Modified: trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (272874 => 272875)
--- trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2021-02-15 20:42:37 UTC (rev 272874)
+++ trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2021-02-15 21:21:07 UTC (rev 272875)
@@ -25,7 +25,6 @@
#include <glib.h>
#include <seccomp.h>
#include <sys/ioctl.h>
-#include <unistd.h>
#include <wtf/FileSystem.h>
#include <wtf/glib/GLibUtilities.h>
#include <wtf/glib/GRefPtr.h>
@@ -129,28 +128,6 @@
return memfd;
}
-static int createFlatpakInfo()
-{
- static NeverDestroyed<GUniquePtr<char>> data;
- static size_t size;
-
- if (!data.get()) {
- // xdg-desktop-portal relates your name to certain permissions so we want
- // them to be application unique which is best done via GApplication.
- GApplication* app = g_application_get_default();
- if (!app) {
- g_warning("GApplication is required for xdg-desktop-portal access in the WebKit sandbox. Actions that require xdg-desktop-portal will be broken.");
- return -1;
- }
-
- GUniquePtr<GKeyFile> keyFile(g_key_file_new());
- g_key_file_set_string(keyFile.get(), "Application", "name", g_application_get_application_id(app));
- data->reset(g_key_file_to_data(keyFile.get(), &size, nullptr));
- }
-
- return createSealedMemFdWithData("flatpak-info", data->get(), size);
-}
-
enum class DBusAddressType {
Normal,
Abstract,
@@ -208,9 +185,6 @@
int proxyFd = argsToFd(proxyArgs, "dbus-proxy");
GUniquePtr<char> proxyArgsStr(g_strdup_printf("--args=%d", proxyFd));
- // We have to run xdg-dbus-proxy under bubblewrap because we need /.flatpak-info to exist in
- // xdg-dbus-proxy's mount namespace. Portals may use this as a trusted way to get the
- // sandboxed process's application ID, and will break if it's missing.
Vector<CString> args = {
DBUS_PROXY_EXECUTABLE,
proxyArgsStr.get(),
@@ -227,14 +201,11 @@
g_subprocess_launcher_set_child_setup(launcher.get(), childSetupFunc, GINT_TO_POINTER(syncFds[1]), nullptr);
g_subprocess_launcher_take_fd(launcher.get(), proxyFd, proxyFd);
g_subprocess_launcher_take_fd(launcher.get(), syncFds[1], syncFds[1]);
-
// We are purposefully leaving syncFds[0] open here.
// xdg-dbus-proxy will exit() itself once that is closed on our exit
- ProcessLauncher::LaunchOptions launchOptions;
- launchOptions.processType = ProcessLauncher::ProcessType::DBusProxy;
GUniqueOutPtr<GError> error;
- GRefPtr<GSubprocess> process = bubblewrapSpawn(launcher.get(), launchOptions, argv, &error.outPtr());
+ GRefPtr<GSubprocess> process = adoptGRef(g_subprocess_launcher_spawnv(launcher.get(), argv, &error.outPtr()));
if (!process.get())
g_error("Failed to start dbus proxy: %s", error->message);
@@ -721,6 +692,28 @@
return tmpfd;
}
+static int createFlatpakInfo()
+{
+ static NeverDestroyed<GUniquePtr<char>> data;
+ static size_t size;
+
+ if (!data.get()) {
+ // xdg-desktop-portal relates your name to certain permissions so we want
+ // them to be application unique which is best done via GApplication.
+ GApplication* app = g_application_get_default();
+ if (!app) {
+ g_warning("GApplication is required for xdg-desktop-portal access in the WebKit sandbox. Actions that require xdg-desktop-portal will be broken.");
+ return -1;
+ }
+
+ GUniquePtr<GKeyFile> keyFile(g_key_file_new());
+ g_key_file_set_string(keyFile.get(), "Application", "name", g_application_get_application_id(app));
+ data->reset(g_key_file_to_data(keyFile.get(), &size, nullptr));
+ }
+
+ return createSealedMemFdWithData("flatpak-info", data->get(), size);
+}
+
GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
{
ASSERT(launcher);
@@ -731,11 +724,11 @@
if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
- const char* runDir = g_get_user_runtime_dir();
Vector<CString> sandboxArgs = {
"--die-with-parent",
"--unshare-pid",
"--unshare-uts",
+ "--unshare-net",
// We assume /etc has safe permissions.
// At a later point we can start masking privacy-concerning files.
@@ -744,8 +737,7 @@
"--proc", "/proc",
"--tmpfs", "/tmp",
"--unsetenv", "TMPDIR",
- "--dir", runDir,
- "--setenv", "XDG_RUNTIME_DIR", runDir,
+ "--dir", "/run",
"--symlink", "../run", "/var/run",
"--symlink", "../tmp", "/var/tmp",
"--ro-bind", "/sys/block", "/sys/block",
@@ -770,24 +762,6 @@
"--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
};
-
- if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
- sandboxArgs.appendVector(Vector<CString>({
- "--ro-bind", "/usr/bin", "/usr/bin",
- // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
- // only because we have to mount .flatpak-info in its mount namespace. The user rundir
- // is where we mount our proxy socket.
- "--bind", runDir,
- }));
- } else {
- // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
- // host services must not use abstract sockets. Otherwise, only the network process should
- // have network access, and the network process is not sandboxed at all.
- sandboxArgs.appendVector(Vector<CString>({
- "--unshare-net"
- }));
- }
-
// We would have to parse ld config files for more info.
bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");