Bug 142987 - [Seccomp] Further improvements to default web process policy
Summary: [Seccomp] Further improvements to default web process policy
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on: 142982 142986
Blocks: 140072
  Show dependency treegraph
 
Reported: 2015-03-23 15:06 PDT by Michael Catanzaro
Modified: 2015-07-29 13:16 PDT (History)
2 users (show)

See Also:


Attachments
[Linux] Improvements to SyscallPolicy (7.98 KB, patch)
2015-03-23 15:19 PDT, Michael Catanzaro
no flags Details | Formatted Diff | Diff
Patch (7.92 KB, patch)
2015-07-28 14:18 PDT, Michael Catanzaro
zan: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2015-03-23 15:06:27 PDT
Further improvements to default web process policy
Comment 1 Michael Catanzaro 2015-03-23 15:19:11 PDT
Created attachment 249284 [details]
[Linux] Improvements to SyscallPolicy
Comment 2 Michael Catanzaro 2015-07-28 14:17:40 PDT
OK Zan, last bug for now!
Comment 3 Michael Catanzaro 2015-07-28 14:18:59 PDT
Created attachment 257685 [details]
Patch
Comment 4 Zan Dobersek 2015-07-29 03:27:22 PDT
Comment on attachment 257685 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=257685&action=review

> Source/WebKit2/Shared/linux/SeccompFilters/SyscallPolicy.cpp:264
> +    char* gstreamerPluginDirectory = getenv("GST_PLUGIN_PATH_1_0");
> +    if (gstreamerPluginDirectory)
> +        addDirectoryPermission(gstreamerPluginDirectory, Read);
> +    char* gstreamerRegistryFile = getenv("GST_REGISTRY_1_0");
> +    if (gstreamerRegistryFile)
> +        addFilePermission(gstreamerRegistryFile, ReadAndWrite);

Consider

    if (char* envVariable = getenv("name"))
        addFilePermission(envVariable, ...);
Comment 5 Michael Catanzaro 2015-07-29 08:37:11 PDT
OK. Is that new in C++11, or have you always been able to do that? I saw it for the first time last year and keep forgetting that it's possible.
Comment 6 Michael Catanzaro 2015-07-29 08:53:55 PDT
Committed r187547: <http://trac.webkit.org/changeset/187547>
Comment 7 Zan Dobersek 2015-07-29 13:16:12 PDT
(In reply to comment #5)
> OK. Is that new in C++11, or have you always been able to do that? I saw it
> for the first time last year and keep forgetting that it's possible.

It's older than C++11. Not sure about 'always'.