RESOLVED FIXED 118690
PluginProcess deny file-read-data /Library/Application Support/Macromedia/FlashPlayerTrust 
https://bugs.webkit.org/show_bug.cgi?id=118690
Summary PluginProcess deny file-read-data /Library/Application Support/Macromedia/Fla...
Maciej Stachowiak
Reported 2013-07-15 15:16:01 PDT
PluginProcess deny file-read-data /Library/Application Support/Macromedia/FlashPlayerTrust
Attachments
Patch (1.36 KB, patch)
2013-07-15 15:18 PDT, Maciej Stachowiak 		no flags
DetailsFormatted DiffDiff
Patch (1.88 KB, patch)
2013-07-15 18:29 PDT, Simon Cooper 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Maciej Stachowiak
Comment 1 2013-07-15 15:18:33 PDT
Created attachment 206690 [details] Patch
Maciej Stachowiak
Comment 2 2013-07-15 15:19:36 PDT
<rdar://problem/14255963>
Alexey Proskuryakov
Comment 3 2013-07-15 15:22:18 PDT
Comment on attachment 206690 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review > Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40 > + (literal "Library/Application Support/Macromedia/FlashPlayerTrust") This is not a proper path, there should be a slash before "Library". I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there. Also, four space indentation please.
Sam Weinig
Comment 4 2013-07-15 15:23:23 PDT
Comment on attachment 206690 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=206690&action=review >> Source/WebKit2/Resources/PlugInSandboxProfiles/com.macromedia.Flash Player.plugin.sb:40 >> +(deny file-read* (with no-log) >> + (literal "Library/Application Support/Macromedia/FlashPlayerTrust") > > This is not a proper path, there should be a slash before "Library". > > I'd block "subpath", not "literal" - we are not interested in further violations inside this path even if Flash goes there. > > Also, four space indentation please. This should go above the (webkit-foo) stuff.
Simon Cooper
Comment 5 2013-07-15 15:41:30 PDT
As previously noted the proposed change is not good.
Alexey Proskuryakov
Comment 6 2013-07-15 16:05:32 PDT
> This should go above the (webkit-foo) stuff. Why? Generally, "deny" rules should be last, to make sure that they take precedence.
Simon Cooper
Comment 7 2013-07-15 16:43:44 PDT
It doesn't really matter where the rules are -- they can be put above the (webkit-foo) stuff -- along with the other path rules (but at the end of them). The only reason the (webkit-foo) things were stuck at the end was to avoid a merge conflict when I was making multiple changes at once -- they probably ought to moved to the top of the sub-profile anyway.
Simon Cooper
Comment 8 2013-07-15 18:29:13 PDT
Created attachment 206714 [details] Patch
WebKit Commit Bot
Comment 9 2013-07-15 19:35:45 PDT
Comment on attachment 206714 [details] Patch Clearing flags on attachment: 206714 Committed r152698: <http://trac.webkit.org/changeset/152698>
WebKit Commit Bot
Comment 10 2013-07-15 19:35:48 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.