Restructure initial distinct sandbox profiles
authoroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 2 Jun 2014 17:22:33 +0000 (17:22 +0000)
committeroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 2 Jun 2014 17:22:33 +0000 (17:22 +0000)
https://bugs.webkit.org/show_bug.cgi?id=133415

Reviewed by Alexey Proskuryakov.

Add support for manually instantiating the network and
content process sandboxes, and add initial profiles.
These profiles are completely generic so we can make sure
nothing is broken by enabling them.

This also adds a target to the WebKit2 project to correctly
process the profiles.

* DatabaseProcess/ios/DatabaseProcessIOS.mm:
(WebKit::DatabaseProcess::initializeSandbox):
* DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb: Removed.
* NetworkProcess/ios/NetworkProcessIOS.mm:
(WebKit::NetworkProcess::initializeSandbox):
* Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb: Added.
* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Added.
* Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb: Added.
* WebKit2.xcodeproj/project.pbxproj:
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::initializeSandbox):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@169533 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/DatabaseProcess/ios/DatabaseProcessIOS.mm
Source/WebKit2/DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb [deleted file]
Source/WebKit2/NetworkProcess/ios/NetworkProcessIOS.mm
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb [new file with mode: 0644]
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb [new file with mode: 0644]
Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb [new file with mode: 0644]
Source/WebKit2/WebKit2.xcodeproj/project.pbxproj
Source/WebKit2/WebKit2Prefix.h
Source/WebKit2/WebProcess/cocoa/WebProcessCocoa.mm

index 19ef4c3058c51bc1dc42c1051013f31823ad60d7..dc0197f4156f48027eab5be43f3d09f9ccfb94db 100644 (file)
@@ -1,3 +1,30 @@
+2014-05-31  Oliver Hunt  <oliver@apple.com>
+
+        Restructure initial distinct sandbox profiles
+        https://bugs.webkit.org/show_bug.cgi?id=133415
+
+        Reviewed by Alexey Proskuryakov.
+
+        Add support for manually instantiating the network and
+        content process sandboxes, and add initial profiles.
+        These profiles are completely generic so we can make sure
+        nothing is broken by enabling them.
+
+        This also adds a target to the WebKit2 project to correctly
+        process the profiles.
+
+        * DatabaseProcess/ios/DatabaseProcessIOS.mm:
+        (WebKit::DatabaseProcess::initializeSandbox):
+        * DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb: Removed.
+        * NetworkProcess/ios/NetworkProcessIOS.mm:
+        (WebKit::NetworkProcess::initializeSandbox):
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb: Added.
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Added.
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb: Added.
+        * WebKit2.xcodeproj/project.pbxproj:
+        * WebProcess/cocoa/WebProcessCocoa.mm:
+        (WebKit::WebProcess::initializeSandbox):
+
 2014-06-01  Sam Weinig  <sam@webkit.org>
 
         [Cocoa] Add SPI to get a WebArchive of the WKWebView
index 56b786ca896efc74c9169672a713a1eff709d4e7..4e820b057781a754e66d434a9952f704c77b0731 100644 (file)
@@ -52,9 +52,9 @@ void DatabaseProcess::initializeProcessName(const ChildProcessInitializationPara
 void DatabaseProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
 {
 #if ENABLE_MANUAL_DATABASE_SANDBOXING
-    // Need to overide the default, because service has a different bundle ID.
+    // Need to override the default, because service has a different bundle ID.
     NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
-    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.DatabasesIOS" ofType:@"sb"]);
+    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.Databases" ofType:@"sb"]);
     ChildProcess::initializeSandbox(parameters, sandboxParameters);
 #endif
 }
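Review bot: The result of `pathForResource:` goes straight into `setOverrideSandboxProfilePath` with no nil check, and the project-file changes visible in this commit list `com.apple.WebKit.Databases.sb` only in a CopyFiles phase with an absolute `dstPath`, not in a bundle resources phase. If the profile is not inside the WebKit2 bundle, the lookup returns nil and the override carries no path; how `ChildProcess::initializeSandbox` handles that is not visible here. I would keep the path in a local and fail loudly before the setter, e.g. `NSString *profilePath = [webkit2Bundle pathForResource:@"com.apple.WebKit.Databases" ofType:@"sb"];` followed by `ASSERT(profilePath);`. The same unchecked lookup is added in `NetworkProcess::initializeSandbox` and `WebProcess::initializeSandbox`.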
diff --git a/Source/WebKit2/DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb b/Source/WebKit2/DatabaseProcess/ios/com.apple.WebKit.DatabasesIOS.sb
deleted file mode 100644 (file)
index 0727b89..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-; Copyright (C) 2014 Apple Inc. All rights reserved.
-;
-; Redistribution and use in source and binary forms, with or without
-; modification, are permitted provided that the following conditions
-; are met:
-; 1. Redistributions of source code must retain the above copyright
-;    notice, this list of conditions and the following disclaimer.
-; 2. Redistributions in binary form must reproduce the above copyright
-;    notice, this list of conditions and the following disclaimer in the
-;    documentation and/or other materials provided with the distribution.
-;
-; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
-; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
-; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
-; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-; THE POSSIBILITY OF SUCH DAMAGE.
-
-(version 1)
-(deny default (with partial-symbolication))
-(allow system-audit file-read-metadata)
-
-(import "common.sb")
-(import "removed-dev-nodes.sb")
-
-;; Sandbox extensions
-(define (apply-read-and-issue-extension op path-filter)
-    (op file-read* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
-(define (apply-write-and-issue-extension op path-filter)
-    (op file-write* path-filter)
-    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
-(define (read-only-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter))
-(define (read-write-and-issue-extensions path-filter)
-    (apply-read-and-issue-extension allow path-filter)
-    (apply-write-and-issue-extension allow path-filter))
-(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
-(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
-
-;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
-(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
-
-;; Reserve a namespace for additional protected extended attributes.
-(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
-
-(if (defined? 'vnode-type)
-    (deny file-write-create (vnode-type SYMLINK)))
index 8da3f2cf8d284f5a74b7e2a8e6d61499aee00fb1..ba01488b9feb4791c95100bb67ef37b2720e7284 100644 (file)
 #if PLATFORM(IOS) && ENABLE(NETWORK_PROCESS)
 
 #import "NetworkProcessCreationParameters.h"
+#import "SandboxInitializationParameters.h"
 #import <WebCore/CertificateInfo.h>
 #import <WebCore/NotImplemented.h>
 #import <WebCore/WebCoreThreadSystemInterface.h>
 
+#define ENABLE_MANUAL_NETWORK_SANDBOXING 0
+
 @interface NSURLRequest (WKDetails)
 + (void)setAllowsSpecificHTTPSCertificate:(NSArray *)certificateChain forHost:(NSString *)host;
 @end
@@ -51,9 +54,18 @@ void NetworkProcess::initializeProcessName(const ChildProcessInitializationParam
     notImplemented();
 }
 
-void NetworkProcess::initializeSandbox(const ChildProcessInitializationParameters&, SandboxInitializationParameters&)
+void NetworkProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
 {
-    notImplemented();
+#if ENABLE_MANUAL_NETWORK_SANDBOXING
+    // Need to override the default, because service has a different bundle ID.
+    NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
+    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.NetworkProcess" ofType:@"sb"]);
+
+    ChildProcess::initializeSandbox(parameters, sandboxParameters);
+#else
+    UNUSED_PARAM(parameters);
+    UNUSED_PARAM(sandboxParameters);
+#endif
 }
 
 void NetworkProcess::allowSpecificHTTPSCertificateForHost(const CertificateInfo& certificateInfo, const String& host)
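Review bot: The resource name in the new `pathForResource:` call is `com.apple.WebKit.NetworkProcess`, but the profile this commit adds is `com.apple.WebKit.Networking.sb`, so once `ENABLE_MANUAL_NETWORK_SANDBOXING` is set to 1 the lookup cannot find the file added here. The line should read `sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.Networking" ofType:@"sb"]);`. Separately, the `#else` branch replaces `notImplemented()` with two `UNUSED_PARAM`s, so with the flag at 0 the function skips profile setup without leaving any trace. A short comment such as `// FIXME: No manual sandbox profile is applied while ENABLE_MANUAL_NETWORK_SANDBOXING is 0.` would keep that state visible.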
diff --git a/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb b/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Databases.sb
new file mode 100644 (file)
index 0000000..879c520
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(version 1)
+(allow default)
+
+(import "common.sb")
+(import "removed-dev-nodes.sb")
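Review bot: `(allow default)` makes this profile permit every operation the two imports do not deny. It replaces a database profile that started from `(deny default (with partial-symbolication))` and denied writes to the `com.apple.quarantine` xattr, access to `com.apple.security.private.*` xattrs and symlink creation. The commit message says the generic profile is deliberate, but the file itself carries no marker, so it can stay in this state unnoticed. I would add a comment above the rule, e.g. `;; FIXME: Placeholder. Switch to (deny default) and restore the xattr and symlink denials before relying on this profile.` The identical `com.apple.WebKit.Networking.sb` and `com.apple.WebKit.WebContent.sb` need the same comment.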
diff --git a/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb b/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
new file mode 100644 (file)
index 0000000..879c520
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(version 1)
+(allow default)
+
+(import "common.sb")
+(import "removed-dev-nodes.sb")
diff --git a/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb b/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb
new file mode 100644 (file)
index 0000000..879c520
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(version 1)
+(allow default)
+
+(import "common.sb")
+(import "removed-dev-nodes.sb")
index a4cfe8b905144cc963ec4a71c565ee2470004602..cdab7598056c2f0863d120a26f0fb6ea3bc3cd35 100644 (file)
                        name = All;
                        productName = WebKit2;
                };
+               A7AADA1019395CA9003EA1C7 /* WebKit2SandboxProfiles */ = {
+                       isa = PBXAggregateTarget;
+                       buildConfigurationList = A7AADA1419395CA9003EA1C7 /* Build configuration list for PBXAggregateTarget "WebKit2SandboxProfiles" */;
+                       buildPhases = (
+                               A7AADA1519395CC3003EA1C7 /* CopyFiles */,
+                       );
+                       dependencies = (
+                       );
+                       name = WebKit2SandboxProfiles;
+                       productName = WebKit2SandboxProfiles;
+               };
                C0CE72851247E66800BC0EC4 /* Derived Sources */ = {
                        isa = PBXAggregateTarget;
                        buildConfigurationList = C0CE72891247E68600BC0EC4 /* Build configuration list for PBXAggregateTarget "Derived Sources" */;
                A58B6F0818FCA733008CBA53 /* WKFileUploadPanel.h in Headers */ = {isa = PBXBuildFile; fileRef = A58B6F0618FCA733008CBA53 /* WKFileUploadPanel.h */; };
                A58B6F0918FCA733008CBA53 /* WKFileUploadPanel.mm in Sources */ = {isa = PBXBuildFile; fileRef = A58B6F0718FCA733008CBA53 /* WKFileUploadPanel.mm */; };
                A5EFD38C16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = A5EFD38B16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               A78CCDDA193AC9F4005ECC25 /* com.apple.WebKit.Databases.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = A78CCDD7193AC9E3005ECC25 /* com.apple.WebKit.Databases.sb */; };
+               A78CCDDB193AC9F8005ECC25 /* com.apple.WebKit.Networking.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */; };
+               A78CCDDC193AC9FB005ECC25 /* com.apple.WebKit.WebContent.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = A78CCDD9193AC9E3005ECC25 /* com.apple.WebKit.WebContent.sb */; };
                A7D792D61767CB6E00881CBE /* ActivityAssertion.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7D792D51767CB6E00881CBE /* ActivityAssertion.cpp */; };
                A7D792D81767CCA300881CBE /* ActivityAssertion.h in Headers */ = {isa = PBXBuildFile; fileRef = A7D792D41767CB0900881CBE /* ActivityAssertion.h */; };
                A7E93CED1925331100A1DC48 /* ChildProcessIOS.mm in Sources */ = {isa = PBXBuildFile; fileRef = A7E93CEB192531AA00A1DC48 /* ChildProcessIOS.mm */; };
                E18E6918169B667B009B6670 /* SecItemShimProxyMessages.h in Headers */ = {isa = PBXBuildFile; fileRef = E18E6914169B667B009B6670 /* SecItemShimProxyMessages.h */; };
                E19582D3153CBFD700B60875 /* PDFKitImports.h in Headers */ = {isa = PBXBuildFile; fileRef = E19582D2153CBFD700B60875 /* PDFKitImports.h */; };
                E19582D6153CC05400B60875 /* PDFKitImports.mm in Sources */ = {isa = PBXBuildFile; fileRef = E19582D4153CC05300B60875 /* PDFKitImports.mm */; };
+               E19BDA86193665E300B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */; };
                E19BDA8A193686A400B97F57 /* SandboxUtilities.h in Headers */ = {isa = PBXBuildFile; fileRef = E19BDA88193686A400B97F57 /* SandboxUtilities.h */; };
                E19BDA8B19368D4600B97F57 /* SandboxUtilities.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E19BDA87193686A400B97F57 /* SandboxUtilities.cpp */; };
-               E19BDA86193665E300B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */; };
                E1A31732134CEA6C007C9A4F /* AttributedString.h in Headers */ = {isa = PBXBuildFile; fileRef = E1A31731134CEA6C007C9A4F /* AttributedString.h */; };
                E1A31735134CEA80007C9A4F /* AttributedString.mm in Sources */ = {isa = PBXBuildFile; fileRef = E1A31734134CEA80007C9A4F /* AttributedString.mm */; };
                E1A9A852169E2025002D7176 /* WebKit.icns in Resources */ = {isa = PBXBuildFile; fileRef = E133FD891423DD7F00FC7BFB /* WebKit.icns */; };
                        name = "Copy Plug-in Sandbox Profiles";
                        runOnlyForDeploymentPostprocessing = 0;
                };
+               A7AADA1519395CC3003EA1C7 /* CopyFiles */ = {
+                       isa = PBXCopyFilesBuildPhase;
+                       buildActionMask = 2147483647;
+                       dstPath = /usr/local/share/sandbox/embedded/profiles/builtin;
+                       dstSubfolderSpec = 0;
+                       files = (
+                               A78CCDDA193AC9F4005ECC25 /* com.apple.WebKit.Databases.sb in CopyFiles */,
+                               A78CCDDB193AC9F8005ECC25 /* com.apple.WebKit.Networking.sb in CopyFiles */,
+                               A78CCDDC193AC9FB005ECC25 /* com.apple.WebKit.WebContent.sb in CopyFiles */,
+                       );
+                       runOnlyForDeploymentPostprocessing = 0;
+               };
                BCDE093C13272496001259FB /* Copy Plug-in Process Shim */ = {
                        isa = PBXCopyFilesBuildPhase;
                        buildActionMask = 2147483647;
                A58B6F0718FCA733008CBA53 /* WKFileUploadPanel.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = WKFileUploadPanel.mm; path = ios/forms/WKFileUploadPanel.mm; sourceTree = "<group>"; };
                A5EFD38B16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKPageVisibilityTypes.h; sourceTree = "<group>"; };
                A72D5D7F1236CBA800A88B15 /* WebSerializedScriptValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebSerializedScriptValue.h; sourceTree = "<group>"; };
+               A78CCDD7193AC9E3005ECC25 /* com.apple.WebKit.Databases.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.Databases.sb; sourceTree = "<group>"; };
+               A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.Networking.sb; sourceTree = "<group>"; };
+               A78CCDD9193AC9E3005ECC25 /* com.apple.WebKit.WebContent.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.WebContent.sb; sourceTree = "<group>"; };
                A7D792D41767CB0900881CBE /* ActivityAssertion.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ActivityAssertion.h; sourceTree = "<group>"; };
                A7D792D51767CB6E00881CBE /* ActivityAssertion.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ActivityAssertion.cpp; sourceTree = "<group>"; };
-               A7E93CE9192527B600A1DC48 /* com.apple.WebKit.DatabasesIOS.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.DatabasesIOS.sb; sourceTree = "<group>"; };
                A7E93CEB192531AA00A1DC48 /* ChildProcessIOS.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = ChildProcessIOS.mm; path = ios/ChildProcessIOS.mm; sourceTree = "<group>"; };
                B396EA5512E0ED2D00F4FEB7 /* config.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = config.h; sourceTree = "<group>"; };
                B62E730F143047A60069EC35 /* WKHitTestResult.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKHitTestResult.cpp; sourceTree = "<group>"; };
                E19582D2153CBFD700B60875 /* PDFKitImports.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PDFKitImports.h; sourceTree = "<group>"; };
                E19582D4153CC05300B60875 /* PDFKitImports.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = PDFKitImports.mm; sourceTree = "<group>"; };
                E1967E37150AB5E200C73169 /* com.apple.WebProcess.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebProcess.sb; sourceTree = "<group>"; };
+               E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.appstore.CodeRedeemerNetscapePlugin.sb; sourceTree = "<group>"; };
                E19BDA87193686A400B97F57 /* SandboxUtilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SandboxUtilities.cpp; sourceTree = "<group>"; };
                E19BDA88193686A400B97F57 /* SandboxUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SandboxUtilities.h; sourceTree = "<group>"; };
-               E19BDA8419365F4B00B97F57 /* com.apple.appstore.CodeRedeemerNetscapePlugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.appstore.CodeRedeemerNetscapePlugin.sb; sourceTree = "<group>"; };
                E1A31731134CEA6C007C9A4F /* AttributedString.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AttributedString.h; sourceTree = "<group>"; };
                E1A31734134CEA80007C9A4F /* AttributedString.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AttributedString.mm; sourceTree = "<group>"; };
                E1AEA22D14687BDB00804569 /* WKFullKeyboardAccessWatcher.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKFullKeyboardAccessWatcher.h; sourceTree = "<group>"; };
                089C1665FE841158C02AAC07 /* Resources */ = {
                        isa = PBXGroup;
                        children = (
+                               A78CCDD5193AC9E3005ECC25 /* SandboxProfiles */,
                                7CB16FE11724B9B5007A0A95 /* PlugInSandboxProfiles */,
                                6D8A91A511F0EFD100DD01FE /* com.apple.WebProcess.sb.in */,
                                1CBC945D16515ED200D68AAE /* DockBottom.pdf */,
                        path = mac;
                        sourceTree = "<group>";
                };
+               A78CCDD5193AC9E3005ECC25 /* SandboxProfiles */ = {
+                       isa = PBXGroup;
+                       children = (
+                               A78CCDD6193AC9E3005ECC25 /* ios */,
+                       );
+                       name = SandboxProfiles;
+                       path = Resources/SandboxProfiles;
+                       sourceTree = "<group>";
+               };
+               A78CCDD6193AC9E3005ECC25 /* ios */ = {
+                       isa = PBXGroup;
+                       children = (
+                               A78CCDD7193AC9E3005ECC25 /* com.apple.WebKit.Databases.sb */,
+                               A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */,
+                               A78CCDD9193AC9E3005ECC25 /* com.apple.WebKit.WebContent.sb */,
+                       );
+                       path = ios;
+                       sourceTree = "<group>";
+               };
                BC017D1016260FFD007054F5 /* DOM */ = {
                        isa = PBXGroup;
                        children = (
                        isa = PBXGroup;
                        children = (
                                E1FEF39C190F791C00731658 /* DatabaseProcessIOS.mm */,
-                               A7E93CE9192527B600A1DC48 /* com.apple.WebKit.DatabasesIOS.sb */,
                        );
                        path = ios;
                        sourceTree = "<group>";
                                BC82843116B4FE1300A278FE /* Plugin.Development */,
                                51F7DC3F180CC93600212CA3 /* Databases */,
                                5180C713180CCA3100FDA612 /* Databases.Development */,
+                               A7AADA1019395CA9003EA1C7 /* WebKit2SandboxProfiles */,
                        );
                };
 /* End PBXProject section */
                        };
                        name = Production;
                };
+               A7AADA1119395CA9003EA1C7 /* Debug */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Debug;
+               };
+               A7AADA1219395CA9003EA1C7 /* Release */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Release;
+               };
+               A7AADA1319395CA9003EA1C7 /* Production */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Production;
+               };
                BC3DE47315A91764008D26FC /* Debug */ = {
                        isa = XCBuildConfiguration;
                        baseConfigurationReference = BCACC40E16B0B8A800B6E092 /* WebContentService.xcconfig */;
                        defaultConfigurationIsVisible = 0;
                        defaultConfigurationName = Production;
                };
+               A7AADA1419395CA9003EA1C7 /* Build configuration list for PBXAggregateTarget "WebKit2SandboxProfiles" */ = {
+                       isa = XCConfigurationList;
+                       buildConfigurations = (
+                               A7AADA1119395CA9003EA1C7 /* Debug */,
+                               A7AADA1219395CA9003EA1C7 /* Release */,
+                               A7AADA1319395CA9003EA1C7 /* Production */,
+                       );
+                       defaultConfigurationIsVisible = 0;
+                       defaultConfigurationName = Production;
+               };
                BC3DE47615A91764008D26FC /* Build configuration list for PBXNativeTarget "WebContent" */ = {
                        isa = XCConfigurationList;
                        buildConfigurations = (
index 4a27b26ca43076e48f61c359d1c3401b6463cb23..f189a0846d054bc89947de246866c7ac1701542b 100644 (file)
 
 #if !PLATFORM(IOS)
 #define ENABLE_SANDBOX_EXTENSIONS 1
-#define ENABLE_WEB_PROCESS_SANDBOX 1
 #endif
 
+#define ENABLE_WEB_PROCESS_SANDBOX 1
+
 #define ENABLE_NETWORK_PROCESS 1
 
 #define ENABLE_DATABASE_PROCESS 1
index 96f9b4219aaef6ecd69816e6a823cc0f9eb627e3..6de4cd37c189836c0309ac5be357bc51bcaf3568 100644 (file)
@@ -54,6 +54,8 @@
 #import <objc/runtime.h>
 #import <stdio.h>
 
+#define ENABLE_MANUAL_WEBPROCESS_SANDBOXING !PLATFORM(IOS)
+
 #if PLATFORM(IOS)
 @interface NSURLCache (WKDetails)
 -(id)_initWithMemoryCapacity:(NSUInteger)memoryCapacity diskCapacity:(NSUInteger)diskCapacity relativePath:(NSString *)path;
@@ -242,10 +244,15 @@ void WebProcess::platformTerminate()
 void WebProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
 {
 #if ENABLE(WEB_PROCESS_SANDBOX)
-    // Need to overide the default, because service has a different bundle ID.
+#if ENABLE_MANUAL_WEBPROCESS_SANDBOXING
+    // Need to override the default, because service has a different bundle ID.
     NSBundle *webkit2Bundle = [NSBundle bundleForClass:NSClassFromString(@"WKView")];
+#if PLATFORM(IOS)
+    sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebKit.WebContent" ofType:@"sb"]);
+#else
     sandboxParameters.setOverrideSandboxProfilePath([webkit2Bundle pathForResource:@"com.apple.WebProcess" ofType:@"sb"]);
-
+#endif
+#endif
     ChildProcess::initializeSandbox(parameters, sandboxParameters);
 #else
     UNUSED_PARAM(parameters);
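Review bot: The `#if PLATFORM(IOS)` branch that selects `com.apple.WebKit.WebContent` is unreachable, because it sits inside `#if ENABLE_MANUAL_WEBPROCESS_SANDBOXING` and that macro is defined as `!PLATFORM(IOS)` earlier in this file. With `ENABLE_WEB_PROCESS_SANDBOX` now defined for iOS in WebKit2Prefix.h, iOS builds reach `ChildProcess::initializeSandbox` with no override path set; which profile that call then applies is not visible in this diff. If the dead branch is intentional staging, say so next to the define, e.g. `// FIXME: Set to 1 on iOS once com.apple.WebKit.WebContent.sb is ready.`; otherwise drop the inner `#if PLATFORM(IOS)`. The function body continues past the end of the hunk.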