Diff
Modified: trunk/ChangeLog (242708 => 242709)
--- trunk/ChangeLog 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/ChangeLog 2019-03-11 16:47:21 UTC (rev 242709)
@@ -1,3 +1,14 @@
+2019-03-11 Michael Catanzaro <mcatanz...@igalia.com>
+
+ [WPE] Enable web process sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=195169
+
+ Reviewed by Daniel Bates.
+
+ * Source/cmake/BubblewrapSandboxChecks.cmake: Added.
+ * Source/cmake/OptionsGTK.cmake:
+ * Source/cmake/OptionsWPE.cmake:
+
2019-03-07 Commit Queue <commit-qu...@webkit.org>
Unreviewed, rolling out r242354.
Modified: trunk/Source/WebKit/ChangeLog (242708 => 242709)
--- trunk/Source/WebKit/ChangeLog 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Source/WebKit/ChangeLog 2019-03-11 16:47:21 UTC (rev 242709)
@@ -1,3 +1,14 @@
+2019-03-11 Michael Catanzaro <mcatanz...@igalia.com>
+
+ [WPE] Enable web process sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=195169
+
+ Reviewed by Daniel Bates.
+
+ * PlatformWPE.cmake:
+ * UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
+ (WebKit::bubblewrapSpawn):
+
2019-03-11 Truitt Savell <tsav...@apple.com>
Unreviewed, rolling out r242697.
Modified: trunk/Source/WebKit/PlatformWPE.cmake (242708 => 242709)
--- trunk/Source/WebKit/PlatformWPE.cmake 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Source/WebKit/PlatformWPE.cmake 2019-03-11 16:47:21 UTC (rev 242709)
@@ -16,6 +16,7 @@
add_definitions(-DWEBKIT2_COMPILATION)
+add_definitions(-DLIBDIR="${LIB_INSTALL_DIR}")
add_definitions(-DPKGLIBDIR="${LIB_INSTALL_DIR}/wpe-webkit-${WPE_API_VERSION}")
add_definitions(-DPKGLIBEXECDIR="${LIBEXEC_INSTALL_DIR}")
add_definitions(-DDATADIR="${CMAKE_INSTALL_FULL_DATADIR}")
@@ -279,6 +280,7 @@
${GLIB_INCLUDE_DIRS}
${GSTREAMER_INCLUDE_DIRS}
${HARFBUZZ_INCLUDE_DIRS}
+ ${LIBSECCOMP_INCLUDE_DIRS}
${LIBSOUP_INCLUDE_DIRS}
${WPE_INCLUDE_DIRS}
)
@@ -291,6 +293,7 @@
${GLIB_GMODULE_LIBRARIES}
${GSTREAMER_LIBRARIES}
${HARFBUZZ_LIBRARIES}
+ ${LIBSECCOMP_LIBRARIES}
${LIBSOUP_LIBRARIES}
${WPE_LIBRARIES}
)
Modified: trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (242708 => 242709)
--- trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-03-11 16:47:21 UTC (rev 242709)
@@ -668,11 +668,13 @@
{
ASSERT(launcher);
+#if ENABLE(NETSCAPE_PLUGIN_API)
// It is impossible to know what access arbitrary plugins need and since it is for legacy
// reasons lets just leave it unsandboxed.
if (launchOptions.processType == ProcessLauncher::ProcessType::Plugin64
|| launchOptions.processType == ProcessLauncher::ProcessType::Plugin32)
return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
+#endif
// For now we are just considering the network process trusted as it
// requires a lot of access but doesn't execute arbitrary code like
Added: trunk/Source/cmake/BubblewrapSandboxChecks.cmake (0 => 242709)
--- trunk/Source/cmake/BubblewrapSandboxChecks.cmake (rev 0)
+++ trunk/Source/cmake/BubblewrapSandboxChecks.cmake 2019-03-11 16:47:21 UTC (rev 242709)
@@ -0,0 +1,31 @@
+if (ENABLE_BUBBLEWRAP_SANDBOX)
+ find_program(BWRAP_EXECUTABLE bwrap)
+ if (NOT BWRAP_EXECUTABLE)
+ message(FATAL_ERROR "bwrap executable is needed for ENABLE_BUBBLEWRAP_SANDBOX")
+ endif ()
+ add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}")
+
+ execute_process(
+ COMMAND "${BWRAP_EXECUTABLE}" --version
+ RESULT_VARIABLE BWRAP_RET
+ OUTPUT_VARIABLE BWRAP_OUTPUT
+ )
+ if (BWRAP_RET)
+ message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}")
+ endif ()
+ string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" BWRAP_VERSION "${BWRAP_OUTPUT}")
+ if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1")
+ message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found")
+ endif ()
+
+ find_package(Libseccomp)
+ if (NOT LIBSECCOMP_FOUND)
+ message(FATAL_ERROR "libseccomp is needed for ENABLE_BUBBLEWRAP_SANDBOX")
+ endif ()
+
+ find_program(DBUS_PROXY_EXECUTABLE xdg-dbus-proxy)
+ if (NOT DBUS_PROXY_EXECUTABLE)
+ message(FATAL_ERROR "xdg-dbus-proxy not found and is needed for ENABLE_BUBBLEWRAP_SANDBOX")
+ endif ()
+ add_definitions(-DDBUS_PROXY_EXECUTABLE="${DBUS_PROXY_EXECUTABLE}")
+endif ()
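Review bot: The absolute paths that `find_program` returns for bwrap and xdg-dbus-proxy are compiled into WebKit through `add_definitions`, and the `--version` probe runs that same build-machine binary, so both reflect the configure-time PATH rather than the system where the sandbox will run. For cross-compiled or packaged WPE builds the baked-in path may not exist on the target, or may sit in a build prefix that an unprivileged user can write to. A comment above the first `find_program` would help, for example `# Packagers and cross builds: pass -DBWRAP_EXECUTABLE=<target path> and -DDBUS_PROXY_EXECUTABLE=<target path>; these paths are compiled into the launcher.` Separately, the dots in `"([0-9]+.[0-9]+.[0-9]+)"` are unescaped and match any character, so `"([0-9]+\\.[0-9]+\\.[0-9]+)"` is stricter; when nothing matches, `BWRAP_VERSION` is empty and the error reads "but  found".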
Modified: trunk/Source/cmake/OptionsGTK.cmake (242708 => 242709)
--- trunk/Source/cmake/OptionsGTK.cmake 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Source/cmake/OptionsGTK.cmake 2019-03-11 16:47:21 UTC (rev 242709)
@@ -123,7 +123,7 @@
if (CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT EXISTS "/.flatpak-info")
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC ON)
else ()
- WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PRIVATE OFF)
+ WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC OFF)
endif ()
# Enable variation fonts when cairo >= 1.16, fontconfig >= 2.13.0, freetype >= 2.9.0 and harfbuzz >= 1.4.2.
@@ -215,38 +215,6 @@
endif ()
endif ()
-if (ENABLE_BUBBLEWRAP_SANDBOX)
- find_program(BWRAP_EXECUTABLE bwrap)
- if (NOT BWRAP_EXECUTABLE)
- message(FATAL_ERROR "bwrap executable is needed for ENABLE_BUBBLEWRAP_SANDBOX")
- endif ()
- add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}")
-
- execute_process(
- COMMAND "${BWRAP_EXECUTABLE}" --version
- RESULT_VARIABLE BWRAP_RET
- OUTPUT_VARIABLE BWRAP_OUTPUT
- )
- if (BWRAP_RET)
- message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}")
- endif ()
- string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" BWRAP_VERSION "${BWRAP_OUTPUT}")
- if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1")
- message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found")
- endif ()
-
- find_package(Libseccomp)
- if (NOT LIBSECCOMP_FOUND)
- message(FATAL_ERROR "libseccomp is needed for ENABLE_BUBBLEWRAP_SANDBOX")
- endif ()
-
- find_program(DBUS_PROXY_EXECUTABLE xdg-dbus-proxy)
- if (NOT DBUS_PROXY_EXECUTABLE)
- message(FATAL_ERROR "xdg-dbus-proxy not found and is needed for ENABLE_BUBBLEWRAP_SANDBOX")
- endif ()
- add_definitions(-DDBUS_PROXY_EXECUTABLE="${DBUS_PROXY_EXECUTABLE}")
-endif ()
-
if (USE_LIBSECRET)
find_package(Libsecret)
if (NOT LIBSECRET_FOUND)
@@ -470,4 +438,5 @@
endif ()
endmacro()
+include(BubblewrapSandboxChecks)
include(GStreamerChecks)
Modified: trunk/Source/cmake/OptionsWPE.cmake (242708 => 242709)
--- trunk/Source/cmake/OptionsWPE.cmake 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Source/cmake/OptionsWPE.cmake 2019-03-11 16:47:21 UTC (rev 242709)
@@ -86,6 +86,12 @@
WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_MINIBROWSER PUBLIC ON)
endif ()
+if (CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT EXISTS "/.flatpak-info")
+ WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC ON)
+else ()
+ WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC OFF)
+endif ()
+
# Enable variation fonts when cairo >= 1.16, fontconfig >= 2.13.0, freetype >= 2.9.0 and harfbuzz >= 1.4.2.
if (("${PC_CAIRO_VERSION}" VERSION_GREATER "1.16.0" OR "${PC_CAIRO_VERSION}" STREQUAL "1.16.0")
AND ("${PC_FONTCONFIG_VERSION}" VERSION_GREATER "2.13.0" OR "${PC_FONTCONFIG_VERSION}" STREQUAL "2.13.0")
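Review bot: The default set by the added `if`/`else` depends on whether `/.flatpak-info` exists on the machine running CMake, and that deserves a comment because it decides whether the web process sandbox is on by default. Something like `# Sandbox defaults to ON only for Linux builds configured outside a Flatpak environment; this is checked at configure time on the build machine.` above the `if` would make that explicit. The same block already exists in OptionsGTK.cmake, so the two copies will have to be kept in step. Whether it can move into a shared file depends on where WEBKIT_OPTION_DEFAULT_PORT_VALUE must be called, which is not visible in this hunk.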
@@ -183,4 +189,5 @@
set(WPE_PKGCONFIG_FILE ${CMAKE_BINARY_DIR}/wpe-webkit-${WPE_API_VERSION}.pc)
set(WPEWebExtension_PKGCONFIG_FILE ${CMAKE_BINARY_DIR}/wpe-web-extension-${WPE_API_VERSION}.pc)
+include(BubblewrapSandboxChecks)
include(GStreamerChecks)
Modified: trunk/Tools/ChangeLog (242708 => 242709)
--- trunk/Tools/ChangeLog 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Tools/ChangeLog 2019-03-11 16:47:21 UTC (rev 242709)
@@ -1,3 +1,13 @@
+2019-03-11 Michael Catanzaro <mcatanz...@igalia.com>
+
+ [WPE] Enable web process sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=195169
+
+ Reviewed by Daniel Bates.
+
+ * wpe/install-dependencies:
+ * wpe/jhbuild.modules:
+
2019-03-11 Aakash Jain <aakash_j...@apple.com>
[ews-app] Use port 17000 for worker communication
Modified: trunk/Tools/wpe/install-dependencies (242708 => 242709)
--- trunk/Tools/wpe/install-dependencies 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Tools/wpe/install-dependencies 2019-03-11 16:47:21 UTC (rev 242709)
@@ -58,6 +58,7 @@
automake \
autopoint \
autotools-dev \
+ bubblewrap \
cmake \
g++ \
gawk \
@@ -77,6 +78,7 @@
libjpeg-dev \
libfile-copy-recursive-perl \
$(aptIfElse libpng-dev libpng12-dev) \
+ libseccomp-dev \
libsqlite3-dev \
libtasn1-6-dev \
libtool \
@@ -148,6 +150,7 @@
alsa-lib \
autoconf \
automake \
+ bubblewrap \
cmake \
file \
findutils \
@@ -168,6 +171,7 @@
libevent \
libjpeg-turbo \
libpng \
+ libseccomp \
libtasn1 \
libtool \
libwebp \
@@ -247,6 +251,7 @@
autoconf \
automake \
alsa-lib-devel \
+ bubblewrap \
cmake \
gcc-c++ \
gnutls-devel \
@@ -261,6 +266,7 @@
libicu-devel \
libjpeg-turbo-devel \
libpng-devel \
+ libseccomp-devel \
libtasn1-devel \
libtool \
libwebp-devel \
Modified: trunk/Tools/wpe/jhbuild.modules (242708 => 242709)
--- trunk/Tools/wpe/jhbuild.modules 2019-03-11 16:40:55 UTC (rev 242708)
+++ trunk/Tools/wpe/jhbuild.modules 2019-03-11 16:47:21 UTC (rev 242709)
@@ -26,6 +26,7 @@
<dep package="libepoxy"/>
<dep package="wayland-protocols"/>
<dep package="openjpeg"/>
+ <dep package="xdg-dbus-proxy"/>
</dependencies>
</metamodule>
@@ -265,4 +266,15 @@
</dependencies>
</distutils>
+ <autotools id="xdg-dbus-proxy" autogen-sh="configure">
+ <branch repo="github-tarball"
+ version="0.1.0"
+ module="flatpak/xdg-dbus-proxy/releases/download/${version}/xdg-dbus-proxy-${version}.tar.xz"
+ checkoutdir="xdg-dbus-proxy-${version}"
+ hash="sha256:9eefd30fe66940c8daf0e8ce6479307694814edb8b636caeb5aa6d6a46a4bc14"/>
+ <dependencies>
+ <dep package="glib"/>
+ </dependencies>
+ </autotools>
+
</moduleset>