Changeset 242709 in webkit

Timestamp:

Mar 11, 2019 9:47:21 AM (5 years ago)

Author:

Michael Catanzaro

Message:

[WPE] Enable web process sandbox
​https://bugs.webkit.org/show_bug.cgi?id=195169

Reviewed by Daniel Bates.

.:

• Source/cmake/BubblewrapSandboxChecks.cmake: Added.
• Source/cmake/OptionsGTK.cmake:
• Source/cmake/OptionsWPE.cmake:

Source/WebKit:

• PlatformWPE.cmake:
• UIProcess/Launcher/glib/BubblewrapLauncher.cpp:

(WebKit::bubblewrapSpawn):

Tools:

• wpe/install-dependencies:
• wpe/jhbuild.modules:

Location:

trunk

Files:

• ChangeLog (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/PlatformWPE.cmake (modified) (3 diffs)
• Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (modified) (2 diffs)
• Source/cmake/BubblewrapSandboxChecks.cmake (added)
• Source/cmake/OptionsGTK.cmake (modified) (3 diffs)
• Source/cmake/OptionsWPE.cmake (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/wpe/install-dependencies (modified) (6 diffs)
• Tools/wpe/jhbuild.modules (modified) (2 diffs)

trunk/ChangeLog

@@ +1 @@
+2019-03-11  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [WPE] Enable web process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=195169
+
+        Reviewed by Daniel Bates.
+
+        * Source/cmake/BubblewrapSandboxChecks.cmake: Added.
+        * Source/cmake/OptionsGTK.cmake:
+        * Source/cmake/OptionsWPE.cmake:
+
 2019-03-07  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-03-11  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [WPE] Enable web process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=195169
+
+        Reviewed by Daniel Bates.
+
+        * PlatformWPE.cmake:
+        * UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
+        (WebKit::bubblewrapSpawn):
+
 2019-03-11  Truitt Savell  <tsavell@apple.com>
 

trunk/Source/WebKit/PlatformWPE.cmake

@@ -17 +17 @@
 add_definitions(-DWEBKIT2_COMPILATION)
 
+add_definitions(-DLIBDIR="${LIB_INSTALL_DIR}")
 add_definitions(-DPKGLIBDIR="${LIB_INSTALL_DIR}/wpe-webkit-${WPE_API_VERSION}")
 add_definitions(-DPKGLIBEXECDIR="${LIBEXEC_INSTALL_DIR}")
@@ -280 +281 @@
     ${GSTREAMER_INCLUDE_DIRS}
     ${HARFBUZZ_INCLUDE_DIRS}
+    ${LIBSECCOMP_INCLUDE_DIRS}
     ${LIBSOUP_INCLUDE_DIRS}
     ${WPE_INCLUDE_DIRS}
@@ -292 +294 @@
         ${GSTREAMER_LIBRARIES}
         ${HARFBUZZ_LIBRARIES}
+        ${LIBSECCOMP_LIBRARIES}
         ${LIBSOUP_LIBRARIES}
         ${WPE_LIBRARIES}

trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

@@ -669 +669 @@
     ASSERT(launcher);
 
+#if ENABLE(NETSCAPE_PLUGIN_API)
     // It is impossible to know what access arbitrary plugins need and since it is for legacy
     // reasons lets just leave it unsandboxed.
@@ -674 +675 @@
         || launchOptions.processType == ProcessLauncher::ProcessType::Plugin32)
         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
+#endif
 
     // For now we are just considering the network process trusted as it

trunk/Source/cmake/OptionsGTK.cmake

@@ -124 +124 @@
     WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC ON)
 else ()
-    WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PRIVATE OFF)
+    WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC OFF)
 endif ()
 
@@ -214 +214 @@
         message(FATAL_ERROR "CairoGL is needed for ENABLE_ACCELERATED_2D_CANVAS")
     endif ()
-endif ()
-
-if (ENABLE_BUBBLEWRAP_SANDBOX)
-    find_program(BWRAP_EXECUTABLE bwrap)
-    if (NOT BWRAP_EXECUTABLE)
-        message(FATAL_ERROR "bwrap executable is needed for ENABLE_BUBBLEWRAP_SANDBOX")
-    endif ()
-    add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}")
-
-    execute_process(
-        COMMAND "${BWRAP_EXECUTABLE}" --version
-        RESULT_VARIABLE BWRAP_RET
-        OUTPUT_VARIABLE BWRAP_OUTPUT
-    )
-    if (BWRAP_RET)
-        message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}")
-    endif ()
-    string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" BWRAP_VERSION "${BWRAP_OUTPUT}")
-    if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1")
-        message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found")
-    endif ()
-
-    find_package(Libseccomp)
-    if (NOT LIBSECCOMP_FOUND)
-        message(FATAL_ERROR "libseccomp is needed for ENABLE_BUBBLEWRAP_SANDBOX")
-    endif ()
-
-    find_program(DBUS_PROXY_EXECUTABLE xdg-dbus-proxy)
-    if (NOT DBUS_PROXY_EXECUTABLE)
-        message(FATAL_ERROR "xdg-dbus-proxy not found and is needed for ENABLE_BUBBLEWRAP_SANDBOX")
-    endif ()
-    add_definitions(-DDBUS_PROXY_EXECUTABLE="${DBUS_PROXY_EXECUTABLE}")
 endif ()
 
@@ -471 +439 @@
 endmacro()
 
+include(BubblewrapSandboxChecks)
 include(GStreamerChecks)

trunk/Source/cmake/OptionsWPE.cmake

@@ -85 +85 @@
     WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_API_TESTS PRIVATE ON)
     WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_MINIBROWSER PUBLIC ON)
+endif ()
+
+if (CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT EXISTS "/.flatpak-info")
+    WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC ON)
+else ()
+    WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC OFF)
 endif ()
 
@@ -184 +190 @@
 set(WPEWebExtension_PKGCONFIG_FILE ${CMAKE_BINARY_DIR}/wpe-web-extension-${WPE_API_VERSION}.pc)
 
+include(BubblewrapSandboxChecks)
 include(GStreamerChecks)

trunk/Tools/ChangeLog

@@ +1 @@
+2019-03-11  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [WPE] Enable web process sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=195169
+
+        Reviewed by Daniel Bates.
+
+        * wpe/install-dependencies:
+        * wpe/jhbuild.modules:
+
 2019-03-11  Aakash Jain  <aakash_jain@apple.com>
 

trunk/Tools/wpe/install-dependencies

@@ -59 +59 @@
         autopoint \
         autotools-dev \
+        bubblewrap \
         cmake \
         g++ \
@@ -78 +79 @@
         libfile-copy-recursive-perl \
         $(aptIfElse libpng-dev libpng12-dev) \
+        libseccomp-dev \
         libsqlite3-dev \
         libtasn1-6-dev \
@@ -149 +151 @@
         autoconf \
         automake \
+        bubblewrap \
         cmake \
         file \
@@ -169 +172 @@
         libjpeg-turbo \
         libpng \
+        libseccomp \
         libtasn1 \
         libtool \
@@ -248 +252 @@
         automake \
         alsa-lib-devel \
+        bubblewrap \
         cmake \
         gcc-c++ \
@@ -262 +267 @@
         libjpeg-turbo-devel \
         libpng-devel \
+        libseccomp-devel \
         libtasn1-devel \
         libtool \

trunk/Tools/wpe/jhbuild.modules

@@ -27 +27 @@
       <dep package="wayland-protocols"/>
       <dep package="openjpeg"/>
+      <dep package="xdg-dbus-proxy"/>
     </dependencies>
   </metamodule>
@@ -266 +267 @@
   </distutils>
 
+  <autotools id="xdg-dbus-proxy" autogen-sh="configure">
+    <branch repo="github-tarball"
+            version="0.1.0"
+            module="flatpak/xdg-dbus-proxy/releases/download/${version}/xdg-dbus-proxy-${version}.tar.xz"
+            checkoutdir="xdg-dbus-proxy-${version}"
+            hash="sha256:9eefd30fe66940c8daf0e8ce6479307694814edb8b636caeb5aa6d6a46a4bc14"/>
+    <dependencies>
+      <dep package="glib"/>
+    </dependencies>
+  </autotools>
+
 </moduleset>