185 * 1186 * Since: 2.24 1187 */ 1188 void webkit_web_context_add_path_to_sandbox(WebKitWebContext* context, const char* path, gboolean readOnly) 1189 { 1190 g_return_if_fail(WEBKIT_IS_WEB_CONTEXT(context)); 1191 g_return_if_fail(g_path_is_absolute(path)); 1192 1193 if (context->priv->processPool->processes().size()) 1194 g_error("Sandbox paths cannot be changed after subprocesses were spawned."); 1195 1196 auto permission = readOnly ? SandboxPermission::ReadOnly : SandboxPermission::ReadWrite; 1197 context->priv->processPool->addSandboxPath(path, permission); 1176 1198 } 1177 1199 -
trunk/Source/WebKit/UIProcess/API/gtk/WebKitWebContext.h
r237107 r240473 255 255 webkit_web_context_get_sandbox_enabled (WebKitWebContext *context); 256 256 257 WEBKIT_API void 258 webkit_web_context_add_path_to_sandbox (WebKitWebContext *context, 259 const char *path, 260 gboolean read_only); 261 257 262 WEBKIT_API gboolean 258 263 webkit_web_context_get_spell_checking_enabled (WebKitWebContext *context); -
trunk/Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt
r239278 r240473 54 54 webkit_web_context_get_sandbox_enabled 55 55 webkit_web_context_set_sandbox_enabled 56 webkit_web_context_add_path_to_sandbox 56 57 webkit_web_context_get_spell_checking_enabled 57 58 webkit_web_context_set_spell_checking_enabled -
trunk/Source/WebKit/UIProcess/API/wpe/WebKitWebContext.h
r238853 r240473 255 255 webkit_web_context_get_sandbox_enabled (WebKitWebContext *context); 256 256 257 WEBKIT_API void 258 webkit_web_context_add_path_to_sandbox (WebKitWebContext *context, 259 const char *path, 260 gboolean read_only); 261 257 262 WEBKIT_API gboolean 258 263 webkit_web_context_get_spell_checking_enabled (WebKitWebContext *context); -
trunk/Source/WebKit/UIProcess/API/wpe/docs/wpe-0.1-sections.txt
r239278 r240473 32 32 webkit_web_context_get_sandbox_enabled 33 33 webkit_web_context_set_sandbox_enabled 34 webkit_web_context_add_path_to_sandbox 34 35 webkit_web_context_get_spell_checking_enabled 35 36 webkit_web_context_set_spell_checking_enabled -
trunk/Source/WebKit/UIProcess/Launcher/ProcessLauncher.h
r238388 r240473 42 42 namespace WebKit { 43 43 44 #if PLATFORM(GTK) || PLATFORM(WPE) 45 enum class SandboxPermission { 46 ReadOnly, 47 ReadWrite, 48 }; 49 #endif 50 44 51 class ProcessLauncher : public ThreadSafeRefCounted<ProcessLauncher>, public CanMakeWeakPtr<ProcessLauncher> { 45 52 public: … … 69 76 CString customWebContentServiceBundleIdentifier; 70 77 71 #if ENABLE(DEVELOPER_MODE) && (PLATFORM(GTK) || PLATFORM(WPE)) 78 #if PLATFORM(GTK) || PLATFORM(WPE) 79 HashMap<CString, SandboxPermission> extraWebProcessSandboxPaths; 80 #if ENABLE(DEVELOPER_MODE) 72 81 String processCmdPrefix; 82 #endif 73 83 #endif 74 84 }; -
trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
r240437 r240473 760 760 bindX11(sandboxArgs); 761 761 762 // NOTE: This is not a great solution but we just assume that applications create this directory 763 // ahead of time if they require it. 764 GUniquePtr<char> configDir(g_build_filename(g_get_user_config_dir(), g_get_prgname(), nullptr)); 765 GUniquePtr<char> cacheDir(g_build_filename(g_get_user_cache_dir(), g_get_prgname(), nullptr)); 766 GUniquePtr<char> dataDir(g_build_filename(g_get_user_data_dir(), g_get_prgname(), nullptr)); 767 768 sandboxArgs.appendVector(Vector<CString>({ 769 "--ro-bind-try", cacheDir.get(), cacheDir.get(), 770 "--ro-bind-try", configDir.get(), configDir.get(), 771 "--ro-bind-try", dataDir.get(), dataDir.get(), 772 })); 762 for (const auto& pathAndPermission : launchOptions.extraWebProcessSandboxPaths) { 763 sandboxArgs.appendVector(Vector<CString>({ 764 pathAndPermission.value == SandboxPermission::ReadOnly ? "--ro-bind-try": "--bind-try", 765 pathAndPermission.key, pathAndPermission.key 766 })); 767 } 773 768 774 769 Vector<String> extraPaths = { "applicationCacheDirectory", "waylandSocket"}; -
trunk/Source/WebKit/UIProcess/WebProcessPool.h
r240443 r240473 470 470 #if PLATFORM(GTK) || PLATFORM(WPE) 471 471 void setSandboxEnabled(bool enabled) { m_sandboxEnabled = enabled; }; 472 void addSandboxPath(const CString& path, SandboxPermission permission) { m_extraSandboxPaths.add(path, permission); }; 473 const HashMap<CString, SandboxPermission>& sandboxPaths() const { return m_extraSandboxPaths; }; 472 474 bool sandboxEnabled() const { return m_sandboxEnabled; }; 473 475 #endif … … 729 731 #if PLATFORM(GTK) || PLATFORM(WPE) 730 732 bool m_sandboxEnabled { false }; 733 HashMap<CString, SandboxPermission> m_extraSandboxPaths; 731 734 #endif 732 735 }; -
trunk/Source/WebKit/UIProcess/glib/WebProcessProxyGLib.cpp
r240437 r240473 45 45 launchOptions.extraInitializationData.set("applicationCacheDirectory", websiteDataStore().resolvedApplicationCacheDirectory()); 46 46 47 launchOptions.extraWebProcessSandboxPaths = m_processPool->sandboxPaths(); 48 47 49 #if PLATFORM(WAYLAND) && USE(EGL) 48 50 if (PlatformDisplay::sharedDisplay().type() == PlatformDisplay::Type::Wayland) {
Note: See TracChangeset
for help on using the changeset viewer.