Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-11 16:35:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

delegate resource reading to embedder

Browse source
This commit is contained in:
Paul Rouget 2018-04-11 16:04:07 +08:00
parent 21517504cb
commit 9fb5795f37
52 changed files with 472 additions and 396 deletions
Download patch file Download diff file Expand all files Collapse all files

33
components/constellation/sandboxing.rs
View file

@ -2,18 +2,17 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
use embedder_traits::resources;
use gaol::profile::{Operation, PathPattern, Profile};
use servo_config::resource_files;
use std::path::PathBuf;
/// Our content process sandbox profile on Mac. As restrictive as possible.
#[cfg(target_os = "macos")]
pub fn content_process_sandbox_profile() -> Profile {
use gaol::platform;
Profile::new(vec![
let mut operations = vec![
Operation::FileReadAll(PathPattern::Literal(PathBuf::from("/dev/urandom"))),
Operation::FileReadAll(PathPattern::Subpath(resource_files::resources_dir_path()
.expect("Cannot find resource dir"))),
Operation::FileReadAll(PathPattern::Subpath(PathBuf::from("/Library/Fonts"))),
Operation::FileReadAll(PathPattern::Subpath(PathBuf::from("/System/Library/Fonts"))),
Operation::FileReadAll(PathPattern::Subpath(PathBuf::from(
@ -27,16 +26,32 @@ pub fn content_process_sandbox_profile() -> Profile {
Operation::SystemInfoRead,
Operation::PlatformSpecific(platform::macos::Operation::MachLookup(
b"com.apple.FontServer".to_vec())),
]).expect("Failed to create sandbox profile!")
];
operations.extend(resources::sandbox_access_files().into_iter().map(|p| {
Operation::FileReadAll(PathPattern::Literal(p))
}));
operations.extend(resources::sandbox_access_files_dirs().into_iter().map(|p| {
Operation::FileReadAll(PathPattern::Subpath(p))
}));
Profile::new(operations).expect("Failed to create sandbox profile!")
}
/// Our content process sandbox profile on Linux. As restrictive as possible.
#[cfg(not(target_os = "macos"))]
pub fn content_process_sandbox_profile() -> Profile {
Profile::new(vec![
let mut operations = vec![
Operation::FileReadAll(PathPattern::Literal(PathBuf::from("/dev/urandom"))),
Operation::FileReadAll(PathPattern::Subpath(resource_files::resources_dir_path()
.expect("Cannot find resource dir"))),
]).expect("Failed to create sandbox profile!")
];
operations.extend(resources::sandbox_access_files().into_iter().map(|p| {
Operation::FileReadAll(PathPattern::Literal(p))
}));
operations.extend(resources::sandbox_access_files_dirs().into_iter().map(|p| {
Operation::FileReadAll(PathPattern::Subpath(p))
}));
Profile::new(operations).expect("Failed to create sandbox profile!")
}