Diffstat (limited to 'Source/WebKit2/WebProcess/com.apple.WebProcess.sb')
-rw-r--r--Source/WebKit2/WebProcess/com.apple.WebProcess.sb92
1 files changed, 55 insertions, 37 deletions
diff --git a/Source/WebKit2/WebProcess/com.apple.WebProcess.sb b/Source/WebKit2/WebProcess/com.apple.WebProcess.sb
index df57bde..5d81971 100644
--- a/Source/WebKit2/WebProcess/com.apple.WebProcess.sb
+++ b/Source/WebKit2/WebProcess/com.apple.WebProcess.sb
@@ -6,48 +6,57 @@
;; Read-only preferences and data
(allow file-read*
- ;; Basic system paths
- (subpath "/Library/Fonts")
- (subpath "/Library/Frameworks")
- (subpath "/Library/Keychains")
- (subpath "/private/var/db/mds")
- (regex #"^/private/etc/(hosts|group|passwd)$")
-
- ;; Plugins
- (subpath "/Library/Internet Plug-Ins")
- (subpath (string-append (param "_HOME") "/Library/Internet Plug-Ins"))
-
- ;; System and user preferences
- (literal "/Library/Preferences/.GlobalPreferences.plist")
- (literal "/Library/Preferences/com.apple.security.plist")
- (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist"))
- (regex (string-append "^" (param "_HOME") "/Library/Preferences/ByHost/\.GlobalPreferences\."))
- (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.ATS.plist"))
- (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.HIToolbox.plist"))
- (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.LaunchServices.plist"))
- (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.WebFoundation.plist"))
- (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.security.plist"))
- (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.security.revocation.plist"))
- (subpath (string-append (param "_HOME") "/Library/Keychains"))
-
- ;; On-disk WebKit2 framework location, to account for debug installations
- ;; outside of /System/Library/Frameworks
- (subpath (param "WEBKIT2_FRAMEWORK_DIR"))
-
- ;; Extensions from UIProcess
- (extension)
+ ;; Basic system paths
+ (subpath "/Library/Fonts")
+ (subpath "/Library/Frameworks")
+ (subpath "/Library/Keychains")
+ (subpath "/private/var/db/mds")
+ (subpath "/private/var/db/DetachedSignatures")
+ (regex #"^/private/etc/(hosts|group|passwd)$")
+
+ ;; Plugins
+ (subpath "/Library/Internet Plug-Ins")
+ (subpath (string-append (param "HOME_DIR") "/Library/Internet Plug-Ins"))
+
+ ;; System and user preferences
+ (literal "/Library/Preferences/.GlobalPreferences.plist")
+ (literal "/Library/Preferences/com.apple.crypto.plist")
+ (literal "/Library/Preferences/com.apple.security.plist")
+ (literal "/Library/Preferences/com.apple.security.common.plist")
+ (literal "/Library/Preferences/com.apple.security.revocation.plist")
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/.GlobalPreferences.plist"))
+ (regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/ByHost/\.GlobalPreferences\."))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.ATS.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.HIToolbox.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.LaunchServices.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.WebFoundation.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.security.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.security.revocation.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain"))
+ (regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/com\.apple\.driver\.(AppleBluetoothMultitouch\.mouse|AppleBluetoothMultitouch\.trackpad|AppleHIDMouse)\.plist$"))
+
+ ;; On-disk WebKit2 framework location, to account for debug installations
+ ;; outside of /System/Library/Frameworks
+ (subpath (param "WEBKIT2_FRAMEWORK_DIR"))
+
+ ;; FIXME: This should be removed when <rdar://problem/8957845> is fixed.
+ (subpath (string-append (param "HOME_DIR") "/Library/Fonts"))
+
+ ;; Extensions from UIProcess
+ (extension)
)
(allow file-write*
- ;; Extensions from UIProcess
- (extension)
+ ;; Extensions from UIProcess
+ (extension)
)
;; Writable preferences and temporary files
(allow file*
- (subpath (string-append (param "_HOME") "/Library/Caches/com.apple.WebProcess"))
- (regex (string-append "^" (param "_HOME") "/Library/Preferences/ByHost/com\.apple\.HIToolbox\."))
- (regex (string-append "^" (param "_HOME") "/Library/Preferences/com\.apple\.WebProcess\."))
+ (subpath (string-append (param "HOME_DIR") "/Library/Caches/com.apple.WebProcess"))
+ (regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/ByHost/com\.apple\.HIToolbox\."))
+ (regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/com\.apple\.WebProcess\."))
+ (subpath (string-append (param "HOME_DIR") "/Library/Keychains"))
)
;; Darwin temporary files and caches, if present
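Review bot: The added `(subpath (string-append (param "HOME_DIR") "/Library/Keychains"))` in the `(allow file*` block lets the web process create, modify and delete files anywhere in the user's keychain directory, where the old profile granted only `file-read*` on that path. The block is headed "Writable preferences and temporary files", which a keychain directory is not, and nothing in the hunk says which operation needs to write there. Because this process handles untrusted web content, the grant should be as narrow as the requirement allows. At minimum I would put a comment above the rule, with the placeholders filled in, such as `;; FIXME: keychain write access is needed for <operation>; narrow to file-read* plus the specific files once <tracking bug> is fixed.`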
@@ -56,6 +65,10 @@
(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
(allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
+;; Database dir
+(if (positive? (string-length (param "WEBKIT_DATABASE_DIR")))
+ (allow file* (subpath (param "WEBKIT_DATABASE_DIR"))))
+
;; The NSURLCache directory.
(if (positive? (string-length (param "NSURL_CACHE_DIR")))
(allow file* (subpath (param "NSURL_CACHE_DIR"))))
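Review bot: The new WEBKIT_DATABASE_DIR rule trusts whatever path the parameter holds: the only check is that the string is non-empty, after which the whole subtree gets `file*`. The profile cannot validate the value, so the comment should record the caller's obligation, for example `;; Database dir (read/write). The UI process must pass an absolute, symlink-resolved path to a directory used only for WebKit databases.` Presumably the code that sets this parameter resolves it the same way as DARWIN_USER_TEMP_DIR and NSURL_CACHE_DIR, but that code is not visible here and is worth confirming.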
@@ -89,6 +102,7 @@
(global-name "com.apple.dock.server")
(global-name "com.apple.ocspd")
(global-name "com.apple.pasteboard.1")
+ (global-name "com.apple.system.opendirectoryd.api")
(global-name "com.apple.window_proxies")
(global-name "com.apple.windowserver.active")
(global-name-regex #"^com\.apple\.WebKit\.WebProcess-")
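Review bot: The added `(global-name "com.apple.system.opendirectoryd.api")` entry widens the set of system services the web process can look up, and the hunk gives no reason for it. Other temporary grants in this profile carry a FIXME naming the condition for removal; this one should too, for example `;; FIXME: opendirectoryd lookup is required by <caller>; remove once <condition>.` with the placeholders filled in. The enclosing allow form starts and ends outside the hunk, so I cannot see whether a comment further up already covers it.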
@@ -107,8 +121,8 @@
;; FIXME: These rules are required until plug-ins are moved out of the web process.
(allow file-read*
- (regex (string-append "^" (param "_HOME") "/Library/Preferences/ByHost/com\.apple\.ist\."))
- (literal (string-append (param "_HOME") "/Library/Preferences/edu.mit.Kerberos"))
+ (regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/ByHost/com\.apple\.ist\."))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/edu.mit.Kerberos"))
(literal "/Library/Preferences/edu.mit.Kerberos")
)
@@ -127,6 +141,10 @@
;; FIXME: Once <rdar://problem/8900275> has been fixed, these rules can be removed.
(allow mach-lookup (global-name "com.apple.pubsub.ipc"))
(allow network-outbound (regex #"^/private/tmp/launch-[^/]+/Render"))
+(allow file-read*
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.Safari.RSS.plist"))
+ (literal (string-append (param "HOME_DIR") "/Library/Preferences/com.apple.Syndication.plist"))
+)
;; FIXME: Investigate these.
(allow appleevent-send (appleevent-destination "com.apple.WebProcess"))