[Mac] Add an experimental SPI for plug-ins to enter sandbox

https://bugs.webkit.org/show_bug.cgi?id=79709

Reviewed by Anders Carlsson.

* PluginProcess/PluginProcess.h: (WebKit::PluginProcess::pluginPath): Exposed plugin path.

* PluginProcess/mac/com.apple.WebKit.PluginProcess.sb: Added.

* WebKit2.xcodeproj/project.pbxproj: Added new files.

* WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp: (WebKit::NPN_GetValue): Exposed
a function to access sandboxing functions when available.

* WebProcess/Plugins/Netscape/mac/NetscapeSandboxFunctions.h: Added.
* WebProcess/Plugins/Netscape/mac/NetscapeSandboxFunctions.mm: Added.


Canonical link: https://commits.webkit.org/96903@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@109143 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog

@@ -1,3 +1,22 @@
+2012-02-28  Alexey Proskuryakov  <ap@apple.com>
+
+        [Mac] Add an experimental SPI for plug-ins to enter sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=79709
+
+        Reviewed by Anders Carlsson.
+
+        * PluginProcess/PluginProcess.h: (WebKit::PluginProcess::pluginPath): Exposed plugin path.
+
+        * PluginProcess/mac/com.apple.WebKit.PluginProcess.sb: Added.
+
+        * WebKit2.xcodeproj/project.pbxproj: Added new files.
+
+        * WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp: (WebKit::NPN_GetValue): Exposed
+        a function to access sandboxing functions when available.
+
+        * WebProcess/Plugins/Netscape/mac/NetscapeSandboxFunctions.h: Added.
+        * WebProcess/Plugins/Netscape/mac/NetscapeSandboxFunctions.mm: Added.
+
 2012-02-28  Mahesh Kulkarni  <mahesh.kulkarni@nokia.com>
 
         [Qt] Allow read/write to the WebView.url property

Source/WebKit2/PluginProcess/PluginProcess.h

@@ -52,6 +52,8 @@ class PluginProcess : ChildProcess {
 
     NetscapePluginModule* netscapePluginModule();
 
+    const String& pluginPath() const { return m_pluginPath; }
+
 #if PLATFORM(MAC)
     void initializeShim();
 

Source/WebKit2/PluginProcess/mac/com.apple.WebKit.PluginProcess.sb

@@ -0,0 +1,191 @@
+(version 1)
+(deny default (with partial-symbolication))
+(allow ipc-posix-shm system-audit system-socket file-read-metadata)
+
+(import "system.sb")
+
+;; Utility functions for home directory relative path filters
+(define (home-regex home-relative-regex)
+  (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
+
+(define (home-subpath home-relative-subpath)
+  (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
+
+(define (home-literal home-relative-literal)
+  (literal (string-append (param "HOME_DIR") home-relative-literal)))
+
+;; Read-only preferences and data
+(allow file-read*
+       ;; Basic system paths
+       (subpath "/Library/Frameworks")
+       (subpath "/private/var/db/mds")
+
+       ;; System and user preferences
+       (literal "/Library/Preferences/.GlobalPreferences.plist")
+       (literal "/Library/Preferences/com.apple.Bluetooth.plist")
+       (literal "/Library/Preferences/com.apple.QuickTime.plist")
+       (regex #"^/Library/Preferences/com\.apple\.security")
+       (home-literal "/.CFUserTextEncoding")
+       (home-subpath "/Library/Audio")
+       (home-subpath "/Library/ColorPickers")
+       (home-subpath "/Library/ColorSync")
+       (home-subpath "/Library/Components")
+       (home-subpath "/Library/Input Methods")
+       (home-subpath "/Library/KeyBindings")
+       (home-subpath "/Library/Keyboard Layouts")
+       (home-subpath "/Library/Fonts")
+       (home-subpath "/Library/PDF Services")
+       (home-literal "/Library/Preferences/.GlobalPreferences.plist")
+       (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
+       (home-regex #"/Library/Preferences/ByHost/com\.apple\.Bluetooth\.")
+       (home-literal "/Library/Preferences/com.apple.ATS.plist")
+       (home-literal "/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.mouse.plist")
+       (home-literal "/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.trackpad.plist")
+       (home-literal "/Library/Preferences/com.apple.driver.AppleHIDMouse.plist")
+       (home-literal "/Library/Preferences/com.apple.inputmethodkit.plist")
+       (home-literal "/Library/Preferences/com.apple.iWork.Pages.plist")
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.plist")
+       (home-literal "/Library/Preferences/com.apple.MultitouchSupport.plist")
+       (home-literal "/Library/Preferences/com.apple.opengl.plist")
+       (home-literal "/Library/Preferences/com.apple.security.plist")
+       (home-literal "/Library/Preferences/com.apple.security_common.plist")
+       (home-literal "/Library/Preferences/com.apple.speech.voice.prefs.plist")
+       (home-literal "/Library/Preferences/com.apple.speech.synthesis.general.prefs.plist")
+       (home-literal "/Library/Preferences/com.apple.systemsound.plist")
+       (home-literal "/Library/Preferences/com.apple.universalaccess.plist")
+       (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
+       (home-literal "/Library/Preferences/com.nvidia.OpenGL.plist")
+       (home-literal "/Library/Preferences/pbs.plist")
+       (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist")
+       (home-literal "/Library/Preferences/QuickTime Preferences")
+
+       (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
+
+       (subpath "/Library/Audio/Plug-Ins/Components")
+       (home-subpath "/Library/Audio/Plug-Ins/Components")
+       (subpath "/Library/Audio/Plug-Ins/HAL")
+       (subpath "/Library/QuickTime")
+       (home-subpath "/Library/QuickTime")
+       (subpath "/Library/Video/Plug-Ins")
+
+       (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
+
+       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+
+       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+       (subpath "/Library/Keychains")
+)
+
+;; Read-write preferences and data
+(allow file*
+       (home-regex #"/Library/Preferences/com\.apple\.WebKit\.PluginProcess\.plist")
+
+       (home-subpath "/Library/Caches/QuickTime")
+
+       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+       (home-subpath "/Library/Keychains"))
+
+;; IOKit user clients
+(allow iokit-open
+       (iokit-connection "IOAccelerator")
+       (iokit-user-client-class "AGPMClient")
+       (iokit-user-client-class "AppleGraphicsControlClient")
+       (iokit-user-client-class "AppleSNBFBUserClient")
+       (iokit-user-client-class "IOAccelerationUserClient")
+       (iokit-user-client-class "IOAudioControlUserClient")
+       (iokit-user-client-class "IOAudioEngineUserClient")
+       (iokit-user-client-class "IOFramebufferSharedUserClient")
+       (iokit-user-client-class "IOHIDParamUserClient")
+       (iokit-user-client-class "IOSurfaceRootUserClient")
+       (iokit-user-client-class "IOSurfaceSendRight")
+       (iokit-user-client-class "RootDomainUserClient"))
+
+;; Various services required by AppKit and other frameworks
+(allow mach-lookup
+       (global-name "com.apple.CoreServices.coreservicesd")
+       (global-name "com.apple.DiskArbitration.diskarbitrationd")
+       (global-name "com.apple.FileCoordination")
+       (global-name "com.apple.FontObjectsServer")
+       (global-name "com.apple.FontServer")
+       (global-name "com.apple.ImageCaptureExtension2.presence")
+       (global-name "com.apple.SecurityServer")
+       (global-name "com.apple.SystemConfiguration.configd")
+       (global-name "com.apple.audio.VDCAssistant")
+       (global-name "com.apple.audio.audiohald")
+       (global-name "com.apple.audio.coreaudiod")
+       (global-name "com.apple.cmio.VDCAssistant")
+       (global-name "com.apple.cookied") ;; FIXME: <rdar://problem/10790768> Limit access to cookies.
+       (global-name "com.apple.cvmsServ")
+       (global-name "com.apple.ocspd")
+       (global-name "com.apple.pasteboard.1")
+       (global-name "com.apple.window_proxies")
+       (global-name "com.apple.windowserver.active")
+       (global-name "com.apple.cfnetwork.AuthBrokerAgent")
+       (global-name "com.apple.PowerManagement.control")
+       (global-name-regex #"_OpenStep$")
+)
+
+;; Networking
+(allow system-socket (socket-domain AF_ROUTE))
+(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
+(allow network-outbound
+       ;; Kernel controls
+       (control-name "com.apple.network.statistics")
+       (control-name "com.apple.netsrc")
+
+       ;; Local mDNSResponder for DNS, arbitrary outbound TCP
+       (literal "/private/var/run/mDNSResponder")
+       (remote tcp))
+
+(allow mach-lookup
+       (global-name "com.apple.tsm.uiserver")
+       (local-name "com.apple.tsm.portname")
+)
+
+;; Open and Save panels
+(define (apply-read-and-issue-extension op path-filter)
+       (op file-read* path-filter)
+       (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
+(define (apply-write-and-issue-extension op path-filter)
+       (op file-write* path-filter)
+       (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
+(define (read-write-and-issue-extensions path-filter)
+       (apply-read-and-issue-extension allow path-filter)
+       (apply-write-and-issue-extension allow path-filter))
+(allow qtn-user
+       (extension "com.apple.app-sandbox.read-write"))
+(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
+
+;; Printing
+(allow network-outbound (literal "/private/var/run/cupsd"))
+(allow mach-lookup
+       (global-name "com.apple.printuitool.agent")
+       (global-name "com.apple.printtool.agent")
+       (global-name "com.apple.printtool.daemon"))
+(allow file-read*
+       (home-literal "/.cups/lpoptions")
+       (home-literal "/.cups/client.conf")
+       (literal "/private/etc/cups/client.conf")
+       (literal "/private/etc/cups/lpoptions")
+       (subpath "/private/etc/cups/ppd")
+       (subpath "/private/var/run/cupsd")
+       (home-literal "/Library/Preferences/org.cups.PrintingPrefs.plist"))
+
+;; Text Services Manager
+(allow iokit-set-properties (iokit-property "CapsLockDelayOverride"))
+
+;; Image Capture (used by print preview dialog)
+(allow appleevent-send (appleevent-destination "com.apple.imagecaptureextension2"))
+
+;; Silently block access to some files
+(deny file-read* file-write* (with no-log)
+       (home-regex #"/Library/Preferences/com\.apple\.internetconfigpriv\.plist")
+       (home-regex #"/Library/Preferences/com\.apple\.internetconfig\.plist")
+
+       ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
+       (home-literal "/Library/Caches/Cache.db")
+
+       ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
+

Source/WebKit2/WebKit2.xcodeproj/project.pbxproj

@@ -886,6 +886,9 @@
 		E134F01A12EA5D99004EC58D /* WKPrintingView.mm in Sources */ = {isa = PBXBuildFile; fileRef = E134F01912EA5D99004EC58D /* WKPrintingView.mm */; };
 		E179FD9C134D38060015B883 /* ArgumentCodersMac.h in Headers */ = {isa = PBXBuildFile; fileRef = E179FD9B134D38060015B883 /* ArgumentCodersMac.h */; };
 		E179FD9F134D38250015B883 /* ArgumentCodersMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = E179FD9E134D38250015B883 /* ArgumentCodersMac.mm */; };
+		E17BF99614D0A73E00A5A069 /* NetscapeSandboxFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = E17BF99514D0A73E00A5A069 /* NetscapeSandboxFunctions.h */; };
+		E17BF99814D0AA8300A5A069 /* NetscapeSandboxFunctions.mm in Sources */ = {isa = PBXBuildFile; fileRef = E17BF99714D0AA8300A5A069 /* NetscapeSandboxFunctions.mm */; };
+		E17BF99A14D0CBF100A5A069 /* com.apple.WebKit.PluginProcess.sb in Resources */ = {isa = PBXBuildFile; fileRef = E17BF99914D0CBF100A5A069 /* com.apple.WebKit.PluginProcess.sb */; };
 		E18C92F412DB9E7100CF2AEB /* PrintInfo.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E18C92F312DB9E7100CF2AEB /* PrintInfo.cpp */; };
 		E199875E142C045400BB2DE7 /* BuiltInPDFView.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E199875C142BFC9700BB2DE7 /* BuiltInPDFView.cpp */; };
 		E1A31732134CEA6C007C9A4F /* AttributedString.h in Headers */ = {isa = PBXBuildFile; fileRef = E1A31731134CEA6C007C9A4F /* AttributedString.h */; };
@@ -1932,6 +1935,9 @@
 		E14E99F914D879C9001D221F /* add-entitlements.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "add-entitlements.sh"; sourceTree = "<group>"; };
 		E179FD9B134D38060015B883 /* ArgumentCodersMac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArgumentCodersMac.h; sourceTree = "<group>"; };
 		E179FD9E134D38250015B883 /* ArgumentCodersMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ArgumentCodersMac.mm; sourceTree = "<group>"; };
+		E17BF99514D0A73E00A5A069 /* NetscapeSandboxFunctions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NetscapeSandboxFunctions.h; sourceTree = "<group>"; };
+		E17BF99714D0AA8300A5A069 /* NetscapeSandboxFunctions.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = NetscapeSandboxFunctions.mm; sourceTree = "<group>"; };
+		E17BF99914D0CBF100A5A069 /* com.apple.WebKit.PluginProcess.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.PluginProcess.sb; sourceTree = "<group>"; };
 		E18C92F312DB9E7100CF2AEB /* PrintInfo.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PrintInfo.cpp; sourceTree = "<group>"; };
 		E199875A142BF9B800BB2DE7 /* BuiltInPDFView.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = BuiltInPDFView.h; path = PDF/BuiltInPDFView.h; sourceTree = "<group>"; };
 		E199875C142BFC9700BB2DE7 /* BuiltInPDFView.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = BuiltInPDFView.cpp; path = PDF/BuiltInPDFView.cpp; sourceTree = "<group>"; };
@@ -2123,6 +2129,7 @@
 				1A0EC802124BD41E007EF4A5 /* PluginProcessMainMac.mm */,
 				1AC25F8912A48E0300BD2671 /* PluginProcessShim.h */,
 				1AC25F8A12A48E0300BD2671 /* PluginProcessShim.mm */,
+				E17BF99914D0CBF100A5A069 /* com.apple.WebKit.PluginProcess.sb */,
 				E14E99F914D879C9001D221F /* add-entitlements.sh */,
 			);
 			path = mac;
@@ -2250,6 +2257,8 @@
 			isa = PBXGroup;
 			children = (
 				1AE5B7F911E7AED200BA6767 /* NetscapePluginMac.mm */,
+				E17BF99514D0A73E00A5A069 /* NetscapeSandboxFunctions.h */,
+				E17BF99714D0AA8300A5A069 /* NetscapeSandboxFunctions.mm */,
 				1A2D92201281DC1B001EB962 /* PluginProxyMac.mm */,
 			);
 			path = mac;
@@ -3695,6 +3704,7 @@
 			isa = PBXHeadersBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				E17BF99A14D0CBF100A5A069 /* com.apple.WebKit.PluginProcess.sb in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -4137,6 +4147,7 @@
 				BFA6179F12F0B99D0033E0CA /* WKViewPrivate.h in Headers */,
 				BC2E6E8E1141971500A63B1E /* WorkQueue.h in Headers */,
 				1AB42E8714BBBBB2004272F7 /* KeychainShimResponseMap.h in Headers */,
+				E17BF99614D0A73E00A5A069 /* NetscapeSandboxFunctions.h in Headers */,
 				BCE0937814FB128C001138D9 /* RemoteLayerClient.h in Headers */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -4300,6 +4311,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				E17BF99A14D0CBF100A5A069 /* com.apple.WebKit.PluginProcess.sb in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -4874,6 +4886,7 @@
 				BC8699B6116AADAA002A925B /* WKView.mm in Sources */,
 				BC2E6E8D1141971500A63B1E /* WorkQueue.cpp in Sources */,
 				BC0092F8115837A300E0AE2A /* WorkQueueMac.cpp in Sources */,
+				E17BF99814D0AA8300A5A069 /* NetscapeSandboxFunctions.mm in Sources */,
 				BCE0937714FB128C001138D9 /* RemoteLayerClient.mm in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;

Source/WebKit2/WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp

@@ -36,6 +36,10 @@
 #include <WebCore/SharedBuffer.h>
 #include <utility>
 
+#if PLATFORM(MAC) && !defined(BUILDING_ON_LEOPARD) || !defined(BUILDING_ON_SNOW_LEOPARD)
+#include "NetscapeSandboxFunctions.h"
+#endif
+
 using namespace WebCore;
 using namespace std;
 
@@ -411,6 +415,8 @@ static const unsigned WKNVExpectsNonretainedLayer = 74657;
 // Whether plug-in code is allowed to enter (arbitrary) sandbox for the process.
 static const unsigned WKNVAllowedToEnterSandbox = 74658;
 
+// WKNVSandboxFunctions = 74659 is defined in NetscapeSandboxFunctions.h
+
 // The Core Animation render server port.
 static const unsigned WKNVCALayerRenderServerPort = 71879;
 
@@ -502,6 +508,14 @@ static NPError NPN_GetValue(NPP npp, NPNVariable variable, void *value)
             *(NPBool*)value = true;
             break;
 
+#if PLATFORM(MAC) && !defined(BUILDING_ON_LEOPARD) || !defined(BUILDING_ON_SNOW_LEOPARD)
+        case WKNVSandboxFunctions:
+        {
+            *(WKNSandboxFunctions **)value = netscapeSandboxFunctions();
+            break;
+        }
+#endif
+
 #ifndef NP_NO_QUICKDRAW
         case NPNVsupportsQuickDrawBool:
             // We don't support the QuickDraw drawing model.

Source/WebKit2/WebProcess/Plugins/Netscape/mac/NetscapeSandboxFunctions.h

@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef NetscapeSandboxFunctions_h
+#define NetscapeSandboxFunctions_h
+
+#include <WebCore/npapi.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define WKNVSandboxFunctions 74659
+#define WKNVSandboxFunctionsVersionCurrent 1
+
+typedef NPError (*WKN_EnterSandboxProcPtr)(const char *readOnlyPaths[], const char *readWritePaths[]);
+typedef NPError (*WKN_FileStopAccessingProcPtr)(const char* path);
+
+NPError WKN_EnterSandbox(const char *readOnlyPaths[], const char *readWritePaths[]);
+NPError WKN_FileStopAccessing(const char* path);
+
+typedef struct _WKNSandboxFunctions {
+    uint16_t size;
+    uint16_t version;
+
+    WKN_EnterSandboxProcPtr enterSandbox;
+    WKN_FileStopAccessingProcPtr fileStopAccessing;
+} WKNSandboxFunctions;
+
+WKNSandboxFunctions* netscapeSandboxFunctions();
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif