10.7: Java applets do not work due to sandbox violation/exception

https://bugs.webkit.org/show_bug.cgi?id=118920
<rdar://problem/14471541&12910934&14223830&14260729&14267679>

Patch by Simon Cooper <scooper@apple.com> on 2013-07-23
Reviewed by Alexey Proskuryakov.

Introduce versioning into the common profile and use it to fix
a number of issues with Java on 10.7 and 10.8. Allow writing the
com.apple.java.util.prefs preference file. This change also
introduces a "/Library/Application Support/Java/PublicFiles"
area which Java can read without any restrictions. Files written
to this location will need to be created and written to by
a privileged process.

* Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
* Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153070 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c8a34d59
2013-07-23 Simon Cooper <scooper@apple.com>
10.7: Java applets do not work due to sandbox violation/exception
https://bugs.webkit.org/show_bug.cgi?id=118920
<rdar://problem/14471541&12910934&14223830&14260729&14267679>
Reviewed by Alexey Proskuryakov.
Introduce versioning into the common profile and use it to fix
a number of issues with Java on 10.7 and 10.8. Allow writing the
com.apple.java.util.prefs preference file. This change also
introduces a "/Library/Application Support/Java/PublicFiles"
area which Java can read without any restrictions. Files written
to this location will need to be created and written to by
a privileged process.
* Resources/PlugInSandboxProfiles/com.apple.WebKit.plugin-common.sb:
* Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb:
2013-07-23 Eunmi Lee <eunmi15.lee@samsung.com>
[EFL][WK2] Add doneWithTouchEvent callback to the WKViewClient.
......
......@@ -50,6 +50,11 @@
(home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
domains))
;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
;; This parameter is the major OS Version number.
(if (not (defined? 'os-version))
(define os-version (param "_OS_VERSION")))
;; OS X 10.7 (Lion) compatibility
(if (not (defined? 'ipc-posix-shm*))
(define ipc-posix-shm* ipc-posix-shm))
......@@ -212,6 +217,9 @@
(local-name "com.apple.tsm.portname")
(global-name-regex #"_OpenStep$"))
(if (equal? os-version "10.7")
(allow mach-lookup
(global-name "com.apple.system.DirectoryService.membership_v1")))
;; Configuration directories
(allow file-read* (subpath (param "PLUGIN_PATH")))
......@@ -311,23 +319,28 @@
(define (webkit-microphone)
(allow device-microphone))
(allow ipc-posix-shm*
(ipc-posix-name-regex #"^AudioIO")
(ipc-posix-name-regex #"^CFPBS:")
(ipc-posix-name "com.apple.ColorSync.Gen.lock")
(ipc-posix-name "com.apple.ColorSync.Disp.lock")
(ipc-posix-name "com.apple.ColorSync.Gray2.2")
(ipc-posix-name "com.apple.ColorSync.sRGB")
(ipc-posix-name "com.apple.ColorSync.GenGray")
(ipc-posix-name "com.apple.ColorSync.GenRGB")
(ipc-posix-name-regex #"^com\.apple\.cs\.")
(ipc-posix-name "_CS_GSHMEMLOCK")
(ipc-posix-name "_CS_DSHMEMLOCK"))
(allow ipc-posix-shm-read*
(ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
(ipc-posix-name "FNetwork.defaultStorageSession")
(ipc-posix-name "apple.shm.notification_center"))
(if (equal? os-version "10.7")
(allow ipc-posix-shm)
(begin
(if (equal? os-version "10.8")
(allow ipc-posix-shm*
(ipc-posix-name "_CS_GSHMEMLOCK")
(ipc-posix-name "_CS_DSHMEMLOCK")))
(allow ipc-posix-shm*
(ipc-posix-name-regex #"^AudioIO")
(ipc-posix-name-regex #"^CFPBS:")
(ipc-posix-name "com.apple.ColorSync.Gen.lock")
(ipc-posix-name "com.apple.ColorSync.Disp.lock")
(ipc-posix-name "com.apple.ColorSync.Gray2.2")
(ipc-posix-name "com.apple.ColorSync.sRGB")
(ipc-posix-name "com.apple.ColorSync.GenGray")
(ipc-posix-name "com.apple.ColorSync.GenRGB")
(ipc-posix-name-regex #"^com\.apple\.cs\.")
(ipc-posix-name-regex #"^ls\."))
(allow ipc-posix-shm-read*
(ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
(ipc-posix-name "FNetwork.defaultStorageSession")
(ipc-posix-name "apple.shm.notification_center"))))
;; Silently block access to some resources
(deny file-read* file-write* (with no-log)
......
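Review bot: In the `@@ -311,23 +319,28 @@` hunk the 10.7 branch is a bare `(allow ipc-posix-shm)` with no name filter, so on Lion a plug-in using this common profile may open any POSIX shared-memory object, while every other version keeps the named allow-list. The compatibility alias earlier in the file (`(define ipc-posix-shm* ipc-posix-shm)`) suggests the filtered form did load on 10.7, so the branch could probably keep the `ipc-posix-name` filters and add only the names Java needs. If the unfiltered grant really is required, record why next to it, e.g. `;; 10.7 only: Java needs shm names we cannot enumerate; remove with 10.7 support`. Note also that `os-version` is matched by exact string, so any value other than "10.7" or "10.8" silently takes the default branch.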
(webkit-printing)
(allow signal network-inbound)
(allow process-fork)
(allow process-exec
(subpath "/System/Library/Java/JavaVirtualMachines")
(subpath "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"))
(allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
(allow mach-lookup
(global-name "com.apple.coreservices.launchservicesd")
(global-name-regex #"^PlaceHolderServerName-"))
(if (equal? os-version "10.7")
(begin
(allow mach-lookup
(global-name-regex #"^com\.apple\.java\.jrs\.carenderserver"))
(allow file-read* file-write*
(home-library-subpath "/Caches/net.java.openjdk.cmd"))))
(allow file-read*
(literal "/dev/fd")
......@@ -15,8 +26,11 @@
(shared-preferences-read
"com.apple.java.JavaPreferences"
"com.apple.java.util.prefs")
(shared-preferences-read-write "com.oracle.javadeployment")
"net.java.openjdk.cmd")
(shared-preferences-read-write
"com.apple.java.util.prefs"
"com.oracle.javadeployment")
(allow file-read* file-write*
(home-library-subpath "/Saved Application State/net.java.openjdk.cmd.savedState")
......@@ -27,14 +41,14 @@
(home-library-literal "/Application Support/Oracle")
(home-library-literal "/Application Support/Oracle/Java"))
(allow file-read*
(subpath "/Library/Application Support/Java/PublicFiles")
(subpath "/Library/Application Support/Oracle/Java/Deployment"))
(allow network-bind network-outbound (subpath (param "DARWIN_USER_TEMP_DIR")))
(allow network-bind (local ip))
(deny mach-lookup (with no-log)
(global-name "com.apple.ls.boxd")
(global-name-regex #"^PlaceHolderServerName-"))
(deny job-creation (with no-log))
(deny file-write* (with no-log) (subpath "/Library/Application Support/Oracle"))
(deny file-write* (with no-log) (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
(webkit-printing)
(deny job-creation (with no-log))
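Review bot: The new `(subpath "/Library/Application Support/Java/PublicFiles")` entry in the `@@ -27,14 +41,14 @@` hunk lets the sandboxed applet process read everything under that directory, and the profile itself says nothing about what may live there. The commit message states that the files must be created by a privileged process, but that constraint is enforced only by filesystem permissions, not by this rule. I would put it in the profile as a comment above the rule, for example `;; Readable by untrusted applet code: keep this tree writable only by privileged processes and free of secrets.`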
......@@ -46,6 +46,7 @@ public:
void addConfDirectoryParameter(const char* name, int confID);
void addPathParameter(const char* name, NSString *path);
void addPathParameter(const char* name, const char* path);
void addParameter(const char* name, const char* value);
const char* const* namedParameterArray() const;
......
......@@ -29,6 +29,7 @@
#import "SandboxInitializationParameters.h"
#import "WebKitSystemInterface.h"
#import <WebCore/FileSystem.h>
#import <WebCore/SystemVersionMac.h>
#import <mach/task.h>
#import <pwd.h>
#import <stdlib.h>
......@@ -166,6 +167,18 @@ void ChildProcess::initializeSandbox(const ChildProcessInitializationParameters&
sandboxParameters.setSystemDirectorySuffix(defaultSystemDirectorySuffix);
}
Vector<String> osVersionParts;
String osSystemMarketingVersion = String(systemMarketingVersion());
osSystemMarketingVersion.split('.', false, osVersionParts);
if (osVersionParts.size() < 2) {
WTFLogAlways("%s: Couldn't find OS Version\n", getprogname());
exit(EX_NOPERM);
}
String osVersion = osVersionParts[0];
osVersion.append('.');
osVersion.append(osVersionParts[1]);
sandboxParameters.addParameter("_OS_VERSION", osVersion.utf8().data());
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
// Use private temporary and cache directories.
setenv("DIRHELPER_USER_DIR_SUFFIX", fileSystemRepresentation(sandboxParameters.systemDirectorySuffix()).data(), 0);
......
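Review bot: The `"_OS_VERSION"` value built in the `@@ -166,6 +167,18 @@` hunk is compared by exact string equality in the sandbox profiles (`(equal? os-version "10.7")`), and nothing here says that the "major.minor" format is a contract with them. A comment above the block would keep the two in sync, e.g. `// Profiles match _OS_VERSION by exact string ("10.7", "10.8"); keep this "major.minor" format in step with them.` Exiting when the version cannot be parsed is the right fail-closed behaviour, but `EX_NOPERM` comes from `<sysexits.h>`, which is not among the imports visible in the `@@ -29,6 +29,7 @@` hunk, so please confirm it is already included. The body of `initializeSandbox` begins and continues outside the hunk.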
......@@ -70,6 +70,12 @@ void SandboxInitializationParameters::addPathParameter(const char* name, const c
appendPathInternal(name, path);
}
void SandboxInitializationParameters::addParameter(const char* name, const char* value)
{
m_namedParameters.append(name);
m_namedParameters.append(fastStrDup(value));
}
const char* const* SandboxInitializationParameters::namedParameterArray() const
{
if (!(m_namedParameters.size() % 2))
......
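Review bot: `addParameter` stores `name` by pointer but copies `value` with `fastStrDup`, so `name` must outlive the parameters object; that holds for the `"_OS_VERSION"` literal passed by the only caller shown, but it is not stated anywhere. A one-line contract on the definition or the header declaration would help, such as `// name is not copied and must have static lifetime; value is duplicated.` A null `value` would be passed straight to `fastStrDup`, so `ASSERT(name && value);` at the top of the function is worth adding. Where the duplicated string is released is outside this hunk; presumably the destructor frees the value slots, which is worth confirming for this new entry point.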