Diff
Modified: trunk/ChangeLog (200620 => 200621)
--- trunk/ChangeLog 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/ChangeLog 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,3 +1,15 @@
+2016-05-10 Michael Catanzaro <mcatanz...@igalia.com>
+
+ [Linux] Remove seccomp filters support
+ https://bugs.webkit.org/show_bug.cgi?id=157380
+
+ Reviewed by Darin Adler.
+
+ * Source/cmake/FindLibSeccomp.cmake: Removed.
+ * Source/cmake/OptionsEfl.cmake:
+ * Source/cmake/OptionsGTK.cmake:
+ * Source/cmake/WebKitFeatures.cmake:
+
2016-05-06 Manuel Rego Casasnovas <r...@igalia.com>
[css-grid] Unprefix CSS Grid Layout properties
Modified: trunk/Source/WebKit2/ChangeLog (200620 => 200621)
--- trunk/Source/WebKit2/ChangeLog 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/ChangeLog 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,3 +1,48 @@
+2016-05-10 Michael Catanzaro <mcatanz...@igalia.com>
+
+ [Linux] Remove seccomp filters support
+ https://bugs.webkit.org/show_bug.cgi?id=157380
+
+ Reviewed by Darin Adler.
+
+ * NetworkProcess/NetworkProcessCreationParameters.cpp:
+ (WebKit::NetworkProcessCreationParameters::encode): Deleted.
+ (WebKit::NetworkProcessCreationParameters::decode): Deleted.
+ * NetworkProcess/NetworkProcessCreationParameters.h:
+ * PlatformEfl.cmake:
+ * PlatformGTK.cmake:
+ * Shared/WebProcessCreationParameters.cpp:
+ (WebKit::WebProcessCreationParameters::encode): Deleted.
+ (WebKit::WebProcessCreationParameters::decode): Deleted.
+ * Shared/WebProcessCreationParameters.h:
+ * Shared/linux/SeccompFilters/OpenSyscall.cpp: Removed.
+ * Shared/linux/SeccompFilters/OpenSyscall.h: Removed.
+ * Shared/linux/SeccompFilters/SeccompBroker.cpp: Removed.
+ * Shared/linux/SeccompFilters/SeccompBroker.h: Removed.
+ * Shared/linux/SeccompFilters/SeccompFilters.cpp: Removed.
+ * Shared/linux/SeccompFilters/SeccompFilters.h: Removed.
+ * Shared/linux/SeccompFilters/SigactionSyscall.cpp: Removed.
+ * Shared/linux/SeccompFilters/SigactionSyscall.h: Removed.
+ * Shared/linux/SeccompFilters/SigprocmaskSyscall.cpp: Removed.
+ * Shared/linux/SeccompFilters/SigprocmaskSyscall.h: Removed.
+ * Shared/linux/SeccompFilters/Syscall.cpp: Removed.
+ * Shared/linux/SeccompFilters/Syscall.h: Removed.
+ * Shared/linux/SeccompFilters/SyscallPolicy.cpp: Removed.
+ * Shared/linux/SeccompFilters/SyscallPolicy.h: Removed.
+ * Shared/linux/SeccompFilters/XDGBaseDirectory.h: Removed.
+ * Shared/linux/SeccompFilters/XDGBaseDirectoryGLib.cpp: Removed.
+ * UIProcess/WebProcessPool.cpp:
+ (WebKit::WebProcessPool::ensureNetworkProcess): Deleted.
+ (WebKit::WebProcessPool::createNewWebProcess): Deleted.
+ (WebKit::WebProcessPool::cookieStorageDirectory): Deleted.
+ * UIProcess/WebProcessPool.h:
+ * WebProcess/efl/SeccompFiltersWebProcessEfl.cpp: Removed.
+ * WebProcess/efl/SeccompFiltersWebProcessEfl.h: Removed.
+ * WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp: Removed.
+ * WebProcess/gtk/SeccompFiltersWebProcessGtk.h: Removed.
+ * WebProcess/soup/WebProcessSoup.cpp:
+ (WebKit::WebProcess::platformInitializeWebProcess): Deleted.
+
2016-05-09 Tim Horton <timothy_hor...@apple.com>
REGRESSION (r191922): Zoom in/Zoom Out is not working for PDFs
Modified: trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.cpp (200620 => 200621)
--- trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.cpp 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.cpp 2016-05-10 14:56:00 UTC (rev 200621)
@@ -53,9 +53,6 @@
encoder << shouldEnableNetworkCacheSpeculativeRevalidation;
#endif
#endif
-#if ENABLE(SECCOMP_FILTERS)
- encoder << cookieStorageDirectory;
-#endif
#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
encoder << uiProcessCookieStorageIdentifier;
#endif
@@ -111,10 +108,6 @@
return false;
#endif
#endif
-#if ENABLE(SECCOMP_FILTERS)
- if (!decoder.decode(result.cookieStorageDirectory))
- return false;
-#endif
#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
if (!decoder.decode(result.uiProcessCookieStorageIdentifier))
return false;
Modified: trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.h (200620 => 200621)
--- trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.h 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkProcessCreationParameters.h 2016-05-10 14:56:00 UTC (rev 200621)
@@ -62,9 +62,6 @@
bool shouldEnableNetworkCacheSpeculativeRevalidation;
#endif
#endif
-#if ENABLE(SECCOMP_FILTERS)
- String cookieStorageDirectory;
-#endif
#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
Vector<uint8_t> uiProcessCookieStorageIdentifier;
#endif
Modified: trunk/Source/WebKit2/PlatformEfl.cmake (200620 => 200621)
--- trunk/Source/WebKit2/PlatformEfl.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/PlatformEfl.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -50,15 +50,6 @@
Shared/linux/WebMemorySamplerLinux.cpp
- Shared/linux/SeccompFilters/OpenSyscall.cpp
- Shared/linux/SeccompFilters/SeccompBroker.cpp
- Shared/linux/SeccompFilters/SeccompFilters.cpp
- Shared/linux/SeccompFilters/SigactionSyscall.cpp
- Shared/linux/SeccompFilters/SigprocmaskSyscall.cpp
- Shared/linux/SeccompFilters/Syscall.cpp
- Shared/linux/SeccompFilters/SyscallPolicy.cpp
- Shared/linux/SeccompFilters/XDGBaseDirectoryGLib.cpp
-
Shared/soup/WebCoreArgumentCodersSoup.cpp
Shared/unix/ChildProcessMain.cpp
@@ -219,7 +210,6 @@
WebProcess/WebPage/gstreamer/WebPageGStreamer.cpp
WebProcess/efl/ExtensionManagerEfl.cpp
- WebProcess/efl/SeccompFiltersWebProcessEfl.cpp
WebProcess/efl/WebProcessMainEfl.cpp
WebProcess/soup/WebKitSoupRequestInputStream.cpp
@@ -351,21 +341,6 @@
${SQLITE_LIBRARIES}
)
-if (ENABLE_SECCOMP_FILTERS)
- list(APPEND WebKit2_LIBRARIES
- ${LIBSECCOMP_LIBRARIES}
- )
- list(APPEND WebKit2_SYSTEM_INCLUDE_DIRECTORIES
- ${LIBSECCOMP_INCLUDE_DIRS}
- )
-
- # If building with jhbuild, add the root build directory to the
- # filesystem access policy.
- if (DEVELOPER_MODE AND IS_DIRECTORY ${CMAKE_SOURCE_DIR}/WebKitBuild/DependenciesEFL)
- add_definitions(-DSOURCE_DIR=\"${CMAKE_SOURCE_DIR}\")
- endif ()
-endif ()
-
if (ENABLE_ECORE_X)
list(APPEND WebProcess_LIBRARIES
${ECORE_X_LIBRARIES}
Modified: trunk/Source/WebKit2/PlatformGTK.cmake (200620 => 200621)
--- trunk/Source/WebKit2/PlatformGTK.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/PlatformGTK.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -76,15 +76,6 @@
Shared/linux/WebMemorySamplerLinux.cpp
- Shared/linux/SeccompFilters/OpenSyscall.cpp
- Shared/linux/SeccompFilters/SeccompBroker.cpp
- Shared/linux/SeccompFilters/SeccompFilters.cpp
- Shared/linux/SeccompFilters/SigactionSyscall.cpp
- Shared/linux/SeccompFilters/SigprocmaskSyscall.cpp
- Shared/linux/SeccompFilters/Syscall.cpp
- Shared/linux/SeccompFilters/SyscallPolicy.cpp
- Shared/linux/SeccompFilters/XDGBaseDirectoryGLib.cpp
-
Shared/soup/WebCoreArgumentCodersSoup.cpp
Shared/unix/ChildProcessMain.cpp
@@ -359,8 +350,6 @@
WebProcess/WebPage/gtk/WebPageGtk.cpp
WebProcess/WebPage/gtk/WebPrintOperationGtk.cpp
- WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp
- WebProcess/gtk/SeccompFiltersWebProcessGtk.h
WebProcess/gtk/WebGtkExtensionManager.cpp
WebProcess/gtk/WebGtkInjectedBundleMain.cpp
WebProcess/gtk/WebProcessMainGtk.cpp
@@ -512,7 +501,6 @@
"${WEBKIT2_DIR}/Shared/glib"
"${WEBKIT2_DIR}/Shared/gtk"
"${WEBKIT2_DIR}/Shared/linux"
- "${WEBKIT2_DIR}/Shared/linux/SeccompFilters"
"${WEBKIT2_DIR}/Shared/soup"
"${WEBKIT2_DIR}/Shared/unix"
"${WEBKIT2_DIR}/UIProcess/API/C/cairo"
@@ -601,21 +589,6 @@
)
endif ()
-if (ENABLE_SECCOMP_FILTERS)
- list(APPEND WebKit2_LIBRARIES
- ${LIBSECCOMP_LIBRARIES}
- )
- list(APPEND WebKit2_SYSTEM_INCLUDE_DIRECTORIES
- ${LIBSECCOMP_INCLUDE_DIRS}
- )
-
- # If building with WebKit jhbuild (not GNOME jhbuild), add the root build
- # directory to the filesystem access policy.
- if (DEVELOPER_MODE AND IS_DIRECTORY ${CMAKE_SOURCE_DIR}/WebKitBuild/DependenciesGTK)
- add_definitions(-DSOURCE_DIR=\"${CMAKE_SOURCE_DIR}\")
- endif ()
-endif ()
-
ADD_WHOLE_ARCHIVE_TO_LIBRARIES(WebKit2_LIBRARIES)
set(WebKit2_MARSHAL_LIST ${WEBKIT2_DIR}/UIProcess/API/gtk/webkit2marshal.list)
Modified: trunk/Source/WebKit2/Shared/WebProcessCreationParameters.cpp (200620 => 200621)
--- trunk/Source/WebKit2/Shared/WebProcessCreationParameters.cpp 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/Shared/WebProcessCreationParameters.cpp 2016-05-10 14:56:00 UTC (rev 200621)
@@ -68,9 +68,6 @@
encoder << webSQLDatabaseDirectoryExtensionHandle;
encoder << mediaCacheDirectory;
encoder << mediaCacheDirectoryExtensionHandle;
-#if ENABLE(SECCOMP_FILTERS)
- encoder << cookieStorageDirectory;
-#endif
#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
encoder << uiProcessCookieStorageIdentifier;
#endif
@@ -169,10 +166,6 @@
return false;
if (!decoder.decode(parameters.mediaCacheDirectoryExtensionHandle))
return false;
-#if ENABLE(SECCOMP_FILTERS)
- if (!decoder.decode(parameters.cookieStorageDirectory))
- return false;
-#endif
#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
if (!decoder.decode(parameters.uiProcessCookieStorageIdentifier))
return false;
Modified: trunk/Source/WebKit2/Shared/WebProcessCreationParameters.h (200620 => 200621)
--- trunk/Source/WebKit2/Shared/WebProcessCreationParameters.h 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/Shared/WebProcessCreationParameters.h 2016-05-10 14:56:00 UTC (rev 200621)
@@ -75,9 +75,6 @@
SandboxExtension::Handle webSQLDatabaseDirectoryExtensionHandle;
String mediaCacheDirectory;
SandboxExtension::Handle mediaCacheDirectoryExtensionHandle;
-#if ENABLE(SECCOMP_FILTERS)
- String cookieStorageDirectory;
-#endif
#if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
Vector<uint8_t> uiProcessCookieStorageIdentifier;
#endif
Modified: trunk/Source/WebKit2/UIProcess/WebProcessPool.cpp (200620 => 200621)
--- trunk/Source/WebKit2/UIProcess/WebProcessPool.cpp 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/UIProcess/WebProcessPool.cpp 2016-05-10 14:56:00 UTC (rev 200621)
@@ -353,10 +353,6 @@
if (!parameters.diskCacheDirectory.isEmpty())
SandboxExtension::createHandleForReadWriteDirectory(parameters.diskCacheDirectory, parameters.diskCacheDirectoryExtensionHandle);
-#if ENABLE(SECCOMP_FILTERS)
- parameters.cookieStorageDirectory = this->cookieStorageDirectory();
-#endif
-
#if PLATFORM(IOS)
String cookieStorageDirectory = this->cookieStorageDirectory();
if (!cookieStorageDirectory.isEmpty())
@@ -551,10 +547,6 @@
parameters.mediaCacheDirectory = m_configuration->mediaCacheDirectory();
if (!parameters.mediaCacheDirectory.isEmpty())
SandboxExtension::createHandleForReadWriteDirectory(parameters.mediaCacheDirectory, parameters.mediaCacheDirectoryExtensionHandle);
-
-#if ENABLE(SECCOMP_FILTERS)
- parameters.cookieStorageDirectory = this->cookieStorageDirectory();
-#endif
#if PLATFORM(IOS)
String cookieStorageDirectory = this->cookieStorageDirectory();
@@ -1082,17 +1074,6 @@
return platformDefaultIconDatabasePath();
}
-#if ENABLE(SECCOMP_FILTERS)
-String WebProcessPool::cookieStorageDirectory() const
-{
- if (!m_overrideCookieStorageDirectory.isEmpty())
- return m_overrideCookieStorageDirectory;
-
- // FIXME: This doesn't make much sense. Is this function used at all? We used to call platform code, but no existing platforms implemented that function.
- return emptyString();
-}
-#endif
-
void WebProcessPool::useTestingNetworkSession()
{
ASSERT(m_processes.isEmpty());
Modified: trunk/Source/WebKit2/UIProcess/WebProcessPool.h (200620 => 200621)
--- trunk/Source/WebKit2/UIProcess/WebProcessPool.h 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/UIProcess/WebProcessPool.h 2016-05-10 14:56:00 UTC (rev 200621)
@@ -401,7 +401,7 @@
String platformDefaultIconDatabasePath() const;
-#if PLATFORM(IOS) || ENABLE(SECCOMP_FILTERS)
+#if PLATFORM(IOS)
String cookieStorageDirectory() const;
#endif
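Review bot: With the guard narrowed to `#if PLATFORM(IOS)`, the only definition of cookieStorageDirectory() shown on this page is the one this commit deletes from WebProcessPool.cpp, and that deleted body was the only visible reader of `m_overrideCookieStorageDirectory`. If nothing else reads that member (not visible here), its declaration and any setter are now dead state and should be removed in the same change. The iOS definition that the remaining `this->cookieStorageDirectory()` calls rely on is outside this diff, so confirm it was never behind the removed `ENABLE(SECCOMP_FILTERS)` guard. The class body continues outside the hunk.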
Deleted: trunk/Source/WebKit2/WebProcess/efl/SeccompFiltersWebProcessEfl.cpp (200620 => 200621)
--- trunk/Source/WebKit2/WebProcess/efl/SeccompFiltersWebProcessEfl.cpp 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/WebProcess/efl/SeccompFiltersWebProcessEfl.cpp 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2013 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "SeccompFiltersWebProcessEfl.h"
-
-#if ENABLE(SECCOMP_FILTERS)
-
-#include "WebProcessCreationParameters.h"
-#include <WebKit/SeccompBroker.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-namespace WebKit {
-
-SeccompFiltersWebProcessEfl::SeccompFiltersWebProcessEfl(const WebProcessCreationParameters& parameters)
- : SeccompFilters(Allow)
-{
- m_policy.addDefaultWebProcessPolicy(parameters);
-}
-
-void SeccompFiltersWebProcessEfl::platformInitialize()
-{
- // TODO: We should block all the syscalls and whitelist
- // what we need + trap what should be handled by the broker.
- addRule("open", Trap);
- addRule("openat", Trap);
- addRule("creat", Trap);
-
- // Needed by Eeze on NetworkStateNotifierEfl.
- m_policy.addDirectoryPermission(ASCIILiteral("/sys/bus"), SyscallPolicy::Read);
- m_policy.addDirectoryPermission(ASCIILiteral("/sys/class"), SyscallPolicy::Read);
- m_policy.addDirectoryPermission(ASCIILiteral("/sys/devices"), SyscallPolicy::Read);
- m_policy.addFilePermission(ASCIILiteral("/etc/udev/udev.conf"), SyscallPolicy::Read);
-
- // Place where the theme and icons are installed.
- char* dataDir = canonicalize_file_name(DATA_DIR);
- if (dataDir) {
- m_policy.addDirectoryPermission(String::fromUTF8(dataDir), SyscallPolicy::Read);
- free(dataDir);
- }
-
-#if USE(GSTREAMER)
- // Video playback requires access to the root of the user cache dir which
- // is not right. We need to check with these directories on gstreamer
- // can be configured.
- char* homeDir = getenv("HOME");
- if (homeDir)
- m_policy.addDirectoryPermission(String::fromUTF8(homeDir) + "/.cache", SyscallPolicy::ReadAndWrite);
-#endif
-
- SeccompBroker::launchProcess(this, m_policy);
-}
-
-} // namespace WebKit
-
-#endif // ENABLE(SECCOMP_FILTERS)
Deleted: trunk/Source/WebKit2/WebProcess/efl/SeccompFiltersWebProcessEfl.h (200620 => 200621)
--- trunk/Source/WebKit2/WebProcess/efl/SeccompFiltersWebProcessEfl.h 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/WebProcess/efl/SeccompFiltersWebProcessEfl.h 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2013 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef SeccompFiltersWebProcessEfl_h
-#define SeccompFiltersWebProcessEfl_h
-
-#if ENABLE(SECCOMP_FILTERS)
-
-#include <WebKit/SeccompFilters.h>
-#include <WebKit/SyscallPolicy.h>
-
-namespace WebKit {
-
-class WebProcessCreationParameters;
-
-class SeccompFiltersWebProcessEfl : public SeccompFilters {
-public:
- SeccompFiltersWebProcessEfl(const WebProcessCreationParameters&);
-
-private:
- virtual void platformInitialize();
-
- SyscallPolicy m_policy;
-};
-
-} // namespace WebKit
-
-#endif // ENABLE(SECCOMP_FILTERS)
-
-#endif // SeccompFiltersWebProcessEfl_h
Deleted: trunk/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp (200620 => 200621)
--- trunk/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.cpp 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2013 Intel Corporation. All rights reserved.
- * Copyright (C) 2015 Igalia S.L.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "SeccompFiltersWebProcessGtk.h"
-
-#if ENABLE(SECCOMP_FILTERS)
-
-#include "SeccompBroker.h"
-#include "WebProcessCreationParameters.h"
-#include <glib.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-namespace WebKit {
-
-SeccompFiltersWebProcessGtk::SeccompFiltersWebProcessGtk(const WebProcessCreationParameters& parameters)
- : SeccompFilters(Allow)
-{
- m_policy.addDefaultWebProcessPolicy(parameters);
-}
-
-void SeccompFiltersWebProcessGtk::platformInitialize()
-{
- // TODO: We should block all the syscalls and whitelist
- // what we need + trap what should be handled by the broker.
- addRule("open", Trap);
- addRule("openat", Trap);
- addRule("creat", Trap);
-
-#if USE(GSTREAMER)
- m_policy.addDirectoryPermission(String::fromUTF8(g_get_user_cache_dir()) + "/gstreamer-1.0", SyscallPolicy::ReadAndWrite);
- m_policy.addDirectoryPermission(String::fromUTF8(g_get_user_data_dir()) + "/gstreamer-1.0", SyscallPolicy::ReadAndWrite);
- m_policy.addDirectoryPermission(String::fromUTF8(LIBEXECDIR) + "/gstreamer-1.0", SyscallPolicy::Read);
-#endif
-
- m_policy.addDirectoryPermission(String::fromUTF8(g_get_user_data_dir()) + "/gvfs-metadata", SyscallPolicy::ReadAndWrite);
-
- // For libXau
- m_policy.addDirectoryPermission(ASCIILiteral("/run/gdm"), SyscallPolicy::Read);
-
- SeccompBroker::launchProcess(this, m_policy);
-}
-
-} // namespace WebKit
-
-#endif // ENABLE(SECCOMP_FILTERS)
Deleted: trunk/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.h (200620 => 200621)
--- trunk/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.h 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/WebProcess/gtk/SeccompFiltersWebProcessGtk.h 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2013 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef SeccompFiltersWebProcessGtk_h
-#define SeccompFiltersWebProcessGtk_h
-
-#if ENABLE(SECCOMP_FILTERS)
-
-#include "SeccompFilters.h"
-#include "SyscallPolicy.h"
-
-namespace WebKit {
-
-struct WebProcessCreationParameters;
-
-class SeccompFiltersWebProcessGtk : public SeccompFilters {
-public:
- SeccompFiltersWebProcessGtk(const WebProcessCreationParameters&);
-
-private:
- void platformInitialize() override;
-
- SyscallPolicy m_policy;
-};
-
-} // namespace WebKit
-
-#endif // ENABLE(SECCOMP_FILTERS)
-
-#endif // SeccompFiltersWebProcessGtk_h
Modified: trunk/Source/WebKit2/WebProcess/soup/WebProcessSoup.cpp (200620 => 200621)
--- trunk/Source/WebKit2/WebProcess/soup/WebProcessSoup.cpp 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/WebKit2/WebProcess/soup/WebProcessSoup.cpp 2016-05-10 14:56:00 UTC (rev 200621)
@@ -27,12 +27,6 @@
#include "config.h"
#include "WebProcess.h"
-#if PLATFORM(EFL)
-#include "SeccompFiltersWebProcessEfl.h"
-#elif PLATFORM(GTK)
-#include "SeccompFiltersWebProcessGtk.h"
-#endif
-
#include "CertificateInfo.h"
#include "WebCookieManager.h"
#include "WebProcessCreationParameters.h"
@@ -84,16 +78,6 @@
void WebProcess::platformInitializeWebProcess(WebProcessCreationParameters&& parameters)
{
-#if ENABLE(SECCOMP_FILTERS)
- {
-#if PLATFORM(EFL)
- SeccompFiltersWebProcessEfl seccompFilters(parameters);
-#elif PLATFORM(GTK)
- SeccompFiltersWebProcessGtk seccompFilters(parameters);
-#endif
- seccompFilters.initialize();
- }
-#endif
}
void WebProcess::platformTerminate()
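Review bot: platformInitializeWebProcess is left with an empty body but still names its `parameters` argument, which can trigger unused-parameter warnings and hides the fact that the web process on the Soup-based ports now starts with no syscall filter at all. I would drop the name, `void WebProcess::platformInitializeWebProcess(WebProcessCreationParameters&&)`, and put `// No sandbox is installed for the web process on this port; seccomp filter support was removed in bug 157380.` in the body. The removed filters were default-allow (`SeccompFilters(Allow)`) and trapped only open, openat and creat, so per the deleted TODO any replacement should start from a deny-by-default policy. platformTerminate, at the end of the hunk, continues outside it.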
Deleted: trunk/Source/cmake/FindLibSeccomp.cmake (200620 => 200621)
--- trunk/Source/cmake/FindLibSeccomp.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/cmake/FindLibSeccomp.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,46 +0,0 @@
-# Copyright (c) 2013, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice, this
-# list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright notice,
-# this list of conditions and the following disclaimer in the documentation
-# and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors may
-# be used to endorse or promote products derived from this software without
-# specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-#
-# Try to find libseccomp include and library directories.
-#
-# After successful discovery, this will set for inclusion where needed:
-# LIBSECCOMP_INCLUDE_DIRS - containg the libseccomp headers
-# LIBSECCOMP_LIBRARIES - containg the libseccomp library
-
-include(FindPkgConfig)
-
-pkg_check_modules(PC_LIBSECCOMP libseccomp)
-
-find_path(LIBSECCOMP_INCLUDE_DIRS NAMES seccomp.h
- HINTS ${PC_LIBSECCOMP_INCLUDE_DIRS} ${PC_LIBSECCOMP_INCLUDEDIR}
-)
-
-find_library(LIBSECCOMP_LIBRARIES NAMES seccomp
- HINTS ${PC_LIBSECCOMP_LIBRARY_DIRS} ${PC_LIBSECCOMP_LIBDIR}
-)
-
-include(FindPackageHandleStandardArgs)
-FIND_PACKAGE_HANDLE_STANDARD_ARGS(seccomp DEFAULT_MSG LIBSECCOMP_INCLUDE_DIRS LIBSECCOMP_LIBRARIES)
Modified: trunk/Source/cmake/OptionsEfl.cmake (200620 => 200621)
--- trunk/Source/cmake/OptionsEfl.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/cmake/OptionsEfl.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -122,7 +122,6 @@
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_RESOLUTION_MEDIA_QUERY PUBLIC ON)
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_REQUEST_ANIMATION_FRAME PUBLIC ON)
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_SAMPLING_PROFILER PUBLIC ON)
-WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_SECCOMP_FILTERS PUBLIC OFF)
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_SHADOW_DOM PRIVATE OFF)
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_SPEECH_SYNTHESIS PUBLIC ON)
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_SPELLCHECK PUBLIC ON)
@@ -273,10 +272,6 @@
endif ()
endif ()
-if (ENABLE_SECCOMP_FILTERS)
- find_package(LibSeccomp REQUIRED)
-endif ()
-
if (ENABLE_SPELLCHECK)
find_package(Enchant REQUIRED)
endif ()
Modified: trunk/Source/cmake/OptionsGTK.cmake (200620 => 200621)
--- trunk/Source/cmake/OptionsGTK.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/cmake/OptionsGTK.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -314,13 +314,6 @@
find_package(GDK2 2.24.10 REQUIRED)
endif ()
-if (ENABLE_SECCOMP_FILTERS)
- find_package(LibSeccomp)
- if (NOT PC_LIBSECCOMP_FOUND)
- message(FATAL_ERROR "libseccomp is required for ENABLE_SECCOMP_FILTERS")
- endif ()
-endif ()
-
if (ENABLE_SPELLCHECK)
find_package(Enchant)
if (NOT PC_ENCHANT_FOUND)
Modified: trunk/Source/cmake/WebKitFeatures.cmake (200620 => 200621)
--- trunk/Source/cmake/WebKitFeatures.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Source/cmake/WebKitFeatures.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -169,7 +169,6 @@
WEBKIT_OPTION_DEFINE(ENABLE_RESOURCE_USAGE "Toggle resource usage support" PRIVATE OFF)
WEBKIT_OPTION_DEFINE(ENABLE_RUBBER_BANDING "Toggle rubber banding support" PRIVATE OFF)
WEBKIT_OPTION_DEFINE(ENABLE_SAMPLING_PROFILER "Toggle sampling profiler support" PRIVATE ON)
- WEBKIT_OPTION_DEFINE(ENABLE_SECCOMP_FILTERS "Toggle Linux seccomp filters for the WebProcess support" PRIVATE OFF)
WEBKIT_OPTION_DEFINE(ENABLE_SERVICE_CONTROLS "Toggle service controls support" PRIVATE OFF)
WEBKIT_OPTION_DEFINE(ENABLE_SHADOW_DOM "Toggle shadow dom" PRIVATE OFF)
WEBKIT_OPTION_DEFINE(ENABLE_SMOOTH_SCROLLING "Toggle smooth scrolling" PRIVATE OFF)
Modified: trunk/Tools/ChangeLog (200620 => 200621)
--- trunk/Tools/ChangeLog 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Tools/ChangeLog 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,3 +1,17 @@
+2016-05-10 Michael Catanzaro <mcatanz...@igalia.com>
+
+ [Linux] Remove seccomp filters support
+ https://bugs.webkit.org/show_bug.cgi?id=157380
+
+ Reviewed by Darin Adler.
+
+ * Scripts/webkitperl/FeatureList.pm:
+ * TestWebKitAPI/PlatformEfl.cmake:
+ * TestWebKitAPI/PlatformGTK.cmake:
+ * TestWebKitAPI/Tests/WebKit2/SeccompFilters.cpp: Removed.
+ * efl/jhbuild.modules:
+ * gtk/jhbuild.modules:
+
2016-05-09 Simon Fraser <simon.fra...@apple.com>
[iOS] visibility:hidden -webkit-overflow-scrolling: touch divs can interfere with page scrolling
Modified: trunk/Tools/Scripts/webkitperl/FeatureList.pm (200620 => 200621)
--- trunk/Tools/Scripts/webkitperl/FeatureList.pm 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Tools/Scripts/webkitperl/FeatureList.pm 2016-05-10 14:56:00 UTC (rev 200621)
@@ -125,7 +125,6 @@
$requestAnimationFrameSupport,
$resourceTimingSupport,
$scriptedSpeechSupport,
- $seccompFiltersSupport,
$shadowDOMSupport,
$streamsAPISupport,
$styleScopedSupport,
@@ -386,9 +385,6 @@
{ option => "request-animation-frame", desc => "Toggle Request Animation Frame support",
define => "ENABLE_REQUEST_ANIMATION_FRAME", default => 1, value => \$requestAnimationFrameSupport },
- { option => "seccomp-filters", desc => "Toggle Seccomp Filter sandbox",
- define => "ENABLE_SECCOMP_FILTERS", default => 0, value => \$seccompFiltersSupport },
-
{ option => "scripted-speech", desc => "Toggle Scripted Speech support",
define => "ENABLE_SCRIPTED_SPEECH", default => 0, value => \$scriptedSpeechSupport },
Modified: trunk/Tools/TestWebKitAPI/PlatformEfl.cmake (200620 => 200621)
--- trunk/Tools/TestWebKitAPI/PlatformEfl.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Tools/TestWebKitAPI/PlatformEfl.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -132,12 +132,6 @@
WillLoad
)
-if (ENABLE_SECCOMP_FILTERS)
- list(APPEND test_webkit2_api_fail_BINARIES
- SeccompFilters
- )
-endif ()
-
# Tests disabled because of missing features on the test harness:
#
# SpacebarScrolling
Modified: trunk/Tools/TestWebKitAPI/PlatformGTK.cmake (200620 => 200621)
--- trunk/Tools/TestWebKitAPI/PlatformGTK.cmake 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Tools/TestWebKitAPI/PlatformGTK.cmake 2016-05-10 14:56:00 UTC (rev 200621)
@@ -124,20 +124,6 @@
set_tests_properties(TestWebKit2 PROPERTIES TIMEOUT 60)
set_target_properties(TestWebKit2 PROPERTIES RUNTIME_OUTPUT_DIRECTORY ${TESTWEBKITAPI_RUNTIME_OUTPUT_DIRECTORY}/WebKit2)
-if (ENABLE_SECCOMP_FILTERS)
- # This test needs to be in its own executable. It's a general test of the
- # seccomp filter mechanism, and the filters it sets are incompatible with
- # the correct operation of WebKit and the other tests.
- add_executable(TestSeccompFilters
- ${TESTWEBKITAPI_DIR}/Tests/WebKit2/SeccompFilters.cpp
- )
-
- target_link_libraries(TestSeccompFilters ${test_webkit2_api_LIBRARIES})
- add_test(TestSeccompFilters ${TESTWEBKITAPI_RUNTIME_OUTPUT_DIRECTORY}/WebKit2/TestWebKit2)
- set_tests_properties(TestSeccompFilters PROPERTIES TIMEOUT 5)
- set_target_properties(TestSeccompFilters PROPERTIES RUNTIME_OUTPUT_DIRECTORY ${TESTWEBKITAPI_RUNTIME_OUTPUT_DIRECTORY}/WebKit2)
-endif ()
-
set(TestWebCoreGtk_SOURCES
${TESTWEBKITAPI_DIR}/Tests/WebCore/gtk/UserAgentQuirks.cpp
)
Deleted: trunk/Tools/TestWebKitAPI/Tests/WebKit2/SeccompFilters.cpp (200620 => 200621)
--- trunk/Tools/TestWebKitAPI/Tests/WebKit2/SeccompFilters.cpp 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit2/SeccompFilters.cpp 2016-05-10 14:56:00 UTC (rev 200621)
@@ -1,441 +0,0 @@
-/*
- * Copyright (C) 2013 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <WebKit/SeccompBroker.h>
-#include <WebKit/SeccompFilters.h>
-#include <WebKit/SyscallPolicy.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <signal.h>
-#include <stdlib.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <wtf/text/CString.h>
-#include <wtf/text/WTFString.h>
-
-using namespace WebKit;
-
-namespace TestWebKitAPI {
-
-DEPRECATED_DEFINE_STATIC_LOCAL(String, rootDir, (ASCIILiteral("/")));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, homeDir, (String(getenv("HOME"))));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, usrDir, (ASCIILiteral("/usr")));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, usrSbinDir, (ASCIILiteral("/usr/sbin")));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, testDirRead, (ASCIILiteral("/tmp/WebKitSeccompFilters/testRead")));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, testDirWrite, (ASCIILiteral("/tmp/WebKitSeccompFilters/testWrite")));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, testDirReadAndWrite, (ASCIILiteral("/tmp/WebKitSeccompFilters/testReadAndWrite")));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, testDirNotAllowed, (ASCIILiteral("/tmp/WebKitSeccompFilters/testNotAllowed")));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, testFileNotAllowed, (testDirReadAndWrite + "/testFilePolicy"));
-DEPRECATED_DEFINE_STATIC_LOCAL(String, testFileReadAndWrite, (testDirNotAllowed + "/testFilePolicy"));
-
-static const mode_t defaultMode = S_IRUSR | S_IWUSR | S_IXUSR;
-
-class SeccompEnvironment : public testing::Environment {
-public:
- virtual void SetUp()
- {
- ASSERT_TRUE(!homeDir.isEmpty());
-
- mkdir("/tmp/WebKitSeccompFilters", defaultMode);
- mkdir(testDirRead.utf8().data(), defaultMode);
- mkdir(testDirWrite.utf8().data(), defaultMode);
- mkdir(testDirReadAndWrite.utf8().data(), defaultMode);
- mkdir(testDirNotAllowed.utf8().data(), defaultMode);
-
- // Create a file for the Read only and NotAllowed directory before
- // loading the filters.
- String file = testDirRead + "/testFile";
- int fd = open(file.utf8().data(), O_RDWR | O_CREAT, defaultMode);
- ASSERT_NE(close(fd), -1);
- file = testDirNotAllowed + "/testFile";
- fd = open(file.utf8().data(), O_RDWR | O_CREAT, defaultMode);
- ASSERT_NE(close(fd), -1);
-
- // Create files for the file policy tests. File policies precedes the
- // directory policy. In this case, we create a file with read and write
- // policies inside a directory that is not allowed, and vice versa.
- fd = open(testFileNotAllowed.utf8().data(), O_RDWR | O_CREAT, defaultMode);
- ASSERT_NE(close(fd), -1);
- fd = open(testFileReadAndWrite.utf8().data(), O_RDWR | O_CREAT, defaultMode);
- ASSERT_NE(close(fd), -1);
-
- SyscallPolicy policy;
- policy.addDirectoryPermission(rootDir, SyscallPolicy::NotAllowed);
- policy.addDirectoryPermission(usrDir, SyscallPolicy::Read);
- policy.addDirectoryPermission(usrSbinDir, SyscallPolicy::NotAllowed);
- policy.addDirectoryPermission(testDirRead, SyscallPolicy::Read);
- policy.addDirectoryPermission(testDirWrite, SyscallPolicy::Write);
- policy.addDirectoryPermission(testDirReadAndWrite, SyscallPolicy::ReadAndWrite);
- policy.addDirectoryPermission(testDirNotAllowed, SyscallPolicy::NotAllowed);
- policy.addFilePermission(testFileNotAllowed, SyscallPolicy::NotAllowed);
- policy.addFilePermission(testFileReadAndWrite, SyscallPolicy::ReadAndWrite);
-
- SeccompFilters seccompFilters(SeccompFilters::Allow);
- seccompFilters.addRule("open", SeccompFilters::Trap);
- seccompFilters.addRule("openat", SeccompFilters::Trap);
- seccompFilters.addRule("creat", SeccompFilters::Trap);
-
- SeccompBroker::launchProcess(&seccompFilters, policy);
- seccompFilters.initialize();
- }
-
- virtual void TearDown()
- {
- // This will have to move to a separated process created before loading
- // the filters when we put the rmdir/unlink policies in place.
- unlink("/tmp/WebKitSeccompFilters/testNotAllowed/testFile");
- unlink("/tmp/WebKitSeccompFilters/testNotAllowed/testFilePolicy");
- unlink("/tmp/WebKitSeccompFilters/testReadAndWrite/testFile");
- unlink("/tmp/WebKitSeccompFilters/testReadAndWrite/testFile2");
- unlink("/tmp/WebKitSeccompFilters/testReadAndWrite/testFile3");
- unlink("/tmp/WebKitSeccompFilters/testReadAndWrite/testFilePolicy");
- unlink("/tmp/WebKitSeccompFilters/testWrite/testFile");
- unlink("/tmp/WebKitSeccompFilters/testWrite/testFile2");
- unlink("/tmp/WebKitSeccompFilters/testRead/testFile");
- rmdir("/tmp/WebKitSeccompFilters/testNotAllowed");
- rmdir("/tmp/WebKitSeccompFilters/testReadAndWrite");
- rmdir("/tmp/WebKitSeccompFilters/testWrite");
- rmdir("/tmp/WebKitSeccompFilters/testRead");
- rmdir("/tmp/WebKitSeccompFilters");
- }
-};
-
-::testing::Environment* const env = ::testing::AddGlobalTestEnvironment(new SeccompEnvironment);
-
-static void dummyHandler(int, siginfo_t*, void*)
-{
-}
-
-TEST(WebKit2, sigaction)
-{
- // Setting a handler should be enough to break any subsequent test if
- // not silently ignored by the sandbox.
- struct sigaction action;
- memset(&action, 0, sizeof(action));
- action.sa_sigaction = &dummyHandler;
- action.sa_flags = SA_SIGINFO;
-
- ASSERT_NE(sigaction(SIGSYS, &action, 0), -1);
-}
-
-TEST(WebKit2, sigprocmask)
-{
- // We test here the mechanism installed to prevent SIGSYS to be blocked. Any
- // attemp to add SIGSYS to the set of blocked signals will be silently
- // ignored (but other signals will be blocked just fine).
- sigset_t set, oldSet;
- sigemptyset(&set);
- sigaddset(&set, SIGSYS);
- sigaddset(&set, SIGUSR1);
-
- ASSERT_NE(sigprocmask(SIG_BLOCK, &set, 0), -1);
- ASSERT_NE(sigprocmask(SIG_BLOCK, 0, &oldSet), -1);
- ASSERT_FALSE(sigismember(&oldSet, SIGSYS)) << "SIGSYS should not be blocked.";
- ASSERT_TRUE(sigismember(&oldSet, SIGUSR1)) << "Other signals should be blocked normally.";
-
- sigemptyset(&set);
- sigaddset(&set, SIGSYS);
- sigaddset(&set, SIGUSR2);
-
- ASSERT_NE(sigprocmask(SIG_SETMASK, &set, &oldSet), -1);
- ASSERT_NE(sigprocmask(SIG_SETMASK, 0, &set), -1);
- ASSERT_FALSE(sigismember(&set, SIGSYS)) << "SIGSYS should not be blocked.";
- ASSERT_TRUE(sigismember(&set, SIGUSR2)) << "Other signals should be blocked normally.";
- ASSERT_FALSE(sigismember(&oldSet, SIGUSR2));
-
- ASSERT_NE(sigprocmask(SIG_SETMASK, &oldSet, 0), -1) << "Should restore the old signal set just fine.";
- ASSERT_NE(sigprocmask(SIG_SETMASK, 0, &set), -1);
- ASSERT_FALSE(sigismember(&set, SIGUSR2)) << "The restored set doesn't have SIGUSR2.";
-}
-
-TEST(WebKit2, open)
-{
- // Read only directory.
- String file = testDirRead + "/testFile";
- int fd = open(file.utf8().data(), O_RDWR);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_RDONLY | O_CREAT, defaultMode);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- file = testDirRead + "/ThisFileDoesNotExist";
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == ENOENT) << "Should return ENOENT when trying " \
- "to open a file that does not exit and the permissions are OK.";
-
- fd = open(file.utf8().data(), O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES) << "Should return EACCES when trying " \
- "to open a file that does not exit and the permissions are not OK.";
-
- // Write only directory.
- file = testDirWrite + "/testFile";
- fd = open(file.utf8().data(), O_WRONLY | O_CREAT, defaultMode);
- ASSERT_NE(fd, -1);
- close(fd);
-
- fd = open(file.utf8().data(), O_RDWR);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_WRONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- // Read an write directory.
- file = testDirReadAndWrite + "/testFile";
- fd = open(file.utf8().data(), O_WRONLY | O_CREAT, defaultMode);
- ASSERT_NE(fd, -1);
- close(fd);
-
- fd = open(file.utf8().data(), O_RDWR);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = open(file.utf8().data(), O_WRONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- // NotAllowed directory.
- file = testDirNotAllowed + "/testFile";
- fd = open(file.utf8().data(), O_WRONLY | O_CREAT, defaultMode);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_RDWR);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(file.utf8().data(), O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
-
- // The /usr directory here has read permissions, so it's subdirectories
- // should resolve to the /usr permissions unless explicitly specified.
- file = usrDir + "/bin/basename";
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_NE(fd, -1) << "Subdirectories should with no policy should " \
- "inherit the parent's policies.";
- close(fd);
-
- file = usrSbinDir + "/adduser";
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES) << "This directory should have " \
- "its own policy instead of the parent's.";
-
- // Access to the rest of the files system is blocked and should
- // never return anything else other than EACCES regardless if the
- // file exists or not. The reason is because it will fallback to the
- // policy of the Root directory, marked as NotAllowed.
- file = homeDir + "/testFile";
- fd = open(file.utf8().data(), O_RDWR | O_CREAT, defaultMode);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open("/etc/passwd", O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- file = testDirReadAndWrite + "/../../../etc/passwd";
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- file = testDirReadAndWrite + "/../../.." + testDirReadAndWrite + "/../../../etc/passwd";
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- // Here we test file policies. The have precedence over directory policies.
- // The file bellow lives inside a directory with ReadAndWrite policy.
- fd = open(testFileNotAllowed.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(testFileNotAllowed.utf8().data(), O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open(testFileNotAllowed.utf8().data(), O_RDWR);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- file = testDirReadAndWrite + "/../../.." + testDirReadAndWrite + "/testFilePolicy";
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- // The next file is located inside a directory marked as NotAllowed, but
- // it has its own file policy that precedes the directory policy.
- fd = open(testFileReadAndWrite.utf8().data(), O_RDONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = open(testFileReadAndWrite.utf8().data(), O_WRONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = open(testFileReadAndWrite.utf8().data(), O_RDWR);
- EXPECT_NE(fd, -1);
- close(fd);
-
- file = testDirReadAndWrite + "/../../.." + testDirNotAllowed + "/testFilePolicy";
- fd = open(file.utf8().data(), O_RDONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-}
-
-TEST(WebKit2, creat)
-{
- // Read only directory.
- String file = testDirRead + "/testFile2";
- int fd = creat(file.utf8().data(), defaultMode);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- // Write only directory.
- file = testDirWrite + "/testFile2";
- fd = creat(file.utf8().data(), defaultMode);
- EXPECT_NE(fd, -1);
- close(fd);
-
- // Read an write directory.
- file = testDirReadAndWrite + "/testFile2";
- fd = creat(file.utf8().data(), defaultMode);
- EXPECT_NE(fd, -1);
- close(fd);
-
- // NotAllowed directory.
- file = testDirNotAllowed + "/testFile2";
- fd = creat(file.utf8().data(), defaultMode);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-}
-
-TEST(WebKit2, openat)
-{
- int dirFd = open(testDirReadAndWrite.utf8().data(), O_RDONLY);
- ASSERT_NE(dirFd, -1);
-
- int fd = openat(dirFd, "testFile3", O_RDWR | O_CREAT, defaultMode);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = openat(dirFd, "testFile3", O_RDWR);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = openat(dirFd, "testFile3", O_RDONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = openat(dirFd, "testFile3", O_WRONLY);
- EXPECT_NE(fd, -1);
-
- fd = openat(fd, "testFile3", O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == ENOTDIR) << "Should return ENOTDIR when the fd is a file.";
- close(fd);
-
- String file = "../../.." + testDirReadAndWrite + "/testFile3";
- fd = openat(dirFd, file.utf8().data(), O_WRONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- file = "../../.." + testDirRead + "/testFile3";
- fd = openat(dirFd, file.utf8().data(), O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- file = testDirReadAndWrite + "/testFile3";
- fd = openat(-1, file.utf8().data(), O_WRONLY);
- EXPECT_NE(fd, -1) << "Directory fd should be ignored when the path is absolute.";
- close(fd);
-
- fd = openat(-1, "testFile3", O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == EBADF) << "Should return EBADF when the fd is invalid.";
- close(dirFd);
-
- dirFd = open(testDirNotAllowed.utf8().data(), O_RDONLY);
- EXPECT_TRUE(dirFd == -1 && errno == EACCES);
-
- dirFd = open(testDirRead.utf8().data(), O_RDONLY);
- ASSERT_NE(dirFd, -1);
-
- fd = openat(dirFd, "testFile2", O_RDONLY | O_CREAT, defaultMode);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = openat(dirFd, "testFile", O_WRONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
- close(dirFd);
-}
-
-static void* stressTest(void*)
-{
- for (int i = 0; i < 500; ++i) {
- int fd = open("/tmp/WebKitSeccompFilters/testRead/testFile", O_RDWR);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = open("/tmp/WebKitSeccompFilters/testRead/testFile", O_RDONLY);
- EXPECT_NE(fd, -1);
- close(fd);
-
- fd = open("/tmp/WebKitSeccompFilters/testNotAllowed/testFile", O_RDONLY);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- fd = creat("/tmp/WebKitSeccompFilters/testNotAllowed/SholdNotBeAllowed", defaultMode);
- EXPECT_TRUE(fd == -1 && errno == EACCES);
-
- int dirFd = open("/tmp/WebKitSeccompFilters/testRead", O_RDONLY);
- EXPECT_NE(dirFd, -1);
-
- fd = openat(dirFd, "testFile", O_RDONLY);
- EXPECT_NE(fd, -1);
- close(fd);
- close(dirFd);
- }
-
- return 0;
-}
-
-TEST(WebKit2, threading)
-{
- // Tests if concurrent syscall execution works fine. It can be
- // also used for performance testing and leak detection. The test
- // is disabled on Debug mode because it can be way too verbose.
- pthread_t threads[5];
-
- for (int i = 0; i < sizeof(threads) / sizeof(pthread_t); ++i)
- pthread_create(&threads[i], 0, stressTest, 0);
-
- for (int i = 0; i < sizeof(threads) / sizeof(pthread_t); ++i)
- pthread_join(threads[i], 0);
-}
-
-} // namespace TestWebKitAPI
Modified: trunk/Tools/efl/jhbuild.modules (200620 => 200621)
--- trunk/Tools/efl/jhbuild.modules 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Tools/efl/jhbuild.modules 2016-05-10 14:56:00 UTC (rev 200621)
@@ -21,7 +21,6 @@
<dep package="gst-plugins-good"/>
<dep package="gst-plugins-bad"/>
<dep package="gst-libav"/>
- <dep package="libseccomp"/>
<dep package="atk"/>
<dep package="openwebrtc"/>
</dependencies>
@@ -267,13 +266,6 @@
</branch>
</autotools>
- <autotools id="libseccomp" autogen-sh="configure">
- <branch module="seccomp/libseccomp/releases/download/v2.2.3/libseccomp-2.2.3.tar.gz" version="2.2.3"
- repo="github.com"
- hash="sha256:d9b400b703cab7bb04b84b9b6e52076a630b673819d7541757bcc16467b6d49e">
- </branch>
- </autotools>
-
<autotools id="atk"
autogen-sh="configure"
autogenargs="--disable-introspection">
Modified: trunk/Tools/gtk/jhbuild.modules (200620 => 200621)
--- trunk/Tools/gtk/jhbuild.modules 2016-05-10 11:41:26 UTC (rev 200620)
+++ trunk/Tools/gtk/jhbuild.modules 2016-05-10 14:56:00 UTC (rev 200621)
@@ -33,7 +33,6 @@
<if condition-set="linux">
<dep package="xserver"/>
<dep package="mesa"/>
- <dep package="libseccomp"/>
<dep package="at-spi2-core"/>
<dep package="at-spi2-atk"/>
</if>
@@ -136,10 +135,6 @@
md5sum="f5898b29bbfd70502831a212d9249d10"/>
</autotools>
- <autotools id="libseccomp" supports-non-srcdir-builds="no" autogen-sh="./autogen.sh; ./configure">
- <branch repo="github.com" module="seccomp/libseccomp.git" tag="v2.2.3"/>
- </autotools>
-
<autotools id="gdk-pixbuf" autogen-sh="configure"
autogenargs="--disable-introspection">
<dependencies>