[webkit-changes] [172055] branches/safari-600.1.4-branch/Source/WebKit2

Tue, 05 Aug 2014 13:20:47 -0700

Title: [172055] branches/safari-600.1.4-branch/Source/WebKit2

Diff

Modified: branches/safari-600.1.4-branch/Source/WebKit2/ChangeLog (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/ChangeLog	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/ChangeLog	2014-08-05 20:20:28 UTC (rev 172055)
@@ -1,5 +1,38 @@
 2014-08-05  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r172031. <rdar://problem/17864079>
+
+    2014-08-05  Oliver Hunt  <oli...@apple.com>
+    
+            SSO expects to be able to walk parent application's bundle
+            https://bugs.webkit.org/show_bug.cgi?id=135581
+            <rdar://problem/17864079>
+    
+            Reviewed by Alexey Proskuryakov.
+    
+            SSO expects to be able to walk the parent application's
+            bundle looking for Info plists. To allow this to actually
+            work we provide an extension from the ui process that
+            covers the bundle directory, and then in the profile
+            restrict access to the ability to read directories and
+            files named Info.plist.
+    
+            * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+            (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+            * Shared/Network/NetworkProcessCreationParameters.cpp:
+            (WebKit::NetworkProcessCreationParameters::encode):
+            (WebKit::NetworkProcessCreationParameters::decode):
+            * Shared/Network/NetworkProcessCreationParameters.h:
+            * UIProcess/WebContext.cpp:
+            (WebKit::WebContext::ensureNetworkProcess):
+            (WebKit::WebContext::parentBundleDirectory):
+            * UIProcess/WebContext.h:
+            * UIProcess/mac/WebContextMac.mm:
+            (WebKit::WebContext::parentBundleDirectory):
+    
+2014-08-05  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r172016. <rdar://problem/17896295>
 
     2014-08-04  Benjamin Poulain  <bpoul...@apple.com>

Modified: branches/safari-600.1.4-branch/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/NetworkProcess/cocoa/NetworkProcessCocoa.mm	2014-08-05 20:20:28 UTC (rev 172055)
@@ -63,6 +63,7 @@
     SandboxExtension::consumePermanently(parameters.cookieStorageDirectoryExtensionHandle);
 #if PLATFORM(IOS)
     SandboxExtension::consumePermanently(parameters.hstsDatabasePathExtensionHandle);
+    SandboxExtension::consumePermanently(parameters.parentBundleDirectoryExtensionHandle);
 #endif
     m_diskCacheDirectory = parameters.diskCacheDirectory;

Modified: branches/safari-600.1.4-branch/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb	2014-08-05 20:20:28 UTC (rev 172055)
@@ -29,7 +29,7 @@
 (import "removed-dev-nodes.sb")
 
 ;; Access to client's cache folder & re-vending to CFNetwork.
-;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
+;; FIXME: Remove the webkit specific extension classes <rdar://problem/17755931>
 (allow file-issue-extension (require-all
     (extension "com.apple.app-sandbox.read-write")
     (extension-class "com.apple.nsurlstorage.extension-cache")))
@@ -38,6 +38,27 @@
 (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
 (allow file-read* (extension "com.apple.app-sandbox.read"))
 
+;; FIXME: <rdar://problem/17909681> SSO expects to be able to walk the parent
+;; bundle to find Info plists, so we jump through a few hoops here to provide
+;; enough access to make it possible.
+
+;; Disallow networking process from reading any bundles, even with the read extension
+(deny file-read* (subpath "/Applications") (extension "com.apple.app-sandbox.read"))
+(deny file-read* (subpath "/private/var/mobile/Containers/Bundle/Application") (extension "com.apple.app-sandbox.read"))
+
+;; Allow the networking process to read directories inside the bundle directories
+;; that we may have killed off above
+(allow file-read*
+    (require-all
+        (extension "com.apple.app-sandbox.read")
+        (vnode-type DIRECTORY)))
+
+;; Allow the networking process to read the Info.plist files
+(allow file-read*
+    (require-all
+        (extension "com.apple.app-sandbox.read")
+        (regex #"/Info\.plist$")))
+
 ;; IOKit user clients
 (allow iokit-open
        (iokit-user-client-class "RootDomainUserClient"))

Modified: branches/safari-600.1.4-branch/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.cpp	2014-08-05 20:20:28 UTC (rev 172055)
@@ -47,6 +47,8 @@
 #if PLATFORM(IOS)
     encoder << hstsDatabasePath;
     encoder << hstsDatabasePathExtensionHandle;
+    encoder << parentBundleDirectory;
+    encoder << parentBundleDirectoryExtensionHandle;
 #endif
     encoder << shouldUseTestingNetworkSession;
 #if ENABLE(CUSTOM_PROTOCOLS)
@@ -88,6 +90,10 @@
         return false;
     if (!decoder.decode(result.hstsDatabasePathExtensionHandle))
         return false;
+    if (!decoder.decode(result.parentBundleDirectory))
+        return false;
+    if (!decoder.decode(result.parentBundleDirectoryExtensionHandle))
+        return false;
 #endif
     if (!decoder.decode(result.shouldUseTestingNetworkSession))
         return false;

Modified: branches/safari-600.1.4-branch/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/Shared/Network/NetworkProcessCreationParameters.h	2014-08-05 20:20:28 UTC (rev 172055)
@@ -63,6 +63,9 @@
     // FIXME: Remove this once <rdar://problem/17726660> is fixed.
     String hstsDatabasePath;
     SandboxExtension::Handle hstsDatabasePathExtensionHandle;
+
+    String parentBundleDirectory;
+    SandboxExtension::Handle parentBundleDirectoryExtensionHandle;
 #endif
     bool shouldUseTestingNetworkSession;

Modified: branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/WebContext.cpp (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/WebContext.cpp	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/WebContext.cpp	2014-08-05 20:20:28 UTC (rev 172055)
@@ -428,6 +428,10 @@
     parameters.hstsDatabasePath = networkingHSTSDatabasePath();
     if (!parameters.hstsDatabasePath.isEmpty())
         SandboxExtension::createHandle(parameters.hstsDatabasePath, SandboxExtension::ReadWrite, parameters.hstsDatabasePathExtensionHandle);
+
+    parameters.parentBundleDirectory = parentBundleDirectory();
+    if (!parameters.parentBundleDirectory.isEmpty())
+        SandboxExtension::createHandle(parameters.parentBundleDirectory, SandboxExtension::ReadOnly, parameters.parentBundleDirectoryExtensionHandle);
 #endif
 
     parameters.shouldUseTestingNetworkSession = m_shouldUseTestingNetworkSession;

Modified: branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/WebContext.h (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/WebContext.h	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/WebContext.h	2014-08-05 20:20:28 UTC (rev 172055)
@@ -431,6 +431,10 @@
     String networkingHSTSDatabasePath() const;
     String platformDefaultNetworkingHSTSDatabasePath() const;
 
+#if PLTFORM(IOS)
+    String parentBundleDirectory() const;
+#endif
+
     String containerTemporaryDirectory() const;
 
 #if PLATFORM(COCOA)

Modified: branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/mac/WebContextMac.mm (172054 => 172055)


--- branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/mac/WebContextMac.mm	2014-08-05 20:19:35 UTC (rev 172054)
+++ branches/safari-600.1.4-branch/Source/WebKit2/UIProcess/mac/WebContextMac.mm	2014-08-05 20:20:28 UTC (rev 172055)
@@ -323,6 +323,13 @@
 #endif
 }
 
+#if PLATFORM(IOS)
+String WebContext::parentBundleDirectory() const
+{
+    return [[[NSBundle mainBundle] bundlePath] stringByStandardizingPath];
+}
+#endif
+
 String WebContext::containerTemporaryDirectory() const
 {
     String path = NSTemporaryDirectory();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to