[webkit-reviews] review granted: [Bug 197844] Correct the sandbox to allow loading libraries from /Library/Apple : [Attachment 369744] Patch
bugzilla-daemon at webkit.org
Mon May 13 10:27:46 PDT 2019
Per Arne Vollan <pvollan at apple.com> has granted Brent Fulgham
<bfulgham at webkit.org>'s request for review:
Bug 197844: Correct the sandbox to allow loading libraries from /Library/Apple
https://bugs.webkit.org/show_bug.cgi?id=197844
Attachment 369744: Patch
https://bugs.webkit.org/attachment.cgi?id=369744&action=review
--- Comment #3 from Per Arne Vollan <pvollan at apple.com> ---
Comment on attachment 369744
--> https://bugs.webkit.org/attachment.cgi?id=369744
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=369744&action=review
R=me.
> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:43
> (allow file-read*
> (require-all (file-mode #o0004)
> (require-any (subpath "/Library/Filesystems/NetFSPlugins")
> + (subpath "/Library/Apple/System")
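Review bot: the added (subpath "/Library/Apple/System") entry in the file-read* rule grants reads across the whole subtree for files matching (file-mode #o0004), while the file-map-executable rule added at line 63 of the same file names only Library/Frameworks and Library/PrivateFrameworks under that path. If only those libraries need to be read, narrowing this entry to the same two subpaths would keep the read grant aligned with the map grant.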
Is this only needed for the injected bundle? If that is the case, maybe we
could issue an extension? I don't think this is required now, and could be done
in a followup patch.
> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:63
> +;;; Allow mapping of system frameworks + dylibs
> +(allow file-map-executable
> + (subpath "/Library/Apple/System/Library/Frameworks")
> + (subpath "/Library/Apple/System/Library/PrivateFrameworks")
> + (subpath "/System/Library/Frameworks")
> + (subpath "/System/Library/PrivateFrameworks")
> + (subpath "/usr/lib")
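Review bot: the comment above the new file-map-executable rule says only "system frameworks + dylibs" and does not explain why the two /Library/Apple/System entries sit beside /System/Library and /usr/lib. A line tying them to the bug (libraries loaded from /Library/Apple) would help later readers of the profile. Also, (subpath "/usr/lib") covers the entire directory tree, so it is worth confirming that breadth is intended rather than a narrower list.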
Ditto.