Bug 118690 - PluginProcess deny file-read-data /Library/Application Support/Macromedia/FlashPlayerTrust
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Maciej Stachowiak
Keywords: InRadar
Reported: 2013-07-15 15:16 PDT by Maciej Stachowiak
Modified: 2013-07-15 19:35 PDT
Attachments
Patch (1.36 KB, patch)
2013-07-15 15:18 PDT, Maciej Stachowiak
Patch (1.88 KB, patch)
2013-07-15 18:29 PDT, Simon Cooper

Description Maciej Stachowiak 2013-07-15 15:16:01 PDT
PluginProcess deny file-read-data /Library/Application Support/Macromedia/FlashPlayerTrust
Comment 1 Maciej Stachowiak 2013-07-15 15:18:33 PDT
Created attachment 206690
Patch
Comment 2 Maciej Stachowiak 2013-07-15 15:19:36 PDT
<rdar://problem/14255963>
Comment 3 Alexey Proskuryakov 2013-07-15 15:22:18 PDT
Comment on attachment 206690
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review

> Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40
> +      (literal "Library/Application Support/Macromedia/FlashPlayerTrust")

This is not a proper path, there should be a slash before "Library".

I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there.

Also, four space indentation please.
Comment 4 Sam Weinig 2013-07-15 15:23:23 PDT
Comment on attachment 206690
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review

>> Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40
>> +(deny file-read* (with no-log)
>> +      (literal "Library/Application Support/Macromedia/FlashPlayerTrust")
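Review bot: The `(with no-log)` modifier on the `(deny file-read* ...` line has no explanation in the quoted lines; add a one-line comment above the rule stating that the denial is intentional and that the modifier only silences the `file-read-data` report from the bug title, so a later reader does not mistake it for a leftover. The path in the `literal` line is relative while the logged violation path is absolute, so as quoted the rule would not match that path and would suppress nothing.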
> 
> This is not a proper path, there should be a slash before "Library".
> 
> I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there.
> 
> Also, four space indentation please.

This should go above the (webkit-foo) stuff.
Comment 5 Simon Cooper 2013-07-15 15:41:30 PDT
As previously noted the proposed change is not good.
Comment 6 Alexey Proskuryakov 2013-07-15 16:05:32 PDT
> This should go above the (webkit-foo) stuff.

Why? Generally, "deny" rules should be last, to make sure that they take precedence.
Comment 7 Simon Cooper 2013-07-15 16:43:44 PDT
It doesn't really matter where the rules are -- they can be put above the (webkit-foo) stuff -- along with the other path rules (but at the end of them).

The only reason the (webkit-foo) things were stuck at the end was to avoid a merge conflict when I was making multiple changes at once -- they probably ought to be moved to the top of the sub-profile anyway.
Comment 8 Simon Cooper 2013-07-15 18:29:13 PDT
Created attachment 206714
Patch
Comment 9 WebKit Commit Bot 2013-07-15 19:35:45 PDT
Comment on attachment 206714
Patch

Clearing flags on attachment: 206714

Committed r152698: <http://trac.webkit.org/changeset/152698>
Comment 10 WebKit Commit Bot 2013-07-15 19:35:48 PDT
All reviewed patches have been landed.  Closing bug.