WebKit Bugzilla
Attachment 361925 Details for Bug 194553: [WPE][GTK][STABLE] Remove sandbox APIs from 2.24 branch
Patch: bug-194553-20190213124724.patch (text/plain), 57.99 KB, created by Michael Catanzaro on 2019-02-13 10:47:25 PST
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 241437 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 09e4edb7d87f17e20439f0afaa4f5c751e96c1ac..59b40e048a8ecb61fd40166a04f931cc56df4bd6 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,32 @@ >+2019-02-13 Michael Catanzaro <mcatanzaro@igalia.com> >+ >+ [WPE][GTK][STABLE] Remove sandbox APIs from 2.24 branch >+ https://bugs.webkit.org/show_bug.cgi?id=194553 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * PlatformGTK.cmake: >+ * SourcesGTK.txt: >+ * SourcesWPE.txt: >+ * UIProcess/API/glib/WebKitWebContext.cpp: >+ (webkit_web_context_set_sandbox_enabled): Deleted. >+ (webkit_web_context_add_path_to_sandbox): Deleted. >+ (webkit_web_context_get_sandbox_enabled): Deleted. >+ * UIProcess/API/gtk/WebKitWebContext.h: >+ * UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt: >+ * UIProcess/API/wpe/WebKitWebContext.h: >+ * UIProcess/API/wpe/docs/wpe-0.1-sections.txt: >+ * UIProcess/Launcher/glib/BubblewrapLauncher.cpp: Removed. >+ * UIProcess/Launcher/glib/BubblewrapLauncher.h: Removed. >+ * UIProcess/Launcher/glib/FlatpakLauncher.cpp: Removed. >+ * UIProcess/Launcher/glib/FlatpakLauncher.h: Removed. >+ * UIProcess/Launcher/glib/ProcessLauncherGLib.cpp: >+ (WebKit::ProcessLauncher::launchProcess): >+ (WebKit::isInsideFlatpak): Deleted. >+ * UIProcess/WebProcessPool.h: >+ * UIProcess/glib/WebProcessProxyGLib.cpp: >+ (WebKit::WebProcessProxy::platformGetLaunchOptions): >+ > 2019-02-13 Truitt Savell <tsavell@apple.com> > > Unreviewed, rolling out r241433. >diff --git a/Source/WebKit/PlatformGTK.cmake b/Source/WebKit/PlatformGTK.cmake >index 634b0003d951e14879de2309977c763a8c4bda85..bfad8c514f95270ef715dc8038fa7b6ae9daa80b 100644 >--- a/Source/WebKit/PlatformGTK.cmake >+++ b/Source/WebKit/PlatformGTK.cmake 
>@@ -628,8 +628,6 @@ if (ENABLE_PLUGIN_PROCESS_GTK2) > > UIProcess/Launcher/ProcessLauncher.cpp > >- UIProcess/Launcher/glib/BubblewrapLauncher.cpp >- UIProcess/Launcher/glib/FlatpakLauncher.cpp > UIProcess/Launcher/glib/ProcessLauncherGLib.cpp > > UIProcess/Plugins/unix/PluginProcessProxyUnix.cpp >diff --git a/Source/WebKit/SourcesGTK.txt b/Source/WebKit/SourcesGTK.txt >index 4829a9ff27237c4a49431cc344e9530d1a244f31..d41ec9591a7cdfae1d0053affeb3f931a3cbbe44 100644 >--- a/Source/WebKit/SourcesGTK.txt >+++ b/Source/WebKit/SourcesGTK.txt >@@ -209,8 +209,6 @@ UIProcess/Automation/cairo/WebAutomationSessionCairo.cpp > UIProcess/Automation/gtk/WebAutomationSessionGtk.cpp > > UIProcess/Launcher/glib/ProcessLauncherGLib.cpp @no-unify >-UIProcess/Launcher/glib/BubblewrapLauncher.cpp @no-unify >-UIProcess/Launcher/glib/FlatpakLauncher.cpp @no-unify > > UIProcess/Network/CustomProtocols/LegacyCustomProtocolManagerProxy.cpp > >diff --git a/Source/WebKit/SourcesWPE.txt b/Source/WebKit/SourcesWPE.txt >index 5ce95833b6041261105d85481b41d099e2dbf26d..6cbe33d0450da7b59b612d786773b0854b2beb8b 100644 >--- a/Source/WebKit/SourcesWPE.txt >+++ b/Source/WebKit/SourcesWPE.txt >@@ -182,8 +182,6 @@ UIProcess/Automation/wpe/WebAutomationSessionWPE.cpp > UIProcess/glib/WebProcessProxyGLib.cpp > > UIProcess/Launcher/glib/ProcessLauncherGLib.cpp >-UIProcess/Launcher/glib/BubblewrapLauncher.cpp >-UIProcess/Launcher/glib/FlatpakLauncher.cpp > > UIProcess/Network/CustomProtocols/LegacyCustomProtocolManagerProxy.cpp > >diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp >index 724c5fbf5e847ced1f30fb08cfd58d8d1f569f0b..deb5e06c8b13c9d0e46efce211a2b120d6693c28 100644 >--- a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp >+++ b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp 
>@@ -1147,73 +1147,6 @@ void webkit_web_context_register_uri_scheme(WebKitWebContext* context, const cha > context->priv->processPool->registerSchemeForCustomProtocol(String::fromUTF8(scheme)); > } > >-/** >- * webkit_web_context_set_sandbox_enabled: >- * @context: a #WebKitWebContext >- * @enabled: if %TRUE enable sandboxing >- * >- * Set whether WebKit subprocesses will be sandboxed, limiting access to the system. >- * >- * This method **must be called before any web process has been created**, >- * as early as possible in your application. Calling it later is a fatal error. >- * >- * This is only implemented on Linux and is a no-op otherwise. >- * >- * Since: 2.24 >- */ >-void webkit_web_context_set_sandbox_enabled(WebKitWebContext* context, gboolean enabled) >-{ >- g_return_if_fail(WEBKIT_IS_WEB_CONTEXT(context)); >- >- if (context->priv->processPool->processes().size()) >- g_error("Sandboxing cannot be changed after subprocesses were spawned."); >- >- context->priv->processPool->setSandboxEnabled(enabled); >-} >- >-/** >- * webkit_web_context_add_path_to_sandbox: >- * @context: a #WebKitWebContext >- * @path: (type filename): an absolute path to mount in the sandbox >- * @read_only: if %TRUE the path will be read-only >- * >- * Adds a path to be mounted in the sandbox. @path must exist before any web process >- * has been created otherwise it will be silently ignored. It is a fatal error to >- * add paths after a web process has been spawned. >- * >- * See also webkit_web_context_set_sandbox_enabled() >- * >- * Since: 2.24 >- */ >-void webkit_web_context_add_path_to_sandbox(WebKitWebContext* context, const char* path, gboolean readOnly) >-{ >- g_return_if_fail(WEBKIT_IS_WEB_CONTEXT(context)); >- g_return_if_fail(g_path_is_absolute(path)); >- >- if (context->priv->processPool->processes().size()) >- g_error("Sandbox paths cannot be changed after subprocesses were spawned."); >- >- auto permission = readOnly ? 
SandboxPermission::ReadOnly : SandboxPermission::ReadWrite; >- context->priv->processPool->addSandboxPath(path, permission); >-} >- >-/** >- * webkit_web_context_get_sandbox_enabled: >- * @context: a #WebKitWebContext >- * >- * Get whether sandboxing is currently enabled. >- * >- * Returns: %TRUE if sandboxing is enabled, or %FALSE otherwise. >- * >- * Since: 2.24 >- */ >-gboolean webkit_web_context_get_sandbox_enabled(WebKitWebContext* context) >-{ >- g_return_val_if_fail(WEBKIT_IS_WEB_CONTEXT(context), FALSE); >- >- return context->priv->processPool->sandboxEnabled(); >-} >- > /** > * webkit_web_context_get_spell_checking_enabled: > * @context: a #WebKitWebContext >diff --git a/Source/WebKit/UIProcess/API/gtk/WebKitWebContext.h b/Source/WebKit/UIProcess/API/gtk/WebKitWebContext.h >index 81351af3c51080eb73c24505c6af822f6220c9a2..3149a329c27821ac4448f5dc24d0b0395229d4ad 100644 >--- a/Source/WebKit/UIProcess/API/gtk/WebKitWebContext.h >+++ b/Source/WebKit/UIProcess/API/gtk/WebKitWebContext.h >@@ -247,18 +247,6 @@ webkit_web_context_register_uri_scheme (WebKitWebContext > gpointer user_data, > GDestroyNotify user_data_destroy_func); > >-WEBKIT_API void >-webkit_web_context_set_sandbox_enabled (WebKitWebContext *context, >- gboolean enabled); >- >-WEBKIT_API gboolean >-webkit_web_context_get_sandbox_enabled (WebKitWebContext *context); >- >-WEBKIT_API void >-webkit_web_context_add_path_to_sandbox (WebKitWebContext *context, >- const char *path, >- gboolean read_only); >- > WEBKIT_API gboolean > webkit_web_context_get_spell_checking_enabled (WebKitWebContext *context); > >diff --git a/Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt b/Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt >index 4efb952584672511ee95d062a96e7ff4ea33fb10..38745d0e6d95c6a8308091364933d8ac3a568b14 100644 >--- a/Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt >+++ b/Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt 
>@@ -51,9 +51,6 @@ webkit_web_context_get_security_manager > webkit_web_context_set_additional_plugins_directory > webkit_web_context_get_plugins > webkit_web_context_get_plugins_finish >-webkit_web_context_get_sandbox_enabled >-webkit_web_context_set_sandbox_enabled >-webkit_web_context_add_path_to_sandbox > webkit_web_context_get_spell_checking_enabled > webkit_web_context_set_spell_checking_enabled > webkit_web_context_get_spell_checking_languages >diff --git a/Source/WebKit/UIProcess/API/wpe/WebKitWebContext.h b/Source/WebKit/UIProcess/API/wpe/WebKitWebContext.h >index 081cd11a342a9f611a4f4198cec293294c2a2701..8cf646f4ede340e5276cee7da84fcd9308938764 100644 >--- a/Source/WebKit/UIProcess/API/wpe/WebKitWebContext.h >+++ b/Source/WebKit/UIProcess/API/wpe/WebKitWebContext.h >@@ -247,18 +247,6 @@ webkit_web_context_register_uri_scheme (WebKitWebContext > gpointer user_data, > GDestroyNotify user_data_destroy_func); > >-WEBKIT_API void >-webkit_web_context_set_sandbox_enabled (WebKitWebContext *context, >- gboolean enabled); >- >-WEBKIT_API gboolean >-webkit_web_context_get_sandbox_enabled (WebKitWebContext *context); >- >-WEBKIT_API void >-webkit_web_context_add_path_to_sandbox (WebKitWebContext *context, >- const char *path, >- gboolean read_only); >- > WEBKIT_API gboolean > webkit_web_context_get_spell_checking_enabled (WebKitWebContext *context); > >diff --git a/Source/WebKit/UIProcess/API/wpe/docs/wpe-0.1-sections.txt b/Source/WebKit/UIProcess/API/wpe/docs/wpe-0.1-sections.txt >index a5ecfe4637f8f3917af26127face01517f378806..446bb2229a1fd54fc6d9a8c247769a050f06ee79 100644 >--- a/Source/WebKit/UIProcess/API/wpe/docs/wpe-0.1-sections.txt >+++ b/Source/WebKit/UIProcess/API/wpe/docs/wpe-0.1-sections.txt 
>@@ -29,9 +29,6 @@ webkit_web_context_get_security_manager > webkit_web_context_set_additional_plugins_directory > webkit_web_context_get_plugins > webkit_web_context_get_plugins_finish >-webkit_web_context_get_sandbox_enabled >-webkit_web_context_set_sandbox_enabled >-webkit_web_context_add_path_to_sandbox > webkit_web_context_get_spell_checking_enabled > webkit_web_context_set_spell_checking_enabled > webkit_web_context_get_spell_checking_languages >diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp >deleted file mode 100644 >index f8b102a68e971cc34d3d914e84d2a4ac42f28221..0000000000000000000000000000000000000000 >--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp >+++ /dev/null 
>@@ -1,851 +0,0 @@ >-/* >- * Copyright (C) 2018 Igalia S.L. >- * >- * This program is free software; you can redistribute it and/or >- * modify it under the terms of the GNU Lesser General Public >- * License as published by the Free Software Foundation; either >- * version 2.1 of the License, or (at your option) any later version. >- * >- * This library is distributed in the hope that it will be useful, >- * but WITHOUT ANY WARRANTY; without even the implied warranty of >- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >- * Lesser General Public License for more details. >- * >- * You should have received a copy of the GNU Lesser General Public >- * License along with this library. If not, see <http://www.gnu.org/licenses/>. >- */ >- >-#include "config.h" >-#include "BubblewrapLauncher.h" >- >-#if ENABLE(BUBBLEWRAP_SANDBOX) >- >-#include <WebCore/PlatformDisplay.h> >-#include <fcntl.h> >-#include <glib.h> >-#include <seccomp.h> >-#include <sys/ioctl.h> >-#include <wtf/FileSystem.h> >-#include <wtf/glib/GLibUtilities.h> >-#include <wtf/glib/GRefPtr.h> >-#include <wtf/glib/GUniquePtr.h> >- >-#if __has_include(<sys/memfd.h>) >- >-#include <sys/memfd.h> >- >-#else >- >-// These defines were added in glibc 2.27, the same release that added memfd_create. >-// But the kernel added all of this in Linux 3.17. So it's totally safe for us to >-// depend on, as long as we define it all ourselves. Remove this once we depend on >-// glibc 2.27. 
>- >-#define F_ADD_SEALS 1033 >-#define F_GET_SEALS 1034 >- >-#define F_SEAL_SEAL 0x0001 >-#define F_SEAL_SHRINK 0x0002 >-#define F_SEAL_GROW 0x0004 >-#define F_SEAL_WRITE 0x0008 >- >-#define MFD_ALLOW_SEALING 2U >- >-static int memfd_create(const char* name, unsigned flags) >-{ >- return syscall(__NR_memfd_create, name, flags); >-} >-#endif >- >-namespace WebKit { >-using namespace WebCore; >- >-static int createSealedMemFdWithData(const char* name, gconstpointer data, size_t size) >-{ >- int fd = memfd_create(name, MFD_ALLOW_SEALING); >- if (fd == -1) { >- g_warning("memfd_create failed: %s", g_strerror(errno)); >- return -1; >- } >- >- ssize_t bytesWritten = write(fd, data, size); >- if (bytesWritten < 0) { >- g_warning("Writing args to memfd failed: %s", g_strerror(errno)); >- close(fd); >- return -1; >- } >- >- if (static_cast<size_t>(bytesWritten) != size) { >- g_warning("Failed to write all args to memfd"); >- close(fd); >- return -1; >- } >- >- if (lseek(fd, 0, SEEK_SET) == -1) { >- g_warning("lseek failed: %s", g_strerror(errno)); >- close(fd); >- return -1; >- } >- >- if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) == -1) { >- g_warning("Failed to seal memfd: %s", g_strerror(errno)); >- close(fd); >- return -1; >- } >- >- return fd; >-} >- >-static int >-argsToFd(const Vector<CString>& args, const char *name) >-{ >- GString* buffer = g_string_new(nullptr); >- >- for (const auto& arg : args) >- g_string_append_len(buffer, arg.data(), arg.length() + 1); // Include NUL >- >- GRefPtr<GBytes> bytes = adoptGRef(g_string_free_to_bytes(buffer)); >- >- size_t size; >- gconstpointer data = g_bytes_get_data(bytes.get(), &size); >- >- int memfd = createSealedMemFdWithData(name, data, size); >- if (memfd == -1) >- g_error("Failed to write memfd"); >- >- return memfd; >-} >- >-enum class DBusAddressType { >- Normal, >- Abstract, >-}; >- >-class XDGDBusProxyLauncher { >-public: >- void setAddress(const char* dbusAddress, 
DBusAddressType addressType) >- { >- GUniquePtr<char> dbusPath = dbusAddressToPath(dbusAddress, addressType); >- if (!dbusPath.get()) >- return; >- >- GUniquePtr<char> appRunDir(g_build_filename(g_get_user_runtime_dir(), g_get_prgname(), nullptr)); >- m_proxyPath = makeProxyPath(appRunDir.get()).get(); >- >- m_socket = dbusAddress; >- m_path = dbusPath.get(); >- } >- >- bool isRunning() const { return m_isRunning; }; >- const CString& path() const { return m_path; }; >- const CString& proxyPath() const { return m_proxyPath; }; >- >- void setPermissions(Vector<CString>&& permissions) >- { >- RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!isRunning()); >- m_permissions = WTFMove(permissions); >- }; >- >- void launch() >- { >- RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!isRunning()); >- >- if (m_socket.isNull() || m_path.isNull() || m_proxyPath.isNull()) >- return; >- >- int syncFds[2]; >- if (pipe2 (syncFds, O_CLOEXEC) == -1) >- g_error("Failed to make syncfds for dbus-proxy: %s", g_strerror(errno)); >- >- GUniquePtr<char> syncFdStr(g_strdup_printf("--fd=%d", syncFds[1])); >- >- Vector<CString> proxyArgs = { >- m_socket, m_proxyPath, >- "--filter", >- syncFdStr.get(), >- }; >- >- if (!g_strcmp0(g_getenv("WEBKIT_ENABLE_DBUS_PROXY_LOGGING"), "1")) >- proxyArgs.append("--log"); >- >- proxyArgs.appendVector(m_permissions); >- >- int proxyFd = argsToFd(proxyArgs, "dbus-proxy"); >- GUniquePtr<char> proxyArgsStr(g_strdup_printf("--args=%d", proxyFd)); >- >- Vector<CString> args = { >- DBUS_PROXY_EXECUTABLE, >- proxyArgsStr.get(), >- }; >- >- int nargs = args.size() + 1; >- int i = 0; >- char** argv = g_newa(char*, nargs); >- for (const auto& arg : args) >- argv[i++] = const_cast<char*>(arg.data()); >- argv[i] = nullptr; >- >- GRefPtr<GSubprocessLauncher> launcher = adoptGRef(g_subprocess_launcher_new(G_SUBPROCESS_FLAGS_INHERIT_FDS)); >- g_subprocess_launcher_set_child_setup(launcher.get(), childSetupFunc, GINT_TO_POINTER(syncFds[1]), nullptr); >- 
g_subprocess_launcher_take_fd(launcher.get(), proxyFd, proxyFd); >- g_subprocess_launcher_take_fd(launcher.get(), syncFds[1], syncFds[1]); >- // We are purposefully leaving syncFds[0] open here. >- // xdg-dbus-proxy will exit() itself once that is closed on our exit >- >- GUniqueOutPtr<GError> error; >- GRefPtr<GSubprocess> process = adoptGRef(g_subprocess_launcher_spawnv(launcher.get(), argv, &error.outPtr())); >- if (!process.get()) >- g_error("Failed to start dbus proxy: %s", error->message); >- >- char out; >- // We need to ensure the proxy has created the socket. >- // FIXME: This is more blocking IO. >- if (read (syncFds[0], &out, 1) != 1) >- g_error("Failed to fully launch dbus-proxy %s", g_strerror(errno)); >- >- m_isRunning = true; >- }; >- >-private: >- static void childSetupFunc(gpointer userdata) >- { >- int fd = GPOINTER_TO_INT(userdata); >- fcntl(fd, F_SETFD, 0); // Unset CLOEXEC >- } >- >- static GUniquePtr<char> makeProxyPath(const char* appRunDir) >- { >- if (g_mkdir_with_parents(appRunDir, 0700) == -1) { >- g_warning("Failed to mkdir for dbus proxy (%s): %s", appRunDir, g_strerror(errno)); >- return GUniquePtr<char>(nullptr); >- } >- >- GUniquePtr<char> proxySocketTemplate(g_build_filename(appRunDir, "dbus-proxy-XXXXXX", nullptr)); >- int fd; >- if ((fd = g_mkstemp(proxySocketTemplate.get())) == -1) { >- g_warning("Failed to make socket file for dbus proxy: %s", g_strerror(errno)); >- return GUniquePtr<char>(nullptr); >- } >- >- close(fd); >- return proxySocketTemplate; >- }; >- >- static GUniquePtr<char> dbusAddressToPath(const char* address, DBusAddressType addressType = DBusAddressType::Normal) >- { >- if (!address) >- return nullptr; >- >- if (!g_str_has_prefix(address, "unix:")) >- return nullptr; >- >- const char* path = strstr(address, addressType == DBusAddressType::Abstract ? "abstract=" : "path="); >- if (!path) >- return nullptr; >- >- path += strlen(addressType == DBusAddressType::Abstract ? 
"abstract=" : "path="); >- const char* pathEnd = path; >- while (*pathEnd && *pathEnd != ',') >- pathEnd++; >- >- return GUniquePtr<char>(g_strndup(path, pathEnd - path)); >-} >- >- CString m_socket; >- CString m_path; >- CString m_proxyPath; >- bool m_isRunning; >- Vector<CString> m_permissions; >-}; >- >-enum class BindFlags { >- ReadOnly, >- ReadWrite, >- Device, >-}; >- >-static void bindIfExists(Vector<CString>& args, const char* path, BindFlags bindFlags = BindFlags::ReadOnly) >-{ >- if (!path) >- return; >- >- const char* bindType; >- if (bindFlags == BindFlags::Device) >- bindType = "--dev-bind-try"; >- else if (bindFlags == BindFlags::ReadOnly) >- bindType = "--ro-bind-try"; >- else >- bindType = "--bind-try"; >- args.appendVector(Vector<CString>({ bindType, path, path })); >-} >- >-static void bindDBusSession(Vector<CString>& args, XDGDBusProxyLauncher& proxy) >-{ >- if (!proxy.isRunning()) >- proxy.setAddress(g_getenv("DBUS_SESSION_BUS_ADDRESS"), DBusAddressType::Normal); >- >- if (proxy.proxyPath().data()) { >- args.appendVector(Vector<CString>({ >- "--bind", proxy.proxyPath(), proxy.path(), >- })); >- } >-} >- >-static void bindX11(Vector<CString>& args) >-{ >- const char* display = g_getenv("DISPLAY"); >- if (!display || display[0] != ':' || !g_ascii_isdigit(const_cast<char*>(display)[1])) >- display = ":0"; >- GUniquePtr<char> x11File(g_strdup_printf("/tmp/.X11-unix/X%s", display + 1)); >- bindIfExists(args, x11File.get(), BindFlags::ReadWrite); >- >- const char* xauth = g_getenv("XAUTHORITY"); >- if (!xauth) { >- const char* homeDir = g_get_home_dir(); >- GUniquePtr<char> xauthFile(g_build_filename(homeDir, ".Xauthority", nullptr)); >- bindIfExists(args, xauthFile.get()); >- } else >- bindIfExists(args, xauth); >-} >- >-#if PLATFORM(WAYLAND) && USE(EGL) >-static void bindWayland(Vector<CString>& args) >-{ >- const char* display = g_getenv("WAYLAND_DISPLAY"); >- if (!display) >- display = "wayland-0"; >- >- const char* runtimeDir = 
g_get_user_runtime_dir(); >- GUniquePtr<char> waylandRuntimeFile(g_build_filename(runtimeDir, display, nullptr)); >- bindIfExists(args, waylandRuntimeFile.get(), BindFlags::ReadWrite); >-} >-#endif >- >-static void bindPulse(Vector<CString>& args) >-{ >- // FIXME: The server can be defined in config files we'd have to parse. >- // They can also be set as X11 props but that is getting a bit ridiculous. >- const char* pulseServer = g_getenv("PULSE_SERVER"); >- if (pulseServer) { >- if (g_str_has_prefix(pulseServer, "unix:")) >- bindIfExists(args, pulseServer + 5, BindFlags::ReadWrite); >- // else it uses tcp >- } else { >- const char* runtimeDir = g_get_user_runtime_dir(); >- GUniquePtr<char> pulseRuntimeDir(g_build_filename(runtimeDir, "pulse", nullptr)); >- bindIfExists(args, pulseRuntimeDir.get(), BindFlags::ReadWrite); >- } >- >- const char* pulseConfig = g_getenv("PULSE_CLIENTCONFIG"); >- if (pulseConfig) >- bindIfExists(args, pulseConfig); >- >- const char* configDir = g_get_user_config_dir(); >- GUniquePtr<char> pulseConfigDir(g_build_filename(configDir, "pulse", nullptr)); >- bindIfExists(args, pulseConfigDir.get()); >- >- const char* homeDir = g_get_home_dir(); >- GUniquePtr<char> pulseHomeConfigDir(g_build_filename(homeDir, ".pulse", nullptr)); >- GUniquePtr<char> asoundHomeConfigDir(g_build_filename(homeDir, ".asoundrc", nullptr)); >- bindIfExists(args, pulseHomeConfigDir.get()); >- bindIfExists(args, asoundHomeConfigDir.get()); >- >- // This is the ultimate fallback to raw ALSA >- bindIfExists(args, "/dev/snd", BindFlags::Device); >-} >- >-static void bindFonts(Vector<CString>& args) >-{ >- const char* configDir = g_get_user_config_dir(); >- const char* homeDir = g_get_home_dir(); >- const char* dataDir = g_get_user_data_dir(); >- const char* cacheDir = g_get_user_cache_dir(); >- >- // Configs can include custom dirs but then we have to parse them... 
>- GUniquePtr<char> fontConfig(g_build_filename(configDir, "fontconfig", nullptr)); >- GUniquePtr<char> fontCache(g_build_filename(cacheDir, "fontconfig", nullptr)); >- GUniquePtr<char> fontHomeConfig(g_build_filename(homeDir, ".fonts.conf", nullptr)); >- GUniquePtr<char> fontHomeConfigDir(g_build_filename(configDir, ".fonts.conf.d", nullptr)); >- GUniquePtr<char> fontData(g_build_filename(dataDir, "fonts", nullptr)); >- GUniquePtr<char> fontHomeData(g_build_filename(homeDir, ".fonts", nullptr)); >- bindIfExists(args, fontConfig.get()); >- bindIfExists(args, fontCache.get(), BindFlags::ReadWrite); >- bindIfExists(args, fontHomeConfig.get()); >- bindIfExists(args, fontHomeConfigDir.get()); >- bindIfExists(args, fontData.get()); >- bindIfExists(args, fontHomeData.get()); >-} >- >-#if PLATFORM(GTK) >-static void bindGtkData(Vector<CString>& args) >-{ >- const char* configDir = g_get_user_config_dir(); >- const char* dataDir = g_get_user_data_dir(); >- const char* homeDir = g_get_home_dir(); >- >- GUniquePtr<char> gtkConfig(g_build_filename(configDir, "gtk-3.0", nullptr)); >- GUniquePtr<char> themeData(g_build_filename(dataDir, "themes", nullptr)); >- GUniquePtr<char> themeHomeData(g_build_filename(homeDir, ".themes", nullptr)); >- GUniquePtr<char> iconHomeData(g_build_filename(homeDir, ".icons", nullptr)); >- bindIfExists(args, gtkConfig.get()); >- bindIfExists(args, themeData.get()); >- bindIfExists(args, themeHomeData.get()); >- bindIfExists(args, iconHomeData.get()); >-} >- >-static void bindA11y(Vector<CString>& args) >-{ >- static XDGDBusProxyLauncher proxy; >- >- if (!proxy.isRunning()) { >- // FIXME: Avoid blocking IO... 
(It is at least a one-time cost) >- GRefPtr<GDBusConnection> sessionBus = adoptGRef(g_bus_get_sync(G_BUS_TYPE_SESSION, nullptr, nullptr)); >- if (!sessionBus.get()) >- return; >- >- GRefPtr<GDBusMessage> msg = adoptGRef(g_dbus_message_new_method_call( >- "org.a11y.Bus", "/org/a11y/bus", "org.a11y.Bus", "GetAddress")); >- g_dbus_message_set_body(msg.get(), g_variant_new("()")); >- GRefPtr<GDBusMessage> reply = adoptGRef(g_dbus_connection_send_message_with_reply_sync( >- sessionBus.get(), msg.get(), >- G_DBUS_SEND_MESSAGE_FLAGS_NONE, >- 30000, >- nullptr, >- nullptr, >- nullptr)); >- >- if (reply.get()) { >- GUniqueOutPtr<GError> error; >- if (g_dbus_message_to_gerror(reply.get(), &error.outPtr())) { >- if (!g_error_matches(error.get(), G_DBUS_ERROR, G_DBUS_ERROR_SERVICE_UNKNOWN)) >- g_warning("Can't find a11y bus: %s", error->message); >- } else { >- GUniqueOutPtr<char> a11yAddress; >- g_variant_get(g_dbus_message_get_body(reply.get()), "(s)", &a11yAddress.outPtr()); >- proxy.setAddress(a11yAddress.get(), DBusAddressType::Abstract); >- } >- } >- >- proxy.setPermissions({ >- "--sloppy-names", >- "--call=org.a11y.atspi.Registry=org.a11y.atspi.Socket.Embed@/org/a11y/atspi/accessible/root", >- "--call=org.a11y.atspi.Registry=org.a11y.atspi.Socket.Unembed@/org/a11y/atspi/accessible/root", >- "--call=org.a11y.atspi.Registry=org.a11y.atspi.Registry.GetRegisteredEvents@/org/a11y/atspi/registry", >- "--call=org.a11y.atspi.Registry=org.a11y.atspi.DeviceEventController.GetKeystrokeListeners@/org/a11y/atspi/registry/deviceeventcontroller", >- "--call=org.a11y.atspi.Registry=org.a11y.atspi.DeviceEventController.GetDeviceEventListeners@/org/a11y/atspi/registry/deviceeventcontroller", >- "--call=org.a11y.atspi.Registry=org.a11y.atspi.DeviceEventController.NotifyListenersSync@/org/a11y/atspi/registry/deviceeventcontroller", >- "--call=org.a11y.atspi.Registry=org.a11y.atspi.DeviceEventController.NotifyListenersAsync@/org/a11y/atspi/registry/deviceeventcontroller", >- }); >- >- 
proxy.launch(); >- } >- >- if (proxy.proxyPath().data()) { >- args.appendVector(Vector<CString>({ >- "--bind", proxy.proxyPath(), proxy.path(), >- })); >- } >-} >-#endif >- >-static bool bindPathVar(Vector<CString>& args, const char* varname) >-{ >- const char* pathValue = g_getenv(varname); >- if (!pathValue) >- return false; >- >- GUniquePtr<char*> splitPaths(g_strsplit(pathValue, ":", -1)); >- for (size_t i = 0; splitPaths.get()[i]; ++i) >- bindIfExists(args, splitPaths.get()[i]); >- >- return true; >-} >- >-static void bindGStreamerData(Vector<CString>& args) >-{ >- if (!bindPathVar(args, "GST_PLUGIN_PATH_1_0")) >- bindPathVar(args, "GST_PLUGIN_PATH"); >- >- if (!bindPathVar(args, "GST_PLUGIN_SYSTEM_PATH_1_0")) { >- if (!bindPathVar(args, "GST_PLUGIN_SYSTEM_PATH")) { >- GUniquePtr<char> gstData(g_build_filename(g_get_user_data_dir(), "gstreamer-1.0", nullptr)); >- bindIfExists(args, gstData.get()); >- } >- } >- >- GUniquePtr<char> gstCache(g_build_filename(g_get_user_cache_dir(), "gstreamer-1.0", nullptr)); >- bindIfExists(args, gstCache.get(), BindFlags::ReadWrite); >- >- // /usr/lib is already added so this is only requried for other dirs >- const char* scannerPath = g_getenv("GST_PLUGIN_SCANNER") ?: "/usr/libexec/gstreamer-1.0/gst-plugin-scanner"; >- const char* helperPath = g_getenv("GST_INSTALL_PLUGINS_HELPER ") ?: "/usr/libexec/gst-install-plugins-helper"; >- >- bindIfExists(args, scannerPath); >- bindIfExists(args, helperPath); >-} >- >-static void bindOpenGL(Vector<CString>& args) >-{ >- args.appendVector(Vector<CString>({ >- "--dev-bind-try", "/dev/dri", "/dev/dri", >- // Mali >- "--dev-bind-try", "/dev/mali", "/dev/mali", >- "--dev-bind-try", "/dev/mali0", "/dev/mali0", >- "--dev-bind-try", "/dev/umplock", "/dev/umplock", >- // Nvidia >- "--dev-bind-try", "/dev/nvidiactl", "/dev/nvidiactl", >- "--dev-bind-try", "/dev/nvidia0", "/dev/nvidia0", >- "--dev-bind-try", "/dev/nvidia", "/dev/nvidia", >- // Adreno >- "--dev-bind-try", "/dev/kgsl-3d0", 
"/dev/kgsl-3d0", >- "--dev-bind-try", "/dev/ion", "/dev/ion", >-#if PLATFORM(WPE) >- "--dev-bind-try", "/dev/fb0", "/dev/fb0", >- "--dev-bind-try", "/dev/fb1", "/dev/fb1", >-#endif >- })); >-} >- >-static void bindV4l(Vector<CString>& args) >-{ >- args.appendVector(Vector<CString>({ >- "--dev-bind-try", "/dev/v4l", "/dev/v4l", >- // Not pretty but a stop-gap for pipewire anyway. >- "--dev-bind-try", "/dev/video0", "/dev/video0", >- "--dev-bind-try", "/dev/video1", "/dev/video1", >- })); >-} >- >-static void bindSymlinksRealPath(Vector<CString>& args, const char* path) >-{ >- char realPath[PATH_MAX]; >- >- if (realpath(path, realPath) && strcmp(path, realPath)) { >- args.appendVector(Vector<CString>({ >- "--ro-bind", realPath, realPath, >- })); >- } >-} >- >-static int setupSeccomp() >-{ >- // NOTE: This is shared code (flatpak-run.c - LGPLv2.1+) >- // There are today a number of different Linux container >- // implementations. That will likely continue for long into the >- // future. But we can still try to share code, and it's important >- // to do so because it affects what library and application writers >- // can do, and we should support code portability between different >- // container tools. >- // >- // This syscall blacklist is copied from linux-user-chroot, which was in turn >- // clearly influenced by the Sandstorm.io blacklist. >- // >- // If you make any changes here, I suggest sending the changes along >- // to other sandbox maintainers. 
Using the libseccomp list is also >- // an appropriate venue: >- // https://groups.google.com/forum/#!topic/libseccomp >- // >- // A non-exhaustive list of links to container tooling that might >- // want to share this blacklist: >- // >- // https://github.com/sandstorm-io/sandstorm >- // in src/sandstorm/supervisor.c++ >- // http://cgit.freedesktop.org/xdg-app/xdg-app/ >- // in common/flatpak-run.c >- // https://git.gnome.org/browse/linux-user-chroot >- // in src/setup-seccomp.c >- struct scmp_arg_cmp cloneArg = SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER); >- struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_EQ, static_cast<scmp_datum_t>(TIOCSTI), static_cast<scmp_datum_t>(0)); >- struct { >- int scall; >- struct scmp_arg_cmp* arg; >- } syscallBlacklist[] = { >- // Block dmesg >- { SCMP_SYS(syslog), nullptr }, >- // Useless old syscall. >- { SCMP_SYS(uselib), nullptr }, >- // Don't allow disabling accounting. >- { SCMP_SYS(acct), nullptr }, >- // 16-bit code is unnecessary in the sandbox, and modify_ldt is a >- // historic source of interesting information leaks. >- { SCMP_SYS(modify_ldt), nullptr }, >- // Don't allow reading current quota use. >- { SCMP_SYS(quotactl), nullptr }, >- >- // Don't allow access to the kernel keyring. >- { SCMP_SYS(add_key), nullptr }, >- { SCMP_SYS(keyctl), nullptr }, >- { SCMP_SYS(request_key), nullptr }, >- >- // Scary VM/NUMA ops >- { SCMP_SYS(move_pages), nullptr }, >- { SCMP_SYS(mbind), nullptr }, >- { SCMP_SYS(get_mempolicy), nullptr }, >- { SCMP_SYS(set_mempolicy), nullptr }, >- { SCMP_SYS(migrate_pages), nullptr }, >- >- // Don't allow subnamespace setups: >- { SCMP_SYS(unshare), nullptr }, >- { SCMP_SYS(mount), nullptr }, >- { SCMP_SYS(pivot_root), nullptr }, >- { SCMP_SYS(clone), &cloneArg }, >- >- // Don't allow faking input to the controlling tty (CVE-2017-5226) >- { SCMP_SYS(ioctl), &ttyArg }, >- >- // Profiling operations; we expect these to be done by tools from outside >- // the sandbox. 
In particular perf has been the source of many CVEs. >- { SCMP_SYS(perf_event_open), nullptr }, >- // Don't allow you to switch to bsd emulation or whatnot. >- { SCMP_SYS(personality), nullptr }, >- { SCMP_SYS(ptrace), nullptr } >- }; >- >- scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW); >- if (!seccomp) >- g_error("Failed to init seccomp"); >- >- for (auto& rule : syscallBlacklist) { >- int scall = rule.scall; >- int r; >- if (rule.arg) >- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, rule.arg); >- else >- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0); >- if (r == -EFAULT) { >- seccomp_release(seccomp); >- g_error("Failed to add seccomp rule"); >- } >- } >- >- int tmpfd = memfd_create("seccomp-bpf", 0); >- if (tmpfd == -1) { >- seccomp_release(seccomp); >- g_error("Failed to create memfd: %s", g_strerror(errno)); >- } >- >- if (seccomp_export_bpf(seccomp, tmpfd)) { >- seccomp_release(seccomp); >- close(tmpfd); >- g_error("Failed to export seccomp bpf"); >- } >- >- if (lseek(tmpfd, 0, SEEK_SET) < 0) >- g_error("lseek failed: %s", g_strerror(errno)); >- >- seccomp_release(seccomp); >- return tmpfd; >-} >- >-static int createFlatpakInfo() >-{ >- GUniquePtr<GKeyFile> keyFile(g_key_file_new()); >- >- const char* sharedPermissions[] = { "network", nullptr }; >- g_key_file_set_string_list(keyFile.get(), "Context", "shared", sharedPermissions, sizeof(sharedPermissions)); >- >- // xdg-desktop-portal relates your name to certain permissions so we want >- // them to be application unique which is best done via GApplication. >- GApplication* app = g_application_get_default(); >- if (!app) { >- g_warning("GApplication is required for xdg-desktop-portal access in the WebKit sandbox. 
Actions that require xdg-desktop-portal will be broken."); >- return -1; >- } >- g_key_file_set_string(keyFile.get(), "Application", "name", g_application_get_application_id(app)); >- >- size_t size; >- GUniqueOutPtr<GError> error; >- GUniquePtr<char> data(g_key_file_to_data(keyFile.get(), &size, &error.outPtr())); >- if (error.get()) { >- g_warning("%s", error->message); >- return -1; >- } >- >- return createSealedMemFdWithData("flatpak-info", data.get(), size); >-} >- >-GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error) >-{ >- ASSERT(launcher); >- >- // It is impossible to know what access arbitrary plugins need and since it is for legacy >- // reasons lets just leave it unsandboxed. >- if (launchOptions.processType == ProcessLauncher::ProcessType::Plugin64 >- || launchOptions.processType == ProcessLauncher::ProcessType::Plugin32) >- return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error)); >- >- // For now we are just considering the network process trusted as it >- // requires a lot of access but doesn't execute arbitrary code like >- // the WebProcess where our focus lies. >- if (launchOptions.processType == ProcessLauncher::ProcessType::Network) >- return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error)); >- >- Vector<CString> sandboxArgs = { >- "--die-with-parent", >- "--unshare-pid", >- "--unshare-uts", >- >- // We assume /etc has safe permissions. >- // At a later point we can start masking privacy-concerning files. 
>- "--ro-bind", "/etc", "/etc", >- "--dev", "/dev", >- "--proc", "/proc", >- "--tmpfs", "/tmp", >- "--unsetenv", "TMPDIR", >- "--dir", "/run", >- "--symlink", "../run", "/var/run", >- "--symlink", "../tmp", "/var/tmp", >- "--ro-bind", "/sys/block", "/sys/block", >- "--ro-bind", "/sys/bus", "/sys/bus", >- "--ro-bind", "/sys/class", "/sys/class", >- "--ro-bind", "/sys/dev", "/sys/dev", >- "--ro-bind", "/sys/devices", "/sys/devices", >- >- "--ro-bind-try", "/usr/share", "/usr/share", >- "--ro-bind-try", "/usr/local/share", "/usr/local/share", >- "--ro-bind-try", DATADIR, DATADIR, >- >- // We only grant access to the libdirs webkit is built with and >- // guess system libdirs. This will always have some edge cases. >- "--ro-bind-try", "/lib", "/lib", >- "--ro-bind-try", "/usr/lib", "/usr/lib", >- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib", >- "--ro-bind-try", LIBDIR, LIBDIR, >- "--ro-bind-try", "/lib64", "/lib64", >- "--ro-bind-try", "/usr/lib64", "/usr/lib64", >- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64", >- >- "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR, >- }; >- // We would have to parse ld config files for more info. >- bindPathVar(sandboxArgs, "LD_LIBRARY_PATH"); >- >- const char* libraryPath = g_getenv("LD_LIBRARY_PATH"); >- if (libraryPath && libraryPath[0]) { >- // On distros using a suid bwrap it drops this env var >- // so we have to pass it through to the children. >- sandboxArgs.appendVector(Vector<CString>({ >- "--setenv", "LD_LIBRARY_PATH", libraryPath, >- })); >- } >- >- bindSymlinksRealPath(sandboxArgs, "/etc/resolv.conf"); >- bindSymlinksRealPath(sandboxArgs, "/etc/localtime"); >- >- // xdg-desktop-portal defaults to assuming you are host application with >- // full permissions unless it can identify you as a snap or flatpak. >- // The easiest method is for us to pretend to be a flatpak and if that >- // fails just blocking portals entirely as it just becomes a sandbox escape. 
>- int flatpakInfoFd = createFlatpakInfo(); >- if (flatpakInfoFd != -1) { >- g_subprocess_launcher_take_fd(launcher, flatpakInfoFd, flatpakInfoFd); >- GUniquePtr<char> flatpakInfoFdStr(g_strdup_printf("%d", flatpakInfoFd)); >- >- sandboxArgs.appendVector(Vector<CString>({ >- "--ro-bind-data", flatpakInfoFdStr.get(), "/.flatpak-info" >- })); >- } >- >- // NOTE: This has network access for HLS via GStreamer. >- if (launchOptions.processType == ProcessLauncher::ProcessType::Web) { >- static XDGDBusProxyLauncher proxy; >- >- // If Wayland in use don't grant X11 >-#if PLATFORM(WAYLAND) && USE(EGL) >- if (PlatformDisplay::sharedDisplay().type() == PlatformDisplay::Type::Wayland) { >- bindWayland(sandboxArgs); >- sandboxArgs.append("--unshare-ipc"); >- } else >-#endif >- bindX11(sandboxArgs); >- >- for (const auto& pathAndPermission : launchOptions.extraWebProcessSandboxPaths) { >- sandboxArgs.appendVector(Vector<CString>({ >- pathAndPermission.value == SandboxPermission::ReadOnly ? "--ro-bind-try": "--bind-try", >- pathAndPermission.key, pathAndPermission.key >- })); >- } >- >- Vector<String> extraPaths = { "applicationCacheDirectory", "waylandSocket"}; >- for (const auto& path : extraPaths) { >- String extraPath = launchOptions.extraInitializationData.get(path); >- if (!extraPath.isEmpty()) >- sandboxArgs.appendVector(Vector<CString>({ "--bind-try", extraPath.utf8(), extraPath.utf8() })); >- } >- >- bindDBusSession(sandboxArgs, proxy); >- // FIXME: We should move to Pipewire as soon as viable, Pulse doesn't restrict clients atm. >- bindPulse(sandboxArgs); >- bindFonts(sandboxArgs); >- bindGStreamerData(sandboxArgs); >- bindOpenGL(sandboxArgs); >- // FIXME: This is also fixed by Pipewire once in use. >- bindV4l(sandboxArgs); >-#if PLATFORM(GTK) >- bindA11y(sandboxArgs); >- bindGtkData(sandboxArgs); >-#endif >- >- if (!proxy.isRunning()) { >- Vector<CString> permissions = { >- // GStreamers plugin install helper. 
>- "--call=org.freedesktop.PackageKit=org.freedesktop.PackageKit.Modify2.InstallGStreamerResources@/org/freedesktop/PackageKit" >- }; >- if (flatpakInfoFd != -1) { >- // xdg-desktop-portal used by GTK and us. >- permissions.append("--talk=org.freedesktop.portal.Desktop"); >- } >- proxy.setPermissions(WTFMove(permissions)); >- proxy.launch(); >- } >- } else { >- // Only X11 users need this for XShm which is only the Web process. >- sandboxArgs.append("--unshare-ipc"); >- } >- >-#if ENABLE(DEVELOPER_MODE) >- const char* execDirectory = g_getenv("WEBKIT_EXEC_PATH"); >- if (execDirectory) { >- String parentDir = FileSystem::directoryName(FileSystem::stringFromFileSystemRepresentation(execDirectory)); >- bindIfExists(sandboxArgs, parentDir.utf8().data()); >- } >- >- CString executablePath = getCurrentExecutablePath(); >- if (!executablePath.isNull()) { >- // Our executable is `/foo/bar/bin/Process`, we want `/foo/bar` as a usable prefix >- String parentDir = FileSystem::directoryName(FileSystem::directoryName(FileSystem::stringFromFileSystemRepresentation(executablePath.data()))); >- bindIfExists(sandboxArgs, parentDir.utf8().data()); >- } >-#endif >- >- int seccompFd = setupSeccomp(); >- GUniquePtr<char> fdStr(g_strdup_printf("%d", seccompFd)); >- g_subprocess_launcher_take_fd(launcher, seccompFd, seccompFd); >- sandboxArgs.appendVector(Vector<CString>({ "--seccomp", fdStr.get() })); >- >- int bwrapFd = argsToFd(sandboxArgs, "bwrap"); >- GUniquePtr<char> bwrapFdStr(g_strdup_printf("%d", bwrapFd)); >- g_subprocess_launcher_take_fd(launcher, bwrapFd, bwrapFd); >- >- Vector<CString> bwrapArgs = { >- BWRAP_EXECUTABLE, >- "--args", >- bwrapFdStr.get(), >- "--", >- }; >- >- char** newArgv = g_newa(char*, g_strv_length(argv) + bwrapArgs.size() + 1); >- size_t i = 0; >- >- for (auto& arg : bwrapArgs) >- newArgv[i++] = const_cast<char*>(arg.data()); >- for (size_t x = 0; argv[x]; x++) >- newArgv[i++] = argv[x]; >- newArgv[i++] = nullptr; >- >- return 
adoptGRef(g_subprocess_launcher_spawnv(launcher, newArgv, error)); >-} >- >-}; >- >-#endif // ENABLE(BUBBLEWRAP_SANDBOX) >diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.h b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.h >deleted file mode 100644 >index 0c2cd5554f0559dbb79c4050199a4f6d6f6b6a3d..0000000000000000000000000000000000000000 >--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.h >+++ /dev/null 
>@@ -1,43 +0,0 @@ >-/* >- * Copyright (C) 2018 Igalia S.L. >- * >- * Redistribution and use in source and binary forms, with or without >- * modification, are permitted provided that the following conditions >- * are met: >- * 1. Redistributions of source code must retain the above copyright >- * notice, this list of conditions and the following disclaimer. >- * 2. Redistributions in binary form must reproduce the above copyright >- * notice, this list of conditions and the following disclaimer in the >- * documentation and/or other materials provided with the distribution. >- * >- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' >- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, >- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS >- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF >- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS >- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN >- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) >- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF >- * THE POSSIBILITY OF SUCH DAMAGE. >- */ >- >-#pragma once >- >-#if ENABLE(BUBBLEWRAP_SANDBOX) >- >-#include "ProcessLauncher.h" >- >-#include <wtf/glib/GRefPtr.h> >- >-typedef struct _GSubprocess GSubprocess; >-typedef struct _GSubprocessLauncher GSubprocessLauncher; >- >-namespace WebKit { >- >-GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher*, const ProcessLauncher::LaunchOptions&, char** argv, GError**); >- >-}; >- >-#endif 
>diff --git a/Source/WebKit/UIProcess/Launcher/glib/FlatpakLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/FlatpakLauncher.cpp >deleted file mode 100644 >index c7d776e18cea88f9101124eaccd19e45f6f2e2b8..0000000000000000000000000000000000000000 >--- a/Source/WebKit/UIProcess/Launcher/glib/FlatpakLauncher.cpp >+++ /dev/null 
>@@ -1,68 +0,0 @@ >-/* >- * Copyright (C) 2018 Igalia S.L. >- * >- * Redistribution and use in source and binary forms, with or without >- * modification, are permitted provided that the following conditions >- * are met: >- * 1. Redistributions of source code must retain the above copyright >- * notice, this list of conditions and the following disclaimer. >- * 2. Redistributions in binary form must reproduce the above copyright >- * notice, this list of conditions and the following disclaimer in the >- * documentation and/or other materials provided with the distribution. >- * >- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' >- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, >- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS >- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF >- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS >- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN >- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) >- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF >- * THE POSSIBILITY OF SUCH DAMAGE. >- */ >- >-#include "config.h" >-#include "FlatpakLauncher.h" >- >-#if OS(LINUX) >- >-#include <gio/gio.h> >-#include <wtf/glib/GUniquePtr.h> >- >-namespace WebKit { >- >-GRefPtr<GSubprocess> flatpakSpawn(GSubprocessLauncher* launcher, const WebKit::ProcessLauncher::LaunchOptions& launchOptions, char** argv, int childProcessSocket, GError** error) >-{ >- ASSERT(launcher); >- >- // When we are running inside of flatpak's sandbox we do not have permissions to >- // use the same sandbox we do outside but flatpak offers to create new sandboxes >- // for us using flatpak-spawn. 
>- // >- // This is just a stub implementation atm though as the Spawn interface does not expose >- // much outside of `--sandbox` (no permissions) and `--no-network`. We need to >- // add some permissions in between those for this to provide meaningful security. >- >- GUniquePtr<gchar> childProcessSocketArg(g_strdup_printf("--forward-fd=%d", childProcessSocket)); >- Vector<const char*> flatpakArgs = { >- "/usr/bin/flatpak-spawn", >- childProcessSocketArg.get(), >- }; >- >- char** newArgv = g_newa(char*, g_strv_length(argv) + flatpakArgs.size() + 1); >- size_t i = 0; >- >- for (const auto& arg : flatpakArgs) >- newArgv[i++] = const_cast<char*>(arg); >- for (size_t x = 0; argv[x]; x++) >- newArgv[i++] = argv[x]; >- newArgv[i++] = nullptr; >- >- return adoptGRef(g_subprocess_launcher_spawnv(launcher, newArgv, error)); >-} >- >-}; >- >-#endif // OS(LINUX) >diff --git a/Source/WebKit/UIProcess/Launcher/glib/FlatpakLauncher.h b/Source/WebKit/UIProcess/Launcher/glib/FlatpakLauncher.h >deleted file mode 100644 >index 501e20c4baf5b4afc79c3ac8aa536a2bc9cae274..0000000000000000000000000000000000000000 >--- a/Source/WebKit/UIProcess/Launcher/glib/FlatpakLauncher.h >+++ /dev/null 
>@@ -1,43 +0,0 @@ >-/* >- * Copyright (C) 2018 Igalia S.L. >- * >- * Redistribution and use in source and binary forms, with or without >- * modification, are permitted provided that the following conditions >- * are met: >- * 1. Redistributions of source code must retain the above copyright >- * notice, this list of conditions and the following disclaimer. >- * 2. Redistributions in binary form must reproduce the above copyright >- * notice, this list of conditions and the following disclaimer in the >- * documentation and/or other materials provided with the distribution. >- * >- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' >- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, >- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS >- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF >- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS >- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN >- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) >- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF >- * THE POSSIBILITY OF SUCH DAMAGE. >- */ >- >-#pragma once >- >-#if OS(LINUX) >- >-#include "ProcessLauncher.h" >- >-#include <wtf/glib/GRefPtr.h> >- >-typedef struct _GSubprocess GSubprocess; >-typedef struct _GSubprocessLauncher GSubprocessLauncher; >- >-namespace WebKit { >- >-GRefPtr<GSubprocess> flatpakSpawn(GSubprocessLauncher*, const WebKit::ProcessLauncher::LaunchOptions&, char** argv, int childProcessSocket, GError**); >- >-}; >- >-#endif 
>diff --git a/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp b/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp >index 0c39073fe1de7adaf5312683d816462f64d3ec6f..f17415c5350b2e17f50007477a6ec745dada4313 100644 >--- a/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp >+++ b/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp >@@ -27,9 +27,7 @@ > #include "config.h" > #include "ProcessLauncher.h" > >-#include "BubblewrapLauncher.h" > #include "Connection.h" >-#include "FlatpakLauncher.h" > #include "ProcessExecutablePath.h" > #include <errno.h> > #include <fcntl.h> >@@ -54,25 +52,6 @@ static void childSetupFunction(gpointer userData) > close(socket); > } > >-#if OS(LINUX) >-static bool isInsideFlatpak() >-{ >- static int ret = -1; >- if (ret != -1) >- return ret; >- >- GUniquePtr<GKeyFile> infoFile(g_key_file_new()); >- if (!g_key_file_load_from_file(infoFile.get(), "/.flatpak-info", G_KEY_FILE_NONE, nullptr)) { >- ret = false; >- return ret; >- } >- >- // If we are in a `flatpak build` session we cannot launch ourselves since we aren't installed. >- ret = !g_key_file_get_boolean(infoFile.get(), "Instance", "build", nullptr); >- return ret; >-} >-#endif >- > void ProcessLauncher::launchProcess() > { > IPC::Connection::SocketPair socketPair = IPC::Connection::createPlatformConnection(IPC::Connection::ConnectionOptions::SetCloexecOnServer); 
>@@ -164,22 +143,7 @@ void ProcessLauncher::launchProcess() > > GUniqueOutPtr<GError> error; > GRefPtr<GSubprocess> process; >-#if OS(LINUX) >- const char* sandboxEnv = g_getenv("WEBKIT_FORCE_SANDBOX"); >- bool sandboxEnabled = m_launchOptions.extraInitializationData.get("enable-sandbox") == "true"; >- >- if (sandboxEnv) >- sandboxEnabled = !strcmp(sandboxEnv, "1"); >- >- if (sandboxEnabled && isInsideFlatpak()) >- process = flatpakSpawn(launcher.get(), m_launchOptions, argv, socketPair.client, &error.outPtr()); >-#if ENABLE(BUBBLEWRAP_SANDBOX) >- else if (sandboxEnabled) >- process = bubblewrapSpawn(launcher.get(), m_launchOptions, argv, &error.outPtr()); >-#endif >- else >-#endif >- process = adoptGRef(g_subprocess_launcher_spawnv(launcher.get(), argv, &error.outPtr())); >+ process = adoptGRef(g_subprocess_launcher_spawnv(launcher.get(), argv, &error.outPtr())); > > if (!process.get()) > g_error("Unable to fork a new child process: %s", error->message); >diff --git a/Source/WebKit/UIProcess/WebProcessPool.h b/Source/WebKit/UIProcess/WebProcessPool.h >index a86edd8243d5be286a07dba70a7619f8d5307e1b..fa129b54d03d9b2522f8d99af932aadeda7bd767 100644 >--- a/Source/WebKit/UIProcess/WebProcessPool.h >+++ b/Source/WebKit/UIProcess/WebProcessPool.h >@@ -479,13 +479,6 @@ public: > void sendDisplayConfigurationChangedMessageForTesting(); > void clearCurrentModifierStateForTesting(); > >-#if PLATFORM(GTK) || PLATFORM(WPE) >- void setSandboxEnabled(bool enabled) { m_sandboxEnabled = enabled; }; >- void addSandboxPath(const CString& path, SandboxPermission permission) { m_extraSandboxPaths.add(path, permission); }; >- const HashMap<CString, SandboxPermission>& sandboxPaths() const { return m_extraSandboxPaths; }; >- bool sandboxEnabled() const { return m_sandboxEnabled; }; >-#endif >- > private: > void platformInitialize(); 
> >@@ -743,11 +736,6 @@ private: > #if PLATFORM(MAC) && ENABLE(WEBPROCESS_WINDOWSERVER_BLOCKING) > Vector<std::unique_ptr<DisplayLink>> m_displayLinks; > #endif >- >-#if PLATFORM(GTK) || PLATFORM(WPE) >- bool m_sandboxEnabled { false }; >- HashMap<CString, SandboxPermission> m_extraSandboxPaths; >-#endif > }; > > template<typename T> >diff --git a/Source/WebKit/UIProcess/glib/WebProcessProxyGLib.cpp b/Source/WebKit/UIProcess/glib/WebProcessProxyGLib.cpp >index 03ef6d8262d38b3dd4948805e41dfd7377e1e47c..c6da42e40f9d54a090c79ca2cc096b4eaaf556be 100644 >--- a/Source/WebKit/UIProcess/glib/WebProcessProxyGLib.cpp >+++ b/Source/WebKit/UIProcess/glib/WebProcessProxyGLib.cpp >@@ -39,13 +39,9 @@ using namespace WebCore; > > void WebProcessProxy::platformGetLaunchOptions(ProcessLauncher::LaunchOptions& launchOptions) > { >- launchOptions.extraInitializationData.set("enable-sandbox", m_processPool->sandboxEnabled() ? "true" : "false"); >- > websiteDataStore().resolveDirectoriesIfNecessary(); > launchOptions.extraInitializationData.set("applicationCacheDirectory", websiteDataStore().resolvedApplicationCacheDirectory()); > >- launchOptions.extraWebProcessSandboxPaths = m_processPool->sandboxPaths(); >- > #if PLATFORM(WAYLAND) && USE(EGL) > if (PlatformDisplay::sharedDisplay().type() == PlatformDisplay::Type::Wayland) { > String displayName = WaylandCompositor::singleton().displayName(); >diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake >index 718ca0a9676f5b7a9fecaac5fcb476ae50042492..985d1199c15b2a30dd022b55cd71abe95a923eaf 100644 >--- a/Source/cmake/OptionsGTK.cmake >+++ b/Source/cmake/OptionsGTK.cmake 
>@@ -120,12 +120,6 @@ else () > WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_RESOURCE_USAGE PRIVATE OFF) > endif () > >-if (CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT EXISTS "/.flatpak-info") >- WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PUBLIC ON) >-else () >- WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_BUBBLEWRAP_SANDBOX PRIVATE OFF) >-endif () >- > # Enable variation fonts when cairo >= 1.16, fontconfig >= 2.13.0, freetype >= 2.9.0 and harfbuzz >= 1.4.2. > if (("${PC_CAIRO_VERSION}" VERSION_GREATER "1.16.0" OR "${PC_CAIRO_VERSION}" STREQUAL "1.16.0") > AND ("${PC_FONTCONFIG_VERSION}" VERSION_GREATER "2.13.0" OR "${PC_FONTCONFIG_VERSION}" STREQUAL "2.13.0") >@@ -215,38 +209,6 @@ if (ENABLE_ACCELERATED_2D_CANVAS) > endif () > endif () > >-if (ENABLE_BUBBLEWRAP_SANDBOX) >- find_program(BWRAP_EXECUTABLE bwrap) >- if (NOT BWRAP_EXECUTABLE) >- message(FATAL_ERROR "bwrap executable is needed for ENABLE_BUBBLEWRAP_SANDBOX") >- endif () >- add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}") >- >- execute_process( >- COMMAND "${BWRAP_EXECUTABLE}" --version >- RESULT_VARIABLE BWRAP_RET >- OUTPUT_VARIABLE BWRAP_OUTPUT >- ) >- if (BWRAP_RET) >- message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}") >- endif () >- string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" BWRAP_VERSION "${BWRAP_OUTPUT}") >- if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1") >- message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found") >- endif () >- >- find_package(Libseccomp) >- if (NOT LIBSECCOMP_FOUND) >- message(FATAL_ERROR "libseccomp is needed for ENABLE_BUBBLEWRAP_SANDBOX") >- endif () >- >- find_program(DBUS_PROXY_EXECUTABLE xdg-dbus-proxy) >- if (NOT DBUS_PROXY_EXECUTABLE) >- message(FATAL_ERROR "xdg-dbus-proxy not found and is needed for ENABLE_BUBBLEWRAP_SANDBOX") >- endif () >- add_definitions(-DDBUS_PROXY_EXECUTABLE="${DBUS_PROXY_EXECUTABLE}") >-endif () >- > if (USE_LIBSECRET) > find_package(Libsecret) > if (NOT LIBSECRET_FOUND) 
>diff --git a/Source/cmake/WebKitFeatures.cmake b/Source/cmake/WebKitFeatures.cmake >index a031de400146650ed192d72be2941b81fc839bd3..95031e1da811370b001c226301298109d947d306 100644 >--- a/Source/cmake/WebKitFeatures.cmake >+++ b/Source/cmake/WebKitFeatures.cmake >@@ -99,7 +99,6 @@ macro(WEBKIT_OPTION_BEGIN) > WEBKIT_OPTION_DEFINE(ENABLE_ASYNC_SCROLLING "Enable asynchronous scrolling" PRIVATE OFF) > WEBKIT_OPTION_DEFINE(ENABLE_ATTACHMENT_ELEMENT "Toggle Attachment Element support" PRIVATE OFF) > WEBKIT_OPTION_DEFINE(ENABLE_AVF_CAPTIONS "Toggle AVFoundation caption support" PRIVATE OFF) >- WEBKIT_OPTION_DEFINE(ENABLE_BUBBLEWRAP_SANDBOX "Toggle Bubblewrap sandboxing support" PRIVATE OFF) > WEBKIT_OPTION_DEFINE(ENABLE_CACHE_PARTITIONING "Toggle cache partitioning support" PRIVATE OFF) > WEBKIT_OPTION_DEFINE(ENABLE_CHANNEL_MESSAGING "Toggle Channel Messaging support" PRIVATE ON) > WEBKIT_OPTION_DEFINE(ENABLE_CONTENT_EXTENSIONS "Toggle Content Extensions support" PRIVATE OFF) >diff --git a/ChangeLog b/ChangeLog >index 031b5e2547a3f4b7c2eb4382b9159f0e977fd18a..6c5666abded12472ece34fe624098671a377275a 100644 >--- a/ChangeLog >+++ b/ChangeLog >@@ -1,3 +1,13 @@ >+2019-02-13 Michael Catanzaro <mcatanzaro@igalia.com> >+ >+ [WPE][GTK][STABLE] Remove sandbox APIs from 2.24 branch >+ https://bugs.webkit.org/show_bug.cgi?id=194553 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * Source/cmake/OptionsGTK.cmake: >+ * Source/cmake/WebKitFeatures.cmake: >+ > 2019-02-11 Adrian Perez de Castro <aperez@igalia.com> > > [GTK][WPE] Add content extensions support in WKTR and unskip layout tests
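Review bot: The deletion of BubblewrapLauncher.cpp (the hunk running from the setupSeccomp() blacklist through `#endif // ENABLE(BUBBLEWRAP_SANDBOX)`) removes a complete defense-in-depth layer rather than just an API surface, and the ChangeLog should state that consequence. The deleted setupSeccomp() returned EPERM for clone() with CLONE_NEWUSER, unshare/mount/pivot_root, the TIOCSTI ioctl (CVE-2017-5226), the keyring syscalls, the NUMA/page-migration calls, perf_event_open, personality and ptrace, and bubblewrapSpawn() ran the WebProcess under bwrap with --die-with-parent, --unshare-pid and --unshare-uts, a read-only /etc and library directories, a tmpfs /tmp, a synthetic /.flatpak-info so xdg-desktop-portal would not treat it as a fully trusted host application, and D-Bus filtered through the XDGDBusProxyLauncher. After this patch the launcher falls straight through to g_subprocess_launcher_spawnv() for every process type, so a sentence saying the WebProcess is unsandboxed on the 2.24 branch would keep distributors from assuming the isolation of earlier snapshots survives.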
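Review bot: The FlatpakLauncher.cpp deletion has a different risk profile from the Bubblewrap one and the ChangeLog could say so in one line: by the deleted file's own comment, flatpakSpawn() was a stub that only prefixed argv with /usr/bin/flatpak-spawn and --forward-fd=<socket>, passing neither --sandbox nor --no-network, so in-Flatpak builds lose no isolation here. With isInsideFlatpak() also gone from ProcessLauncherGLib.cpp nothing reads /.flatpak-info at runtime any more, which matches the removal of the `NOT EXISTS "/.flatpak-info"` default in OptionsGTK.cmake.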
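Review bot: The @@ -164,22 +143,7 @@ hunk in ProcessLauncherGLib.cpp drops the WEBKIT_FORCE_SANDBOX environment override together with the "enable-sandbox" initialization key, and it does so silently: a deployment that exports WEBKIT_FORCE_SANDBOX=1 against a 2.24 build now gets an unsandboxed WebProcess with no diagnostic. Consider keeping a `g_getenv("WEBKIT_FORCE_SANDBOX")` check that emits a g_warning() stating that the sandbox is not available on this branch, so the regression shows up in logs instead of being discovered by inspecting the child's namespaces.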
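Review bot: In the WebProcessProxyGLib.cpp hunk, removing `launchOptions.extraWebProcessSandboxPaths = m_processPool->sandboxPaths();` leaves ProcessLauncher::LaunchOptions::extraWebProcessSandboxPaths with no writer and, since its only reader (the `for (const auto& pathAndPermission : launchOptions.extraWebProcessSandboxPaths)` loop in the deleted BubblewrapLauncher.cpp) goes away in the same patch, no reader either; the same applies to the SandboxPermission type used by the addSandboxPath() removed from WebProcessPool.h. The patch does not touch ProcessLauncher.h, so either remove the field and the enum there as well or note in the ChangeLog why they are kept.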
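Review bot: The two OptionsGTK.cmake hunks remove an option that was PUBLIC and defaulted to ON on Linux outside Flatpak, and the WebKitFeatures.cmake hunk removes its WEBKIT_OPTION_DEFINE, so a packager's -DENABLE_BUBBLEWRAP_SANDBOX=ON now matches nothing, and with the bwrap >= 0.3.1, Libseccomp and xdg-dbus-proxy checks gone there is no configure-time error to draw attention to it. Because this is the stable branch, the top-level ChangeLog entry (which lists only the two file names) should spell out that the option is removed and that bwrap, libseccomp and xdg-dbus-proxy are no longer build dependencies, since those are the strings packagers will search for.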
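Review bot: The top-level ChangeLog hunk carries only the title, the bug URL and two file names with no description paragraph; for a change that removes a previously default-on sandboxing option and its dependencies from a stable branch, the entry should give the rationale and the user-visible effect in a sentence or two. The "Reviewed by NOBODY (OOPS!)" line is the usual placeholder to be replaced when the patch lands.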
Flags: cgarcia: review+; mcatanzaro: commit-queue-
Attachments on bug 194553: 361824 | 361925