Restructure initial distinct sandbox profiles
authoroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 2 Jun 2014 17:22:33 +0000 (17:22 +0000)
committeroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 2 Jun 2014 17:22:33 +0000 (17:22 +0000)
https://bugs.webkit.org/show_bug.cgi?id=133415

Reviewed by Alexey Proskuryakov.

Add support for manually instantiating the network and
content process sandboxes, and add initial profiles.
These profiles are completely generic so we can make sure
nothing is broken by enabling them.

This also adds a target to the WebKit2 project to correctly
process the profiles.

* DatabaseProcess/ios/DatabaseProcessIOS.mm:
(WebKit::DatabaseProcess::initializeSandbox):
* DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb: Removed.
* NetworkProcess/ios/NetworkProcessIOS.mm:
(WebKit::NetworkProcess::initializeSandbox):
* Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb: Added.
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Added.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb: Added.
* WebKit2.xcodeproj/project.pbxproj:
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::initializeSandbox):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@169533 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/DatabaseProcess/ios/DatabaseProcessIOS.mm
Source/WebKit2/DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb [deleted file]
Source/WebKit2/NetworkProcess/ios/NetworkProcessIOS.mm
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb [new file with mode: 0644]
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb [new file with mode: 0644]
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb [new file with mode: 0644]
Source/WebKit2/WebKit2.xcodeproj/project.pbxproj
Source/WebKit2/WebKit2Prefix.h
Source/WebKit2/WebProcess/cocoa/WebProcessCocoa.mm

index 19ef4c3..dc0197f 100644 (file)
@@ -1,3 +1,30 @@
+2014-05-31  Oliver Hunt  <oliver@apple.com>
+
+        Restructure initial distinct sandbox profiles
+        https://bugs.webkit.org/show_bug.cgi?id=133415
+
+        Reviewed by Alexey Proskuryakov.
+
+        Add support for manually instantiating the network and
+        content process sandboxes, and add initial profiles.
+        These profiles are completely generic so we can make sure
+        nothing is broken by enabling them.
+
+        This also adds a target to the WebKit2 project to correctly
+        process the profiles.
+
+        * DatabaseProcess/ios/DatabaseProcessIOS.mm:
+        (WebKit::DatabaseProcess::initializeSandbox):
+        * DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb: Removed.
+        * NetworkProcess/ios/NetworkProcessIOS.mm:
+        (WebKit::NetworkProcess::initializeSandbox):
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb: Added.
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Added.
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb: Added.
+        * WebKit2.xcodeproj/project.pbxproj:
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::initializeSandbox):
+
 2014-06-01  Sam Weinig  <sam@webkit.org>
 
         [Cocoa] Add SPI to get a WebArchive of the WKWebView
index 56b786c..4e820b0 100644 (file)
@@ -52,9 +52,9 @@ void DatabaseProcess::initializeProcessName(const ChildProcessInitializationPara
 void DatabaseProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
 {
 #if ENABLE_MANUAL_DATABASE_SANDBOXING
-    // Need to overide the default, because service has a different bundle ID.
+    // Need to override the default, because service has a different bundle ID.
     NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
-    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.DatabasesIOS" ofType:@"sb"]);
+    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.Databases" ofType:@"sb"]);
     ChildProcess::initializeSandbox(parameters, sandboxParameters);
 #endif
 }
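Review bot: The path returned by `pathForResource:ofType:` is handed to `setOverrideSandboxProfilePath` without a nil check, and the same pattern appears in NetworkProcess::initializeSandbox and WebProcess::initializeSandbox in this commit. The project-file changes on this page copy the new profiles to `/usr/local/share/sandbox/embedded/profiles/builtin` and drop the old DatabasesIOS.sb file reference, so it is worth confirming that `com.apple.WebKit.Databases.sb` still ends up among the WebKit2 bundle's resources; if it does not, the lookup yields nil. How `ChildProcess::initializeSandbox` reacts to a nil override is not visible here, so I would make the failure explicit: `NSString *profilePath = [webkit2Bundle pathForResource:@"com.apple.WebKit.Databases" ofType:@"sb"];` followed by `RELEASE_ASSERT(profilePath);` before setting the override.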
diff --git a/Source/WebKit2/DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb b/Source/WebKit2/DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb
deleted file mode 100644 (file)
index 0727b89..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-; Copyright (C) 2014 Apple Inc. All rights reserved.
-;
-; Redistribution and use in source and binary forms, with or without
-; modification, are permitted provided that the following conditions
-; are met:
-; 1. Redistributions of source code must retain the above copyright
-;    notice, this list of conditions and the following disclaimer.
-; 2. Redistributions in binary form must reproduce the above copyright
-;    notice, this list of conditions and the following disclaimer in the
-;    documentation and/or other materials provided with the distribution.
-;
-; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
-; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
-; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
-; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-; THE POSSIBILITY OF SUCH DAMAGE.
-
-(version 1)
-(deny default (with partial-symbolication))
-(allow system-audit file-read-metadata)
-
-(import "common.sb")
-(import "removed-dev-nodes.sb")
-
-;; Sandbox extensions
-(define (apply-read-and-issue-extension op path-filter)
-    (op file-read* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
-(define (apply-write-and-issue-extension op path-filter)
-    (op file-write* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
-(define (read-only-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter))
-(define (read-write-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter)
-    (apply-write-and-issue-extension allow path-filter))
-(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
-(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
-
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
-;; Reserve a namespace for additional protected extended attributes.
-(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
-
-(if (defined? 'vnode-type)
-    (deny file-write-create (vnode-type SYMLINK)))
index 8da3f2c..ba01488 100644 (file)
 #if PLATFORM(IOS) && ENABLE(NETWORK_PROCESS)
 
 #import "NetworkProcessCreationParameters.h"
+#import "SandboxInitializationParameters.h"
 #import <WebCore/CertificateInfo.h>
 #import <WebCore/NotImplemented.h>
 #import <WebCore/WebCoreThreadSystemInterface.h>
 
+#define ENABLE_MANUAL_NETWORK_SANDBOXING 0
+
 @interface NSURLRequest (WKDetails)
 + (void)setAllowsSpecificHTTPSCertificate:(NSArray *)certificateChain forHost:(NSString *)host;
 @end
@@ -51,9 +54,18 @@ void NetworkProcess::initializeProcessName(const ChildProcessInitializationParam
     notImplemented();
 }
 
-void NetworkProcess::initializeSandbox(const ChildProcessInitializationParameters&, SandboxInitializationParameters&)
+void NetworkProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
 {
-    notImplemented();
+#if ENABLE_MANUAL_NETWORK_SANDBOXING
+    // Need to override the default, because service has a different bundle ID.
+    NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
+    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.NetworkProcess" ofType:@"sb"]);
+
+    ChildProcess::initializeSandbox(parameters, sandboxParameters);
+#else
+    UNUSED_PARAM(parameters);
+    UNUSED_PARAM(sandboxParameters);
+#endif
 }
 
 void NetworkProcess::allowSpecificHTTPSCertificateForHost(const CertificateInfo& certificateInfo, const String& host)
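Review bot: The resource name in the `ENABLE_MANUAL_NETWORK_SANDBOXING` branch, `com.apple.WebKit.NetworkProcess`, does not match the profile this commit adds, which is `com.apple.WebKit.Networking.sb`. The branch is compiled out today because the flag is defined as 0 at the top of the file, but once it is switched on `pathForResource:ofType:` will not find the file added here and the override path will be nil. The line should read `sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.Networking" ofType:@"sb"]);`. A one-line comment beside the `#define` stating that the network process does not use this profile until the flag is enabled would also help the next reader.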
diff --git a/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb b/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb
new file mode 100644 (file)
index 0000000..879c520
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(version 1)
+(allow default)
+
+(import "common.sb")
+(import "removed-dev-nodes.sb")
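Review bot: `(allow default)` makes this profile permit every operation that is not denied elsewhere, and whether the two imported files deny anything is not visible on this page. For the database process it replaces a profile that started from `(deny default (with partial-symbolication))` and carried explicit rules for sandbox extensions, the `com.apple.quarantine` xattr, the `com.apple.security.private.` xattr namespace and symlink creation. The commit message describes the generic profiles as a compatibility step, but nothing in the file records that; the Networking and WebContent profiles that follow are the same blob (879c520) and have the same gap. I would add a header comment to each, e.g. `; FIXME: Placeholder profile. Replace (allow default) with (deny default) and explicit rules before relying on this sandbox for containment.`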
diff --git a/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb b/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
new file mode 100644 (file)
index 0000000..879c520
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(version 1)
+(allow default)
+
+(import "common.sb")
+(import "removed-dev-nodes.sb")
diff --git a/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb b/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
new file mode 100644 (file)
index 0000000..879c520
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(version 1)
+(allow default)
+
+(import "common.sb")
+(import "removed-dev-nodes.sb")
index a4cfe8b..cdab759 100644 (file)
                        name = All;
                        productName = WebKit2;
                };
+               A7AADA1019395CA9003EA1C7 /* WebKit2SandboxProfiles */ = {
+                       isa = PBXAggregateTarget;
+                       buildConfigurationList = A7AADA1419395CA9003EA1C7 /* Build configuration list for PBXAggregateTarget "WebKit2SandboxProfiles" */;
+                       buildPhases = (
+                               A7AADA1519395CC3003EA1C7 /* CopyFiles */,
+                       );
+                       dependencies = (
+                       );
+                       name = WebKit2SandboxProfiles;
+                       productName = WebKit2SandboxProfiles;
+               };
                C0CE72851247E66800BC0EC4 /* Derived Sources */ = {
                        isa = PBXAggregateTarget;
                        buildConfigurationList = C0CE72891247E68600BC0EC4 /* Build configuration list for PBXAggregateTarget "Derived Sources" */;
                A58B6F0818FCA733008CBA53 /* WKFileUploadPanel.h in Headers */ = {isa = PBXBuildFile; fileRef = A58B6F0618FCA733008CBA53 /* WKFileUploadPanel.h */; };
                A58B6F0918FCA733008CBA53 /* WKFileUploadPanel.mm in Sources */ = {isa = PBXBuildFile; fileRef = A58B6F0718FCA733008CBA53 /* WKFileUploadPanel.mm */; };
                A5EFD38C16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = A5EFD38B16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               A78CCDDA193AC9F4005ECC25 /* com.apple.WebKit.Databases.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = A78CCDD7193AC9E3005ECC25 /* com.apple.WebKit.Databases.sb */; };
+               A78CCDDB193AC9F8005ECC25 /* com.apple.WebKit.Networking.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */; };
+               A78CCDDC193AC9FB005ECC25 /* com.apple.WebKit.WebContent.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = A78CCDD9193AC9E3005ECC25 /* com.apple.WebKit.WebContent.sb */; };
                A7D792D61767CB6E00881CBE /* ActivityAssertion.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7D792D51767CB6E00881CBE /* ActivityAssertion.cpp */; };
                A7D792D81767CCA300881CBE /* ActivityAssertion.h in Headers */ = {isa = PBXBuildFile; fileRef = A7D792D41767CB0900881CBE /* ActivityAssertion.h */; };
                A7E93CED1925331100A1DC48 /* ChildProcessIOS.mm in Sources */ = {isa = PBXBuildFile; fileRef = A7E93CEB192531AA00A1DC48 /* ChildProcessIOS.mm */; };
                E18E6918169B667B009B6670 /* SecItemShimProxyMessages.h in Headers */ = {isa = PBXBuildFile; fileRef = E18E6914169B667B009B6670 /* SecItemShimProxyMessages.h */; };
                E19582D3153CBFD700B60875 /* PDFKitImports.h in Headers */ = {isa = PBXBuildFile; fileRef = E19582D2153CBFD700B60875 /* PDFKitImports.h */; };
                E19582D6153CC05400B60875 /* PDFKitImports.mm in Sources */ = {isa = PBXBuildFile; fileRef = E19582D4153CC05300B60875 /* PDFKitImports.mm */; };
+               E19BDA86193665E300B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */; };
                E19BDA8A193686A400B97F57 /* SandboxUtilities.h in Headers */ = {isa = PBXBuildFile; fileRef = E19BDA88193686A400B97F57 /* SandboxUtilities.h */; };
                E19BDA8B19368D4600B97F57 /* SandboxUtilities.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E19BDA87193686A400B97F57 /* SandboxUtilities.cpp */; };
-               E19BDA86193665E300B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */; };
                E1A31732134CEA6C007C9A4F /* AttributedString.h in Headers */ = {isa = PBXBuildFile; fileRef = E1A31731134CEA6C007C9A4F /* AttributedString.h */; };
                E1A31735134CEA80007C9A4F /* AttributedString.mm in Sources */ = {isa = PBXBuildFile; fileRef = E1A31734134CEA80007C9A4F /* AttributedString.mm */; };
                E1A9A852169E2025002D7176 /* WebKit.icns in Resources */ = {isa = PBXBuildFile; fileRef = E133FD891423DD7F00FC7BFB /* WebKit.icns */; };
                        name = "Copy Plug-in Sandbox Profiles";
                        runOnlyForDeploymentPostprocessing = 0;
                };
+               A7AADA1519395CC3003EA1C7 /* CopyFiles */ = {
+                       isa = PBXCopyFilesBuildPhase;
+                       buildActionMask = 2147483647;
+                       dstPath = /usr/local/share/sandbox/embedded/profiles/builtin;
+                       dstSubfolderSpec = 0;
+                       files = (
+                               A78CCDDA193AC9F4005ECC25 /* com.apple.WebKit.Databases.sb in CopyFiles */,
+                               A78CCDDB193AC9F8005ECC25 /* com.apple.WebKit.Networking.sb in CopyFiles */,
+                               A78CCDDC193AC9FB005ECC25 /* com.apple.WebKit.WebContent.sb in CopyFiles */,
+                       );
+                       runOnlyForDeploymentPostprocessing = 0;
+               };
                BCDE093C13272496001259FB /* Copy Plug-in Process Shim */ = {
                        isa = PBXCopyFilesBuildPhase;
                        buildActionMask = 2147483647;
                A58B6F0718FCA733008CBA53 /* WKFileUploadPanel.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = WKFileUploadPanel.mm; path = ios/forms/WKFileUploadPanel.mm; sourceTree = "<group>"; };
                A5EFD38B16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKPageVisibilityTypes.h; sourceTree = "<group>"; };
                A72D5D7F1236CBA800A88B15 /* WebSerializedScriptValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebSerializedScriptValue.h; sourceTree = "<group>"; };
+               A78CCDD7193AC9E3005ECC25 /* com.apple.WebKit.Databases.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.Databases.sb; sourceTree = "<group>"; };
+               A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.Networking.sb; sourceTree = "<group>"; };
+               A78CCDD9193AC9E3005ECC25 /* com.apple.WebKit.WebContent.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.WebContent.sb; sourceTree = "<group>"; };
                A7D792D41767CB0900881CBE /* ActivityAssertion.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ActivityAssertion.h; sourceTree = "<group>"; };
                A7D792D51767CB6E00881CBE /* ActivityAssertion.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ActivityAssertion.cpp; sourceTree = "<group>"; };
-               A7E93CE9192527B600A1DC48 /* com.apple.WebKit.DatabasesIOS.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.DatabasesIOS.sb; sourceTree = "<group>"; };
                A7E93CEB192531AA00A1DC48 /* ChildProcessIOS.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = ChildProcessIOS.mm; path = ios/ChildProcessIOS.mm; sourceTree = "<group>"; };
                B396EA5512E0ED2D00F4FEB7 /* config.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = config.h; sourceTree = "<group>"; };
                B62E730F143047A60069EC35 /* WKHitTestResult.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKHitTestResult.cpp; sourceTree = "<group>"; };
                E19582D2153CBFD700B60875 /* PDFKitImports.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PDFKitImports.h; sourceTree = "<group>"; };
                E19582D4153CC05300B60875 /* PDFKitImports.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = PDFKitImports.mm; sourceTree = "<group>"; };
                E1967E37150AB5E200C73169 /* com.apple.WebProcess.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebProcess.sb; sourceTree = "<group>"; };
+               E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.appstore.CodeRedeemerNetscapePlugin.sb; sourceTree = "<group>"; };
                E19BDA87193686A400B97F57 /* SandboxUtilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SandboxUtilities.cpp; sourceTree = "<group>"; };
                E19BDA88193686A400B97F57 /* SandboxUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SandboxUtilities.h; sourceTree = "<group>"; };
-               E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.appstore.CodeRedeemerNetscapePlugin.sb; sourceTree = "<group>"; };
                E1A31731134CEA6C007C9A4F /* AttributedString.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AttributedString.h; sourceTree = "<group>"; };
                E1A31734134CEA80007C9A4F /* AttributedString.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AttributedString.mm; sourceTree = "<group>"; };
                E1AEA22D14687BDB00804569 /* WKFullKeyboardAccessWatcher.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKFullKeyboardAccessWatcher.h; sourceTree = "<group>"; };
                089C1665FE841158C02AAC07 /* Resources */ = {
                        isa = PBXGroup;
                        children = (
+                               A78CCDD5193AC9E3005ECC25 /* SandboxProfiles */,
                                7CB16FE11724B9B5007A0A95 /* PlugInSandboxProfiles */,
                                6D8A91A511F0EFD100DD01FE /* com.apple.WebProcess.sb.in */,
                                1CBC945D16515ED200D68AAE /* DockBottom.pdf */,
                        path = mac;
                        sourceTree = "<group>";
                };
+               A78CCDD5193AC9E3005ECC25 /* SandboxProfiles */ = {
+                       isa = PBXGroup;
+                       children = (
+                               A78CCDD6193AC9E3005ECC25 /* ios */,
+                       );
+                       name = SandboxProfiles;
+                       path = Resources/SandboxProfiles;
+                       sourceTree = "<group>";
+               };
+               A78CCDD6193AC9E3005ECC25 /* ios */ = {
+                       isa = PBXGroup;
+                       children = (
+                               A78CCDD7193AC9E3005ECC25 /* com.apple.WebKit.Databases.sb */,
+                               A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */,
+                               A78CCDD9193AC9E3005ECC25 /* com.apple.WebKit.WebContent.sb */,
+                       );
+                       path = ios;
+                       sourceTree = "<group>";
+               };
                BC017D1016260FFD007054F5 /* DOM */ = {
                        isa = PBXGroup;
                        children = (
                        isa = PBXGroup;
                        children = (
                                E1FEF39C190F791C00731658 /* DatabaseProcessIOS.mm */,
-                               A7E93CE9192527B600A1DC48 /* com.apple.WebKit.DatabasesIOS.sb */,
                        );
                        path = ios;
                        sourceTree = "<group>";
                                BC82843116B4FE1300A278FE /* Plugin.Development */,
                                51F7DC3F180CC93600212CA3 /* Databases */,
                                5180C713180CCA3100FDA612 /* Databases.Development */,
+                               A7AADA1019395CA9003EA1C7 /* WebKit2SandboxProfiles */,
                        );
                };
 /* End PBXProject section */
                        };
                        name = Production;
                };
+               A7AADA1119395CA9003EA1C7 /* Debug */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Debug;
+               };
+               A7AADA1219395CA9003EA1C7 /* Release */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Release;
+               };
+               A7AADA1319395CA9003EA1C7 /* Production */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Production;
+               };
                BC3DE47315A91764008D26FC /* Debug */ = {
                        isa = XCBuildConfiguration;
                        baseConfigurationReference = BCACC40E16B0B8A800B6E092 /* WebContentService.xcconfig */;
                        defaultConfigurationIsVisible = 0;
                        defaultConfigurationName = Production;
                };
+               A7AADA1419395CA9003EA1C7 /* Build configuration list for PBXAggregateTarget "WebKit2SandboxProfiles" */ = {
+                       isa = XCConfigurationList;
+                       buildConfigurations = (
+                               A7AADA1119395CA9003EA1C7 /* Debug */,
+                               A7AADA1219395CA9003EA1C7 /* Release */,
+                               A7AADA1319395CA9003EA1C7 /* Production */,
+                       );
+                       defaultConfigurationIsVisible = 0;
+                       defaultConfigurationName = Production;
+               };
                BC3DE47615A91764008D26FC /* Build configuration list for PBXNativeTarget "WebContent" */ = {
                        isa = XCConfigurationList;
                        buildConfigurations = (
index 4a27b26..f189a08 100644 (file)
 
 #if !PLATFORM(IOS)
 #define ENABLE_SANDBOX_EXTENSIONS 1
-#define ENABLE_WEB_PROCESS_SANDBOX 1
 #endif
 
+#define ENABLE_WEB_PROCESS_SANDBOX 1
+
 #define ENABLE_NETWORK_PROCESS 1
 
 #define ENABLE_DATABASE_PROCESS 1
index 96f9b42..6de4cd3 100644 (file)
@@ -54,6 +54,8 @@
 #import <objc/runtime.h>
 #import <stdio.h>
 
+#define ENABLE_MANUAL_WEBPROCESS_SANDBOXING !PLATFORM(IOS)
+
 #if PLATFORM(IOS)
 @interface NSURLCache (WKDetails)
 -(id)_initWithMemoryCapacity:(NSUInteger)memoryCapacity diskCapacity:(NSUInteger)diskCapacity relativePath:(NSString *)path;
@@ -242,10 +244,15 @@ void WebProcess::platformTerminate()
 void WebProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
 {
 #if ENABLE(WEB_PROCESS_SANDBOX)
-    // Need to overide the default, because service has a different bundle ID.
+#if ENABLE_MANUAL_WEBPROCESS_SANDBOXING
+    // Need to override the default, because service has a different bundle ID.
     NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
+#if PLATFORM(IOS)
+    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.WebContent" ofType:@"sb"]);
+#else
     sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebProcess" ofType:@"sb"]);
-
+#endif
+#endif
     ChildProcess::initializeSandbox(parameters, sandboxParameters);
 #else
     UNUSED_PARAM(parameters);
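Review bot: The nested `#if PLATFORM(IOS)` branch that selects `com.apple.WebKit.WebContent` can never be compiled as written, because it sits inside `#if ENABLE_MANUAL_WEBPROCESS_SANDBOXING` and that macro is defined as `!PLATFORM(IOS)` earlier in this file. On iOS, with `ENABLE_WEB_PROCESS_SANDBOX` now defined unconditionally in WebKit2Prefix.h, the function therefore calls `ChildProcess::initializeSandbox` with no override path, so which profile is applied depends on code outside this page. If that is the intended staging, a comment above the define such as `// iOS: manual profile selection is disabled for now; enable this to use com.apple.WebKit.WebContent.sb.` would make it clear. The function's `#else` branch continues past the end of the hunk.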