PluginProcess deny file-read-data /Library/Application Support/Macromedia/FlashPlayerTrust
Created attachment 206690: Patch
<rdar://problem/14255963>
Comment on attachment 206690: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review

> Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40
> + (literal "Library/Application Support/Macromedia/FlashPlayerTrust")

This is not a proper path, there should be a slash before "Library".

I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there.

Also, four space indentation please.
Comment on attachment 206690: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review

>> Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40
>> +(deny file-read* (with no-log)
>> + (literal "Library/Application Support/Macromedia/FlashPlayerTrust")
>
> This is not a proper path, there should be a slash before "Library".
>
> I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there.
>
> Also, four space indentation please.

This should go above the (webkit-foo) stuff.
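Review bot: the filter in the quoted hunk, `(literal "Library/Application Support/Macromedia/FlashPlayerTrust")`, has no leading slash, so it can never match the absolute path named in the bug title and the deny rule would be a no-op; it should be `(subpath "/Library/Application Support/Macromedia/FlashPlayerTrust")` so that the whole directory tree is covered, or at minimum `(literal "/Library/Application Support/Macromedia/FlashPlayerTrust")`. The bug title asks for `file-read-data` while the hunk denies `file-read*`, which is broader (it also covers metadata reads); that is the safer direction but should be deliberate. Because the rule carries `(with no-log)`, blocked accesses will not show up in sandbox violation logs, so the landed rule should be verified by exercising the path under the profile rather than by watching for log entries.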
As previously noted the proposed change is not good.
> This should go above the (webkit-foo) stuff.

Why? Generally, "deny" rules should be last, to make sure that they take precedence.
It doesn't really matter where the rules are -- they can be put above the (webkit-foo) stuff -- along with the other path rules (but at the end of them). The only reason the (webkit-foo) things were stuck at the end was to avoid a merge conflict when I was making multiple changes at once -- they probably ought to be moved to the top of the sub-profile anyway.
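A small lint for the two mechanical points raised in review above (a relative path inside a `literal`/`subpath` filter, and four-space indentation), as an added example rather than code from WebKit or from the patch; the SBPL snippets it checks are constructed to mirror the rejected and the requested rule shapes, and the regex for path filters is an assumption about the profile syntax.

```python
import re
from typing import List, Tuple

# SBPL (Apple Seatbelt) path filters look like (literal "path") or (subpath "path").
# Assumed syntax: one filter per match, double-quoted path, no escaped quotes.
PATH_FILTER_RE = re.compile(r'\((literal|subpath)\s+"([^"]*)"\)')

# Constructed sample: the rule shape rejected in review (relative path, one-space indent).
BAD_RULE = '''\
(deny file-read* (with no-log)
 (literal "Library/Application Support/Macromedia/FlashPlayerTrust"))
'''

# Constructed sample: the rule shape the reviewers asked for (absolute subpath, 4-space indent).
GOOD_RULE = '''\
(deny file-read* (with no-log)
    (subpath "/Library/Application Support/Macromedia/FlashPlayerTrust"))
'''


def lint_sandbox_profile(profile_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) pairs for problems a profile reviewer would flag."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        code = line.split(";", 1)[0]  # drop SBPL ';' comments
        if not code.strip():
            continue
        # A path filter must be absolute: a relative literal never matches a real
        # filesystem path, so the surrounding deny rule silently does nothing.
        for kind, path in PATH_FILTER_RE.findall(code):
            if not path.startswith("/"):
                findings.append((lineno, f'{kind} path "{path}" is not absolute'))
        # Indentation convention from review: four spaces per level, no tabs.
        indent = code[: len(code) - len(code.lstrip(" \t"))]
        if "\t" in indent or len(indent) % 4 != 0:
            findings.append(
                (lineno, f"indentation is {len(indent)} characters, expected a multiple of four spaces")
            )
    return findings


if __name__ == "__main__":
    for name, text in (("rejected rule", BAD_RULE), ("requested rule", GOOD_RULE)):
        print(name, lint_sandbox_profile(text) or "clean")
```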
Created attachment 206714: Patch
Comment on attachment 206714: Patch

Clearing flags on attachment: 206714

Committed r152698: <http://trac.webkit.org/changeset/152698>
All reviewed patches have been landed. Closing bug.