[Mac][WK2] Stop using file* rules in WebProcess sandbox profiles
[WebKit-https.git] / Source / WebKit2 / PluginProcess / mac / com.apple.WebKit.plugin-common.sb.in
index 78c2faa..dd30e63 100644 (file)
         (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
     *uuid-pattern*)
 
+(define (allow-read-write-directory-and-issue-read-write-extensions path)
+    (if path
+        (begin
+            (allow file-read* file-write* (subpath path))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
+
 ;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
 ;; This parameter is the major OS Version number.
 (if (not (defined? 'os-version))
 ;; Configuration directories
 (allow file-read* (subpath (param "PLUGIN_PATH")))
 (allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
-(allow file* (subpath (param "DARWIN_USER_TEMP_DIR")))
-(allow file* (subpath (param "DARWIN_USER_CACHE_DIR")))
-(allow file* (subpath (param "NSURL_CACHE_DIR")))
+(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
+(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
+(if (positive? (string-length (param "NSURL_CACHE_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "NSURL_CACHE_DIR")))
 
 ;; Allow the OpenGL Profiler to attach.
 (if (defined? 'mach-register)