<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[167946] trunk/Source/WebKit2</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/167946">167946</a></dd>
<dt>Author</dt> <dd>ap@apple.com</dd>
<dt>Date</dt> <dd>2014-04-29 10:54:21 -0700 (Tue, 29 Apr 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>[WK2] DatabaseProcess should be sandboxed
https://bugs.webkit.org/show_bug.cgi?id=132324
<rdar://problem/15961708>
Reviewed by Darin Adler.
* Configurations/WebKit2.xcconfig: Added the profile to the list of files skipped
on iOS.
* DatabaseProcess/DatabaseProcess.cpp: (WebKit::DatabaseProcess::initializeDatabaseProcess):
Consume a sandbox extension for IndexedDB directory (which we get with initialization
message after entering sandbox).
* DatabaseProcess/ios: Added.
* DatabaseProcess/ios/DatabaseProcessIOS.mm: Copied from Source/WebKit2/DatabaseProcess/mac/DatabaseProcessMac.mm.
Separated from Mac version to match how other processes are implemented.
* DatabaseProcess/mac/DatabaseProcessMac.mm: (WebKit::DatabaseProcess::initializeProcessName):
Removed ifdefs.
* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in: Added.
* DerivedSources.make: Generate the profile from .sb.in.
* Shared/Databases/DatabaseProcessCreationParameters.cpp:
(WebKit::DatabaseProcessCreationParameters::encode):
(WebKit::DatabaseProcessCreationParameters::decode):
* Shared/Databases/DatabaseProcessCreationParameters.h:
Added a sandbox extension for indexedDatabaseDirectory.
* Shared/SecurityOriginData.h: Added an unrelated FIXME.
* UIProcess/WebContext.cpp: (WebKit::WebContext::ensureDatabaseProcess): Create
a sandbox extension for indexedDatabaseDirectory.
* WebKit2.xcodeproj/project.pbxproj: Added new files.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2ConfigurationsWebKit2xcconfig">trunk/Source/WebKit2/Configurations/WebKit2.xcconfig</a></li>
<li><a href="#trunkSourceWebKit2DatabaseProcessDatabaseProcesscpp">trunk/Source/WebKit2/DatabaseProcess/DatabaseProcess.cpp</a></li>
<li><a href="#trunkSourceWebKit2DatabaseProcessmacDatabaseProcessMacmm">trunk/Source/WebKit2/DatabaseProcess/mac/DatabaseProcessMac.mm</a></li>
<li><a href="#trunkSourceWebKit2DerivedSourcesmake">trunk/Source/WebKit2/DerivedSources.make</a></li>
<li><a href="#trunkSourceWebKit2SharedDatabasesDatabaseProcessCreationParameterscpp">trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.cpp</a></li>
<li><a href="#trunkSourceWebKit2SharedDatabasesDatabaseProcessCreationParametersh">trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.h</a></li>
<li><a href="#trunkSourceWebKit2SharedSecurityOriginDatah">trunk/Source/WebKit2/Shared/SecurityOriginData.h</a></li>
<li><a href="#trunkSourceWebKit2UIProcessWebContextcpp">trunk/Source/WebKit2/UIProcess/WebContext.cpp</a></li>
<li><a href="#trunkSourceWebKit2WebKit2xcodeprojprojectpbxproj">trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li>trunk/Source/WebKit2/DatabaseProcess/ios/</li>
<li><a href="#trunkSourceWebKit2DatabaseProcessiosDatabaseProcessIOSmm">trunk/Source/WebKit2/DatabaseProcess/ios/DatabaseProcessIOS.mm</a></li>
<li><a href="#trunkSourceWebKit2DatabaseProcessmaccomappleWebKitDatabasessbin">trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/ChangeLog        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -1,3 +1,42 @@
</span><ins>+2014-04-29 Alexey Proskuryakov <ap@apple.com>
+
+ [WK2] DatabaseProcess should be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=132324
+ <rdar://problem/15961708>
+
+ Reviewed by Darin Adler.
+
+ * Configurations/WebKit2.xcconfig: Added the profile to the list of files skipped
+ on iOS.
+
+ * DatabaseProcess/DatabaseProcess.cpp: (WebKit::DatabaseProcess::initializeDatabaseProcess):
+ Consume a sandbox extension for IndexedDB directory (which we get with initialization
+ message after entering sandbox).
+
+ * DatabaseProcess/ios: Added.
+ * DatabaseProcess/ios/DatabaseProcessIOS.mm: Copied from Source/WebKit2/DatabaseProcess/mac/DatabaseProcessMac.mm.
+ Separated from Mac version to match how other processes are implemented.
+
+ * DatabaseProcess/mac/DatabaseProcessMac.mm: (WebKit::DatabaseProcess::initializeProcessName):
+ Removed ifdefs.
+
+ * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in: Added.
+
+ * DerivedSources.make: Generate the profile from .sb.in.
+
+ * Shared/Databases/DatabaseProcessCreationParameters.cpp:
+ (WebKit::DatabaseProcessCreationParameters::encode):
+ (WebKit::DatabaseProcessCreationParameters::decode):
+ * Shared/Databases/DatabaseProcessCreationParameters.h:
+ Added a sandbox extension for indexedDatabaseDirectory.
+
+ * Shared/SecurityOriginData.h: Added an unrelated FIXME.
+
+ * UIProcess/WebContext.cpp: (WebKit::WebContext::ensureDatabaseProcess): Create
+ a sandbox extension for indexedDatabaseDirectory.
+
+ * WebKit2.xcodeproj/project.pbxproj: Added new files.
+
</ins><span class="cx"> 2014-04-28 Andy Estes <aestes@apple.com>
</span><span class="cx">
</span><span class="cx"> [iOS] Introduce -didNotHandleTapAsClickAtPoint: to WKUIDelegatePrivate
</span></span></pre></div>
<a id="trunkSourceWebKit2ConfigurationsWebKit2xcconfig"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Configurations/WebKit2.xcconfig (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Configurations/WebKit2.xcconfig        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/Configurations/WebKit2.xcconfig        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx"> OTHER_LDFLAGS_macosx = $(ASAN_OTHER_LDFLAGS) $(FRAMEWORK_AND_LIBRARY_LDFLAGS);
</span><span class="cx">
</span><span class="cx"> EXCLUDED_SOURCE_FILE_NAMES = $(EXCLUDED_SOURCE_FILE_NAMES_$(PLATFORM_NAME));
</span><del>-EXCLUDED_SOURCE_FILE_NAMES_iphoneos = *.pdf com.apple.WebKit.NetworkProcess.sb com.apple.WebProcess.sb PlugInSandboxProfiles/*.sb;
</del><ins>+EXCLUDED_SOURCE_FILE_NAMES_iphoneos = *.pdf com.apple.WebKit.DatabaseProcess.sb com.apple.WebKit.NetworkProcess.sb com.apple.WebProcess.sb PlugInSandboxProfiles/*.sb;
</ins><span class="cx"> EXCLUDED_SOURCE_FILE_NAMES_iphonesimulator = $(EXCLUDED_SOURCE_FILE_NAMES_iphoneos);
</span><span class="cx">
</span><span class="cx"> INSTALLHDRS_SCRIPT_PHASE = YES;
</span></span></pre></div>
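Review bot: The name added to EXCLUDED_SOURCE_FILE_NAMES_iphoneos, com.apple.WebKit.DatabaseProcess.sb, does not match the profile this change generates and adds to the project, which DerivedSources.make and project.pbxproj both call com.apple.WebKit.Databases.sb. As written the exclusion matches nothing, so the profile would still be copied on iOS. Change the entry to com.apple.WebKit.Databases.sb.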
<a id="trunkSourceWebKit2DatabaseProcessDatabaseProcesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/DatabaseProcess/DatabaseProcess.cpp (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/DatabaseProcess/DatabaseProcess.cpp        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/DatabaseProcess/DatabaseProcess.cpp        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -98,6 +98,7 @@
</span><span class="cx"> void DatabaseProcess::initializeDatabaseProcess(const DatabaseProcessCreationParameters& parameters)
</span><span class="cx"> {
</span><span class="cx"> m_indexedDatabaseDirectory = parameters.indexedDatabaseDirectory;
</span><ins>+ SandboxExtension::consumePermanently(parameters.indexedDatabaseDirectoryExtensionHandle);
</ins><span class="cx">
</span><span class="cx"> ensureIndexedDatabaseRelativePathExists(StringImpl::empty());
</span><span class="cx"> }
</span></span></pre></div>
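Review bot: The added consumePermanently call in initializeDatabaseProcess has no failure handling, and ensureIndexedDatabaseRelativePathExists runs immediately after it. If the handle is missing or invalid, the first visible symptom will be a file-system error inside the sandbox. Handle that case explicitly (log and skip the directory setup), and add a one-line comment that the extension has to be consumed before the first access to m_indexedDatabaseDirectory.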
<a id="trunkSourceWebKit2DatabaseProcessiosDatabaseProcessIOSmmfromrev167945trunkSourceWebKit2DatabaseProcessmacDatabaseProcessMacmm"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebKit2/DatabaseProcess/ios/DatabaseProcessIOS.mm (from rev 167945, trunk/Source/WebKit2/DatabaseProcess/mac/DatabaseProcessMac.mm) (0 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/DatabaseProcess/ios/DatabaseProcessIOS.mm         (rev 0)
+++ trunk/Source/WebKit2/DatabaseProcess/ios/DatabaseProcessIOS.mm        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -0,0 +1,55 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import "config.h"
+
+#if PLATFORM(IOS) && ENABLE(DATABASE_PROCESS)
+
+#import "DatabaseProcess.h"
+
+#import "SandboxInitializationParameters.h"
+#import <WebCore/LocalizedStrings.h>
+#import <WebKitSystemInterface.h>
+
+using namespace WebCore;
+
+namespace WebKit {
+
+void DatabaseProcess::initializeProcess(const ChildProcessInitializationParameters&)
+{
+}
+
+void DatabaseProcess::initializeProcessName(const ChildProcessInitializationParameters& parameters)
+{
+}
+
+void DatabaseProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
+{
+ notImplemented();
+}
+
+} // namespace WebKit
+
+#endif // PLATFORM(IOS) && ENABLE(DATABASE_PROCESS)
</ins></span></pre></div>
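Review bot: initializeSandbox in the new iOS file only calls notImplemented(), so nothing in this file sandboxes the database process on iOS; add a FIXME with a bug link so the gap is tracked. None of the visible imports is NotImplemented.h, so import it directly rather than relying on a transitive include. The parameter names in initializeProcessName and initializeSandbox are unused in these bodies; omit them as initializeProcess already does. The LocalizedStrings.h and WebKitSystemInterface.h imports carried over from the Mac copy also have no use in this file.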
<a id="trunkSourceWebKit2DatabaseProcessmacDatabaseProcessMacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/DatabaseProcess/mac/DatabaseProcessMac.mm (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/DatabaseProcess/mac/DatabaseProcessMac.mm        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/DatabaseProcessMac.mm        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -24,14 +24,16 @@
</span><span class="cx"> */
</span><span class="cx">
</span><span class="cx"> #import "config.h"
</span><ins>+
+#if PLATFORM(MAC) && ENABLE(DATABASE_PROCESS)
+
</ins><span class="cx"> #import "DatabaseProcess.h"
</span><span class="cx">
</span><span class="cx"> #import "SandboxInitializationParameters.h"
</span><ins>+#import <WebCore/FileSystem.h>
</ins><span class="cx"> #import <WebCore/LocalizedStrings.h>
</span><span class="cx"> #import <WebKitSystemInterface.h>
</span><span class="cx">
</span><del>-#if ENABLE(DATABASE_PROCESS)
-
</del><span class="cx"> using namespace WebCore;
</span><span class="cx">
</span><span class="cx"> namespace WebKit {
</span><span class="lines">@@ -44,10 +46,8 @@
</span><span class="cx">
</span><span class="cx"> void DatabaseProcess::initializeProcessName(const ChildProcessInitializationParameters& parameters)
</span><span class="cx"> {
</span><del>-#if !PLATFORM(IOS)
</del><span class="cx"> NSString *applicationName = [NSString stringWithFormat:WEB_UI_STRING("%@ Database Storage", "visible name of the database process. The argument is the application name."), (NSString *)parameters.uiProcessName];
</span><span class="cx"> WKSetVisibleApplicationName((CFStringRef)applicationName);
</span><del>-#endif
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void DatabaseProcess::initializeSandbox(const ChildProcessInitializationParameters& parameters, SandboxInitializationParameters& sandboxParameters)
</span><span class="lines">@@ -61,4 +61,4 @@
</span><span class="cx">
</span><span class="cx"> } // namespace WebKit
</span><span class="cx">
</span><del>-#endif // ENABLE(DATABASE_PROCESS)
</del><ins>+#endif // PLATFORM(MAC) && ENABLE(DATABASE_PROCESS)
</ins></span></pre></div>
<a id="trunkSourceWebKit2DatabaseProcessmaccomappleWebKitDatabasessbin"></a>
<div class="addfile"><h4>Added: trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (0 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in         (rev 0)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -0,0 +1,81 @@
</span><ins>+; Copyright (C) 2014 Apple Inc. All rights reserved.
+;
+; Redistribution and use in source and binary forms, with or without
+; modification, are permitted provided that the following conditions
+; are met:
+; 1. Redistributions of source code must retain the above copyright
+; notice, this list of conditions and the following disclaimer.
+; 2. Redistributions in binary form must reproduce the above copyright
+; notice, this list of conditions and the following disclaimer in the
+; documentation and/or other materials provided with the distribution.
+;
+; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+; THE POSSIBILITY OF SUCH DAMAGE.
+
+(version 1)
+(deny default (with partial-symbolication))
+(allow system-audit file-read-metadata)
+
+(import "system.sb")
+
+;; Utility functions for home directory relative path filters
+(define (home-regex home-relative-regex)
+ (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
+
+(define (home-subpath home-relative-subpath)
+ (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
+
+(define (home-literal home-relative-literal)
+ (literal (string-append (param "HOME_DIR") home-relative-literal)))
+
+;; Read-only preferences and data
+(allow file-read*
+ ;; Basic system paths
+ (subpath "/Library/Frameworks")
+ (subpath "/Library/Managed Preferences")
+
+ ;; System and user preferences
+ (literal "/Library/Preferences/.GlobalPreferences.plist")
+ (home-literal "/Library/Preferences/.GlobalPreferences.plist")
+ (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
+
+ ;; On-disk WebKit2 framework location, to account for debug installations
+ ;; outside of /System/Library/Frameworks
+ (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
+
+;; Sandbox extensions
+(define (apply-read-and-issue-extension op path-filter)
+ (op file-read* path-filter)
+ (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
+(define (apply-write-and-issue-extension op path-filter)
+ (op file-write* path-filter)
+ (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
+(define (read-only-and-issue-extensions path-filter)
+ (apply-read-and-issue-extension allow path-filter))
+(define (read-write-and-issue-extensions path-filter)
+ (apply-read-and-issue-extension allow path-filter)
+ (apply-write-and-issue-extension allow path-filter))
+(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
+(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
+
+(if (defined? 'vnode-type)
+ (deny file-write-create (vnode-type SYMLINK)))
+
+;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
+(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
+
+;; Reserve a namespace for additional protected extended attributes.
+#if __MAC_OS_X_VERSION_MIN_REQUIRED > 1090
+(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
+#else
+(deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
+#endif
</ins></span></pre></div>
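Review bot: The file-issue-extension rules in the "Sandbox extensions" block let this process re-issue read and read-write extensions for any path it has been granted. If the database process never passes extensions on to another process, drop those rules and keep only the file-read* and file-write* allowances, which is the narrower policy. Separately, (allow system-audit file-read-metadata) near the top is unfiltered, so it permits metadata reads on every path; add a comment stating why that is needed or scope it.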
<a id="trunkSourceWebKit2DerivedSourcesmake"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/DerivedSources.make (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/DerivedSources.make        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/DerivedSources.make        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -24,6 +24,7 @@
</span><span class="cx"> $(WebKit2) \
</span><span class="cx"> $(WebKit2)/DatabaseProcess \
</span><span class="cx"> $(WebKit2)/DatabaseProcess/IndexedDB \
</span><ins>+ $(WebKit2)/DatabaseProcess/mac \
</ins><span class="cx"> $(WebKit2)/NetworkProcess \
</span><span class="cx"> $(WebKit2)/NetworkProcess/mac \
</span><span class="cx"> $(WebKit2)/PluginProcess \
</span><span class="lines">@@ -179,6 +180,7 @@
</span><span class="cx">
</span><span class="cx"> SANDBOX_PROFILES = \
</span><span class="cx">         com.apple.WebProcess.sb \
</span><ins>+        com.apple.WebKit.Databases.sb \
</ins><span class="cx">         com.apple.WebKit.NetworkProcess.sb
</span><span class="cx">
</span><span class="cx"> all: $(SANDBOX_PROFILES)
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedDatabasesDatabaseProcessCreationParameterscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.cpp (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.cpp        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.cpp        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -39,12 +39,15 @@
</span><span class="cx"> void DatabaseProcessCreationParameters::encode(IPC::ArgumentEncoder& encoder) const
</span><span class="cx"> {
</span><span class="cx"> encoder << indexedDatabaseDirectory;
</span><ins>+ encoder << indexedDatabaseDirectoryExtensionHandle;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool DatabaseProcessCreationParameters::decode(IPC::ArgumentDecoder& decoder, DatabaseProcessCreationParameters& result)
</span><span class="cx"> {
</span><span class="cx"> if (!decoder.decode(result.indexedDatabaseDirectory))
</span><span class="cx"> return false;
</span><ins>+ if (!decoder.decode(result.indexedDatabaseDirectoryExtensionHandle))
+ return false;
</ins><span class="cx">
</span><span class="cx"> return true;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedDatabasesDatabaseProcessCreationParametersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.h (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.h        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/Shared/Databases/DatabaseProcessCreationParameters.h        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #ifndef DatabaseProcessCreationParameters_h
</span><span class="cx"> #define DatabaseProcessCreationParameters_h
</span><span class="cx">
</span><ins>+#include "SandboxExtension.h"
</ins><span class="cx"> #include <wtf/text/WTFString.h>
</span><span class="cx">
</span><span class="cx"> #if ENABLE(INDEXED_DATABASE) && ENABLE(DATABASE_PROCESS)
</span><span class="lines">@@ -45,6 +46,7 @@
</span><span class="cx"> static bool decode(IPC::ArgumentDecoder&, DatabaseProcessCreationParameters&);
</span><span class="cx">
</span><span class="cx"> String indexedDatabaseDirectory;
</span><ins>+ SandboxExtension::Handle indexedDatabaseDirectoryExtensionHandle;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebKit
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedSecurityOriginDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/SecurityOriginData.h (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/SecurityOriginData.h        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/Shared/SecurityOriginData.h        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -27,7 +27,7 @@
</span><span class="cx"> #define SecurityOriginData_h
</span><span class="cx">
</span><span class="cx"> #include "APIObject.h"
</span><del>-#include "GenericCallback.h"
</del><ins>+#include "GenericCallback.h" // FIXME: This is a UIProcess file, and may not be included from Shared directory files.
</ins><span class="cx"> #include <wtf/text/WTFString.h>
</span><span class="cx">
</span><span class="cx"> namespace IPC {
</span></span></pre></div>
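Review bot: The FIXME added on the GenericCallback.h include carries no bug link and is unrelated to the sandboxing work. File a bug for the layering violation and reference it in the comment, or land the comment separately so this change stays limited to the sandbox.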
<a id="trunkSourceWebKit2UIProcessWebContextcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/WebContext.cpp (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/WebContext.cpp        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/UIProcess/WebContext.cpp        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -443,6 +443,7 @@
</span><span class="cx"> // We should fix this, and move WebSQL into a subdirectory (https://bugs.webkit.org/show_bug.cgi?id=124807)
</span><span class="cx"> // In the meantime, an entity name prefixed with three underscores will not conflict with any WebSQL entities.
</span><span class="cx"> parameters.indexedDatabaseDirectory = pathByAppendingComponent(databaseDirectory(), "___IndexedDB");
</span><ins>+ SandboxExtension::createHandleForReadWriteDirectory(parameters.indexedDatabaseDirectory, parameters.indexedDatabaseDirectoryExtensionHandle);
</ins><span class="cx">
</span><span class="cx"> m_databaseProcess->send(Messages::DatabaseProcess::InitializeDatabaseProcess(parameters), 0);
</span><span class="cx"> }
</span></span></pre></div>
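Review bot: The added createHandleForReadWriteDirectory call has no failure handling before InitializeDatabaseProcess is sent. If the handle cannot be created, the sandboxed process is told to use a directory that the new profile will not let it write to. Log the failure here, and consider not sending the directory at all in that case.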
<a id="trunkSourceWebKit2WebKit2xcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj (167945 => 167946)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj        2014-04-29 17:45:24 UTC (rev 167945)
+++ trunk/Source/WebKit2/WebKit2.xcodeproj/project.pbxproj        2014-04-29 17:54:21 UTC (rev 167946)
</span><span class="lines">@@ -1507,6 +1507,8 @@
</span><span class="cx">                 D3B9484911FF4B6500032B39 /* WebSearchPopupMenu.h in Headers */ = {isa = PBXBuildFile; fileRef = D3B9484511FF4B6500032B39 /* WebSearchPopupMenu.h */; };
</span><span class="cx">                 DF58C6361371ACA000F9A37C /* NativeWebWheelEventMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = DF58C6351371ACA000F9A37C /* NativeWebWheelEventMac.mm */; };
</span><span class="cx">                 E105FE5418D7B9DE008F57A8 /* EditingRange.h in Headers */ = {isa = PBXBuildFile; fileRef = E105FE5318D7B9DE008F57A8 /* EditingRange.h */; };
</span><ins>+                E115C714190F89E400ECC516 /* DatabaseProcessIOS.mm in Sources */ = {isa = PBXBuildFile; fileRef = E1FEF39C190F791C00731658 /* DatabaseProcessIOS.mm */; };
+                E115C716190F8A2500ECC516 /* com.apple.WebKit.Databases.sb in Resources */ = {isa = PBXBuildFile; fileRef = E115C715190F8A2500ECC516 /* com.apple.WebKit.Databases.sb */; };
</ins><span class="cx">                 E11D35AE16B63D1B006D23D7 /* com.apple.WebProcess.sb in Resources */ = {isa = PBXBuildFile; fileRef = E1967E37150AB5E200C73169 /* com.apple.WebProcess.sb */; };
</span><span class="cx">                 E133FD8A1423DD7F00FC7BFB /* WebKit.icns in Resources */ = {isa = PBXBuildFile; fileRef = E133FD891423DD7F00FC7BFB /* WebKit.icns */; };
</span><span class="cx">                 E13833EC189C33C8001E2350 /* LocalStorageDetails.h in Headers */ = {isa = PBXBuildFile; fileRef = E13833EB189C33C8001E2350 /* LocalStorageDetails.h */; };
</span><span class="lines">@@ -3422,6 +3424,7 @@
</span><span class="cx">                 DF58C6311371AC5800F9A37C /* NativeWebWheelEvent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NativeWebWheelEvent.h; sourceTree = "<group>"; };
</span><span class="cx">                 DF58C6351371ACA000F9A37C /* NativeWebWheelEventMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = NativeWebWheelEventMac.mm; sourceTree = "<group>"; };
</span><span class="cx">                 E105FE5318D7B9DE008F57A8 /* EditingRange.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EditingRange.h; sourceTree = "<group>"; };
</span><ins>+                E115C715190F8A2500ECC516 /* com.apple.WebKit.Databases.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = file; path = com.apple.WebKit.Databases.sb; sourceTree = "<group>"; };
</ins><span class="cx">                 E133FD891423DD7F00FC7BFB /* WebKit.icns */ = {isa = PBXFileReference; lastKnownFileType = image.icns; name = WebKit.icns; path = Resources/WebKit.icns; sourceTree = "<group>"; };
</span><span class="cx">                 E13833EB189C33C8001E2350 /* LocalStorageDetails.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LocalStorageDetails.h; sourceTree = "<group>"; };
</span><span class="cx">                 E14A954716E016A40068DE82 /* NetworkProcessPlatformStrategies.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = NetworkProcessPlatformStrategies.cpp; path = NetworkProcess/NetworkProcessPlatformStrategies.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -3468,6 +3471,8 @@
</span><span class="cx">                 E1E552C316AE065E004ED653 /* SandboxInitializationParameters.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SandboxInitializationParameters.h; sourceTree = "<group>"; };
</span><span class="cx">                 E1EE53DC11F8CF9F00CCBEE4 /* InjectedBundlePageEditorClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InjectedBundlePageEditorClient.h; sourceTree = "<group>"; };
</span><span class="cx">                 E1EE53E611F8CFFB00CCBEE4 /* InjectedBundlePageEditorClient.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InjectedBundlePageEditorClient.cpp; sourceTree = "<group>"; };
</span><ins>+                E1FEF39A190F76F300731658 /* com.apple.WebKit.Databases.sb.in */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.Databases.sb.in; sourceTree = "<group>"; };
+                E1FEF39C190F791C00731658 /* DatabaseProcessIOS.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = DatabaseProcessIOS.mm; sourceTree = "<group>"; };
</ins><span class="cx">                 F036978715F4BF0500C3A80E /* WebColorPicker.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebColorPicker.cpp; sourceTree = "<group>"; };
</span><span class="cx">                 F6113E24126CE1820057D0A7 /* WebUserContentURLPattern.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebUserContentURLPattern.h; sourceTree = "<group>"; };
</span><span class="cx">                 F6113E26126CE19B0057D0A7 /* WKUserContentURLPattern.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKUserContentURLPattern.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -4955,6 +4960,7 @@
</span><span class="cx">                         isa = PBXGroup;
</span><span class="cx">                         children = (
</span><span class="cx">                                 51E35201180F5D1E00E53BE9 /* DatabaseProcessMac.mm */,
</span><ins>+                                E1FEF39A190F76F300731658 /* com.apple.WebKit.Databases.sb.in */,
</ins><span class="cx">                         );
</span><span class="cx">                         path = mac;
</span><span class="cx">                         sourceTree = "<group>";
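Review bot: com.apple.WebKit.Databases.sb.in is added to the group whose path is mac, next to
DatabaseProcessMac.mm, yet the same patch introduces an ios group holding DatabaseProcessIOS.mm.
If the profile template is meant for the iOS database process, or for both platforms, the mac group
is a misleading home for it. Either move it to a location that matches the platforms it applies to,
or state in the ChangeLog which platform's sandbox it defines.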
</span><span class="lines">@@ -5085,6 +5091,7 @@
</span><span class="cx">                         children = (
</span><span class="cx">                                 51F7DC0B180CC42200212CA3 /* EntryPoint */,
</span><span class="cx">                                 51E351F9180F5CF600E53BE9 /* IndexedDB */,
</span><ins>+                                E1FEF39B190F791C00731658 /* ios */,
</ins><span class="cx">                                 517DD5C0180DB7AA0081660B /* mac */,
</span><span class="cx">                                 51E351FA180F5D0B00E53BE9 /* DatabaseProcess.cpp */,
</span><span class="cx">                                 51E351FB180F5D0B00E53BE9 /* DatabaseProcess.h */,
</span><span class="lines">@@ -6337,6 +6344,7 @@
</span><span class="cx">                                 2DE6943C18BD2A68005C15E5 /* SmartMagnificationControllerMessages.h */,
</span><span class="cx">                                 512F58A012A883AD00629530 /* AuthenticationManagerMessageReceiver.cpp */,
</span><span class="cx">                                 512F58A112A883AD00629530 /* AuthenticationManagerMessages.h */,
</span><ins>+                                E115C715190F8A2500ECC516 /* com.apple.WebKit.Databases.sb */,
</ins><span class="cx">                                 E17AE2C216B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb */,
</span><span class="cx">                                 E1967E37150AB5E200C73169 /* com.apple.WebProcess.sb */,
</span><span class="cx">                                 2984F586164BA095004BC0C6 /* CustomProtocolManagerMessageReceiver.cpp */,
</span><span class="lines">@@ -6579,6 +6587,14 @@
</span><span class="cx">                         name = PDF;
</span><span class="cx">                         sourceTree = "<group>";
</span><span class="cx">                 };
</span><ins>+                E1FEF39B190F791C00731658 /* ios */ = {
+                        isa = PBXGroup;
+                        children = (
+                                E1FEF39C190F791C00731658 /* DatabaseProcessIOS.mm */,
+                        );
+                        path = ios;
+                        sourceTree = "<group>";
+                };
</ins><span class="cx">                 F638955A133BF57D008941D5 /* mac */ = {
</span><span class="cx">                         isa = PBXGroup;
</span><span class="cx">                         children = (
</span><span class="lines">@@ -7791,6 +7807,7 @@
</span><span class="cx">                                 E17AE2C316B9C63A001C42F1 /* com.apple.WebKit.NetworkProcess.sb in Resources */,
</span><span class="cx">                                 E11D35AE16B63D1B006D23D7 /* com.apple.WebProcess.sb in Resources */,
</span><span class="cx">                                 1CBC945E16515ED200D68AAE /* DockBottom.pdf in Resources */,
</span><ins>+                                E115C716190F8A2500ECC516 /* com.apple.WebKit.Databases.sb in Resources */,
</ins><span class="cx">                                 1CB75C941701E880009F809F /* DockRight.pdf in Resources */,
</span><span class="cx">                                 8DC2EF530486A6940098B216 /* InfoPlist.strings in Resources */,
</span><span class="cx">                         );
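Review bot: the Resources phase now copies com.apple.WebKit.Databases.sb, but the only profile file
these project hunks add as source is the com.apple.WebKit.Databases.sb.in template, and the step that
turns the template into the .sb file is not visible in them. Please confirm the generation rule lands
in the same commit, and that the database process refuses to start rather than running unsandboxed
when the profile is missing from the bundle.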
</span><span class="lines">@@ -8609,6 +8626,7 @@
</span><span class="cx">                                 3760881E150413E900FC82C7 /* WebRenderObject.cpp in Sources */,
</span><span class="cx">                                 51217464164C21370037A5C1 /* WebResourceBuffer.cpp in Sources */,
</span><span class="cx">                                 3336762F130C9998006C9DE2 /* WebResourceCacheManager.cpp in Sources */,
</span><ins>+                                E115C714190F89E400ECC516 /* DatabaseProcessIOS.mm in Sources */,
</ins><span class="cx">                                 33F9D5B91312F1EE000D683F /* WebResourceCacheManagerCFNet.cpp in Sources */,
</span><span class="cx">                                 33367655130C9ECA006C9DE2 /* WebResourceCacheManagerMessageReceiver.cpp in Sources */,
</span><span class="cx">                                 51EF124E19098522008A6532 /* SelectionOverlayController.cpp in Sources */,
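Review bot: DatabaseProcessIOS.mm is added to this Sources list with nothing in the hunk limiting it
to iOS, and the project also carries DatabaseProcessMac.mm in the mac group. If one target compiles
both files from its Sources list, the body of DatabaseProcessIOS.mm needs a platform guard so the
two files do not both define the same members; worth checking that the guard is present before landing.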
</span></span></pre>
</div>
</div>
</body>
</html>