[webkit-reviews] review granted: [Bug 197844] Correct the sandbox to allow loading libraries from /Library/Apple : [Attachment 369744] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 13 10:27:46 PDT 2019

Per Arne Vollan <pvollan at apple.com> has granted Brent Fulgham
<bfulgham at webkit.org>'s request for review:
Bug 197844: Correct the sandbox to allow loading libraries from /Library/Apple

Attachment 369744: Patch


--- Comment #3 from Per Arne Vollan <pvollan at apple.com> ---
Comment on attachment 369744
  --> https://bugs.webkit.org/attachment.cgi?id=369744

View in context: https://bugs.webkit.org/attachment.cgi?id=369744&action=review


> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:43
>  (allow file-read*
>      (require-all (file-mode #o0004)
>      (require-any (subpath "/Library/Filesystems/NetFSPlugins")
> +    (subpath "/Library/Apple/System")

Is this only needed for the injected bundle? If that is the case, maybe we
could issue an extension? I don't think this is required now, and could be done
in a followup patch.

> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:63
> +;;; Allow mapping of system frameworks + dylibs
> +(allow file-map-executable
> +    (subpath "/Library/Apple/System/Library/Frameworks")
> +    (subpath "/Library/Apple/System/Library/PrivateFrameworks")
> +    (subpath "/System/Library/Frameworks")
> +    (subpath "/System/Library/PrivateFrameworks")
> +    (subpath "/usr/lib")


More information about the webkit-reviews mailing list