[Mac][WK2] Stop using file* rules in WebProcess sandbox profiles
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Dec 2016 22:02:48 +0000 (22:02 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Dec 2016 22:02:48 +0000 (22:02 +0000)
https://bugs.webkit.org/show_bug.cgi?id=165824
<rdar://problem/14024823>

Reviewed by Alexey Proskuryakov

Switch from blanket 'file*' sandbox rules to the specific 'file-read*' and 'file-write*' rules
we actually need.

* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@210076 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in
Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in

index 10af92c..6d88e99 100644 (file)
@@ -1,3 +1,18 @@
+2016-12-21  Brent Fulgham  <bfulgham@apple.com>
+
+        [Mac][WK2] Stop using file* rules in WebProcess sandbox profiles
+        https://bugs.webkit.org/show_bug.cgi?id=165824
+        <rdar://problem/14024823>
+
+        Reviewed by Alexey Proskuryakov
+
+        Switch from blanket 'file*' sandbox rules, to the specific 'file-read*' and 'file-write*' rules
+        we actually need.
+
+        * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
 2016-12-21  Beth Dakin  <bdakin@apple.com>
 
         Holding down on candidates in the TouchBar should show panel on screen
index 7f4b158..6a1e717 100644 (file)
 (define (home-literal home-relative-literal)
     (literal (string-append (param "HOME_DIR") home-relative-literal)))
 
+(define (allow-read-write-directory-and-issue-read-write-extensions path)
+    (if path
+        (begin
+            (allow file-read* file-write* (subpath path))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
+
 ;; IOKit user clients
 (allow iokit-open
     (iokit-user-client-class "RootDomainUserClient"))
@@ -59,9 +66,9 @@
 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
        (ipc-posix-name "com.apple.AppleDatabaseChanged"))
 (if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
 (if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
 
 ;; Read-only preferences and data
 (allow user-preference-read
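Review bot: The `(if path ...)` guard in the new `allow-read-write-directory-and-issue-read-write-extensions` helper (first hunk of com.apple.WebKit.Databases.sb.in, after `home-literal`) only rejects a false value; an empty string is truthy in Scheme, so any caller that omits the `(positive? (string-length ...))` check would still emit `(subpath "")`. Moving that check into the helper, `(if (and path (positive? (string-length path)))`, makes every call site safe by construction instead of relying on each caller to repeat the guard. The same helper body is pasted verbatim into com.apple.WebKit.plugin-common.sb.in and com.apple.WebProcess.sb.in in this commit, so the change applies to all three copies. A one-line header comment such as `;; Grant read/write under PATH and allow issuing read and read-write sandbox extensions for it.` would also help, since the helper currently has no description at all.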
index 78c2faa..dd30e63 100644 (file)
         (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
     *uuid-pattern*)
 
+(define (allow-read-write-directory-and-issue-read-write-extensions path)
+    (if path
+        (begin
+            (allow file-read* file-write* (subpath path))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
+
 ;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
 ;; This parameter is the major OS Version number.
 (if (not (defined? 'os-version))
 ;; Configuration directories
 (allow file-read* (subpath (param "PLUGIN_PATH")))
 (allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
-(allow file* (subpath (param "DARWIN_USER_TEMP_DIR")))
-(allow file* (subpath (param "DARWIN_USER_CACHE_DIR")))
-(allow file* (subpath (param "NSURL_CACHE_DIR")))
+(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
+(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
+(if (positive? (string-length (param "NSURL_CACHE_DIR")))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "NSURL_CACHE_DIR")))
 
 ;; Allow the OpenGL Profiler to attach.
 (if (defined? 'mach-register)
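Review bot: The rewritten rules for DARWIN_USER_CACHE_DIR, DARWIN_USER_TEMP_DIR and NSURL_CACHE_DIR in the second plugin-common hunk grant `file-read*`, `file-write*` and two `file-issue-extension` classes, which is narrower than the removed `file*` wildcard (as far as I can tell `file*` also covered operations such as `file-ioctl` and extension issuance of any class), and nothing in the profile records that this narrowing is deliberate. A short comment above the block, `;; Per-user cache/temp directories: read-write plus read and read-write extension issuance; no other file* operations are needed here.`, would stop a later reader from restoring the wildcard the first time something under these paths hits a sandbox denial. This hunk also introduces the `(positive? (string-length ...))` guards that the old unconditional `file*` rules lacked, which changes behaviour when one of those parameters is empty and is not mentioned in the commit message.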
index cd61734..44b014e 100644 (file)
             (allow file-read* (subpath path))
             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
 
+(define (allow-read-write-directory-and-issue-read-write-extensions path)
+    (if path
+        (begin
+            (allow file-read* file-write* (subpath path))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
+            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
+
 ;; Remove when <rdar://problem/29646094> is fixed.
 (define (HEX-pattern-match-generator pattern-descriptor)
     (letrec ((pattern-string ""))
     (preference-domain "com.apple.mediaaccessibility.public"))
 
 (if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
 
 (if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
-    (allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
+    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
 
 ;; IOKit user clients
 (allow iokit-open
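Review bot: In the first com.apple.WebProcess.sb.in hunk the new read-write helper repeats the `com.apple.app-sandbox.read` `file-issue-extension` line that the read-only helper ending just above it already emits; if that helper takes the same single `path` argument, having the new one call it for the read half would keep the two rules in step if the read-extension rule ever changes. The read-only helper's definition starts outside the hunk, so its name and signature are not visible here and this is a point of style only; the generated rules are identical either way. Since the new helper's `(if path ...)` guard is all that stands between a caller and `(subpath path)`, a comment on it, `;; Callers must pass a non-empty path; only a false value is rejected here.`, would make the dependency on the `(positive? (string-length ...))` checks in the second hunk explicit.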