Update sandbox rules

        https://bugs.webkit.org/show_bug.cgi?id=73675
        <rdar://problem/9276430>

        Reviewed by Sam Weinig.

        * WebProcess/com.apple.WebProcess.sb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@101860 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog
index e826268..db0d4a9 100644 (file)
--- a/Source/WebKit2/ChangeLog
+++ b/Source/WebKit2/ChangeLog
@@ -1,3 +1,13 @@
+2011-12-02  Alexey Proskuryakov  <ap@apple.com>
+
+        Update sandbox rules
+        https://bugs.webkit.org/show_bug.cgi?id=73675
+        <rdar://problem/9276430>
+
+        Reviewed by Sam Weinig.
+
+        * WebProcess/com.apple.WebProcess.sb:
+
 2011-12-02  Andy Estes  <aestes@apple.com>
 
         WebKit2: Freeze the state of the layer tree until frame load completion if incremental rendering is suppressed

diff --git a/Source/WebKit2/WebProcess/com.apple.WebProcess.sb b/Source/WebKit2/WebProcess/com.apple.WebProcess.sb
index 4bd77bf..8f45e4c 100644 (file)
--- a/Source/WebKit2/WebProcess/com.apple.WebProcess.sb
+++ b/Source/WebKit2/WebProcess/com.apple.WebProcess.sb
@@ -24,11 +24,13 @@
        (subpath "/Library/Dictionaries")
        (subpath "/Library/Fonts")
        (subpath "/Library/Frameworks")
-       (subpath "/Library/Keychains")
        (subpath "/private/var/db/mds")
        (subpath "/private/var/db/DetachedSignatures")
        (regex #"^/private/etc/(hosts|group|passwd)$")
 
+       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+       (subpath "/Library/Keychains")
+
        ;; System and user preferences
        (literal "/Library/Preferences/.GlobalPreferences.plist")
        (literal "/Library/Preferences/com.apple.crypto.plist")
@@ -86,15 +88,9 @@
        (home-subpath "/Library/Caches/com.apple.WebProcess")
        (home-regex "/Library/Preferences/ByHost/com\.apple\.HIToolbox\.")
        (home-regex "/Library/Preferences/com\.apple\.WebProcess\.")
-       (home-subpath "/Library/Keychains")
-
-       ;; FIXME: This should be removed when <rdar://problem/9276430> is fixed.
-       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
-       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
 
-(allow file-read-data
-       ;; FIXME: This should be removed when <rdar://problem/9276430> is fixed.
-       (home-literal "/Library/Preferences"))
+       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+       (home-subpath "/Library/Keychains"))
 
 ;; Non-user Security mds caches
 (allow file*
@@ -166,8 +162,6 @@
        (global-name "com.apple.system.opendirectoryd.api")
        (global-name "com.apple.window_proxies")
        (global-name "com.apple.windowserver.active")
-
-        ;; FIXME: This will be superfluous once <rdar://problem/10420555> is fixed.
        (global-name "com.apple.cfnetwork.AuthBrokerAgent")
 
        ;; FIXME: This should be removed when <rdar://problem/9276393> is fixed.
@@ -209,6 +203,10 @@
         (literal "/private/etc/services")
         (literal "/private/etc/host"))
 
-;; FIXME: Should be removed after <rdar://problem/9422957> is fixed
 (deny file-read* file-write* (with no-log)
-      (home-literal "/Library/Caches/Cache.db"))
+       ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
+       (home-literal "/Library/Caches/Cache.db")
+
+       ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))