Correct plugin sandbox after r208611
https://bugs.webkit.org/show_bug.cgi?id=165187
<rdar://problem/29431165>

Reviewed by Alex Christensen.

In r208611 I removed the 'else' clause of a Scheme conditional
that was needed to properly run plugins (such as Flash Player).

This change retains the relevant current sandbox content, while
still stripping out the old code that is no longer needed.

* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:


Canonical link: https://commits.webkit.org/182819@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@209133 268f45cc-cd09-0410-ab3c-d52691b4dbfc
brentfulgham committed Nov 30, 2016
1 parent cb429e3 commit 8e90d99a537697ea472e8ade2502e2f6dd81d459
Showing with 32 additions and 0 deletions.
  1. +16 −0 Source/WebKit2/ChangeLog
  2. +16 −0 Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
@@ -1,3 +1,19 @@
2016-11-30 Brent Fulgham <bfulgham@apple.com>

Correct plugin sandbox after r208611
https://bugs.webkit.org/show_bug.cgi?id=165187
<rdar://problem/29431165>

Reviewed by Alex Christensen.

In r208611 I removed the 'else' clause of a Scheme conditional
that was needed to properly run plugins (such as Flash Player).

This change retains the relevant current sandbox content, while
still stripping out the old code that is no longer needed.

* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:

2016-11-29 Carlos Garcia Campos <cgarcia@igalia.com>

[GTK] Database process should not initialize gtk
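
Review bot: The description in the new 2016-11-30 entry ("This change retains the relevant current sandbox content") does not name what is being restored. The sandbox hunk brings back POSIX shared-memory allowances, so listing them here (the `ipc-posix-shm*` and `ipc-posix-shm-read*` rules) would let someone auditing the profile's history find this change from the ChangeLog alone, and would record which part of the r208611 'else' clause was still needed.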
@@ -347,6 +347,22 @@
(define (webkit-microphone)
(allow device-microphone))

(allow ipc-posix-shm*
(ipc-posix-name-regex #"^AudioIO")
(ipc-posix-name-regex #"^CFPBS:")
(ipc-posix-name "com.apple.ColorSync.Gen.lock")
(ipc-posix-name "com.apple.ColorSync.Disp.lock")
(ipc-posix-name "com.apple.ColorSync.Gray2.2")
(ipc-posix-name "com.apple.ColorSync.sRGB")
(ipc-posix-name "com.apple.ColorSync.GenGray")
(ipc-posix-name "com.apple.ColorSync.GenRGB")
(ipc-posix-name-regex #"^com\.apple\.cs\.")
(ipc-posix-name-regex #"^ls\."))
(allow ipc-posix-shm-read*
(ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
(ipc-posix-name "FNetwork.defaultStorageSession")
(ipc-posix-name "apple.shm.notification_center"))

;; Silently block access to some resources
(deny file-read* file-write* (with no-log)
(subpath "/Network/Library")
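
Review bot: The restored `(allow ipc-posix-shm* ...)` block grants every shared-memory operation, not just reads, on names matched by prefix-only regexes such as `#"^AudioIO"`, `#"^CFPBS:"` and `#"^ls\."`, and nothing in the block says why. Any segment whose name starts with one of those prefixes is covered, so please check whether each entry really needs more than the read access used in the `ipc-posix-shm-read*` form below it, and move any that do not into that form. A short comment above the block stating that these rules are required by plugins (the commit message mentions Flash Player) and were dropped by mistake in r208611 would also help, since the next rule already carries one (";; Silently block access to some resources") and the restored block sits at top level, directly after the `webkit-microphone` definition, with no explanation.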
