Cherry-pick r291814. rdar://problem/90343926

    Update Sandbox profiles for system content path
    https://bugs.webkit.org/show_bug.cgi?id=238255

    Reviewed by Per Arne Vollan.

    Updated WebKit sandbox profiles to include system content path rule files when building with the system content path.
    Changed the iOS profiles to be preprocessed to make these changes.

    * DerivedSources-input.xcfilelist
    * DerivedSources-output.xcfilelist
    * DerivedSources.make:
    * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb: Removed.
    * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.
    * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Removed.
    * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.
    * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb: Removed.
    * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.
    * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
    * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb: Removed.
    * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.
    * Shared/Sandbox/preferences.sb:
    * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
    * WebKit.xcodeproj/project.pbxproj:
    * WebProcess/com.apple.WebProcess.sb.in:

    Canonical link: https://commits.webkit.org/248841@main
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291814 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Canonical link: https://commits.webkit.org/247549.15@safari-614.1.5.5-branch
git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-614.1.5.5-branch@291826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index cd1fb0f..c04c077 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,61 @@
+2022-03-24  Russell Epstein  <repstein@apple.com>
+
+        Cherry-pick r291814. rdar://problem/90343926
+
+    Update Sandbox profiles for system content path
+    https://bugs.webkit.org/show_bug.cgi?id=238255
+    
+    Reviewed by Per Arne Vollan.
+    
+    Updated WebKit sandbox profiles to include system content path rule files when building with the system content path.
+    Changed the iOS profiles to be preprocessed to make these changes.
+    
+    * DerivedSources-input.xcfilelist
+    * DerivedSources-output.xcfilelist
+    * DerivedSources.make:
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb: Removed.
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Removed.
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb: Removed.
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb: Removed.
+    * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.
+    * Shared/Sandbox/preferences.sb:
+    * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+    * WebKit.xcodeproj/project.pbxproj:
+    * WebProcess/com.apple.WebProcess.sb.in:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291814 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-03-24  Michael Saboff  <msaboff@apple.com>
+
+            Update Sandbox profiles for system content path
+            https://bugs.webkit.org/show_bug.cgi?id=238255
+
+            Reviewed by Per Arne Vollan.
+
+            Updated WebKit sandbox profiles to include system content path rule files when building with the system content path.
+            Changed the iOS profiles to be preprocessed to make these changes.
+
+            * DerivedSources-input.xcfilelist
+            * DerivedSources-output.xcfilelist
+            * DerivedSources.make:
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb: Removed.
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: Removed.
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb: Removed.
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb: Removed.
+            * Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.in: Copied from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.
+            * Shared/Sandbox/preferences.sb:
+            * WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in:
+            * WebKit.xcodeproj/project.pbxproj:
+            * WebProcess/com.apple.WebProcess.sb.in:
+
 2022-02-24  Russell Epstein  <repstein@apple.com>
 
         Cherry-pick r290288. rdar://problem/89062166
diff --git a/Source/WebKit/DerivedSources-input.xcfilelist b/Source/WebKit/DerivedSources-input.xcfilelist
index 3cd391f..e64e9da 100644
--- a/Source/WebKit/DerivedSources-input.xcfilelist
+++ b/Source/WebKit/DerivedSources-input.xcfilelist
@@ -106,7 +106,11 @@
 $(PROJECT_DIR)/PluginProcess/PluginProcess.messages.in
 $(PROJECT_DIR)/PluginProcess/WebProcessConnection.messages.in
 $(PROJECT_DIR)/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in
+$(PROJECT_DIR)/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
+$(PROJECT_DIR)/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in
+$(PROJECT_DIR)/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.in
 $(PROJECT_DIR)/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
+$(PROJECT_DIR)/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.in
 $(PROJECT_DIR)/Scripts/PreferencesTemplates/WebPageUpdatePreferences.cpp.erb
 $(PROJECT_DIR)/Scripts/PreferencesTemplates/WebPreferencesDefinitions.h.erb
 $(PROJECT_DIR)/Scripts/PreferencesTemplates/WebPreferencesExperimentalFeatures.cpp.erb
diff --git a/Source/WebKit/DerivedSources-output.xcfilelist b/Source/WebKit/DerivedSources-output.xcfilelist
index c26b7c7..6260e51 100644
--- a/Source/WebKit/DerivedSources-output.xcfilelist
+++ b/Source/WebKit/DerivedSources-output.xcfilelist
@@ -643,10 +643,14 @@
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/WebUserContentControllerProxyMessageReceiver.cpp
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/WebUserContentControllerProxyMessages.h
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/WebUserContentControllerProxyMessagesReplies.h
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.GPU.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.GPUProcess.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.NetworkProcess.sb
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.Networking.sb
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.WebAuthn.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.WebAuthnProcess.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.WebContent.sb
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.adattributiond.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.plugin-common.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebKit.webpushd.sb
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit/com.apple.WebProcess.sb
diff --git a/Source/WebKit/DerivedSources.make b/Source/WebKit/DerivedSources.make
index 8db1281..9daf15c 100644
--- a/Source/WebKit/DerivedSources.make
+++ b/Source/WebKit/DerivedSources.make
@@ -348,6 +348,10 @@
 	TARGET_TRIPLE_FLAGS=-target $(WK_CURRENT_ARCH)-$(LLVM_TARGET_TRIPLE_VENDOR)-$(LLVM_TARGET_TRIPLE_OS_VERSION)$(LLVM_TARGET_TRIPLE_SUFFIX)
 endif
 
+ifeq ($(USE_SYSTEM_CONTENT_PATH),YES)
+	SANDBOX_DEFINES = -DUSE_SYSTEM_CONTENT_PATH=1 -DSYSTEM_CONTENT_PATH=$(SYSTEM_CONTENT_PATH)
+endif
+
 SANDBOX_PROFILES = \
 	com.apple.WebProcess.sb \
 	com.apple.WebKit.NetworkProcess.sb \
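Review bot: `-DSYSTEM_CONTENT_PATH=$(SYSTEM_CONTENT_PATH)` passes the path to the compiler unquoted and without checking that it is set. A value containing spaces or shell metacharacters would split the `$(CC)` command line in the `%.sb` rule, and an empty value defines the macro as nothing. The macro presumably feeds sandbox allow rules through the WebKitAdditions .defs files, which this diff does not show, so I would fail the build rather than generate a profile from a bad value. Inside the `ifeq`, add `$(if $(SYSTEM_CONTENT_PATH),,$(error SYSTEM_CONTENT_PATH must be set when USE_SYSTEM_CONTENT_PATH=YES))` and quote the define as `'-DSYSTEM_CONTENT_PATH=$(SYSTEM_CONTENT_PATH)'`.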
@@ -356,7 +360,11 @@
 	com.apple.WebKit.webpushd.sb
 	
 SANDBOX_PROFILES_IOS = \
-	com.apple.WebKit.WebContent.sb \
+	com.apple.WebKit.adattributiond.sb \
+	com.apple.WebKit.GPU.sb \
+	com.apple.WebKit.Networking.sb \
+	com.apple.WebKit.WebAuthn.sb \
+	com.apple.WebKit.WebContent.sb
 
 sandbox-profiles-ios : $(SANDBOX_PROFILES_IOS)
 
@@ -364,7 +372,7 @@
 
 %.sb : %.sb.in
 	@echo Pre-processing $* sandbox profile...
-	grep -o '^[^;]*' $< | $(CC) $(SDK_FLAGS) $(TARGET_TRIPLE_FLAGS) $(TEXT_PREPROCESSOR_FLAGS) $(FRAMEWORK_FLAGS) $(HEADER_FLAGS) -include "wtf/Platform.h" - > $@
+	grep -o '^[^;]*' $< | $(CC) $(SDK_FLAGS) $(TARGET_TRIPLE_FLAGS) $(SANDBOX_DEFINES) $(TEXT_PREPROCESSOR_FLAGS) $(FRAMEWORK_FLAGS) $(HEADER_FLAGS) -include "wtf/Platform.h" - > $@
 
 AUTOMATION_PROTOCOL_GENERATOR_SCRIPTS = \
 	$(JavaScriptCore_SCRIPTS_DIR)/cpp_generator_templates.py \
diff --git a/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in b/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
index 502e17f..eaa00fb 100644
--- a/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
+++ b/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
@@ -32,6 +32,10 @@
 
 #include "Shared/Sandbox/preferences.sb"
 
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-macos.defs>
+#endif
+ 
 ;;;
 ;;; The following rules were originally contained in 'system.sb'. We are duplicating them here so we can
 ;;; remove unneeded sandbox extensions.
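Review bot: This profile now includes `SystemContentSandbox-macos.defs`, but no rule in this diff uses what it defines; the same holds for the include added to com.apple.WebKit.NetworkProcess.sb.in. The WebAuthnProcess and WebProcess profiles pair the include with `(map allow-read-directory-and-issue-read-extensions read-directory-and-issue-read-extension-secondary-paths)`. Either the GPU and Network processes need an equivalent rule or the include does nothing here, unless the .defs file emits rules itself, which is not visible. Neither file appears in the ChangeLog entry, which instead lists Shared/Sandbox/preferences.sb, a file this diff does not touch, so it is worth confirming the cherry-pick carried the intended set of changes.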
diff --git a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
index 236ddd3..7bb0cfc 100644
--- a/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
+++ b/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
@@ -38,6 +38,10 @@
 
 #include "Shared/Sandbox/preferences.sb"
 
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-macos.defs>
+#endif
+ 
 ;; Utility functions for home directory relative path filters
 (define (home-regex home-relative-regex)
   (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
similarity index 97%
rename from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb
rename to Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
index bc5a335..fbd1075 100644
--- a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb
+++ b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb.in
@@ -852,3 +852,21 @@
             MSC_task_name_for_pid
             MSC_task_self_trap
             MSC_thread_get_special_reply_port)))
+
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-ios.defs>
+
+(allow file-read* file-test-existence
+    (apply subpath file-read-existence-secondary-paths))
+
+(allow file-map-executable
+    (apply subpath secondary-framework-and-dylib-paths))
+
+(allow-read-and-issue-generic-extensions
+    (apply subpath issue-extension-secondary-paths))
+
+(allow file-issue-extension
+    (require-all
+        (extension-class "com.apple.mediaserverd.read")
+        (apply subpath issue-extension-secondary-paths)))
+#endif
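Review bot: The block appended here grants `file-read*`, `file-map-executable` and extension issuance over path lists defined only in `SystemContentSandbox-ios.defs`, so the profile no longer shows which directories the GPU process may read or map as executable. I would add a comment above the `#if`, such as `;; Path lists below come from WebKitAdditions/SystemContentSandbox-ios.defs (built only with USE(SYSTEM_CONTENT_PATH)).`, and say why each grant is needed for this process. The same block is pasted with small variations into the Networking, WebAuthn, WebContent and adattributiond profiles. A single shared include with the per-process differences spelled out would keep the five copies from drifting.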
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in
similarity index 98%
rename from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
rename to Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in
index 53bff6e..637ff38 100644
--- a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
+++ b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb.in
@@ -789,3 +789,16 @@
     (allow mach-kernel-endpoint
         (apply-message-filter
             (allow mach-message-send (with report) (with telemetry)))))
+
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-ios.defs>
+
+(allow file-read* file-test-existence
+    (apply subpath file-read-existence-secondary-paths))
+
+(allow file-map-executable
+    (apply subpath secondary-framework-and-dylib-paths))
+
+(allow-read-and-issue-generic-extensions
+    (apply subpath issue-extension-secondary-paths))
+#endif
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.in
similarity index 97%
rename from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb
rename to Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.in
index 1700e0e..8f77307 100644
--- a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb
+++ b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebAuthn.sb.in
@@ -445,3 +445,13 @@
     (allow network-outbound
         (literal "/private/var/run/syslog"))
 )
+
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-ios.defs>
+
+(allow file-read* file-test-existence
+    (apply subpath file-read-existence-secondary-paths))
+
+(allow file-map-executable
+    (apply subpath secondary-framework-and-dylib-paths))
+#endif
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
index a880b1c..9eeea7e 100644
--- a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
+++ b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
@@ -1651,3 +1651,23 @@
         "com.apple.accessibility.wob.status"
         "com.apple.automation.stringlookupinfoenabled"
         "com.apple.webinspectord.availability_check"))
+
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-ios.defs>
+
+(allow file-read* file-test-existence
+    (apply subpath file-read-existence-secondary-paths))
+
+(allow file-map-executable
+    (apply subpath "secondary-framework-and-dylib-paths))
+
+(allow-read-and-issue-generic-extensions
+    (apply subpath issue-extension-secondary-paths))
+    
+(allow file-issue-extension
+    (require-all
+        (extension-class "com.apple.mediaserverd.read")
+        (require-any
+            (apply subpath issue-extension-secondary-paths)
+        )))
+#endif
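Review bot: The `file-map-executable` rule has a stray double quote, `(apply subpath "secondary-framework-and-dylib-paths))`, which opens a string that is not closed until the `"` in front of `com.apple.mediaserverd.read` several lines down. With USE(SYSTEM_CONTENT_PATH) enabled, the generated WebContent profile would likely be malformed or have the rules in between swallowed into a string literal. The line should read `(apply subpath secondary-framework-and-dylib-paths))`, as in the other four iOS profiles. The `file-issue-extension` rule also wraps a single filter in `require-any`, where the GPU profile passes `(apply subpath issue-extension-secondary-paths)` directly to `require-all`; using the same form in both keeps the copies comparable.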
diff --git a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.in
similarity index 95%
rename from Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb
rename to Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.in
index 2e2ad0d..9d0eeaf 100644
--- a/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb
+++ b/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.adattributiond.sb.in
@@ -164,3 +164,13 @@
 ;; Needed for CFNetworkAgent, see 33386291
 (allow mach-lookup
     (global-name "com.apple.cfnetwork.cfnetworkagent"))
+    
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-ios.defs>
+
+(allow file-read* file-test-existence
+    (apply subpath file-read-existence-secondary-paths))
+
+(allow file-map-executable
+    (apply subpath secondary-framework-and-dylib-paths))
+#endif
diff --git a/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in b/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in
index 68e1772..36066fc 100644
--- a/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in
+++ b/Source/WebKit/WebAuthnProcess/mac/com.apple.WebKit.WebAuthnProcess.sb.in
@@ -31,6 +31,10 @@
 
 #include "Shared/Sandbox/preferences.sb"
 
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-macos.defs>
+#endif
+ 
 ;;;
 ;;; The following rules were originally contained in 'system.sb'. We are duplicating them here so we can
 ;;; remove unneeded sandbox extensions.
@@ -310,6 +314,11 @@
 ;; This is to avoid warnings attempting to create extensions for these resources.
 (allow-read-directory-and-issue-read-extensions "/System/Library/PrivateFrameworks/WebInspectorUI.framework")
 
+#if USE(SYSTEM_CONTENT_PATH)
+(map allow-read-directory-and-issue-read-extensions
+    read-directory-and-issue-read-extension-secondary-paths)
+#endif
+
 ;; Sandbox extensions
 (define (apply-read-and-issue-extension op path-filter)
     (op file-read* path-filter)
diff --git a/Source/WebKit/WebKit.xcodeproj/project.pbxproj b/Source/WebKit/WebKit.xcodeproj/project.pbxproj
index 9e7ec99..5e43b5c 100644
--- a/Source/WebKit/WebKit.xcodeproj/project.pbxproj
+++ b/Source/WebKit/WebKit.xcodeproj/project.pbxproj
@@ -64,7 +64,6 @@
 			isa = PBXAggregateTarget;
 			buildConfigurationList = A7AADA1419395CA9003EA1C7 /* Build configuration list for PBXAggregateTarget "Sandbox Profiles" */;
 			buildPhases = (
-				A7AADA1519395CC3003EA1C7 /* CopyFiles */,
 				E30CFBA3266138730094D9C0 /* ShellScript */,
 			);
 			dependencies = (
@@ -693,7 +692,6 @@
 		2DACE64E18ADBFF000E4CA76 /* _WKThumbnailViewInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 2DACE64D18ADBFF000E4CA76 /* _WKThumbnailViewInternal.h */; };
 		2DAF06D618BD1A470081CEB1 /* SmartMagnificationController.h in Headers */ = {isa = PBXBuildFile; fileRef = 2DAF06D418BD1A470081CEB1 /* SmartMagnificationController.h */; };
 		2DB94299234E7A7F00E776AD /* WKMouseGestureRecognizer.h in Headers */ = {isa = PBXBuildFile; fileRef = 2DB94297234E7A7F00E776AD /* WKMouseGestureRecognizer.h */; };
-		2DB96053239886C100102791 /* com.apple.WebKit.GPU.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = 2DB96052239886B900102791 /* com.apple.WebKit.GPU.sb */; };
 		2DC18FB3218A6E9E0025A88D /* RemoteLayerTreeViews.h in Headers */ = {isa = PBXBuildFile; fileRef = 2DC18FB1218A6E9E0025A88D /* RemoteLayerTreeViews.h */; };
 		2DC18FB4218A6E9E0025A88D /* RemoteLayerTreeViews.mm in Sources */ = {isa = PBXBuildFile; fileRef = 2DC18FB2218A6E9E0025A88D /* RemoteLayerTreeViews.mm */; };
 		2DC18FF6EF2A3130C1301767 /* SharedBufferDataReference.h in Headers */ = {isa = PBXBuildFile; fileRef = 2DC1881ACBCAB5D57C5C6EF0 /* SharedBufferDataReference.h */; };
@@ -1196,7 +1194,6 @@
 		57DCEDCB214F4E420016B847 /* MockAuthenticatorManager.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCEDC9214F4E420016B847 /* MockAuthenticatorManager.h */; };
 		57EB2E3A21E1983E00B89CDF /* U2fAuthenticator.h in Headers */ = {isa = PBXBuildFile; fileRef = 57EB2E3821E1983E00B89CDF /* U2fAuthenticator.h */; };
 		57EBE26A234676C5008D8AF9 /* APIWebAuthenticationPanel.h in Headers */ = {isa = PBXBuildFile; fileRef = 57EBE268234676C5008D8AF9 /* APIWebAuthenticationPanel.h */; };
-		57EFC77E2550EB8600F9477D /* com.apple.WebKit.WebAuthn.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = 57EFC77D2550EB8500F9477D /* com.apple.WebKit.WebAuthn.sb */; };
 		57FABB0F25817CF00059DC95 /* AuthenticationServicesCoreSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = 57FABB0E25817CF00059DC95 /* AuthenticationServicesCoreSPI.h */; };
 		57FABB122581827C0059DC95 /* AuthenticationServicesCoreSoftLink.h in Headers */ = {isa = PBXBuildFile; fileRef = 57FABB102581827C0059DC95 /* AuthenticationServicesCoreSoftLink.h */; };
 		57FABB132581827C0059DC95 /* AuthenticationServicesCoreSoftLink.mm in Sources */ = {isa = PBXBuildFile; fileRef = 57FABB112581827C0059DC95 /* AuthenticationServicesCoreSoftLink.mm */; };
@@ -1211,7 +1208,6 @@
 		57FE688C260ABB3D00BF45E4 /* PrivateClickMeasurementNetworkLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 57FE688A260ABB3D00BF45E4 /* PrivateClickMeasurementNetworkLoader.h */; };
 		5C0B17781E7C880E00E9123C /* NetworkSocketStreamMessageReceiver.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5C0B17741E7C879C00E9123C /* NetworkSocketStreamMessageReceiver.cpp */; };
 		5C0B17791E7C882100E9123C /* WebSocketStreamMessageReceiver.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5C0B17761E7C879C00E9123C /* WebSocketStreamMessageReceiver.cpp */; };
-		5C0D161C27972C09008EDF0D /* com.apple.WebKit.adattributiond.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = 5C1578E5270E0DBC00ED5280 /* com.apple.WebKit.adattributiond.sb */; };
 		5C121E842410208D00486F9B /* FrameTreeNodeData.h in Headers */ = {isa = PBXBuildFile; fileRef = 5C121E8324101F7000486F9B /* FrameTreeNodeData.h */; };
 		5C121E89241029C900486F9B /* _WKFrameTreeNode.h in Headers */ = {isa = PBXBuildFile; fileRef = 5C121E882410290D00486F9B /* _WKFrameTreeNode.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		5C1426ED1C23F80900D41183 /* NetworkProcessCreationParameters.h in Headers */ = {isa = PBXBuildFile; fileRef = 5C1426E31C23F80500D41183 /* NetworkProcessCreationParameters.h */; };
@@ -1645,7 +1641,6 @@
 		A5E391FD2183C1F800C8FB31 /* InspectorTargetProxy.h in Headers */ = {isa = PBXBuildFile; fileRef = A5E391FC2183C1E900C8FB31 /* InspectorTargetProxy.h */; };
 		A5EC6AD42151BD7B00677D17 /* WebPageDebuggable.h in Headers */ = {isa = PBXBuildFile; fileRef = A5EC6AD32151BD6900677D17 /* WebPageDebuggable.h */; };
 		A5EFD38C16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = A5EFD38B16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h */; settings = {ATTRIBUTES = (Private, ); }; };
-		A78CCDDB193AC9F8005ECC25 /* com.apple.WebKit.Networking.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */; };
 		A7D792D81767CCA300881CBE /* ActivityAssertion.h in Headers */ = {isa = PBXBuildFile; fileRef = A7D792D41767CB0900881CBE /* ActivityAssertion.h */; };
 		AAB145E6223F931200E489D8 /* PrefetchCache.h in Headers */ = {isa = PBXBuildFile; fileRef = AAB145E4223F931200E489D8 /* PrefetchCache.h */; };
 		AAFA634F234F7C6400FFA864 /* AsyncRevalidation.h in Headers */ = {isa = PBXBuildFile; fileRef = AAFA634E234F7C6300FFA864 /* AsyncRevalidation.h */; };
@@ -2438,19 +2433,6 @@
 			name = "Copy Plug-ins";
 			runOnlyForDeploymentPostprocessing = 0;
 		};
-		A7AADA1519395CC3003EA1C7 /* CopyFiles */ = {
-			isa = PBXCopyFilesBuildPhase;
-			buildActionMask = 2147483647;
-			dstPath = "$(INSTALL_PATH)";
-			dstSubfolderSpec = 0;
-			files = (
-				5C0D161C27972C09008EDF0D /* com.apple.WebKit.adattributiond.sb in CopyFiles */,
-				2DB96053239886C100102791 /* com.apple.WebKit.GPU.sb in CopyFiles */,
-				A78CCDDB193AC9F8005ECC25 /* com.apple.WebKit.Networking.sb in CopyFiles */,
-				57EFC77E2550EB8600F9477D /* com.apple.WebKit.WebAuthn.sb in CopyFiles */,
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-		};
 		DDB04F3C278E55D0008D3678 /* Product Dependencies */ = {
 			isa = PBXCopyFilesBuildPhase;
 			buildActionMask = 2147483647;
@@ -3840,7 +3822,7 @@
 		2DAF4FFA1B636181006013D6 /* ViewGestureController.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ViewGestureController.cpp; sourceTree = "<group>"; };
 		2DB94297234E7A7F00E776AD /* WKMouseGestureRecognizer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = WKMouseGestureRecognizer.h; path = ios/WKMouseGestureRecognizer.h; sourceTree = "<group>"; };
 		2DB94298234E7A7F00E776AD /* WKMouseGestureRecognizer.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; name = WKMouseGestureRecognizer.mm; path = ios/WKMouseGestureRecognizer.mm; sourceTree = "<group>"; };
-		2DB96052239886B900102791 /* com.apple.WebKit.GPU.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.GPU.sb; sourceTree = "<group>"; };
+		2DB96052239886B900102791 /* com.apple.WebKit.GPU.sb.in */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.GPU.sb.in; sourceTree = "<group>"; };
 		2DC18001D90DDD15FC6991A9 /* SharedBufferCopy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SharedBufferCopy.cpp; sourceTree = "<group>"; };
 		2DC1855EDBFB850BA0B6D06D /* SharedBufferDataReference.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SharedBufferDataReference.cpp; sourceTree = "<group>"; };
 		2DC1881ACBCAB5D57C5C6EF0 /* SharedBufferDataReference.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SharedBufferDataReference.h; sourceTree = "<group>"; };
@@ -4829,7 +4811,7 @@
 		57EB2E3921E1983E00B89CDF /* U2fAuthenticator.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = U2fAuthenticator.cpp; sourceTree = "<group>"; };
 		57EBE268234676C5008D8AF9 /* APIWebAuthenticationPanel.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = APIWebAuthenticationPanel.h; sourceTree = "<group>"; };
 		57EBE269234676C5008D8AF9 /* APIWebAuthenticationPanel.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = APIWebAuthenticationPanel.cpp; sourceTree = "<group>"; };
-		57EFC77D2550EB8500F9477D /* com.apple.WebKit.WebAuthn.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.WebAuthn.sb; sourceTree = "<group>"; };
+		57EFC77D2550EB8500F9477D /* com.apple.WebKit.WebAuthn.sb.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.WebAuthn.sb.in; sourceTree = "<group>"; };
 		57FABB0E25817CF00059DC95 /* AuthenticationServicesCoreSPI.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AuthenticationServicesCoreSPI.h; sourceTree = "<group>"; };
 		57FABB102581827C0059DC95 /* AuthenticationServicesCoreSoftLink.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AuthenticationServicesCoreSoftLink.h; sourceTree = "<group>"; };
 		57FABB112581827C0059DC95 /* AuthenticationServicesCoreSoftLink.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = AuthenticationServicesCoreSoftLink.mm; sourceTree = "<group>"; };
@@ -4886,7 +4868,7 @@
 		5C1427141C23F8B000D41183 /* LegacyCustomProtocolManager.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LegacyCustomProtocolManager.h; sourceTree = "<group>"; };
 		5C1427151C23F8B000D41183 /* LegacyCustomProtocolManager.messages.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = LegacyCustomProtocolManager.messages.in; sourceTree = "<group>"; };
 		5C14271B1C23F8CC00D41183 /* LegacyCustomProtocolManagerCocoa.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = LegacyCustomProtocolManagerCocoa.mm; sourceTree = "<group>"; };
-		5C1578E5270E0DBC00ED5280 /* com.apple.WebKit.adattributiond.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.adattributiond.sb; sourceTree = "<group>"; };
+		5C1578E5270E0DBC00ED5280 /* com.apple.WebKit.adattributiond.sb.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.WebKit.adattributiond.sb.in; sourceTree = "<group>"; };
 		5C1579DA27165B2F00ED5280 /* webpushd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = webpushd; sourceTree = BUILT_PRODUCTS_DIR; };
 		5C1579DD27165BE500ED5280 /* webpushd.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = webpushd.xcconfig; sourceTree = "<group>"; };
 		5C1579E227172A4900ED5280 /* DaemonConnection.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DaemonConnection.cpp; sourceTree = "<group>"; };
@@ -5718,7 +5700,7 @@
 		A5EC6AD32151BD6900677D17 /* WebPageDebuggable.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = WebPageDebuggable.h; sourceTree = "<group>"; };
 		A5EFD38B16B0E88C00B2F0E8 /* WKPageVisibilityTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKPageVisibilityTypes.h; sourceTree = "<group>"; };
 		A72D5D7F1236CBA800A88B15 /* APISerializedScriptValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APISerializedScriptValue.h; sourceTree = "<group>"; };
-		A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.Networking.sb; sourceTree = "<group>"; };
+		A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb.in */ = {isa = PBXFileReference; lastKnownFileType = text; path = com.apple.WebKit.Networking.sb.in; sourceTree = "<group>"; };
 		A7D792D41767CB0900881CBE /* ActivityAssertion.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ActivityAssertion.h; sourceTree = "<group>"; };
 		A7D792D51767CB6E00881CBE /* ActivityAssertion.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ActivityAssertion.cpp; sourceTree = "<group>"; };
 		A7E93CEB192531AA00A1DC48 /* AuxiliaryProcessIOS.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = AuxiliaryProcessIOS.mm; path = ios/AuxiliaryProcessIOS.mm; sourceTree = "<group>"; };
@@ -10814,10 +10796,10 @@
 		A78CCDD6193AC9E3005ECC25 /* ios */ = {
 			isa = PBXGroup;
 			children = (
-				5C1578E5270E0DBC00ED5280 /* com.apple.WebKit.adattributiond.sb */,
-				2DB96052239886B900102791 /* com.apple.WebKit.GPU.sb */,
-				A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb */,
-				57EFC77D2550EB8500F9477D /* com.apple.WebKit.WebAuthn.sb */,
+				5C1578E5270E0DBC00ED5280 /* com.apple.WebKit.adattributiond.sb.in */,
+				2DB96052239886B900102791 /* com.apple.WebKit.GPU.sb.in */,
+				A78CCDD8193AC9E3005ECC25 /* com.apple.WebKit.Networking.sb.in */,
+				57EFC77D2550EB8500F9477D /* com.apple.WebKit.WebAuthn.sb.in */,
 				E313664D265EE5AF0051084F /* com.apple.WebKit.WebContent.sb.in */,
 			);
 			path = ios;
@@ -15535,7 +15517,7 @@
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "echo \"Preprocessing sandbox\"\nScripts/generate-derived-sources.sh sandbox-profiles-ios\ncp ${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit/com.apple.WebKit.WebContent.sb ${DSTROOT}/${INSTALL_PATH}\n";
+			shellScript = "echo \"Preprocessing sandbox\"\nScripts/generate-derived-sources.sh sandbox-profiles-ios\ncp ${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit/com.apple.WebKit.adattributiond.sb ${DSTROOT}/${INSTALL_PATH}\ncp ${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit/com.apple.WebKit.GPU.sb ${DSTROOT}/${INSTALL_PATH}\ncp ${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit/com.apple.WebKit.Networking.sb ${DSTROOT}/${INSTALL_PATH}\ncp ${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit/com.apple.WebKit.WebAuth.sb ${DSTROOT}/${INSTALL_PATH}\ncp ${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit/com.apple.WebKit.WebContent.sb ${DSTROOT}/${INSTALL_PATH}\n";
 		};
 		F4EFBAD522540CBB00049BA6 /* Replace WebKitAdditions in Framework Headers */ = {
 			isa = PBXShellScriptBuildPhase;
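Review bot: The fourth `cp` in the new shellScript names `com.apple.WebKit.WebAuth.sb`, but the make target and DerivedSources-output.xcfilelist both produce `com.apple.WebKit.WebAuthn.sb`, so that copy cannot find its source. The CopyFiles phase that used to install this profile is removed in the same commit, so the WebAuthn sandbox profile would not reach `${DSTROOT}/${INSTALL_PATH}`. The script has no `set -e` and ends with a `cp` that succeeds, so the failure would probably not stop the build. Correct the line to `cp ${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit/com.apple.WebKit.WebAuthn.sb ${DSTROOT}/${INSTALL_PATH}` and put `set -e` on the script's first line so a missing profile fails the build.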
diff --git a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
index 61692fd..cbded9e 100644
--- a/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
+++ b/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in
@@ -32,6 +32,10 @@
  
 #include "Shared/Sandbox/preferences.sb"
 
+#if USE(SYSTEM_CONTENT_PATH)
+#include <WebKitAdditions/SystemContentSandbox-macos.defs>
+#endif
+ 
 ;;;
 ;;; The following rules were originally contained in 'system.sb'. We are duplicating them here so we can
 ;;; remove unneeded sandbox extensions.
@@ -1096,6 +1100,11 @@
 ;; This is to avoid warnings attempting to create extensions for these resources.
 (allow-read-directory-and-issue-read-extensions "/System/Library/PrivateFrameworks/WebInspectorUI.framework")
 
+#if USE(SYSTEM_CONTENT_PATH)
+(map allow-read-directory-and-issue-read-extensions
+    read-directory-and-issue-read-extension-secondary-paths)
+#endif
+
 ;; Sandbox extensions
 (define (apply-read-and-issue-extension op path-filter)
     (op file-read* path-filter)