Title: [149217] trunk/Source/WebKit2
Revision
149217
Author
a...@apple.com
Date
2013-04-26 15:22:53 -0700 (Fri, 26 Apr 2013)

Log Message

2013-04-26  Simon Cooper  <scoo...@apple.com>

        Permit ~/Library or ~/Library/Preferences to be symlinks
        https://bugs.webkit.org/show_bug.cgi?id=115142
        <rdar://problem/12953603>

        Reviewed by Alexey Proskuryakov.

        Pass in two new parameters which are the resolved paths to ~/Library
        and ~/Library/Preferences. Added new expansion functions and
        substituted the new functions for home-regex, home-subpath and
        home-literal for places referencing resources in "~/Library" or
        "~/Library/Preferences".

        * Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb:
        * Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
        * Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb:
        * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:
        * Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb:
        * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
        * Shared/mac/ChildProcessMac.mm:
        (WebKit::ChildProcess::initializeSandbox):

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (149216 => 149217)


--- trunk/Source/WebKit2/ChangeLog	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/ChangeLog	2013-04-26 22:22:53 UTC (rev 149217)
@@ -1,3 +1,26 @@
+2013-04-26  Simon Cooper  <scoo...@apple.com>
+
+        Permit ~/Library or ~/Library/Preferences to be symlinks
+        https://bugs.webkit.org/show_bug.cgi?id=115142
+        <rdar://problem/12953603>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Pass in two new parameters which are the resolved paths to ~/Library
+        and ~/Library/Preferences. Added new expansion functions and
+        substituted the new functions for home-regex, home-subpath and
+        home-literal for places referencing resources in "~/Library" or
+        "~/Library/Preferences".
+
+        * Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb:
+        * Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
+        * Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb:
+        * Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:
+        * Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb:
+        * Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
+        * Shared/mac/ChildProcessMac.mm:
+        (WebKit::ChildProcess::initializeSandbox):
+
 2013-04-26  Alexey Proskuryakov  <a...@apple.com>
 
         [WK2] WKContextClient doesn't need to be versioned yet

Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb (149216 => 149217)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.QuickTime Plugin.plugin.sb	2013-04-26 22:22:53 UTC (rev 149217)
@@ -2,8 +2,8 @@
 (shared-preferences-read "com.apple.quicktime.plugin.preferences")
 
 (allow file-read* file-write*
-    (home-subpath "/Library/Caches/QuickTime")
-    (home-literal "/Library/Preferences/QuickTime Preferences"))
+    (home-library-subpath "/Caches/QuickTime")
+    (home-library-preferences-literal "/QuickTime Preferences"))
 
 (allow network-inbound (local udp))
 (allow network-outbound (remote udp))

Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb (149216 => 149217)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb	2013-04-26 22:22:53 UTC (rev 149217)
@@ -5,15 +5,27 @@
 (import "system.sb")
 
 ;; Utility functions
-(define (home-regex home-relative-regex)
-    (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
-
-(define (home-subpath home-relative-subpath)
-    (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
-
 (define (home-literal home-relative-literal)
     (literal (string-append (param "HOME_DIR") home-relative-literal)))
 
+(define (home-library-regex home-library-relative-regex)
+    (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_DIR")) home-library-relative-regex)))
+
+(define (home-library-subpath home-library-relative-subpath)
+    (subpath (string-append (param "HOME_LIBRARY_DIR") home-library-relative-subpath)))
+
+(define (home-library-literal home-library-relative-literal)
+    (literal (string-append (param "HOME_LIBRARY_DIR") home-library-relative-literal)))
+
+(define (home-library-preferences-regex home-library-preferences-relative-regex)
+    (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR")) home-library-preferences-relative-regex)))
+
+(define (home-library-preferences-subpath home-library-preferences-relative-subpath)
+    (subpath (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-subpath)))
+
+(define (home-library-preferences-literal home-library-preferences-relative-literal)
+    (literal (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-literal)))
+
 (define (shared-preferences-read . domains)
   (for-each (lambda (domain)
               (begin
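Review bot: The six new helpers concatenate a param with their argument but carry no comment on the contract: the param must be an absolute, already-resolved path with no trailing slash, and the argument must begin with "/". I would state that above them, e.g. `;; HOME_LIBRARY_DIR and HOME_LIBRARY_PREFERENCES_DIR are resolved by the process before the profile is compiled; arguments are relative to them and begin with "/".` If either param ever arrived empty, `(home-library-subpath "/Keychains")` would name a root-level path, so the profile depends on the caller rejecting that case. home-regex and home-subpath are deleted in this hunk, so any profile outside this commit that imports this file and still calls them would presumably stop compiling; worth a search before landing.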
@@ -22,8 +34,8 @@
                 ; (Temporary) backward compatibility with non-CFPreferences readers.
                 (allow file-read*
                        (literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-regex (string-append #"/Library/Preferences/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
+                       (home-library-preferences-literal (string-append "/" domain ".plist"))
+                       (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
             domains))
 
 (define (shared-preferences-read-write . domains)
@@ -34,8 +46,8 @@
                 ; (Temporary) backward compatibility with non-CFPreferences readers / writers.
                 (allow file-read* file-write*
                        (literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-literal (string-append "/Library/Preferences/" domain ".plist"))
-                       (home-regex (string-append #"/Library/Preferences/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
+                       (home-library-preferences-literal (string-append "/" domain ".plist"))
+                       (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
             domains))
 
 
@@ -80,6 +92,7 @@
     "com.apple.systemsound"
     "com.apple.universalaccess"
     "com.apple.WebFoundation"
+    "com.apple.WebKit.PluginProcess"
     "pbs"
     "com.apple.ServicesMenu.Services")
 
@@ -91,35 +104,35 @@
 
     (regex #"^/Library/Preferences/com\.apple\.security")
     (home-literal "/.CFUserTextEncoding")
-    (home-subpath "/Library/Audio")
-    (home-subpath "/Library/ColorPickers")
-    (home-subpath "/Library/ColorSync")
-    (home-subpath "/Library/Components")
+    (home-library-subpath "/Audio")
+    (home-library-subpath "/ColorPickers")
+    (home-library-subpath "/ColorSync")
+    (home-library-subpath "/Components")
     (subpath "/Library/Contextual Menu Items")
-    (home-subpath "/Library/Input Methods")
-    (home-subpath "/Library/KeyBindings")
-    (home-subpath "/Library/Keyboard Layouts")
+    (home-library-subpath "/Input Methods")
+    (home-library-subpath "/KeyBindings")
+    (home-library-subpath "/Keyboard Layouts")
     (subpath "/Library/Fonts")
-    (home-subpath "/Library/Fonts")
+    (home-library-subpath "/Fonts")
     (subpath "/Library/Spelling")
-    (home-subpath "/Library/Spelling")
+    (home-library-subpath "/Spelling")
     (subpath "/Library/PDF Services")
-    (home-subpath "/Library/PDF Services")
-    (home-literal "/Library/Preferences/QuickTime Preferences")
+    (home-library-subpath "/PDF Services")
+    (home-library-preferences-literal "/QuickTime Preferences")
 
-    (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
+    (home-library-literal "/Caches/com.apple.coreaudio.components.plist")
 
     (subpath "/Library/Audio/Plug-Ins/Components")
-    (home-subpath "/Library/Audio/Plug-Ins/Components")
+    (home-library-subpath "/Audio/Plug-Ins/Components")
     (subpath "/Library/Audio/Plug-Ins/HAL")
     (subpath "/Library/QuickTime")
-    (home-subpath "/Library/QuickTime")
+    (home-library-subpath "/QuickTime")
     (subpath "/Library/Video/Plug-Ins")
-    (home-subpath "/Library/Caches/QuickTime")
+    (home-library-subpath "/Caches/QuickTime")
 
     (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
 
-    (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+    (home-library-literal "/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
 
     (subpath "/Library/ColorSync")
 
@@ -129,10 +142,8 @@
 
 ;; Read-write preferences and data
 (allow file*
-    (home-regex #"/Library/Preferences/com\.apple\.WebKit\.PluginProcess\.plist")
-
     ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
-    (home-subpath "/Library/Keychains"))
+    (home-library-subpath "/Keychains"))
 
 ;; IOKit user clients
 (allow iokit-open
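Review bot: The explicit `(allow file* ...)` rule for com.apple.WebKit.PluginProcess.plist is removed here, and the only replacement visible is the domain name added to a list in the hunk at -80,6, whose enclosing form starts outside that hunk. If that list feeds shared-preferences-read, the plug-in process goes from full access on its own preferences file to read-only. The old regex also had no `$`, so it covered sibling names sharing the prefix, which a literal does not. That may be the intent, but the log message only mentions symlink handling; a ChangeLog line saying the grant was narrowed on purpose would help, or the domain belongs in the read-write list if writes are still needed.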
@@ -226,7 +237,7 @@
         (literal "/private/etc/cups/lpoptions")
         (subpath "/private/etc/cups/ppd")
         (subpath "/private/var/run/cupsd")
-        (home-literal "/Library/Preferences/org.cups.PrintingPrefs.plist")))
+        (shared-preferences-read "org.cups.PrintingPrefs")))
 
 ;; Text Services Manager
 (allow iokit-set-properties (iokit-property "CapsLockDelayOverride"))
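Review bot: `(shared-preferences-read "org.cups.PrintingPrefs")` now sits where a path filter was, between `(subpath "/private/var/run/cupsd")` and the closing `))`. But shared-preferences-read, as defined earlier in this file, is a `for-each` that issues its own `(allow ...)` rules and does not return a filter. The enclosing form starts outside the hunk, so the operation it belongs to is not visible, but in filter position this will presumably either fail to compile or not take effect as written. It also grants more than the line it replaces (the /Library/Preferences and ByHost variants). Either keep a filter here, `(home-library-preferences-literal "/org.cups.PrintingPrefs.plist")`, or move the call to top level alongside the other shared-preferences-read uses.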
@@ -246,15 +257,14 @@
 
 ;; Silently block access to some resources
 (deny file-read* file-write* (with no-log)
-    (home-regex #"/Library/Preferences/com\.apple\.internetconfigpriv\.plist")
-    (home-regex #"/Library/Preferences/com\.apple\.internetconfig\.plist")
+    (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")
 
     ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
-    (home-literal "/Library/Caches/Cache.db")
+    (home-library-literal "/Caches/Cache.db")
 
     ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
-    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
-    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
+    (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
+    (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))
 
 (deny mach-lookup (with no-log)
     (global-name "com.apple.FSEvents")

Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb (149216 => 149217)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.apple.ist.ds.appleconnect.webplugin.sb	2013-04-26 22:22:53 UTC (rev 149217)
@@ -22,7 +22,7 @@
 (allow file-read*
     (subpath "/Library/KerberosPlugins/GSSAPI")
     (literal "/Library/Preferences/edu.mit.Kerberos")
-    (home-literal "/Library/Preferences/edu.mit.Kerberos"))
+    (home-library-preferences-literal "/edu.mit.Kerberos"))
 
 (allow file-read*
     (literal "/private/etc/services"))

Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb (149216 => 149217)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb	2013-04-26 22:22:53 UTC (rev 149217)
@@ -5,23 +5,23 @@
     (home-literal "/mms.cfg"))
 
 (deny file-read-xattr (with no-log)
-    (home-literal "/Library/Caches")
-    (home-literal "/Library/Preferences"))
+    (home-library-literal "/Caches")
+    (home-library-preferences-literal "/"))
 
 (allow file-read* file-write-create file-write-mode
-    (home-literal "/Library/Caches/Adobe")
-    (home-literal "/Library/Preferences/Macromedia"))
+    (home-library-literal "/Caches/Adobe")
+    (home-library-preferences-literal "/Macromedia"))
 
 (allow file-read* file-write*
     (literal "/Library/Application Support/Macromedia/mms.cfg")
-    (home-literal "/Library/Application Support/Macromedia/mms.cfg")
-    (home-subpath "/Library/Caches/Adobe/Flash Player")
-    (home-subpath "/Library/Preferences/Macromedia/Flash Player"))
+    (home-library-literal "/Application Support/Macromedia/mms.cfg")
+    (home-library-subpath "/Caches/Adobe/Flash Player")
+    (home-library-preferences-subpath "/Macromedia/Flash Player"))
 
 (allow file-read*
     (literal "/Library/PreferencePanes/Flash Player.prefPane")
-    (home-literal "/Library/PreferencePanes/Flash Player.prefPane")
-    (home-regex "/Library/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
+    (home-library-literal "/PreferencePanes/Flash Player.prefPane")
+    (home-library-regex "/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
 
 (allow file-read* file-write*
     (mount-relative-regex #"^/\.TemporaryItems/"))
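Review bot: `(home-library-preferences-literal "/")` expands to the Preferences directory path with a trailing slash, whereas the removed `(home-literal "/Library/Preferences")` named the directory itself. A literal filter compares the full path, so the trailing slash most likely keeps this silent-deny rule from matching the directory, and xattr reads on it would fall through to whatever the default rule does. Passing an empty suffix, `(home-library-preferences-literal "")`, keeps the original target.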

Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb (149216 => 149217)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.microsoft.SilverlightPlugin.sb	2013-04-26 22:22:53 UTC (rev 149217)
@@ -8,14 +8,14 @@
 (shared-preferences-read-write "com.microsoft.silverlight")
 
 (allow file-write-create
-    (home-literal "/Library/Application Support/Microsoft"))
+    (home-library-literal "/Application Support/Microsoft"))
 
 (allow file-read* file-write*
     ;; Sigh, mode 777 in /Library.
     (subpath "/Library/Application Support/Microsoft/PlayReady")
-    (home-subpath "/Library/Application Support/Microsoft/PlayReady")
-    (home-subpath "/Library/Application Support/Microsoft/Silverlight")
-    (home-subpath "/Library/Caches/TemporaryItems"))
+    (home-library-subpath "/Application Support/Microsoft/PlayReady")
+    (home-library-subpath "/Application Support/Microsoft/Silverlight")
+    (home-library-subpath "/Caches/TemporaryItems"))
 
 ;; FIXME: <rdar://problem/13636078>
 (allow ipc-posix-shm*

Modified: trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb (149216 => 149217)


--- trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb	2013-04-26 22:22:53 UTC (rev 149217)
@@ -19,13 +19,13 @@
 (shared-preferences-read-write "com.oracle.javadeployment.plist")
 
 (allow file-read* file-write*
-    (home-subpath "/Library/Saved Application State/net.java.openjdk.cmd.savedState")
-    (home-subpath "/Library/Application Support/Oracle/Java/Deployment")
-    (home-subpath "/Library/Caches/Java"))
+    (home-library-subpath "/Saved Application State/net.java.openjdk.cmd.savedState")
+    (home-library-subpath "/Application Support/Oracle/Java/Deployment")
+    (home-library-subpath "/Caches/Java"))
 
 (allow file-write-create
-    (home-literal "/Library/Application Support/Oracle")
-    (home-literal "/Library/Application Support/Oracle/Java"))
+    (home-library-literal "/Application Support/Oracle")
+    (home-library-literal "/Application Support/Oracle/Java"))
 
 (allow network-bind network-outbound (subpath (param "DARWIN_USER_TEMP_DIR")))
 

Modified: trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm (149216 => 149217)


--- trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm	2013-04-26 22:20:51 UTC (rev 149216)
+++ trunk/Source/WebKit2/Shared/mac/ChildProcessMac.mm	2013-04-26 22:22:53 UTC (rev 149217)
@@ -139,6 +139,15 @@
 
     sandboxParameters.addPathParameter("HOME_DIR", pwd.pw_dir);
 
+    String path = String::fromUTF8(pwd.pw_dir);
+    path.append("/Library");
+
+    sandboxParameters.addPathParameter("HOME_LIBRARY_DIR", fileSystemRepresentation(path).data());
+
+    path.append("/Preferences");
+
+    sandboxParameters.addPathParameter("HOME_LIBRARY_PREFERENCES_DIR", fileSystemRepresentation(path).data());
+
     switch (sandboxParameters.mode()) {
     case SandboxInitializationParameters::UseDefaultSandboxProfilePath:
     case SandboxInitializationParameters::UseOverrideSandboxProfilePath: {
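Review bot: `String::fromUTF8(pwd.pw_dir)` yields, as far as I know, a null String when pw_dir is not valid UTF-8, and `path.append("/Library")` would then produce the system `/Library`. HOME_LIBRARY_DIR and every home-library-* rule, including the `file*` grant on `/Keychains`, would then point at system locations. HOME_DIR just above is passed as the raw `pwd.pw_dir`, so the two parameters can also disagree. I would check the conversion before appending, e.g. `if (path.isNull()) { /* fail sandbox initialization */ }`, or build both paths from the raw bytes. The log message calls these resolved paths but no resolution appears in this hunk, so presumably addPathParameter does it and a short comment saying so would help; initializeSandbox starts and ends outside the hunk.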