WebKit2

weinig Mon, 22 Apr 2013 12:46:13 -0700

Title: [148902] trunk/Source/WebKit2

Revision: 148902
Author: wei...@apple.com
Date: 2013-04-22 12:47:57 -0700 (Mon, 22 Apr 2013)

Log Message

Hard code plug-in sandbox profile lookup directories and move
the profiles to WebKit2.


Reviewed by Anders Carlsson.

* PluginProcess/EntryPoint/mac/LegacyProcess/PluginProcessMain.mm:
(WebKit::PluginProcessMainDelegate::getExtraInitializationData):
* PluginProcess/EntryPoint/mac/XPCService/PluginServiceEntryPoint.mm:
(WebKit::PluginServiceInitializerDelegate::getExtraInitializationData):
* UIProcess/Plugins/mac/PluginProcessProxyMac.mm:
(WebKit::PluginProcessProxy::platformGetLaunchOptions):
Stop passing the sandbox-profile-directory-path to the plug-in process.

* PluginProcess/mac/PluginProcessMac.mm:
(WebKit::loadSandboxProfileForDirectory):
(WebKit::loadSandboxProfile):
(WebKit::PluginProcess::initializeSandbox):
Hard code the plug-in sandbox profile lookup to only look in the WebKit2 bundle
and /System/Library/Sandbox/Profiles/.

* Resources/PlugInSandboxProfiles: Added.
Add profiles.

* WebKit2.xcodeproj/project.pbxproj:
Copy the profiles to the bundle.

Modified Paths

trunk/Source/WebKit2/ChangeLog
trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/LegacyProcess/PluginProcessMain.mm
trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/XPCService/PluginServiceEntryPoint.mm
trunk/Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm
trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginProcessProxyMac.mm
trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj

Added Paths

trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/
trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb
trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb
trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb
trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb
trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb
trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb

Diff

Modified: trunk/Source/WebKit2/ChangeLog (148901 => 148902)


--- trunk/Source/WebKit2/ChangeLog	2013-04-22 19:37:01 UTC (rev 148901)
+++ trunk/Source/WebKit2/ChangeLog	2013-04-22 19:47:57 UTC (rev 148902)
@@ -1,3 +1,31 @@
+2013-04-22  Sam Weinig  <s...@webkit.org>
+
+        Hard code plug-in sandbox profile lookup directories and move
+        the profiles to WebKit2.
+
+        Reviewed by Anders Carlsson.
+
+        * PluginProcess/EntryPoint/mac/LegacyProcess/PluginProcessMain.mm:
+        (WebKit::PluginProcessMainDelegate::getExtraInitializationData):
+        * PluginProcess/EntryPoint/mac/XPCService/PluginServiceEntryPoint.mm:
+        (WebKit::PluginServiceInitializerDelegate::getExtraInitializationData):
+        * UIProcess/Plugins/mac/PluginProcessProxyMac.mm:
+        (WebKit::PluginProcessProxy::platformGetLaunchOptions):
+        Stop passing the sandbox-profile-directory-path to the plug-in process.
+
+        * PluginProcess/mac/PluginProcessMac.mm:
+        (WebKit::loadSandboxProfileForDirectory):
+        (WebKit::loadSandboxProfile):
+        (WebKit::PluginProcess::initializeSandbox):
+        Hard code the plug-in sandbox profile lookup to only look in the WebKit2 bundle
+        and /System/Library/Sandbox/Profiles/.
+
+        * Resources/PlugInSandboxProfiles: Added.
+        Add profiles.
+
+        * WebKit2.xcodeproj/project.pbxproj:
+        Copy the profiles to the bundle.
+
 2013-04-15  Jer Noble  <jer.no...@apple.com>
 
         Refactor creation of the full screen window into an (overridable) method.

Modified: trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/LegacyProcess/PluginProcessMain.mm (148901 => 148902)


--- trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/LegacyProcess/PluginProcessMain.mm	2013-04-22 19:37:01 UTC (rev 148901)
+++ trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/LegacyProcess/PluginProcessMain.mm	2013-04-22 19:47:57 UTC (rev 148902)
@@ -87,12 +87,6 @@
             return false;
         extraInitializationData.add("plugin-path", pluginPath);
 
-        // FIXME: We should stop passing this and have it in a hard coded place. For now
-        // though, let the absence of a sandboxProfileDirectoryPath indicate no plugin
-        // sandboxing should take place.
-        String sandboxProfileDirectoryPath = m_commandLine["sandbox-profile-directory-path"];
-        extraInitializationData.add("sandbox-profile-directory-path", sandboxProfileDirectoryPath);
-
         return true;
     }

Modified: trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/XPCService/PluginServiceEntryPoint.mm (148901 => 148902)


--- trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/XPCService/PluginServiceEntryPoint.mm	2013-04-22 19:37:01 UTC (rev 148901)
+++ trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/XPCService/PluginServiceEntryPoint.mm	2013-04-22 19:47:57 UTC (rev 148902)
@@ -51,12 +51,6 @@
             return false;
         extraInitializationData.add("plugin-path", pluginPath);
 
-        // FIXME: We should stop passing this and have it in a hard coded place. For now
-        // though, let the absence of a sandboxProfileDirectoryPath indicate no plugin
-        // sandboxing should take place.
-        String sandboxProfileDirectoryPath = xpc_dictionary_get_string(extraDataInitializationDataObject, "sandbox-profile-directory-path");
-        extraInitializationData.add("sandbox-profile-directory-path", sandboxProfileDirectoryPath);
-
         return true;
     }
 };

Modified: trunk/Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm (148901 => 148902)


--- trunk/Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm	2013-04-22 19:37:01 UTC (rev 148901)
+++ trunk/Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm	2013-04-22 19:47:57 UTC (rev 148902)
@@ -280,11 +280,8 @@
     parentProcessConnection()->send(Messages::PluginProcessProxy::SetFullscreenWindowIsShowing(fullscreenWindowIsShowing), 0);
 }
 
-static String loadSandboxProfile(const String& pluginPath, const String& sandboxProfileDirectoryPath)
+static String loadSandboxProfileForDirectory(const String& pluginPath, NSString *sandboxProfileDirectoryPath)
 {
-    if (sandboxProfileDirectoryPath.isEmpty())
-        return String();
-
     RetainPtr<CFURLRef> pluginURL = adoptCF(CFURLCreateWithFileSystemPath(0, pluginPath.createCFString().get(), kCFURLPOSIXPathStyle, false));
     if (!pluginURL)
         return String();
@@ -300,7 +297,7 @@
     // Fold all / characters to : to prevent the plugin bundle-id from trying to escape the profile directory
     bundleIdentifier.replace('/', ':');
 
-    RetainPtr<CFURLRef> sandboxProfileDirectory = adoptCF(CFURLCreateWithFileSystemPath(0, sandboxProfileDirectoryPath.createCFString().get(), kCFURLPOSIXPathStyle, TRUE));
+    RetainPtr<CFURLRef> sandboxProfileDirectory = adoptCF(CFURLCreateWithFileSystemPath(0, (CFStringRef)sandboxProfileDirectoryPath, kCFURLPOSIXPathStyle, TRUE));
 
     RetainPtr<CFStringRef> sandboxFileName = adoptCF(CFStringCreateWithFormat(0, 0, CFSTR("%@.sb"), bundleIdentifier.createCFString().get()));
     RetainPtr<CFURLRef> sandboxURL = adoptCF(CFURLCreateWithFileSystemPathRelativeToBase(0, sandboxFileName.get(), kCFURLPOSIXPathStyle, FALSE, sandboxProfileDirectory.get()));
@@ -318,6 +315,21 @@
     return [commonProfileString.get() stringByAppendingString:profileString.get()];
 }
 
+static String loadSandboxProfile(const String& pluginPath)
+{
+    // First look in the WebKit2 bundle.
+    String sandboxProfile = loadSandboxProfileForDirectory(pluginPath, [[[NSBundle bundleForClass:NSClassFromString(@"WKView")] resourcePath] stringByAppendingPathComponent:@"PlugInSandboxProfiles"]);
+    if (!sandboxProfile.isEmpty())
+        return sandboxProfile;
+
+    // Then try /System/Library/Sandbox/Profiles/.
+    sandboxProfile = loadSandboxProfileForDirectory(pluginPath, @"/System/Library/Sandbox/Profiles/");
+    if (!sandboxProfile.isEmpty())
+        return sandboxProfile;
+
+    return String();
+}
+
 static void muteAudio(void)
 {
     AudioObjectPropertyAddress propertyAddress = { kAudioHardwarePropertyProcessIsAudible, kAudioObjectPropertyScopeGlobal, kAudioObjectPropertyElementMaster };
@@ -362,7 +374,7 @@
 
 void PluginProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
 {
-    String sandboxProfile = loadSandboxProfile(m_pluginPath, parameters.extraInitializationData.get("sandbox-profile-directory-path"));
+    String sandboxProfile = loadSandboxProfile(m_pluginPath);
     if (sandboxProfile.isEmpty())
         return;

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb (0 => 148902)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb	                        (rev 0)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb	2013-04-22 19:47:57 UTC (rev 148902)
@@ -0,0 +1,9 @@
+(webkit-powerbox)
+(shared-preferences-read "com.apple.quicktime.plugin.preferences")
+
+(allow file-read* file-write*
+    (home-subpath "/Library/Caches/QuickTime")
+    (home-literal "/Library/Preferences/QuickTime Preferences"))
+
+(allow network-inbound (local udp))
+(allow network-outbound (remote udp))

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb (0 => 148902)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb	                        (rev 0)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb	2013-04-22 19:47:57 UTC (rev 148902)
@@ -0,0 +1,263 @@
+(version 1)
+(deny default)
+(allow system-audit file-read-metadata)
+
+(import "system.sb")
+
+;; Utility functions
+(define (home-regex home-relative-regex)
+    (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
+
+(define (home-subpath home-relative-subpath)
+    (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
+
+(define (home-literal home-relative-literal)
+    (literal (string-append (param "HOME_DIR") home-relative-literal)))
+
+(define (shared-preferences-read . domains)
+  (for-each (lambda (domain)
+              (begin
+                (if (defined? `user-preference-read)
+                    (allow user-preference-read (preference-domain domain)))
+                ; (Temporary) backward compatibility with non-CFPreferences readers.
+                (allow file-read*
+                       (literal (string-append "/Library/Preferences/" domain ".plist"))
+                       (home-literal (string-append "/Library/Preferences/" domain ".plist"))
+                       (home-regex (string-append #"/Library/Preferences/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
+            domains))
+
+(define (shared-preferences-read-write . domains)
+  (for-each (lambda (domain)
+              (begin
+                (if (defined? `user-preference-write)
+                    (allow user-preference-read user-preference-write (preference-domain domain)))
+                ; (Temporary) backward compatibility with non-CFPreferences readers / writers.
+                (allow file-read* file-write*
+                       (literal (string-append "/Library/Preferences/" domain ".plist"))
+                       (home-literal (string-append "/Library/Preferences/" domain ".plist"))
+                       (home-regex (string-append #"/Library/Preferences/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
+            domains))
+
+
+;; Graphics
+(if (defined? 'system-graphics)
+    (system-graphics)
+    (begin
+        (shared-preferences-read
+            "com.apple.opengl"
+            "com.nvidia.OpenGL")
+        (allow mach-lookup (global-name "com.apple.cvmsServ"))
+        (allow iokit-open
+            (iokit-connection "IOAccelerator")
+            (iokit-user-client-class "IOAccelerationUserClient")
+            (iokit-user-client-class "IOSurfaceRootUserClient")
+            (iokit-user-client-class "IOSurfaceSendRight")
+            (iokit-user-client-class "IOFramebufferSharedUserClient")
+            (iokit-user-client-class "AppleSNBFBUserClient")
+            (iokit-user-client-class "AGPMClient")
+            (iokit-user-client-class "AppleGraphicsControlClient")
+            (iokit-user-client-class "AppleGraphicsPolicyClient"))))
+
+;; Read-only preferences
+(shared-preferences-read
+    ".GlobalPreferences"
+    "com.apple.Bluetooth"
+    "com.apple.QuickTime"
+    "com.apple.HIToolbox"
+    "com.apple.ATS"
+    "com.apple.driver.AppleBluetoothMultitouch.mouse"
+    "com.apple.driver.AppleBluetoothMultitouch.trackpad"
+    "com.apple.driver.AppleHIDMouse"
+    "com.apple.inputmethodkit"
+    "com.apple.iWork.Pages"
+    "com.apple.LaunchServices"
+    "com.apple.MultitouchSupport"
+    "com.apple.security"
+    "com.apple.security_common"
+    "com.apple.speech.voice.prefs"
+    "com.apple.speech.synthesis.general.prefs"
+    "com.apple.speech.recognition.AppleSpeechRecognition.prefs"
+    "com.apple.systemsound"
+    "com.apple.universalaccess"
+    "com.apple.WebFoundation"
+    "pbs"
+    "com.apple.ServicesMenu.Services")
+
+;; Read-only data
+(allow file-read*
+    (literal "/")
+    (subpath "/Library/Frameworks")
+    (subpath "/private/var/db/mds")
+
+    (regex #"^/Library/Preferences/com\.apple\.security")
+    (home-literal "/.CFUserTextEncoding")
+    (home-subpath "/Library/Audio")
+    (home-subpath "/Library/ColorPickers")
+    (home-subpath "/Library/ColorSync")
+    (home-subpath "/Library/Components")
+    (subpath "/Library/Contextual Menu Items")
+    (home-subpath "/Library/Input Methods")
+    (home-subpath "/Library/KeyBindings")
+    (home-subpath "/Library/Keyboard Layouts")
+    (subpath "/Library/Fonts")
+    (home-subpath "/Library/Fonts")
+    (subpath "/Library/Spelling")
+    (home-subpath "/Library/Spelling")
+    (subpath "/Library/PDF Services")
+    (home-subpath "/Library/PDF Services")
+    (home-literal "/Library/Preferences/QuickTime Preferences")
+
+    (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
+
+    (subpath "/Library/Audio/Plug-Ins/Components")
+    (home-subpath "/Library/Audio/Plug-Ins/Components")
+    (subpath "/Library/Audio/Plug-Ins/HAL")
+    (subpath "/Library/QuickTime")
+    (home-subpath "/Library/QuickTime")
+    (subpath "/Library/Video/Plug-Ins")
+    (home-subpath "/Library/Caches/QuickTime")
+
+    (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
+
+    (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+
+    (subpath "/Library/ColorSync")
+
+    ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+    (subpath "/Library/Keychains"))
+
+
+;; Read-write preferences and data
+(allow file*
+    (home-regex #"/Library/Preferences/com\.apple\.WebKit\.PluginProcess\.plist")
+
+    ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+    (home-subpath "/Library/Keychains"))
+
+;; IOKit user clients
+(allow iokit-open
+    (iokit-user-client-class "IOAudioControlUserClient")
+    (iokit-user-client-class "IOAudioEngineUserClient")
+    (iokit-user-client-class "IOHIDParamUserClient")
+    (iokit-user-client-class "RootDomainUserClient"))
+
+;; Various services required by AppKit and other frameworks
+(allow mach-lookup
+    (global-name "com.apple.CoreServices.coreservicesd")
+    (global-name "com.apple.DiskArbitration.diskarbitrationd")
+    (global-name "com.apple.FileCoordination")
+    (global-name "com.apple.FontObjectsServer")
+    (global-name "com.apple.FontServer")
+    (global-name "com.apple.ImageCaptureExtension2.presence")
+    (global-name "com.apple.PowerManagement.control")
+    (global-name "com.apple.SecurityServer")
+    (global-name "com.apple.SystemConfiguration.PPPController")
+    (global-name "com.apple.SystemConfiguration.configd")
+    (global-name "com.apple.UNCUserNotification")
+    (global-name "com.apple.audio.VDCAssistant")
+    (global-name "com.apple.audio.audiohald")
+    (global-name "com.apple.audio.coreaudiod")
+    (global-name "com.apple.cfnetwork.AuthBrokerAgent")
+    (global-name "com.apple.cmio.VDCAssistant")
+    (global-name "com.apple.cookied") ;; FIXME: <rdar://problem/10790768> Limit access to cookies.
+    (global-name "com.apple.ocspd")
+    (global-name "com.apple.pasteboard.1")
+    (global-name "com.apple.pbs.fetch_services")
+    (global-name "com.apple.tccd.system")
+    (global-name "com.apple.tsm.uiserver")
+    (global-name "com.apple.window_proxies")
+    (global-name "com.apple.windowserver.active")
+    (local-name "com.apple.tsm.portname")
+    (global-name-regex #"_OpenStep$"))
+
+
+;; Configuration directories
+(allow file-read* (subpath (param "PLUGIN_PATH")))
+(allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
+(allow file* (subpath (param "DARWIN_USER_TEMP_DIR")))
+(allow file* (subpath (param "DARWIN_USER_CACHE_DIR")))
+(allow file* (subpath (param "NSURL_CACHE_DIR")))
+
+
+;; Networking
+(if (defined? 'system-network)
+    (system-network)
+    (begin
+      (allow file-read* (literal "/Library/Preferences/com.apple.networkd.plist"))
+      (allow mach-lookup
+             (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+             (global-name "com.apple.networkd"))
+      (allow network-outbound
+             (control-name "com.apple.netsrc")
+             (control-name "com.apple.network.statistics"))
+      (allow system-socket
+             (require-all (socket-domain AF_SYSTEM)
+                          (socket-protocol 2)) ; SYSPROTO_CONTROL
+             (socket-domain AF_ROUTE))))
+
+(allow network-outbound
+    ;; Local mDNSResponder for DNS, arbitrary outbound TCP
+    (literal "/private/var/run/mDNSResponder")
+    (remote tcp))
+
+
+;; Open and Save panels
+(define (webkit-powerbox)
+    (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
+    (allow file-issue-extension
+        (require-all
+            (extension-class "com.apple.app-sandbox.read")
+            (extension "com.apple.app-sandbox.read-write"))
+        (require-all
+            (extension-class "com.apple.app-sandbox.read-write")
+            (extension "com.apple.app-sandbox.read-write"))))
+
+;; Printing
+(define (webkit-printing)
+    (allow network-outbound (literal "/private/var/run/cupsd"))
+    (allow mach-lookup
+        (global-name "com.apple.printuitool.agent")
+        (global-name "com.apple.printtool.agent")
+        (global-name "com.apple.printtool.daemon"))
+    (allow file-read*
+        (home-literal "/.cups/lpoptions")
+        (home-literal "/.cups/client.conf")
+        (literal "/private/etc/cups/client.conf")
+        (literal "/private/etc/cups/lpoptions")
+        (subpath "/private/etc/cups/ppd")
+        (subpath "/private/var/run/cupsd")
+        (home-literal "/Library/Preferences/org.cups.PrintingPrefs.plist")))
+
+;; Text Services Manager
+(allow iokit-set-properties (iokit-property "CapsLockDelayOverride"))
+
+;; Image Capture
+(define (webkit-imagecapture)
+    (allow appleevent-send (appleevent-destination "com.apple.imagecaptureextension2")))
+
+(allow ipc-posix-shm*
+    (ipc-posix-name-regex #"^AudioIO")
+    (ipc-posix-name-regex #"^CFPBS:")
+    (ipc-posix-name "_CS_GSHMEMLOCK")
+    (ipc-posix-name "_CS_DSHMEMLOCK"))
+
+(allow ipc-posix-shm-read*
+    (ipc-posix-name "apple.shm.notification_center"))
+
+;; Silently block access to some resources
+(deny file-read* file-write* (with no-log)
+    (home-regex #"/Library/Preferences/com\.apple\.internetconfigpriv\.plist")
+    (home-regex #"/Library/Preferences/com\.apple\.internetconfig\.plist")
+
+    ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
+    (home-literal "/Library/Caches/Cache.db")
+
+    ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
+    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
+    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
+
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.FSEvents")
+    (global-name "com.apple.coreservices.appleevents")
+    (global-name "com.apple.dock.server")
+    (global-name-regex #"^com\.apple\.distributed_notifications"))

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb (0 => 148902)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb	                        (rev 0)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb	2013-04-22 19:47:57 UTC (rev 148902)
@@ -0,0 +1,37 @@
+(allow mach-lookup
+    (global-name "com.apple.ist.ds.appleconnect2.service.admin")
+    (global-name "com.apple.ist.ds.appleconnect2.service.agent")
+    (global-name "com.apple.ist.ds.appleconnect2.service.kdctunnelcontroller")
+    (global-name "com.apple.ist.ds.appleconnect2.service.menuextra")
+    (global-name "org.h5l.kcm"))
+;; FIXME: This is explicitly being called out <rdar://problem/13481170>
+(deny mach-lookup
+    (global-name-regex #"^com\.apple\.ist\.ds\.appleconnect2\.service\..*\[[0-9]+\]$"))
+(allow mach-lookup
+    (global-name-regex #"^com\.apple\.ist\.ds\.appleconnect2\.service\.PluginProcess\[[0-9]+\]$"))
+
+(shared-preferences-read
+    "com.apple.GSS"
+    "com.apple.ist.ds.appleconnect2"
+    "com.apple.ist.ds.appleconnect2.acceptanceTest"
+    "com.apple.ist.ds.appleconnect2.production"
+    "com.apple.ist.ds.appleconnect2.uat"
+    "com.apple.Kerberos"
+    "edu.mit.Kerberos")
+
+(allow file-read*
+    (subpath "/Library/KerberosPlugins/GSSAPI")
+    (literal "/Library/Preferences/edu.mit.Kerberos")
+    (home-literal "/Library/Preferences/edu.mit.Kerberos"))
+
+(allow file-read*
+    (literal "/private/etc/services"))
+
+(if (defined? 'mach-register)
+    (allow mach-register
+        (global-name-regex #"^com\.apple\.ist\.ds\.appleconnect2\.service\.PluginProcess\[[0-9]+\]$")))
+
+(allow network-outbound
+   (remote udp "*:4160" "*:88"))
+(allow network-inbound
+   (local udp))

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb (0 => 148902)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb	                        (rev 0)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb	2013-04-22 19:47:57 UTC (rev 148902)
@@ -0,0 +1,18 @@
+(allow ipc-posix-sem (ipc-posix-name "MacromediaSemaphoreDig"))
+
+(allow file-read*
+    (home-literal "/mm.cfg")
+    (home-literal "/mms.cfg"))
+
+(deny file-read-xattr (with no-log)
+    (home-literal "/Library/Caches")
+    (home-literal "/Library/Preferences"))
+
+(allow file-read* file-write-create file-write-mode
+    (home-literal "/Library/Caches/Adobe")
+    (home-literal "/Library/Preferences/Macromedia"))
+
+(allow file-read* file-write*
+    (literal "/Library/Application Support/Macromedia/mms.cfg")
+    (home-subpath "/Library/Caches/Adobe/Flash Player")
+    (home-subpath "/Library/Preferences/Macromedia/Flash Player"))

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb (0 => 148902)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb	                        (rev 0)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb	2013-04-22 19:47:57 UTC (rev 148902)
@@ -0,0 +1,22 @@
+(allow iokit-open
+    (iokit-user-client-class "IOHIDLibUserClient")
+    (iokit-user-client-class "IOBluetoothHCIUserClient"))
+
+(shared-preferences-read
+    "com.microsoft.PlayReady"
+    "com.microsoft.autoupdate2")
+(shared-preferences-read-write "com.microsoft.silverlight")
+
+(allow file-write-create
+    (home-literal "/Library/Application Support/Microsoft"))
+
+(allow file-read* file-write*
+    ;; Sigh, mode 777 in /Library.
+    (subpath "/Library/Application Support/Microsoft/PlayReady")
+    (home-subpath "/Library/Application Support/Microsoft/PlayReady")
+    (home-subpath "/Library/Application Support/Microsoft/Silverlight")
+    (home-subpath "/Library/Caches/TemporaryItems"))
+
+;; FIXME: <rdar://problem/13636078>
+(allow ipc-posix-shm*
+    (ipc-posix-name-regex #"^CoreCLR_"))

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb (0 => 148902)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb	                        (rev 0)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb	2013-04-22 19:47:57 UTC (rev 148902)
@@ -0,0 +1,37 @@
+(allow signal network-inbound)
+(allow process-fork)
+(allow process-exec
+    (subpath "/System/Library/Java/JavaVirtualMachines")
+    (subpath "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"))
+
+(allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
+
+(allow file-read*
+    (literal "/dev/fd")
+    (literal "/usr/bin")
+    (literal "/private/etc/hosts")
+    (subpath "/Library/Java")
+    (subpath "/System/Library/Java"))
+
+(shared-preferences-read
+    "com.apple.java.JavaPreferences"
+    "com.apple.java.util.prefs")
+(shared-preferences-read-write "com.oracle.javadeployment.plist")
+
+(allow file-read* file-write*
+    (home-subpath "/Library/Saved Application State/net.java.openjdk.cmd.savedState")
+    (home-subpath "/Library/Application Support/Oracle/Java/Deployment")
+    (home-subpath "/Library/Caches/Java"))
+
+(allow file-write-create
+    (home-literal "/Library/Application Support/Oracle")
+    (home-literal "/Library/Application Support/Oracle/Java"))
+
+(allow network-bind network-outbound (subpath (param "DARWIN_USER_TEMP_DIR")))
+
+(deny mach-lookup (with no-log)
+    (global-name "com.apple.ls.boxd")
+    (global-name-regex #"^PlaceHolderServerName-"))
+
+(deny job-creation (with no-log))
+(deny file-write* (with no-log) (subpath "/Library/Application Support/Oracle"))

Modified: trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginProcessProxyMac.mm (148901 => 148902)


--- trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginProcessProxyMac.mm	2013-04-22 19:37:01 UTC (rev 148901)
+++ trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginProcessProxyMac.mm	2013-04-22 19:47:57 UTC (rev 148902)
@@ -53,8 +53,6 @@
 
 @end
 
-NSString * const WebKit2PlugInSandboxProfileDirectoryPathKey = @"WebKit2PlugInSandboxProfileDirectoryPath";
-
 using namespace WebCore;
 
 namespace WebKit {
@@ -140,14 +138,8 @@
 {
     launchOptions.architecture = pluginInfo.pluginArchitecture;
     launchOptions.executableHeap = PluginProcessProxy::pluginNeedsExecutableHeap(pluginInfo);
-
     launchOptions.extraInitializationData.add("plugin-path", pluginInfo.path);
 
-    // FIXME: We should rip this out once we have a good place to install plug-in sandbox profiles.
-    NSString* sandboxProfileDirectoryPath = [[NSUserDefaults standardUserDefaults] stringForKey:WebKit2PlugInSandboxProfileDirectoryPathKey];
-    if (sandboxProfileDirectoryPath)
-        launchOptions.extraInitializationData.add("sandbox-profile-directory-path", String(sandboxProfileDirectoryPath));
-
 #if HAVE(XPC)
     launchOptions.useXPC = shouldUseXPC();
 #endif

Modified: trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj (148901 => 148902)


--- trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj	2013-04-22 19:37:01 UTC (rev 148901)
+++ trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj	2013-04-22 19:47:57 UTC (rev 148902)
@@ -11,7 +11,7 @@
 			isa = PBXAggregateTarget;
 			buildConfigurationList = 1A50DB48110A3C27000D3FE5 /* Build configuration list for PBXAggregateTarget "All" */;
 			buildPhases = (
-				1A50DB70110A3D67000D3FE5 /* CopyFiles */,
+				1A50DB70110A3D67000D3FE5 /* Copy Files */,
 				BCFFCA8A160D6DEA003DF315 /* Add XPCServices symlink */,
 				BCFFCA8B160D6E7B003DF315 /* Copy XPC services for engineering builds */,
 			);
@@ -146,7 +146,7 @@
 		1A4A9C5612B816CF008FE984 /* NetscapePluginModule.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A4A9C5412B816CF008FE984 /* NetscapePluginModule.h */; };
 		1A4A9C9A12B821CD008FE984 /* NetscapePluginModuleMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = 1A4A9C9912B821CD008FE984 /* NetscapePluginModuleMac.mm */; };
 		1A4A9F3312B844E2008FE984 /* PluginQuirks.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A4A9F3112B844E2008FE984 /* PluginQuirks.h */; };
-		1A50DB66110A3D57000D3FE5 /* WebProcess.app in CopyFiles */ = {isa = PBXBuildFile; fileRef = 1A50DB1E110A3BDC000D3FE5 /* WebProcess.app */; };
+		1A50DB66110A3D57000D3FE5 /* WebProcess.app in Copy Files */ = {isa = PBXBuildFile; fileRef = 1A50DB1E110A3BDC000D3FE5 /* WebProcess.app */; };
 		1A594ABA112A1FB6009DE7C7 /* WebUIClient.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1A594AB8112A1FB6009DE7C7 /* WebUIClient.cpp */; };
 		1A594ABB112A1FB6009DE7C7 /* WebUIClient.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A594AB9112A1FB6009DE7C7 /* WebUIClient.h */; };
 		1A5E4DA412D3BD3D0099A2BB /* TextCheckerState.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A5E4DA312D3BD3D0099A2BB /* TextCheckerState.h */; };
@@ -404,7 +404,7 @@
 		51021E9C12B16788005C033C /* WebContextMenuClientMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = 51021E9B12B16788005C033C /* WebContextMenuClientMac.mm */; };
 		510AFFB916542048001BA05E /* WebResourceLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 510AFFB716542048001BA05E /* WebResourceLoader.cpp */; };
 		510AFFBA16542048001BA05E /* WebResourceLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 510AFFB816542048001BA05E /* WebResourceLoader.h */; };
-		510CC8491613C85C00D03ED3 /* NetworkProcess.app in CopyFiles */ = {isa = PBXBuildFile; fileRef = 510CC80E1613C79900D03ED3 /* NetworkProcess.app */; };
+		510CC8491613C85C00D03ED3 /* NetworkProcess.app in Copy Files */ = {isa = PBXBuildFile; fileRef = 510CC80E1613C79900D03ED3 /* NetworkProcess.app */; };
 		510FBB9A1288C95E00AFFDF4 /* WebContextMenuItemData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 510FBB981288C95E00AFFDF4 /* WebContextMenuItemData.cpp */; };
 		510FBB9B1288C95E00AFFDF4 /* WebContextMenuItemData.h in Headers */ = {isa = PBXBuildFile; fileRef = 510FBB991288C95E00AFFDF4 /* WebContextMenuItemData.h */; };
 		5110AE0C133C16CB0072717A /* WKIconDatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5110AE0A133C16CB0072717A /* WKIconDatabase.cpp */; };
@@ -569,6 +569,12 @@
 		762B748D120BC75C00819339 /* WKPreferencesPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = 762B7484120BBA2D00819339 /* WKPreferencesPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		7801C099142290C400FAF9AF /* WebHitTestResult.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7801C095142290C400FAF9AF /* WebHitTestResult.cpp */; };
 		7801C09A142290C400FAF9AF /* WebHitTestResult.h in Headers */ = {isa = PBXBuildFile; fileRef = 7801C096142290C400FAF9AF /* WebHitTestResult.h */; };
+		7CB16FEF1724BA23007A0A95 /* com.apple.ist.ds.appleconnect.webplugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = 7CB16FE21724B9B5007A0A95 /* com.apple.ist.ds.appleconnect.webplugin.sb */; };
+		7CB16FF01724BA24007A0A95 /* com.apple.QuickTime Plugin.plugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = 7CB16FE31724B9B5007A0A95 /* com.apple.QuickTime Plugin.plugin.sb */; };
+		7CB16FF11724BA26007A0A95 /* com.apple.WebKit.plugin-common.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = 7CB16FE41724B9B5007A0A95 /* com.apple.WebKit.plugin-common.sb */; };
+		7CB16FF21724BA28007A0A95 /* com.macromedia.Flash Player.plugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = 7CB16FE51724B9B5007A0A95 /* com.macromedia.Flash Player.plugin.sb */; };
+		7CB16FF31724BA2F007A0A95 /* com.microsoft.SilverlightPlugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = 7CB16FE61724B9B5007A0A95 /* com.microsoft.SilverlightPlugin.sb */; };
+		7CB16FF41724BA30007A0A95 /* com.oracle.java.JavaAppletPlugin.sb in Copy Plug-in Sandbox Profiles */ = {isa = PBXBuildFile; fileRef = 7CB16FE71724B9B5007A0A95 /* com.oracle.java.JavaAppletPlugin.sb */; };
 		8CFECE941490F140002AAA32 /* EditorState.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 8CFECE931490F140002AAA32 /* EditorState.cpp */; };
 		8DC2EF530486A6940098B216 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 089C1666FE841158C02AAC07 /* InfoPlist.strings */; };
 		909854EC12BC4E17000AD080 /* WebMemorySampler.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 905620E812BC248B000799B6 /* WebMemorySampler.cpp */; };
@@ -918,7 +924,7 @@
 		BCAF35E816CA253B00D4E9FC /* OfflineStorageProcessCreationParameters.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BCAF35E616CA253B00D4E9FC /* OfflineStorageProcessCreationParameters.cpp */; };
 		BCAF35E916CA253B00D4E9FC /* OfflineStorageProcessCreationParameters.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BCAF35E616CA253B00D4E9FC /* OfflineStorageProcessCreationParameters.cpp */; };
 		BCAF35EA16CA253B00D4E9FC /* OfflineStorageProcessCreationParameters.h in Headers */ = {isa = PBXBuildFile; fileRef = BCAF35E716CA253B00D4E9FC /* OfflineStorageProcessCreationParameters.h */; };
-		BCAF361B16CA285400D4E9FC /* OfflineStorageProcess.app in CopyFiles */ = {isa = PBXBuildFile; fileRef = BCAF359A16CA1D5700D4E9FC /* OfflineStorageProcess.app */; };
+		BCAF361B16CA285400D4E9FC /* OfflineStorageProcess.app in Copy Files */ = {isa = PBXBuildFile; fileRef = BCAF359A16CA1D5700D4E9FC /* OfflineStorageProcess.app */; };
 		BCAF361C16CA286700D4E9FC /* com.apple.WebKit.OfflineStorage.sb in Resources */ = {isa = PBXBuildFile; fileRef = BCAF361516CA274000D4E9FC /* com.apple.WebKit.OfflineStorage.sb */; };
 		BCAF361D16CA28C100D4E9FC /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BC3DE46815A91763008D26FC /* Foundation.framework */; };
 		BCAF361E16CA28C500D4E9FC /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BC3DE46815A91763008D26FC /* Foundation.framework */; };
@@ -1003,7 +1009,7 @@
 		BCDE059B11CDA8AE00E41AF1 /* WebContextInjectedBundleClient.h in Headers */ = {isa = PBXBuildFile; fileRef = BCDE059911CDA8AE00E41AF1 /* WebContextInjectedBundleClient.h */; };
 		BCDE059C11CDA8AE00E41AF1 /* WebContextInjectedBundleClient.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BCDE059A11CDA8AE00E41AF1 /* WebContextInjectedBundleClient.cpp */; };
 		BCDE093D13272496001259FB /* PluginProcessShim.dylib in Copy Plug-in Process Shim */ = {isa = PBXBuildFile; fileRef = 1AC25FB012A48EA700BD2671 /* PluginProcessShim.dylib */; };
-		BCDE0ABF13272708001259FB /* PluginProcess.app in CopyFiles */ = {isa = PBXBuildFile; fileRef = BCDE094213272496001259FB /* PluginProcess.app */; };
+		BCDE0ABF13272708001259FB /* PluginProcess.app in Copy Files */ = {isa = PBXBuildFile; fileRef = BCDE094213272496001259FB /* PluginProcess.app */; };
 		BCE0937714FB128C001138D9 /* LayerHostingContext.mm in Sources */ = {isa = PBXBuildFile; fileRef = BCE0937514FB128B001138D9 /* LayerHostingContext.mm */; };
 		BCE0937814FB128C001138D9 /* LayerHostingContext.h in Headers */ = {isa = PBXBuildFile; fileRef = BCE0937614FB128B001138D9 /* LayerHostingContext.h */; };
 		BCE0E425168B7A280057E66A /* WebProcessSupplement.h in Headers */ = {isa = PBXBuildFile; fileRef = BCE0E424168B7A280057E66A /* WebProcessSupplement.h */; };
@@ -1340,17 +1346,18 @@
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXCopyFilesBuildPhase section */
-		1A50DB70110A3D67000D3FE5 /* CopyFiles */ = {
+		1A50DB70110A3D67000D3FE5 /* Copy Files */ = {
 			isa = PBXCopyFilesBuildPhase;
 			buildActionMask = 2147483647;
 			dstPath = WebKit2.framework;
 			dstSubfolderSpec = 1;
 			files = (
-				510CC8491613C85C00D03ED3 /* NetworkProcess.app in CopyFiles */,
-				BCDE0ABF13272708001259FB /* PluginProcess.app in CopyFiles */,
-				1A50DB66110A3D57000D3FE5 /* WebProcess.app in CopyFiles */,
-				BCAF361B16CA285400D4E9FC /* OfflineStorageProcess.app in CopyFiles */,
+				510CC8491613C85C00D03ED3 /* NetworkProcess.app in Copy Files */,
+				BCDE0ABF13272708001259FB /* PluginProcess.app in Copy Files */,
+				1A50DB66110A3D57000D3FE5 /* WebProcess.app in Copy Files */,
+				BCAF361B16CA285400D4E9FC /* OfflineStorageProcess.app in Copy Files */,
 			);
+			name = "Copy Files";
 			runOnlyForDeploymentPostprocessing = 0;
 		};
 		5183B38F1379F56800E8754E /* Copy Sec Item Shim */ = {
@@ -1375,6 +1382,22 @@
 			name = "Copy Message Generation Scripts";
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+		7CB16FEE1724BA05007A0A95 /* Copy Plug-in Sandbox Profiles */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 2147483647;
+			dstPath = PlugInSandboxProfiles;
+			dstSubfolderSpec = 7;
+			files = (
+				7CB16FEF1724BA23007A0A95 /* com.apple.ist.ds.appleconnect.webplugin.sb in Copy Plug-in Sandbox Profiles */,
+				7CB16FF01724BA24007A0A95 /* com.apple.QuickTime Plugin.plugin.sb in Copy Plug-in Sandbox Profiles */,
+				7CB16FF21724BA28007A0A95 /* com.macromedia.Flash Player.plugin.sb in Copy Plug-in Sandbox Profiles */,
+				7CB16FF31724BA2F007A0A95 /* com.microsoft.SilverlightPlugin.sb in Copy Plug-in Sandbox Profiles */,
+				7CB16FF41724BA30007A0A95 /* com.oracle.java.JavaAppletPlugin.sb in Copy Plug-in Sandbox Profiles */,
+				7CB16FF11724BA26007A0A95 /* com.apple.WebKit.plugin-common.sb in Copy Plug-in Sandbox Profiles */,
+			);
+			name = "Copy Plug-in Sandbox Profiles";
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 		BCDE093C13272496001259FB /* Copy Plug-in Process Shim */ = {
 			isa = PBXCopyFilesBuildPhase;
 			buildActionMask = 2147483647;
@@ -1994,6 +2017,12 @@
 		762B7484120BBA2D00819339 /* WKPreferencesPrivate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKPreferencesPrivate.h; sourceTree = "<group>"; };
 		7801C095142290C400FAF9AF /* WebHitTestResult.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebHitTestResult.cpp; sourceTree = "<group>"; };
 		7801C096142290C400FAF9AF /* WebHitTestResult.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebHitTestResult.h; sourceTree = "<group>"; };
+		7CB16FE21724B9B5007A0A95 /* com.apple.ist.ds.appleconnect.webplugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.ist.ds.appleconnect.webplugin.sb; sourceTree = "<group>"; };
+		7CB16FE31724B9B5007A0A95 /* com.apple.QuickTime Plugin.plugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "com.apple.QuickTime Plugin.plugin.sb"; sourceTree = "<group>"; };
+		7CB16FE41724B9B5007A0A95 /* com.apple.WebKit.plugin-common.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "com.apple.WebKit.plugin-common.sb"; sourceTree = "<group>"; };
+		7CB16FE51724B9B5007A0A95 /* com.macromedia.Flash Player.plugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "com.macromedia.Flash Player.plugin.sb"; sourceTree = "<group>"; };
+		7CB16FE61724B9B5007A0A95 /* com.microsoft.SilverlightPlugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.microsoft.SilverlightPlugin.sb; sourceTree = "<group>"; };
+		7CB16FE71724B9B5007A0A95 /* com.oracle.java.JavaAppletPlugin.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.oracle.java.JavaAppletPlugin.sb; sourceTree = "<group>"; };
 		8CFECE931490F140002AAA32 /* EditorState.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EditorState.cpp; sourceTree = "<group>"; };
 		8DC2EF5A0486A6940098B216 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		8DC2EF5B0486A6940098B216 /* WebKit2.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = WebKit2.framework; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -2862,6 +2891,7 @@
 		089C1665FE841158C02AAC07 /* Resources */ = {
 			isa = PBXGroup;
 			children = (
+				7CB16FE11724B9B5007A0A95 /* PlugInSandboxProfiles */,
 				6D8A91A511F0EFD100DD01FE /* com.apple.WebProcess.sb.in */,
 				1CBC945D16515ED200D68AAE /* DockBottom.pdf */,
 				1CB75C931701E880009F809F /* DockRight.pdf */,
@@ -3700,6 +3730,20 @@
 			name = mac;
 			sourceTree = "<group>";
 		};
+		7CB16FE11724B9B5007A0A95 /* PlugInSandboxProfiles */ = {
+			isa = PBXGroup;
+			children = (
+				7CB16FE21724B9B5007A0A95 /* com.apple.ist.ds.appleconnect.webplugin.sb */,
+				7CB16FE31724B9B5007A0A95 /* com.apple.QuickTime Plugin.plugin.sb */,
+				7CB16FE41724B9B5007A0A95 /* com.apple.WebKit.plugin-common.sb */,
+				7CB16FE51724B9B5007A0A95 /* com.macromedia.Flash Player.plugin.sb */,
+				7CB16FE61724B9B5007A0A95 /* com.microsoft.SilverlightPlugin.sb */,
+				7CB16FE71724B9B5007A0A95 /* com.oracle.java.JavaAppletPlugin.sb */,
+			);
+			name = PlugInSandboxProfiles;
+			path = Resources/PlugInSandboxProfiles;
+			sourceTree = "<group>";
+		};
 		9394AE411702B25B00344232 /* mac */ = {
 			isa = PBXGroup;
 			children = (
@@ -5759,6 +5803,7 @@
 			buildPhases = (
 				8DC2EF500486A6940098B216 /* Headers */,
 				8DC2EF520486A6940098B216 /* Resources */,
+				7CB16FEE1724BA05007A0A95 /* Copy Plug-in Sandbox Profiles */,
 				5D1A239015E75B100023E981 /* Copy Message Generation Scripts */,
 				5D1A239215E760590023E981 /* Remove Compiled Python Files */,
 				8DC2EF540486A6940098B216 /* Sources */,

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

[webkit-changes] [148902] trunk/Source/WebKit2

Log Message

Modified Paths

Added Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (148901 => 148902)

Modified: trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/LegacyProcess/PluginProcessMain.mm (148901 => 148902)

Modified: trunk/Source/WebKit2/PluginProcess/EntryPoint/mac/XPCService/PluginServiceEntryPoint.mm (148901 => 148902)

Modified: trunk/Source/WebKit2/PluginProcess/mac/PluginProcessMac.mm (148901 => 148902)

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb (0 => 148902)

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb (0 => 148902)

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb (0 => 148902)

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb (0 => 148902)

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb (0 => 148902)

Added: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb (0 => 148902)

Modified: trunk/Source/WebKit2/UIProcess/Plugins/mac/PluginProcessProxyMac.mm (148901 => 148902)

Modified: trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj (148901 => 148902)

Reply via email to