Eliminate plugin sandbox exceptions
authorggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 03:24:29 +0000 (03:24 +0000)
committerggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 03:24:29 +0000 (03:24 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196510

Reviewed by Chris Dumez.

* PluginProcess/mac/PluginProcessMac.mm:
(WebKit::PluginProcess::initializeSandbox):
* UIProcess/Plugins/PluginInfoStore.cpp:
(WebKit::PluginInfoStore::shouldAllowPluginToRunUnsandboxed): Deleted.
* UIProcess/Plugins/PluginInfoStore.h:
* UIProcess/Plugins/mac/PluginInfoStoreMac.mm:
(WebKit::PluginInfoStore::shouldUsePlugin):
(WebKit::PluginInfoStore::shouldAllowPluginToRunUnsandboxed): Deleted.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243784 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/PluginProcess/mac/PluginProcessMac.mm
Source/WebKit/UIProcess/Plugins/PluginInfoStore.cpp
Source/WebKit/UIProcess/Plugins/PluginInfoStore.h
Source/WebKit/UIProcess/Plugins/mac/PluginInfoStoreMac.mm

index d8dbe69..ea97a6a 100644 (file)
@@ -1,3 +1,19 @@
+2019-04-02  Geoffrey Garen  <ggaren@apple.com>
+
+        Eliminate plugin sandbox exceptions
+        https://bugs.webkit.org/show_bug.cgi?id=196510
+
+        Reviewed by Chris Dumez.
+
+        * PluginProcess/mac/PluginProcessMac.mm:
+        (WebKit::PluginProcess::initializeSandbox):
+        * UIProcess/Plugins/PluginInfoStore.cpp:
+        (WebKit::PluginInfoStore::shouldAllowPluginToRunUnsandboxed): Deleted.
+        * UIProcess/Plugins/PluginInfoStore.h:
+        * UIProcess/Plugins/mac/PluginInfoStoreMac.mm:
+        (WebKit::PluginInfoStore::shouldUsePlugin):
+        (WebKit::PluginInfoStore::shouldAllowPluginToRunUnsandboxed): Deleted.
+
 2019-04-02  Alex Christensen  <achristensen@webkit.org>
 
         Fix assertion in http/tests/adClickAttribution/store-ad-click-attribution.html
index 10630c2..bd3ab08 100644 (file)
@@ -474,9 +474,6 @@ void PluginProcess::initializeSandbox(const AuxiliaryProcessInitializationParame
         exit(EX_OSERR);
     }
 
-    if (PluginInfoStore::shouldAllowPluginToRunUnsandboxed(m_pluginBundleIdentifier))
-        return;
-
     bool parentIsSandboxed = parameters.connectionIdentifier.xpcConnection && connectedProcessIsSandboxed(parameters.connectionIdentifier.xpcConnection.get());
 
     if (parameters.extraInitializationData.get("disable-sandbox") == "1") {
index 6603b41..d305553 100644 (file)
@@ -159,12 +159,6 @@ static inline String pathExtension(const URL& url)
 
 #if !PLATFORM(COCOA)
 
-bool PluginInfoStore::shouldAllowPluginToRunUnsandboxed(const String& pluginBundleIdentifier)
-{
-    UNUSED_PARAM(pluginBundleIdentifier);
-    return false;
-}
-
 PluginModuleLoadPolicy PluginInfoStore::defaultLoadPolicyForPlugin(const PluginModuleInfo&)
 {
     return PluginModuleLoadNormally;
index 695d478..afb94c3 100644 (file)
@@ -64,8 +64,6 @@ public:
     void addSupportedPlugin(String&& matchingDomain, String&& identifier, HashSet<String>&& mimeTypes, HashSet<String> extensions);
     void clearSupportedPlugins() { m_supportedPlugins = WTF::nullopt; }
 
-    static bool shouldAllowPluginToRunUnsandboxed(const String& pluginBundleIdentifier);
-
 private:
     PluginModuleInfo findPluginForMIMEType(const String& mimeType, WebCore::PluginData::AllowedPluginTypes) const;
     PluginModuleInfo findPluginForExtension(const String& extension, String& mimeType, WebCore::PluginData::AllowedPluginTypes) const;
index a2713e5..c6a044a 100644 (file)
@@ -83,29 +83,6 @@ static bool shouldBlockPlugin(const PluginModuleInfo& plugin)
     return loadPolicy == PluginModuleBlockedForSecurity || loadPolicy == PluginModuleBlockedForCompatibility;
 }
 
-bool PluginInfoStore::shouldAllowPluginToRunUnsandboxed(const String& pluginBundleIdentifier)
-{
-    if (RuntimeEnabledFeatures::sharedFeatures().experimentalPlugInSandboxProfilesEnabled())
-        return false;
-
-    return pluginBundleIdentifier == "com.cisco.webex.plugin.gpc64"_s
-        || pluginBundleIdentifier == "com.google.googletalkbrowserplugin"_s
-        || pluginBundleIdentifier == "com.google.o1dbrowserplugin"_s
-        || pluginBundleIdentifier == "com.apple.NPSafeInput"_s
-        || pluginBundleIdentifier == "com.apple.BocomSubmitCtrl"_s
-        || pluginBundleIdentifier == "com.ftsafe.NPAPI-Core-Safe-SoftKeybaord.plugin.rfc1034identifier"_s
-        || pluginBundleIdentifier == "com.cfca.npSecEditCtl.MAC.BOC.plugin"_s
-        || pluginBundleIdentifier == "com.cfca.npSecEditCtl.MAC.BOCO"_s
-        || pluginBundleIdentifier == "cfca.com.npCryptoKit.MAC.BOC"_s
-        || pluginBundleIdentifier == "cfca.com.npP11CertEnroll.MAC.BOC"_s
-        || pluginBundleIdentifier == "cfca.com.npCryptoKit.UnionPay.MAC"_s
-        || pluginBundleIdentifier == "cfca.com.npP11CertEnroll.MAC.UnionPay"_s
-        || pluginBundleIdentifier == "Bocom.netsignplugin"_s
-        || pluginBundleIdentifier == "cfca.com.npP11CertEnroll.MAC.CGB"_s
-        || pluginBundleIdentifier == "cfca.com.npCryptoKit.CGB.MAC"_s
-        || pluginBundleIdentifier == "mw.icbc-safari-MW"_s;
-}
-
 bool PluginInfoStore::shouldUsePlugin(Vector<PluginModuleInfo>& alreadyLoadedPlugins, const PluginModuleInfo& plugin)
 {
     for (size_t i = 0; i < alreadyLoadedPlugins.size(); ++i) {
@@ -127,7 +104,7 @@ bool PluginInfoStore::shouldUsePlugin(Vector<PluginModuleInfo>& alreadyLoadedPlu
         return false;
     }
 
-    if (currentProcessIsSandboxed() && !plugin.hasSandboxProfile && !shouldAllowPluginToRunUnsandboxed(plugin.bundleIdentifier)) {
+    if (currentProcessIsSandboxed() && !plugin.hasSandboxProfile) {
         LOG(Plugins, "Ignoring unsandboxed plug-in %s", plugin.bundleIdentifier.utf8().data());
         return false;
     }