[GTK] Add seccomp filters support
authormcatanzaro@igalia.com <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 19 Jul 2015 16:32:58 +0000 (16:32 +0000)
committermcatanzaro@igalia.com <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 19 Jul 2015 16:32:58 +0000 (16:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=110014

Reviewed by Žan Doberšek.

.:

Find needed compiler and linker flags for libseccomp.

* Source/cmake/OptionsGTK.cmake:

Source/WebKit2:

Allow building with ENABLE_SECCOMP_FILTERS=ON. Based on work by Thiago Marcos P. Santos.

* PlatformGTK.cmake: Support ENABLE_SECCOMP_FILTERS build option.
* WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp: Added.
(WebKit::SeccompFiltersWebProcessGtk::SeccompFiltersWebProcessGtk):
(WebKit::SeccompFiltersWebProcessGtk::platformInitialize):
* WebProcess/gtk/SeccompFiltersWebProcessGtk.h: Added.
* WebProcess/soup/WebProcessSoup.cpp:
(WebKit::WebProcess::platformInitializeWebProcess): Initialize default
GTK+ web process seccomp filters.

Tools:

Add libseccomp to jhbuild modulesets.

* gtk/jhbuild.modules:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@187011 268f45cc-cd09-0410-ab3c-d52691b4dbfc

ChangeLog
Source/WebKit2/ChangeLog
Source/WebKit2/PlatformGTK.cmake
Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp [new file with mode: 0644]
Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.h [new file with mode: 0644]
Source/WebKit2/WebProcess/soup/WebProcessSoup.cpp
Source/cmake/OptionsGTK.cmake
Tools/ChangeLog
Tools/gtk/jhbuild.modules

index ac36a1b..b14f0c2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2015-07-19  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [GTK] Add seccomp filters support
+        https://bugs.webkit.org/show_bug.cgi?id=110014
+
+        Reviewed by Žan Doberšek.
+
+        Find needed compiler and linker flags for libseccomp.
+
+        * Source/cmake/OptionsGTK.cmake:
+
 2015-07-17  Ting-Wei Lan  <lantw44@gmail.com>
 
         Bring back the GNU ar check to create thin archives on non-Linux systems
index 483edbd..84f102a 100644 (file)
@@ -1,3 +1,21 @@
+2015-07-19  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [GTK] Add seccomp filters support
+        https://bugs.webkit.org/show_bug.cgi?id=110014
+
+        Reviewed by Žan Doberšek.
+
+        Allow building with ENABLE_SECCOMP_FILTERS=ON. Based on work by Thiago Marcos P. Santos.
+
+        * PlatformGTK.cmake: Support ENABLE_SECCOMP_FILTERS build option.
+        * WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp: Added.
+        (WebKit::SeccompFiltersWebProcessGtk::SeccompFiltersWebProcessGtk):
+        (WebKit::SeccompFiltersWebProcessGtk::platformInitialize):
+        * WebProcess/gtk/SeccompFiltersWebProcessGtk.h: Added.
+        * WebProcess/soup/WebProcessSoup.cpp:
+        (WebKit::WebProcess::platformInitializeWebProcess): Initialize default
+        GTK+ web process seccomp filters.
+
 2015-07-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
 
         Reduce PassRefPtr in WebKit2 - 3
index 73c374f..0ee8094 100644 (file)
@@ -15,9 +15,12 @@ configure_file(webkit2gtk-web-extension.pc.in ${WebKit2WebExtension_PKGCONFIG_FI
 
 add_definitions(-DBUILDING_WEBKIT)
 add_definitions(-DWEBKIT2_COMPILATION)
+
+add_definitions(-DLIBEXECDIR="${CMAKE_INSTALL_FULL_LIBEXECDIR}")
 add_definitions(-DPKGLIBEXECDIR="${LIBEXEC_INSTALL_DIR}")
 add_definitions(-DLOCALEDIR="${CMAKE_INSTALL_FULL_LOCALEDIR}")
 add_definitions(-DLIBDIR="${LIB_INSTALL_DIR}")
+add_definitions(-DDATADIR="${CMAKE_INSTALL_FULL_DATADIR}")
 
 set(WebKit2_USE_PREFIX_HEADER ON)
 
@@ -340,6 +343,8 @@ list(APPEND WebKit2_SOURCES
     WebProcess/WebPage/gtk/WebPageGtk.cpp
     WebProcess/WebPage/gtk/WebPrintOperationGtk.cpp
 
+    WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp
+    WebProcess/gtk/SeccompFiltersWebProcessGtk.h
     WebProcess/gtk/WebGtkExtensionManager.cpp
     WebProcess/gtk/WebGtkInjectedBundleMain.cpp
     WebProcess/gtk/WebProcessMainGtk.cpp
@@ -474,6 +479,8 @@ list(APPEND WebKit2_INCLUDE_DIRECTORIES
     "${WEBKIT2_DIR}/Shared/Downloads/soup"
     "${WEBKIT2_DIR}/Shared/Plugins/unix"
     "${WEBKIT2_DIR}/Shared/gtk"
+    "${WEBKIT2_DIR}/Shared/linux"
+    "${WEBKIT2_DIR}/Shared/linux/SeccompFilters"
     "${WEBKIT2_DIR}/Shared/soup"
     "${WEBKIT2_DIR}/Shared/unix"
     "${WEBKIT2_DIR}/UIProcess/API/C/cairo"
@@ -558,6 +565,21 @@ list(APPEND WebKit2_LIBRARIES
 )
 endif ()
 
+if (ENABLE_SECCOMP_FILTERS)
+    list(APPEND WebKit2_LIBRARIES
+        ${LIBSECCOMP_LIBRARIES}
+    )
+    list(APPEND WebKit2_INCLUDE_DIRECTORIES
+        ${LIBSECCOMP_INCLUDE_DIRS}
+    )
+
+    # If building with WebKit jhbuild (not GNOME jhbuild), add the root build
+    # directory to the filesystem access policy.
+    if (DEVELOPER_MODE AND IS_DIRECTORY ${CMAKE_SOURCE_DIR}/WebKitBuild/DependenciesGTK)
+        add_definitions(-DSOURCE_DIR=\"${CMAKE_SOURCE_DIR}\")
+    endif ()
+endif ()
+
 ADD_WHOLE_ARCHIVE_TO_LIBRARIES(WebKit2_LIBRARIES)
 
 set(WebKit2_MARSHAL_LIST ${WEBKIT2_DIR}/UIProcess/API/gtk/webkit2marshal.list)
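Review bot: The comment in the new ENABLE_SECCOMP_FILTERS block says it adds "the root build directory" to the filesystem access policy, but the definition it emits is `-DSOURCE_DIR=\"${CMAKE_SOURCE_DIR}\"`, i.e. the whole checkout rather than WebKitBuild/DependenciesGTK; if the consumer in Shared/linux/SeccompFilters (not in this diff) grants that path as a directory permission, a developer build of the sandboxed web process gets access to the entire source tree, which is wider than the comment promises. Either narrow the define or make the comment honest, e.g. `# Developer builds only: grant the web process access to the whole source checkout so the jhbuild dependency tree under WebKitBuild/DependenciesGTK is reachable.` The IS_DIRECTORY test also expands the path unquoted, so a checkout path containing spaces breaks the condition; `if (DEVELOPER_MODE AND IS_DIRECTORY "${CMAKE_SOURCE_DIR}/WebKitBuild/DependenciesGTK")` is the safe form. Note that this is gated on DEVELOPER_MODE, so release builds are not affected as far as this hunk shows.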
diff --git a/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp b/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp
new file mode 100644 (file)
index 0000000..3f986f8
--- /dev/null
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2013 Intel Corporation. All rights reserved.
+ * Copyright (C) 2015 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "SeccompFiltersWebProcessGtk.h"
+
+#if ENABLE(SECCOMP_FILTERS)
+
+#include "SeccompBroker.h"
+#include "WebProcessCreationParameters.h"
+#include <glib.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+namespace WebKit {
+
+SeccompFiltersWebProcessGtk::SeccompFiltersWebProcessGtk(const WebProcessCreationParameters& parameters)
+    : SeccompFilters(Allow)
+{
+    m_policy.addDefaultWebProcessPolicy(parameters);
+}
+
+void SeccompFiltersWebProcessGtk::platformInitialize()
+{
+    // TODO: We should block all the syscalls and whitelist
+    // what we need + trap what should be handled by the broker.
+    addRule("open", Trap);
+    addRule("openat", Trap);
+    addRule("creat", Trap);
+
+#if USE(GSTREAMER)
+    m_policy.addDirectoryPermission(String::fromUTF8(g_get_user_cache_dir()) + "/gstreamer-1.0", SyscallPolicy::ReadAndWrite);
+    m_policy.addDirectoryPermission(String::fromUTF8(g_get_user_data_dir()) + "/gstreamer-1.0", SyscallPolicy::ReadAndWrite);
+    m_policy.addDirectoryPermission(String::fromUTF8(LIBEXECDIR) + "/gstreamer-1.0", SyscallPolicy::Read);
+#endif
+
+    m_policy.addDirectoryPermission(String::fromUTF8(g_get_user_data_dir()) + "/gvfs-metadata", SyscallPolicy::ReadAndWrite);
+
+    // For libXau
+    m_policy.addDirectoryPermission(ASCIILiteral("/run/gdm"), SyscallPolicy::Read);
+
+    SeccompBroker::launchProcess(this, m_policy);
+}
+
+} // namespace WebKit
+
+#endif // ENABLE(SECCOMP_FILTERS)
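Review bot: The filter built in platformInitialize is default-Allow (the constructor passes `Allow` to SeccompFilters) and traps only open, openat and creat, so the directory permissions registered on m_policy are enforced for those three entry points only; a compromised web process can still touch the filesystem through untrapped syscalls such as execve, unlink, rename, mkdir, symlink, truncate or chmod, and can read metadata via stat, access or readlink, none of which reach the broker. The TODO acknowledges the inverted design but does not say what that means for the policy, so a reader of the gstreamer and gvfs-metadata rules would assume they are a real boundary; I would state the limitation next to the rules, e.g. `// NOTE: default-Allow filter — only open/openat/creat are brokered, so m_policy does not constrain execve, unlink, rename, mkdir, symlink, truncate, chmod or stat-family calls.` Trapping more syscalls here presumably requires matching handlers in SeccompBroker (Shared/linux/SeccompFilters, not part of this diff), which should be confirmed before extending the rule list. The `/run/gdm` grant is also unexplained beyond "For libXau"; a short note that it is read-only access to the display manager's Xauthority directory would help the next reviewer.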
diff --git a/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.h b/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.h
new file mode 100644 (file)
index 0000000..34391f7
--- /dev/null
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2013 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SeccompFiltersWebProcessGtk_h
+#define SeccompFiltersWebProcessGtk_h
+
+#if ENABLE(SECCOMP_FILTERS)
+
+#include "SeccompFilters.h"
+#include "SyscallPolicy.h"
+
+namespace WebKit {
+
+class WebProcessCreationParameters;
+
+class SeccompFiltersWebProcessGtk : public SeccompFilters {
+public:
+    SeccompFiltersWebProcessGtk(const WebProcessCreationParameters&);
+
+private:
+    void platformInitialize() override;
+
+    SyscallPolicy m_policy;
+};
+
+} // namespace WebKit
+
+#endif // ENABLE(SECCOMP_FILTERS)
+
+#endif // SeccompFiltersWebProcessGtk_h
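Review bot: The class declaration has no comment describing what this filter installs, which matters for a security boundary that other code will reason about. A one-line header above the class such as `// Seccomp filter for the GTK+ web process: default-allow, with open/openat/creat trapped and forwarded to the broker according to m_policy; see the .cpp for the directory grants.` would let readers of the header judge its coverage without opening the implementation. As a point of style, the .cpp in this commit carries a 2015 Igalia copyright line while this header keeps only the 2013 Intel one; the two files were added together and should probably match.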
index fe2a3c6..325be46 100644 (file)
@@ -29,6 +29,8 @@
 
 #if PLATFORM(EFL)
 #include "SeccompFiltersWebProcessEfl.h"
+#elif PLATFORM(GTK)
+#include "SeccompFiltersWebProcessGtk.h"
 #endif
 
 #include "CertificateInfo.h"
@@ -127,6 +129,8 @@ void WebProcess::platformInitializeWebProcess(WebProcessCreationParameters&& par
     {
 #if PLATFORM(EFL)
         SeccompFiltersWebProcessEfl seccompFilters(parameters);
+#elif PLATFORM(GTK)
+        SeccompFiltersWebProcessGtk seccompFilters(parameters);
 #endif
         seccompFilters.initialize();
     }
index 2eb13f4..9810ee7 100644 (file)
@@ -338,6 +338,13 @@ if (ENABLE_PLUGIN_PROCESS_GTK2)
     find_package(GDK2 2.24.10 REQUIRED)
 endif ()
 
+if (ENABLE_SECCOMP_FILTERS)
+    find_package(LibSeccomp)
+    if (NOT PC_LIBSECCOMP_FOUND)
+        message(FATAL_ERROR "libseccomp is required for ENABLE_SECCOMP_FILTERS")
+    endif ()
+endif ()
+
 if (ENABLE_SPELLCHECK)
     find_package(Enchant)
     if (NOT PC_ENCHANT_FOUND)
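Review bot: The new libseccomp check asserts no minimum version, while the jhbuild moduleset in this same commit pins v2.2.3 and the GDK2 line a few lines above shows the file's convention of `find_package(GDK2 2.24.10 REQUIRED)`; if the filter code relies on libseccomp API from a particular release, `find_package(LibSeccomp 2.2.3)` would fail early on an older system library instead of at compile or link time. Whether FindLibSeccomp.cmake honours a version argument is not visible here, so that should be checked before adding it. The explicit `PC_LIBSECCOMP_FOUND` test followed by `message(FATAL_ERROR ...)` mirrors the Enchant block below, so the structure itself is consistent with the file.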
index 9b23184..673f8d1 100644 (file)
@@ -1,3 +1,14 @@
+2015-07-19  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        [GTK] Add seccomp filters support
+        https://bugs.webkit.org/show_bug.cgi?id=110014
+
+        Reviewed by Žan Doberšek.
+
+        Add libseccomp to jhbuild modulesets.
+
+        * gtk/jhbuild.modules:
+
 2015-07-18  Simon Fraser  <simon.fraser@apple.com>
 
         MiniBrowser window title is just "Window" when page has no <title>
index 5a65d0b..5bf05dd 100644 (file)
@@ -32,6 +32,7 @@
       <dep package="xserver"/>
       <dep package="mesa"/>
       <dep package="openwebrtc"/>
+      <dep package="libseccomp"/>
     </dependencies>
   </metamodule>
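Review bot: The libseccomp module that this dependency line pulls in is fetched from GitHub by the mutable git tag `v2.2.3` with no commit hash or checksum, whereas neighbouring tarball modules in this file carry an `md5sum` attribute; for the library that implements the sandbox's syscall filter that is a weaker supply-chain pin than the rest of the moduleset. If the jhbuild `<branch>` element for git repos supports a `revision` attribute, pinning the tag's commit there would make the checkout reproducible; otherwise consider switching to the release tarball with a checksum like the other modules.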
 
              md5sum="f5898b29bbfd70502831a212d9249d10"/>
   </autotools>
 
+  <autotools id="libseccomp" autogen-sh="./autogen.sh; ./configure">
+    <branch repo="github.com" module="seccomp/libseccomp.git" tag="v2.2.3"/>
+  </autotools>
+
   <autotools id="gdk-pixbuf" autogen-sh="configure"
              autogenargs="--disable-introspection">
     <dependencies>